quasar | 8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997

Analysis

max time kernel
143s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

c2281b1740f2acd02e9e19f83441b033
SHA1

bf321d96b83261e5487f06c9c0ddfc75786c7c8c
SHA256

8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997
SHA512

0c8a95e5caa07047073077a252a891e321cf1a8c964e6e99b72a1c701e6368e63aa82c0425f58364887de3c277130c3c1acda2064332c377efaccf6ce568e027
SSDEEP

49152:jyF/j2yMy5en93hlLLzJjVrvjkoGduTHHB72eh2NT:jydj2yMy5en93hlLLzJjVrvo

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

connectdadad.ddns.net:4782

Mutex

e862a94f-5f45-4b8c-89de-f84dadb095d0

Attributes

encryption_key
23E5F6D22FEE1750D36544A759A48349B064BC34
install_name
PerfWatson1.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhost
subdirectory
KDOT

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 12 IoCs

resource	yara_rule
behavioral1/memory/2544-1-0x0000000000B60000-0x0000000000E84000-memory.dmp	family_quasar
behavioral1/files/0x000800000001933b-5.dat	family_quasar
behavioral1/memory/2052-7-0x0000000000DF0000-0x0000000001114000-memory.dmp	family_quasar
behavioral1/memory/2928-32-0x00000000001E0000-0x0000000000504000-memory.dmp	family_quasar
behavioral1/memory/1152-43-0x0000000000A40000-0x0000000000D64000-memory.dmp	family_quasar
behavioral1/memory/480-54-0x0000000000E80000-0x00000000011A4000-memory.dmp	family_quasar
behavioral1/memory/1944-66-0x0000000001290000-0x00000000015B4000-memory.dmp	family_quasar
behavioral1/memory/1184-109-0x00000000001A0000-0x00000000004C4000-memory.dmp	family_quasar
behavioral1/memory/2356-120-0x0000000000370000-0x0000000000694000-memory.dmp	family_quasar
behavioral1/memory/316-131-0x0000000000E20000-0x0000000001144000-memory.dmp	family_quasar
behavioral1/memory/2496-143-0x0000000000FE0000-0x0000000001304000-memory.dmp	family_quasar
behavioral1/memory/1440-165-0x0000000000300000-0x0000000000624000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2052	PerfWatson1.exe
2660	PerfWatson1.exe
2928	PerfWatson1.exe
1152	PerfWatson1.exe
480	PerfWatson1.exe
1944	PerfWatson1.exe
1756	PerfWatson1.exe
2712	PerfWatson1.exe
2500	PerfWatson1.exe
1184	PerfWatson1.exe
2356	PerfWatson1.exe
316	PerfWatson1.exe
2496	PerfWatson1.exe
2296	PerfWatson1.exe
1440	PerfWatson1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2772	PING.EXE
2956	PING.EXE
2936	PING.EXE
2836	PING.EXE
3068	PING.EXE
1200	PING.EXE
2156	PING.EXE
2232	PING.EXE
1188	PING.EXE
1724	PING.EXE
1480	PING.EXE
1992	PING.EXE
2872	PING.EXE
2128	PING.EXE
1068	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2956	PING.EXE
1200	PING.EXE
1068	PING.EXE
1724	PING.EXE
2836	PING.EXE
2772	PING.EXE
2936	PING.EXE
1480	PING.EXE
3068	PING.EXE
2156	PING.EXE
1992	PING.EXE
2128	PING.EXE
1188	PING.EXE
2232	PING.EXE
2872	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2520	schtasks.exe
2612	schtasks.exe
2876	schtasks.exe
2492	schtasks.exe
2292	schtasks.exe
2656	schtasks.exe
1144	schtasks.exe
1888	schtasks.exe
2624	schtasks.exe
2920	schtasks.exe
2576	schtasks.exe
3036	schtasks.exe
324	schtasks.exe
3028	schtasks.exe
2520	schtasks.exe
2832	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2544	Client-built.exe
Token: SeDebugPrivilege	2052	PerfWatson1.exe
Token: SeDebugPrivilege	2660	PerfWatson1.exe
Token: SeDebugPrivilege	2928	PerfWatson1.exe
Token: SeDebugPrivilege	1152	PerfWatson1.exe
Token: SeDebugPrivilege	480	PerfWatson1.exe
Token: SeDebugPrivilege	1944	PerfWatson1.exe
Token: SeDebugPrivilege	1756	PerfWatson1.exe
Token: SeDebugPrivilege	2712	PerfWatson1.exe
Token: SeDebugPrivilege	2500	PerfWatson1.exe
Token: SeDebugPrivilege	1184	PerfWatson1.exe
Token: SeDebugPrivilege	2356	PerfWatson1.exe
Token: SeDebugPrivilege	316	PerfWatson1.exe
Token: SeDebugPrivilege	2496	PerfWatson1.exe
Token: SeDebugPrivilege	2296	PerfWatson1.exe
Token: SeDebugPrivilege	1440	PerfWatson1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2520	2544	Client-built.exe	31
PID 2544 wrote to memory of 2520	2544	Client-built.exe	31
PID 2544 wrote to memory of 2520	2544	Client-built.exe	31
PID 2544 wrote to memory of 2052	2544	Client-built.exe	33
PID 2544 wrote to memory of 2052	2544	Client-built.exe	33
PID 2544 wrote to memory of 2052	2544	Client-built.exe	33
PID 2052 wrote to memory of 2832	2052	PerfWatson1.exe	34
PID 2052 wrote to memory of 2832	2052	PerfWatson1.exe	34
PID 2052 wrote to memory of 2832	2052	PerfWatson1.exe	34
PID 2052 wrote to memory of 2844	2052	PerfWatson1.exe	36
PID 2052 wrote to memory of 2844	2052	PerfWatson1.exe	36
PID 2052 wrote to memory of 2844	2052	PerfWatson1.exe	36
PID 2844 wrote to memory of 2640	2844	cmd.exe	38
PID 2844 wrote to memory of 2640	2844	cmd.exe	38
PID 2844 wrote to memory of 2640	2844	cmd.exe	38
PID 2844 wrote to memory of 2872	2844	cmd.exe	39
PID 2844 wrote to memory of 2872	2844	cmd.exe	39
PID 2844 wrote to memory of 2872	2844	cmd.exe	39
PID 2844 wrote to memory of 2660	2844	cmd.exe	40
PID 2844 wrote to memory of 2660	2844	cmd.exe	40
PID 2844 wrote to memory of 2660	2844	cmd.exe	40
PID 2660 wrote to memory of 2624	2660	PerfWatson1.exe	41
PID 2660 wrote to memory of 2624	2660	PerfWatson1.exe	41
PID 2660 wrote to memory of 2624	2660	PerfWatson1.exe	41
PID 2660 wrote to memory of 2856	2660	PerfWatson1.exe	43
PID 2660 wrote to memory of 2856	2660	PerfWatson1.exe	43
PID 2660 wrote to memory of 2856	2660	PerfWatson1.exe	43
PID 2856 wrote to memory of 1684	2856	cmd.exe	45
PID 2856 wrote to memory of 1684	2856	cmd.exe	45
PID 2856 wrote to memory of 1684	2856	cmd.exe	45
PID 2856 wrote to memory of 2936	2856	cmd.exe	46
PID 2856 wrote to memory of 2936	2856	cmd.exe	46
PID 2856 wrote to memory of 2936	2856	cmd.exe	46
PID 2856 wrote to memory of 2928	2856	cmd.exe	47
PID 2856 wrote to memory of 2928	2856	cmd.exe	47
PID 2856 wrote to memory of 2928	2856	cmd.exe	47
PID 2928 wrote to memory of 2920	2928	PerfWatson1.exe	48
PID 2928 wrote to memory of 2920	2928	PerfWatson1.exe	48
PID 2928 wrote to memory of 2920	2928	PerfWatson1.exe	48
PID 2928 wrote to memory of 1896	2928	PerfWatson1.exe	50
PID 2928 wrote to memory of 1896	2928	PerfWatson1.exe	50
PID 2928 wrote to memory of 1896	2928	PerfWatson1.exe	50
PID 1896 wrote to memory of 2144	1896	cmd.exe	52
PID 1896 wrote to memory of 2144	1896	cmd.exe	52
PID 1896 wrote to memory of 2144	1896	cmd.exe	52
PID 1896 wrote to memory of 1188	1896	cmd.exe	53
PID 1896 wrote to memory of 1188	1896	cmd.exe	53
PID 1896 wrote to memory of 1188	1896	cmd.exe	53
PID 1896 wrote to memory of 1152	1896	cmd.exe	54
PID 1896 wrote to memory of 1152	1896	cmd.exe	54
PID 1896 wrote to memory of 1152	1896	cmd.exe	54
PID 1152 wrote to memory of 3036	1152	PerfWatson1.exe	55
PID 1152 wrote to memory of 3036	1152	PerfWatson1.exe	55
PID 1152 wrote to memory of 3036	1152	PerfWatson1.exe	55
PID 1152 wrote to memory of 2376	1152	PerfWatson1.exe	57
PID 1152 wrote to memory of 2376	1152	PerfWatson1.exe	57
PID 1152 wrote to memory of 2376	1152	PerfWatson1.exe	57
PID 2376 wrote to memory of 2460	2376	cmd.exe	59
PID 2376 wrote to memory of 2460	2376	cmd.exe	59
PID 2376 wrote to memory of 2460	2376	cmd.exe	59
PID 2376 wrote to memory of 2128	2376	cmd.exe	60
PID 2376 wrote to memory of 2128	2376	cmd.exe	60
PID 2376 wrote to memory of 2128	2376	cmd.exe	60
PID 2376 wrote to memory of 480	2376	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2520
- C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2832
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\D0SiDwiRS5Wk.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2640
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2872
  - - C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
      "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2624
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tog4ubqxPRxN.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2856
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1684
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2936
      - C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2920
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\I8H78cHE367k.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2144
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1188
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3036
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EwMNZpId4ZWB.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2460
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2128
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:480
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:324
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hZStIM92SVxl.bat" "
        11⤵
        
        PID:2556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1760
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2836
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2576
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KPTjfTS44m9z.bat" "
        13⤵
        
        PID:2488
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2532
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1480
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2292
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zxgGMWgqDiAH.bat" "
        15⤵
        
        PID:2120
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1980
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2612
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\61f0wi6V0KfV.bat" "
        17⤵
        
        PID:2004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2580
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2772
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2656
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pHlMECGz32y9.bat" "
        19⤵
        
        PID:2660
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2904
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2956
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2876
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8ZeXdU4bFCje.bat" "
        21⤵
        
        PID:464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2960
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3068
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3028
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fNIF29HgJgGb.bat" "
        23⤵
        
        PID:2584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1200
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2492
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\X9q5akbXDJXy.bat" "
        25⤵
        
        PID:2300
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2156
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1144
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\meJe4Rxdh46b.bat" "
        27⤵
        
        PID:1732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:708
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1068
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1888
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HuRpzj1nW9Fz.bat" "
        29⤵
        
        PID:1584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1992
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2520
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MSLS2WDHPcVC.bat" "
        31⤵
        
        PID:2264
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2760
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\61f0wi6V0KfV.bat

Filesize
210B

MD5
1cb30ae4ddb6661995c9498fc3333204

SHA1
35a8088f7a0cb342329d3debf3fd9bbb9f2ee4c2

SHA256
39bfd76085ed30376cfa1b360e8d47d59ccc4e11027e3aa8a477c0136a81d0d7

SHA512
2dd1afe391a5086750b46ae0486accbb1eb8676d23e48b88417dd1c1364c2546232557310d6329376f03537e7f8ae4d88d2d6b12fd1c8633436eef0205df61a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ZeXdU4bFCje.bat

Filesize
210B

MD5
67a32cff470195a9783d54d5d8d0520f

SHA1
0df912601c6258ba31d2738893d9cd2a1b33c5a3

SHA256
50fa7d5ad38a8c3c395b16333ec96bd3ae9fb4fc9be78da40081acbf9a645b9a

SHA512
e01b34467690e197bad3017af9335ab2588df37cc82c617b8303da680aeb7c40a9d7092b259d5afbfca54655432c1435b79fc38d3542e6668ddc6e5eac35f7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\D0SiDwiRS5Wk.bat

Filesize
210B

MD5
861be57adfeb7dc3cfe16d695407c225

SHA1
646d90b215fb3c26a9f8512a7a9a57645b93c7d6

SHA256
7624beaf52a7fcd0455c749cb9e02386e9c031760d4bf6d979d76c6767d1ec7e

SHA512
6dcf4c2cccc18e624c939de0bdfa8b94cd85ff87eb326b0bc14695098d4e28d6ec90c46e905710c3264a4fd6b21e4649c395a075d434f03dfc00fa88526e7070

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwMNZpId4ZWB.bat

Filesize
210B

MD5
b08b12070428cef2984558c21a779a6c

SHA1
74d63ec2d5f74cf494ace00f59bf391fd10a84ba

SHA256
f92434bb6eef58aa83de7410eaffde239206a04df29b223a37aee2654d674b92

SHA512
3c0f8fcf0731fd9884abb4e202c6b305898a319200f8e149f4123a6c4b446d7c8177ab633bdad510091b8d40aae8545af0508acc32235ea4a3be443ed51bd84c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HuRpzj1nW9Fz.bat

Filesize
210B

MD5
b12be00387d33bfbe532cef917397476

SHA1
72ce6ba1d725b3bd0299c9833757da6e953be6dd

SHA256
346b44f7b739bf922b02c1fbe9cbeff8ed9325b5ddc28b1340cddf65f2e03b30

SHA512
5019bd6ed8e913c5e8239ed1753904ff7fc860e13a00458e8278d36be5e63599797a995206e634f159e6b808c10f63ae87b80c4b085333756d63564283b9076b

Download Submit
C:\Users\Admin\AppData\Local\Temp\I8H78cHE367k.bat

Filesize
210B

MD5
93a26dbd3ad0477b60e60274a7782e7d

SHA1
a7112b2cd45b5ffa515956b5ca950d227f2c74a4

SHA256
f00dc849915c7a120ba64bb5c6a09018c1337ee487dfa12ab38ff2d508314603

SHA512
46d8dcca5025f6ceeba05f17fb46bcd218d1f1ea6a1ffdf21f44aaf96c72e076d874ccfa1f331a2f4e57fe370fb9797f85b96e6e0a97cfb1dddca5ea4ae9252f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KPTjfTS44m9z.bat

Filesize
210B

MD5
cac69fb8fe3b39498a70d5931413de65

SHA1
bc26087d7eab53d97cf40a5bed26a5e8bbcdcca9

SHA256
b336426354bdb61e14cf7abe1deb44112a2daf602853908cca83c5a1431aae9e

SHA512
822347ad16ce2ca047654b43f4ce1c17b9e536edf6338c81137a4e4da02d7a3ca6a69e72519b8e2044f4f18985dc17af366f589a78002cde867a13a272e0d0ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSLS2WDHPcVC.bat

Filesize
210B

MD5
45375f648b88f98021e675ecd5f0d6b8

SHA1
fdbb52c978e7815fb9974dc6dfd8c1654cbe9131

SHA256
9196a3a1e372a0c49a1910d3bee33f8324510e7f8b20b8cf36928750c2eab7a0

SHA512
b27bc72089502c1b75d42d714ad919d341959102dc7950b2ad077e7aa0ade6f94a9e802edf091556f04b73726643832d2da0ef0995720b3de3e04005e152974c

Download Submit
C:\Users\Admin\AppData\Local\Temp\X9q5akbXDJXy.bat

Filesize
210B

MD5
46e6e462d5f475757ce4a82a7720f9cb

SHA1
e1204fdaafd3e0103466a1e3bee72de2d9fff2fd

SHA256
da71cff91f399ccda80804158e0e8bb8678be3ffb24c349e1b2227cc31f8e2df

SHA512
5153a9e37637f224fec1d49cb1dd99420a760ab730b60f597a18f54ca72083008b98e5a243d0d61d09b683ff2d8fa2dd5b5e24de5ca373db83f2377a8567e96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fNIF29HgJgGb.bat

Filesize
210B

MD5
66cb3ca947d5c7562f72ee4d5b9f99c5

SHA1
3403501b0f0ca5be2060fb45b8f90ca2eab76013

SHA256
6f7baacd9b27c1e081074152f165bb6fc5d6910375f3ceb4501ff089ea2fa252

SHA512
833674f80677dde40742e30347df1a1e57563e625e961c12f5eb8952f1b8e53cc95c7cd6018b978b836ef216d802f826855aa457b8bb79b9bd41845794cf81c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hZStIM92SVxl.bat

Filesize
210B

MD5
c407a1f56a0d8d3871b386435842c7dd

SHA1
6df76dd2c0dfc60ec06fbffc45793891cab3a25b

SHA256
d4cb831a27bfe50603ef376ca0d6e3eb6a4f31abba81230ba472bcaca9d04570

SHA512
956580b95666eb2cab7acafed1bca4fb1b0b5fee19a1f3312ee6bcdaf4a3d540badda0811483558a345000526faf11fa8bab32cdaa18a34d01cbcab0864e0c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\meJe4Rxdh46b.bat

Filesize
210B

MD5
883997b737739dc1a91267a5c76ad23b

SHA1
291da8d691dce3ba5708b777da63d6a9af693b0b

SHA256
7680108839462ab3e4570be58c4d4bc085005fc96c7e177a1c465908ec507252

SHA512
6bec0a0af21f4ee292ab0c0b2582cd68349fc8c1c5387b0b98b3aa3c9cdda2736d4cebf33fa27d411045ebaf244650705d59031fb5f900b36fa9847aceb8ce43

Download Submit
C:\Users\Admin\AppData\Local\Temp\pHlMECGz32y9.bat

Filesize
210B

MD5
0b20b3dc7fbc36d93e45237d2ff71b70

SHA1
001cbfe28fcfa72057ccfdbd97f04fc9c8946359

SHA256
c8289d1a6302776979b25f6c430c16032528e8ad301f6a7c7d3f11ec34abf92e

SHA512
f176203c034b8d39b9f17e6cc4189386daf972db9d97514369d7b02a99e57824823827ab4f8f50b7241cfaa3fb2e5fc4a87a9d22329fafe92ce57405e66a39b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tog4ubqxPRxN.bat

Filesize
210B

MD5
bdd0b012ec485093296ebe7637fe4dcf

SHA1
55d2456f3773002cad62d5242cb8de21f00e5cef

SHA256
fa0e2fa1d38ace53057115b43bf6c7f1d1b8c718fd3c4e94e43ec080f2330715

SHA512
18910df632455922b9ca3823d3f9c7f88e4694e12ef1decf7c5104325aadda70ba6599e51117954dfb63df159a0457d162adb516556d32f8f4570aefd94355b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxgGMWgqDiAH.bat

Filesize
210B

MD5
2529eaaf59489a7c570745655b7fc502

SHA1
c6c05d146fa2daba376c914821d06ec793968f60

SHA256
7d4a3c617fdc9976bc9843aa86177b10ea1a8b744adb88b4ed97296f2d59429c

SHA512
ec11c98d6c05094a29f31bff2c7ae058ff5bf8287701414069fb8e04bb5ebd7c60c3c127e2942c9fec3d568589e1b42bb5bac3a6692f89246da00bcaddba5f4e

Download Submit
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

Filesize
3.1MB

MD5
c2281b1740f2acd02e9e19f83441b033

SHA1
bf321d96b83261e5487f06c9c0ddfc75786c7c8c

SHA256
8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997

SHA512
0c8a95e5caa07047073077a252a891e321cf1a8c964e6e99b72a1c701e6368e63aa82c0425f58364887de3c277130c3c1acda2064332c377efaccf6ce568e027

Download Submit
memory/316-131-0x0000000000E20000-0x0000000001144000-memory.dmp

Filesize
3.1MB

Download
memory/480-54-0x0000000000E80000-0x00000000011A4000-memory.dmp

Filesize
3.1MB

Download
memory/1152-43-0x0000000000A40000-0x0000000000D64000-memory.dmp

Filesize
3.1MB

Download
memory/1184-109-0x00000000001A0000-0x00000000004C4000-memory.dmp

Filesize
3.1MB

Download
memory/1440-165-0x0000000000300000-0x0000000000624000-memory.dmp

Filesize
3.1MB

Download
memory/1944-66-0x0000000001290000-0x00000000015B4000-memory.dmp

Filesize
3.1MB

Download
memory/2052-7-0x0000000000DF0000-0x0000000001114000-memory.dmp

Filesize
3.1MB

Download
memory/2052-19-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2052-9-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2052-10-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2356-120-0x0000000000370000-0x0000000000694000-memory.dmp

Filesize
3.1MB

Download
memory/2496-143-0x0000000000FE0000-0x0000000001304000-memory.dmp

Filesize
3.1MB

Download
memory/2544-1-0x0000000000B60000-0x0000000000E84000-memory.dmp

Filesize
3.1MB

Download
memory/2544-8-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2544-2-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2544-0-0x000007FEF5DC3000-0x000007FEF5DC4000-memory.dmp

Filesize
4KB

Download
memory/2928-32-0x00000000001E0000-0x0000000000504000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads