quasar | 2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sharpmonoinjector.exe
Size

3.1MB
MD5

4522bc113a6f5b984e9ffac278f9f064
SHA1

392ec955d7b5c5da965f7af9f929b89c33409b03
SHA256

2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58
SHA512

c0980d621a154adb63bdb8a4e7adc863a40d1af8d98d18bd0671fc07721639d66b10d471d4dddc0e78cc127d4c0429f3084618f227919e4a552d6de4ee7793ff
SSDEEP

98304:6WV5SgjlbwPdRl5fGO4ZL0luiel9uRJk3HZ2b/aryTnrfvnM3A2Ozvg:FTQzo

Score

10^/10

quasar zjeb discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

ZJEB

VIPEEK1990-25013.portmap.host:25013

Mutex

ebef1e3c-805b-4b1a-aa24-bf4dcab44476

Attributes

encryption_key
3EBA8BC34FA983893A9B07B831E7CEB183F7492D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security Service
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 7 IoCs

resource	yara_rule
behavioral1/memory/2980-1-0x0000000000350000-0x0000000000674000-memory.dmp	family_quasar
behavioral1/memory/2908-13-0x0000000000D20000-0x0000000001044000-memory.dmp	family_quasar
behavioral1/memory/2484-42-0x0000000000150000-0x0000000000474000-memory.dmp	family_quasar
behavioral1/memory/1048-52-0x0000000000D00000-0x0000000001024000-memory.dmp	family_quasar
behavioral1/memory/2148-62-0x00000000012F0000-0x0000000001614000-memory.dmp	family_quasar
behavioral1/memory/3024-118-0x0000000000160000-0x0000000000484000-memory.dmp	family_quasar
behavioral1/memory/2768-140-0x00000000000B0000-0x00000000003D4000-memory.dmp	family_quasar

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 16 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2100	PING.EXE
1972	PING.EXE
2924	PING.EXE
1240	PING.EXE
568	PING.EXE
2780	PING.EXE
1560	PING.EXE
1248	PING.EXE
952	PING.EXE
2316	PING.EXE
376	PING.EXE
2608	PING.EXE
2236	PING.EXE
2344	PING.EXE
1900	PING.EXE
2224	PING.EXE

Runs ping.exe 1 TTPs 16 IoCs

Remote System Discovery

T1018

pid	Process
2316	PING.EXE
2780	PING.EXE
1560	PING.EXE
952	PING.EXE
2924	PING.EXE
2236	PING.EXE
2608	PING.EXE
2344	PING.EXE
2224	PING.EXE
1248	PING.EXE
376	PING.EXE
568	PING.EXE
1972	PING.EXE
1240	PING.EXE
1900	PING.EXE
2100	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2864	schtasks.exe
1704	schtasks.exe
2944	schtasks.exe
1768	schtasks.exe
1052	schtasks.exe
1708	schtasks.exe
2840	schtasks.exe
1264	schtasks.exe
2140	schtasks.exe
2964	schtasks.exe
1620	schtasks.exe
2600	schtasks.exe
476	schtasks.exe
380	schtasks.exe
3068	schtasks.exe
1764	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	sharpmonoinjector.exe
Token: SeDebugPrivilege	2908	sharpmonoinjector.exe
Token: SeDebugPrivilege	664	sharpmonoinjector.exe
Token: SeDebugPrivilege	2020	sharpmonoinjector.exe
Token: SeDebugPrivilege	2484	sharpmonoinjector.exe
Token: SeDebugPrivilege	1048	sharpmonoinjector.exe
Token: SeDebugPrivilege	2148	sharpmonoinjector.exe
Token: SeDebugPrivilege	2716	sharpmonoinjector.exe
Token: SeDebugPrivilege	1908	sharpmonoinjector.exe
Token: SeDebugPrivilege	1820	sharpmonoinjector.exe
Token: SeDebugPrivilege	1580	sharpmonoinjector.exe
Token: SeDebugPrivilege	2280	sharpmonoinjector.exe
Token: SeDebugPrivilege	3024	sharpmonoinjector.exe
Token: SeDebugPrivilege	2536	sharpmonoinjector.exe
Token: SeDebugPrivilege	2768	sharpmonoinjector.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2140	2980	sharpmonoinjector.exe	30
PID 2980 wrote to memory of 2140	2980	sharpmonoinjector.exe	30
PID 2980 wrote to memory of 2140	2980	sharpmonoinjector.exe	30
PID 2980 wrote to memory of 2740	2980	sharpmonoinjector.exe	32
PID 2980 wrote to memory of 2740	2980	sharpmonoinjector.exe	32
PID 2980 wrote to memory of 2740	2980	sharpmonoinjector.exe	32
PID 2740 wrote to memory of 2640	2740	cmd.exe	34
PID 2740 wrote to memory of 2640	2740	cmd.exe	34
PID 2740 wrote to memory of 2640	2740	cmd.exe	34
PID 2740 wrote to memory of 2924	2740	cmd.exe	35
PID 2740 wrote to memory of 2924	2740	cmd.exe	35
PID 2740 wrote to memory of 2924	2740	cmd.exe	35
PID 2740 wrote to memory of 2908	2740	cmd.exe	36
PID 2740 wrote to memory of 2908	2740	cmd.exe	36
PID 2740 wrote to memory of 2908	2740	cmd.exe	36
PID 2908 wrote to memory of 2600	2908	sharpmonoinjector.exe	37
PID 2908 wrote to memory of 2600	2908	sharpmonoinjector.exe	37
PID 2908 wrote to memory of 2600	2908	sharpmonoinjector.exe	37
PID 2908 wrote to memory of 2220	2908	sharpmonoinjector.exe	39
PID 2908 wrote to memory of 2220	2908	sharpmonoinjector.exe	39
PID 2908 wrote to memory of 2220	2908	sharpmonoinjector.exe	39
PID 2220 wrote to memory of 800	2220	cmd.exe	41
PID 2220 wrote to memory of 800	2220	cmd.exe	41
PID 2220 wrote to memory of 800	2220	cmd.exe	41
PID 2220 wrote to memory of 1240	2220	cmd.exe	42
PID 2220 wrote to memory of 1240	2220	cmd.exe	42
PID 2220 wrote to memory of 1240	2220	cmd.exe	42
PID 2220 wrote to memory of 664	2220	cmd.exe	44
PID 2220 wrote to memory of 664	2220	cmd.exe	44
PID 2220 wrote to memory of 664	2220	cmd.exe	44
PID 664 wrote to memory of 476	664	sharpmonoinjector.exe	45
PID 664 wrote to memory of 476	664	sharpmonoinjector.exe	45
PID 664 wrote to memory of 476	664	sharpmonoinjector.exe	45
PID 664 wrote to memory of 2948	664	sharpmonoinjector.exe	47
PID 664 wrote to memory of 2948	664	sharpmonoinjector.exe	47
PID 664 wrote to memory of 2948	664	sharpmonoinjector.exe	47
PID 2948 wrote to memory of 2032	2948	cmd.exe	49
PID 2948 wrote to memory of 2032	2948	cmd.exe	49
PID 2948 wrote to memory of 2032	2948	cmd.exe	49
PID 2948 wrote to memory of 1248	2948	cmd.exe	50
PID 2948 wrote to memory of 1248	2948	cmd.exe	50
PID 2948 wrote to memory of 1248	2948	cmd.exe	50
PID 2948 wrote to memory of 2020	2948	cmd.exe	51
PID 2948 wrote to memory of 2020	2948	cmd.exe	51
PID 2948 wrote to memory of 2020	2948	cmd.exe	51
PID 2020 wrote to memory of 2964	2020	sharpmonoinjector.exe	52
PID 2020 wrote to memory of 2964	2020	sharpmonoinjector.exe	52
PID 2020 wrote to memory of 2964	2020	sharpmonoinjector.exe	52
PID 2020 wrote to memory of 1788	2020	sharpmonoinjector.exe	54
PID 2020 wrote to memory of 1788	2020	sharpmonoinjector.exe	54
PID 2020 wrote to memory of 1788	2020	sharpmonoinjector.exe	54
PID 1788 wrote to memory of 1148	1788	cmd.exe	56
PID 1788 wrote to memory of 1148	1788	cmd.exe	56
PID 1788 wrote to memory of 1148	1788	cmd.exe	56
PID 1788 wrote to memory of 376	1788	cmd.exe	57
PID 1788 wrote to memory of 376	1788	cmd.exe	57
PID 1788 wrote to memory of 376	1788	cmd.exe	57
PID 1788 wrote to memory of 2484	1788	cmd.exe	58
PID 1788 wrote to memory of 2484	1788	cmd.exe	58
PID 1788 wrote to memory of 2484	1788	cmd.exe	58
PID 2484 wrote to memory of 1708	2484	sharpmonoinjector.exe	59
PID 2484 wrote to memory of 1708	2484	sharpmonoinjector.exe	59
PID 2484 wrote to memory of 1708	2484	sharpmonoinjector.exe	59
PID 2484 wrote to memory of 288	2484	sharpmonoinjector.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
"C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2140
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\AXsN8XjsZGNx.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2640
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2924
- - C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
    "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2600
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\OdzCCenTJB4f.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2220
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:800
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1240
    - - C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:664
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:476
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jVDH0rNBqu7r.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2964
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\00uK3lm9Br9j.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1708
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eXTMp0YizuWy.bat" "
        10⤵
        
        PID:288
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1244
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1768
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\s4y0fQSFupWQ.bat" "
        12⤵
        
        PID:2308
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1052
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aAQPAetx5JeM.bat" "
        14⤵
        
        PID:876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2864
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\320XWSOPskdi.bat" "
        16⤵
        
        PID:2896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
        17⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3068
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ju4roDnKTAZ3.bat" "
        18⤵
        
        PID:1196
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2124
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
        19⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2840
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\f4jrZMAItGP9.bat" "
        20⤵
        
        PID:2032
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1896
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
        21⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1620
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hubzfR7s7AY5.bat" "
        22⤵
        
        PID:1148
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2560
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1264
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\e4EdcKVQvxJE.bat" "
        24⤵
        
        PID:2484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
        25⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1764
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uutcE6poKd6l.bat" "
        26⤵
        
        PID:1004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
        27⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:380
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0hihpSmAgebR.bat" "
        28⤵
        
        PID:2396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
        29⤵
        
        PID:2388
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1704
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WbMEaIQ0Sn6l.bat" "
        30⤵
        
        PID:2712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:2752
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
        31⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        32⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2944
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\J9qunhDJbKyp.bat" "
        32⤵
        
        PID:824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:2652
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00uK3lm9Br9j.bat

Filesize
214B

MD5
16eb33bd5383321a479a51f6731f7925

SHA1
c86931ef83db23a679d75d11b5b68d6fc65c7da8

SHA256
786a0bdee6d5495f6c4b255e55ba0fb2a087674336c6712b764ab82c400b69af

SHA512
1e54cc3d73d445a955038e51207957408b7c4cde3b8267dc597ac5e15a8f00d6e9e3bc6fa13d0a80b3fabd48a3d338db0db5b4600071a902f06ed3f833128d11

Download Submit
C:\Users\Admin\AppData\Local\Temp\0hihpSmAgebR.bat

Filesize
214B

MD5
8edbf1d1930f0b7cb07a50f79d161c96

SHA1
8fb24e4b7007f371dcf4fb6e845818b28e8454a4

SHA256
dce23eca6f35e9f320478b902101d1cdf4400c46230f0e8d70fd5a25e38d7df4

SHA512
7999ad52087d64c9b4a0368b5295e0a4ec0aa0c1c56da6dec7f2f813d385b4e8878bb0b2c1615c2317a7dde6318cb12d4d33ffc9bd45e0c792fa8e16020adaf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\320XWSOPskdi.bat

Filesize
214B

MD5
be5f3c43e6fbbc58b73bc464d6f22e3e

SHA1
726e68fc15f63a3d67da0114d7af4948bf96f769

SHA256
e304b98c7dd280e8b81365775455d95cce6fe1627dcc91f2d2c369cf7452e629

SHA512
efffb4924d4e98f48e215642fbcbcc54708aeefae716b7a10bea89627a0eb55d20a42d721d7e48f0cd5a4daaaf52f5bfdc481e4f515511e6972e4df2db2e3d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\AXsN8XjsZGNx.bat

Filesize
214B

MD5
4a57dc6c0f5021d738f165d72ae11b32

SHA1
e37cbc6e7d5a56d7ce6f690c370657ae532eed22

SHA256
fbb55cd1b4f2c38c3ad48f15b695cd99608ec0d5a27d9fea372cc6dcf47dcfb0

SHA512
b01f78c3f32b6301543b1c4c7b69d1de6d577edbdbf453ce94a76afd95d5e6b72a56b647474c3cc48ae1a1df59ff9e5cfa13aa6fe733d613506cfe95de9c40df

Download Submit
C:\Users\Admin\AppData\Local\Temp\J9qunhDJbKyp.bat

Filesize
214B

MD5
933a7b8f3ed6caddf001bcff16068862

SHA1
6d4c2c5b56097f068e1cf71cc4a2bdf91e907bc6

SHA256
dde9deaef0adffada80891adf1afd87b47364d7cbbb84d9c5ef2a5d3de972588

SHA512
affba4a92a483f2eb666ebc9a6fe53892bdb71525f1654229ece86c80d324a970f1bb56422d5f4a1da83780745d4f3b04fab8ad945f9f1e147e8c9d39146821f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ju4roDnKTAZ3.bat

Filesize
214B

MD5
7cf2de0a64d898eb5816b1b94de7c80c

SHA1
c2207153cfbc1d9f51d5600f7f58b01171e139eb

SHA256
563b4e789349aa85e13358b70e1646cfd1e9cf045aef34aff622832b4493790d

SHA512
0bb69970abdfa5e789ae8ffa17bff15a600662e5824b9360fed16f95a6fe39fcdb5acddbe2045914c639b36f7a94c6ae9cf52f65ba3bf7125de506f29b81f6a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OdzCCenTJB4f.bat

Filesize
214B

MD5
e474479000114dd63d2febb92ecbbd81

SHA1
976ea0cdc7e4a63d5cb30737d7c343be2320dfa3

SHA256
f87223e44bffec05d6a74cbd7b45d13c8ce0821b98315c147d6e4db7059bc6fa

SHA512
c10076cb129abcd41564f6ea433ee85ff9a924f584fb45ffa0ff1b3eb32ddb8429e75f0f0ed459027c765e997f3d0fb829f41c2399411bf3995d42da1884406d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAQPAetx5JeM.bat

Filesize
214B

MD5
d31ce7d0422976d23746560613c9e3d7

SHA1
caa13e7b5b7d5e3b83973b34166b984270244bec

SHA256
dcf9fbe5b5a2846ae20262bffa74e89486c8a630f07ebdd6d0cb6e1d0c35a901

SHA512
9634436726b51fa6f83c6d9b5d8d9451c9c44b28bc73f2523539dfaaaf13f0b0f5dd78bf836fb9169d68e188094724bb0a51d031191dac704380bfa5c700b38d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4EdcKVQvxJE.bat

Filesize
214B

MD5
05e8b298d0fb858b76e177f52c124b89

SHA1
0ab17d0692616094f21d29d42db7b92107ed10b1

SHA256
2762dcf052b19e6336c045e53de99a68e093aa436b4def35971beef8b180e9e3

SHA512
ccf56e73665294ef175c6f69db278735e2f678cd9daad7adc9cee22fb5897284da02fce70f9888e3498b66ee9300440f640d8c2b9e2c8af0cdd4c9ccf679f876

Download Submit
C:\Users\Admin\AppData\Local\Temp\eXTMp0YizuWy.bat

Filesize
214B

MD5
1dfb62f783b56f9cb7df75d6be284669

SHA1
976944527439a920d0da8513f0707752b6fceccf

SHA256
de263623c9aeba809891d9c4468ad5961561023ac5521c6cfb14c997b7d6b001

SHA512
e5912e040c09aa8bd0ae3c575796548d7e57328e039658ebfdd1b86bb488c385ea3d78728eef40c3fd9fba5db08744b3a126bf10f6b5e2a2458626d91af1f3ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4jrZMAItGP9.bat

Filesize
214B

MD5
1fe37e4eb607d08b447e6e24f61f2966

SHA1
f430831203cd4ca1a7ea0b86d17545155a12b8d1

SHA256
5162ed6980ac4ff4192fe48a70cb2788e3b70de09163e1fda30349be2de8dbe6

SHA512
9715b61aa0e1edf108800fcf965f5978949ce98f2a05f7886597320fe837bd4e495ff08fe63f8fe47b3b058f1bf709f30124484ce870ce358f9b09bc4a0e7f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hubzfR7s7AY5.bat

Filesize
214B

MD5
f2803d800737136161ac684d84466e07

SHA1
31610e3a43536d9642f9cc40357e24e8ef513b64

SHA256
c505d930bf50b246101602e7886c7e02e66d159083c744d32ae2ab87b5545906

SHA512
fa066299eac47d3b7cf90a62e535be2a414c0d2af145ecb87b84dbe6ddec7a1391c20258ee3dcba6462e9cecc730c6943acec47402f6ba78c1b7e061af12d912

Download Submit
C:\Users\Admin\AppData\Local\Temp\jVDH0rNBqu7r.bat

Filesize
214B

MD5
238e29e83a38d3c0855b6a7ab3292867

SHA1
09c44bc919cf68882fb2027a9802c749cea99cc8

SHA256
f453e1d5f945f089c994dbbceb13a6f77ea08e34ced251e4c3e65972ffabd3ff

SHA512
59c9b1c65a72dfdeb917ec6c602cb8dd40c9b3f637b9df1829b876d087ee913eb12559bb72a5c7101511db940865375232669e4a38436897e80d8728289d2600

Download Submit
C:\Users\Admin\AppData\Local\Temp\s4y0fQSFupWQ.bat

Filesize
214B

MD5
031d49bcc0bf0e43a023615b5d926972

SHA1
561ca6ef12d13251d430e761e99df87b67b00db7

SHA256
caaedca876d9d288d5592f1929719eba4a2887d3a76133f8b978b6fcb0ebe18c

SHA512
555c09f7404a291a56525ca083aa61a72d73dcaadabb04ad1a0496c0b210de0659c23a3019d7f4366617c334fa2c563b4398a17b305c1c005d8a6f60724282d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\uutcE6poKd6l.bat

Filesize
214B

MD5
ca27faa1492aabcce0e98d1668c1d054

SHA1
39a945b0b9de4160f196698d5321ca79c39c1a93

SHA256
2364a195304cff167317fb5858a00b95c9218370d3aadc07bde2391613a75277

SHA512
bb7ced9c03101cef3a28f7863c51ef2778232d540cb3c0a0db15461b681b0d99085a84594c98a05b10d213f63b3ce036d7fe5540ac08552f9775e43cf5f0dd6f

Download Submit
memory/1048-52-0x0000000000D00000-0x0000000001024000-memory.dmp

Filesize
3.1MB

Download
memory/2148-62-0x00000000012F0000-0x0000000001614000-memory.dmp

Filesize
3.1MB

Download
memory/2388-139-0x000007FEF1C90000-0x000007FEF1D04000-memory.dmp

Filesize
464KB

Download
memory/2484-42-0x0000000000150000-0x0000000000474000-memory.dmp

Filesize
3.1MB

Download
memory/2768-140-0x00000000000B0000-0x00000000003D4000-memory.dmp

Filesize
3.1MB

Download
memory/2908-13-0x0000000000D20000-0x0000000001044000-memory.dmp

Filesize
3.1MB

Download
memory/2980-12-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2980-0-0x000007FEF5883000-0x000007FEF5884000-memory.dmp

Filesize
4KB

Download
memory/2980-2-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2980-1-0x0000000000350000-0x0000000000674000-memory.dmp

Filesize
3.1MB

Download
memory/3024-118-0x0000000000160000-0x0000000000484000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads