quasar | 8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997

Analysis

max time kernel
142s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14495_Client-built.exe
Size

3.1MB
MD5

c2281b1740f2acd02e9e19f83441b033
SHA1

bf321d96b83261e5487f06c9c0ddfc75786c7c8c
SHA256

8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997
SHA512

0c8a95e5caa07047073077a252a891e321cf1a8c964e6e99b72a1c701e6368e63aa82c0425f58364887de3c277130c3c1acda2064332c377efaccf6ce568e027
SSDEEP

49152:jyF/j2yMy5en93hlLLzJjVrvjkoGduTHHB72eh2NT:jydj2yMy5en93hlLLzJjVrvo

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

connectdadad.ddns.net:4782

Mutex

e862a94f-5f45-4b8c-89de-f84dadb095d0

Attributes

encryption_key
23E5F6D22FEE1750D36544A759A48349B064BC34
install_name
PerfWatson1.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhost
subdirectory
KDOT

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 8 IoCs

resource	yara_rule
behavioral1/memory/2168-1-0x0000000001190000-0x00000000014B4000-memory.dmp	family_quasar
behavioral1/files/0x0007000000015d81-5.dat	family_quasar
behavioral1/memory/2456-9-0x0000000000CA0000-0x0000000000FC4000-memory.dmp	family_quasar
behavioral1/memory/916-63-0x00000000012C0000-0x00000000015E4000-memory.dmp	family_quasar
behavioral1/memory/2932-104-0x0000000000180000-0x00000000004A4000-memory.dmp	family_quasar
behavioral1/memory/1304-115-0x00000000009A0000-0x0000000000CC4000-memory.dmp	family_quasar
behavioral1/memory/848-126-0x00000000009F0000-0x0000000000D14000-memory.dmp	family_quasar
behavioral1/memory/2988-137-0x00000000010F0000-0x0000000001414000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2456	PerfWatson1.exe
2784	PerfWatson1.exe
620	PerfWatson1.exe
1776	PerfWatson1.exe
2600	PerfWatson1.exe
916	PerfWatson1.exe
1652	PerfWatson1.exe
2420	PerfWatson1.exe
2692	PerfWatson1.exe
2932	PerfWatson1.exe
1304	PerfWatson1.exe
848	PerfWatson1.exe
2988	PerfWatson1.exe
1092	PerfWatson1.exe
2428	PerfWatson1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1876	PING.EXE
1892	PING.EXE
632	PING.EXE
1372	PING.EXE
320	PING.EXE
2788	PING.EXE
2624	PING.EXE
2004	PING.EXE
700	PING.EXE
2800	PING.EXE
1156	PING.EXE
1288	PING.EXE
1260	PING.EXE
864	PING.EXE
2740	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1892	PING.EXE
1372	PING.EXE
320	PING.EXE
2004	PING.EXE
632	PING.EXE
2788	PING.EXE
1156	PING.EXE
1876	PING.EXE
864	PING.EXE
2800	PING.EXE
2740	PING.EXE
2624	PING.EXE
700	PING.EXE
1288	PING.EXE
1260	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2988	schtasks.exe
2816	schtasks.exe
2528	schtasks.exe
3052	schtasks.exe
2180	schtasks.exe
1092	schtasks.exe
2792	schtasks.exe
2000	schtasks.exe
1540	schtasks.exe
2628	schtasks.exe
560	schtasks.exe
1904	schtasks.exe
1812	schtasks.exe
1768	schtasks.exe
860	schtasks.exe
2176	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2168	14495_Client-built.exe
Token: SeDebugPrivilege	2456	PerfWatson1.exe
Token: SeDebugPrivilege	2784	PerfWatson1.exe
Token: SeDebugPrivilege	620	PerfWatson1.exe
Token: SeDebugPrivilege	1776	PerfWatson1.exe
Token: SeDebugPrivilege	2600	PerfWatson1.exe
Token: SeDebugPrivilege	916	PerfWatson1.exe
Token: SeDebugPrivilege	1652	PerfWatson1.exe
Token: SeDebugPrivilege	2420	PerfWatson1.exe
Token: SeDebugPrivilege	2692	PerfWatson1.exe
Token: SeDebugPrivilege	2932	PerfWatson1.exe
Token: SeDebugPrivilege	1304	PerfWatson1.exe
Token: SeDebugPrivilege	848	PerfWatson1.exe
Token: SeDebugPrivilege	2988	PerfWatson1.exe
Token: SeDebugPrivilege	1092	PerfWatson1.exe
Token: SeDebugPrivilege	2428	PerfWatson1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2456	PerfWatson1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 3052	2168	14495_Client-built.exe	30
PID 2168 wrote to memory of 3052	2168	14495_Client-built.exe	30
PID 2168 wrote to memory of 3052	2168	14495_Client-built.exe	30
PID 2168 wrote to memory of 2456	2168	14495_Client-built.exe	32
PID 2168 wrote to memory of 2456	2168	14495_Client-built.exe	32
PID 2168 wrote to memory of 2456	2168	14495_Client-built.exe	32
PID 2456 wrote to memory of 2180	2456	PerfWatson1.exe	33
PID 2456 wrote to memory of 2180	2456	PerfWatson1.exe	33
PID 2456 wrote to memory of 2180	2456	PerfWatson1.exe	33
PID 2456 wrote to memory of 2768	2456	PerfWatson1.exe	35
PID 2456 wrote to memory of 2768	2456	PerfWatson1.exe	35
PID 2456 wrote to memory of 2768	2456	PerfWatson1.exe	35
PID 2768 wrote to memory of 2804	2768	cmd.exe	37
PID 2768 wrote to memory of 2804	2768	cmd.exe	37
PID 2768 wrote to memory of 2804	2768	cmd.exe	37
PID 2768 wrote to memory of 2624	2768	cmd.exe	38
PID 2768 wrote to memory of 2624	2768	cmd.exe	38
PID 2768 wrote to memory of 2624	2768	cmd.exe	38
PID 2768 wrote to memory of 2784	2768	cmd.exe	40
PID 2768 wrote to memory of 2784	2768	cmd.exe	40
PID 2768 wrote to memory of 2784	2768	cmd.exe	40
PID 2784 wrote to memory of 2628	2784	PerfWatson1.exe	41
PID 2784 wrote to memory of 2628	2784	PerfWatson1.exe	41
PID 2784 wrote to memory of 2628	2784	PerfWatson1.exe	41
PID 2784 wrote to memory of 1284	2784	PerfWatson1.exe	43
PID 2784 wrote to memory of 1284	2784	PerfWatson1.exe	43
PID 2784 wrote to memory of 1284	2784	PerfWatson1.exe	43
PID 1284 wrote to memory of 2852	1284	cmd.exe	45
PID 1284 wrote to memory of 2852	1284	cmd.exe	45
PID 1284 wrote to memory of 2852	1284	cmd.exe	45
PID 1284 wrote to memory of 2004	1284	cmd.exe	46
PID 1284 wrote to memory of 2004	1284	cmd.exe	46
PID 1284 wrote to memory of 2004	1284	cmd.exe	46
PID 1284 wrote to memory of 620	1284	cmd.exe	47
PID 1284 wrote to memory of 620	1284	cmd.exe	47
PID 1284 wrote to memory of 620	1284	cmd.exe	47
PID 620 wrote to memory of 1768	620	PerfWatson1.exe	48
PID 620 wrote to memory of 1768	620	PerfWatson1.exe	48
PID 620 wrote to memory of 1768	620	PerfWatson1.exe	48
PID 620 wrote to memory of 2980	620	PerfWatson1.exe	50
PID 620 wrote to memory of 2980	620	PerfWatson1.exe	50
PID 620 wrote to memory of 2980	620	PerfWatson1.exe	50
PID 2980 wrote to memory of 588	2980	cmd.exe	52
PID 2980 wrote to memory of 588	2980	cmd.exe	52
PID 2980 wrote to memory of 588	2980	cmd.exe	52
PID 2980 wrote to memory of 700	2980	cmd.exe	53
PID 2980 wrote to memory of 700	2980	cmd.exe	53
PID 2980 wrote to memory of 700	2980	cmd.exe	53
PID 2980 wrote to memory of 1776	2980	cmd.exe	54
PID 2980 wrote to memory of 1776	2980	cmd.exe	54
PID 2980 wrote to memory of 1776	2980	cmd.exe	54
PID 1776 wrote to memory of 860	1776	PerfWatson1.exe	55
PID 1776 wrote to memory of 860	1776	PerfWatson1.exe	55
PID 1776 wrote to memory of 860	1776	PerfWatson1.exe	55
PID 1776 wrote to memory of 1732	1776	PerfWatson1.exe	57
PID 1776 wrote to memory of 1732	1776	PerfWatson1.exe	57
PID 1776 wrote to memory of 1732	1776	PerfWatson1.exe	57
PID 1732 wrote to memory of 2204	1732	cmd.exe	59
PID 1732 wrote to memory of 2204	1732	cmd.exe	59
PID 1732 wrote to memory of 2204	1732	cmd.exe	59
PID 1732 wrote to memory of 1892	1732	cmd.exe	60
PID 1732 wrote to memory of 1892	1732	cmd.exe	60
PID 1732 wrote to memory of 1892	1732	cmd.exe	60
PID 1732 wrote to memory of 2600	1732	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\14495_Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\14495_Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\14495_Client-built.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3052
- C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2180
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\1CTEHBUq4QNa.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2804
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2624
  - - C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
      "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2628
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\et054cyFPoUi.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1284
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2852
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2004
      - C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1768
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Hgw0X7m6Pdop.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:588
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:700
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:860
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DaIOAl9C0DZC.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2204
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1892
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:560
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OtpnKMKxBTW7.bat" "
        11⤵
        
        PID:2284
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1808
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:632
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2988
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LKKTvLlZbsBI.bat" "
        13⤵
        
        PID:796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1372
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1092
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\09K0UeIrKQvs.bat" "
        15⤵
        
        PID:2288
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2152
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:320
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2816
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hXWYSZiRApzt.bat" "
        17⤵
        
        PID:2052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2860
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2788
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1904
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\90t967gN3T3K.bat" "
        19⤵
        
        PID:2840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3004
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1156
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2792
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OB3wtkyYjCSq.bat" "
        21⤵
        
        PID:812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1012
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1288
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1812
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZifmXdTG0t0N.bat" "
        23⤵
        
        PID:2204
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1136
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1876
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2000
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\z16Vd3uHXJOl.bat" "
        25⤵
        
        PID:964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1260
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2528
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DbG1xUQ5djPF.bat" "
        27⤵
        
        PID:1984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:864
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1540
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\urBChJR2Jh9H.bat" "
        29⤵
        
        PID:2200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2800
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2176
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1htlejHsxPKA.bat" "
        31⤵
        
        PID:2880
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2240
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\09K0UeIrKQvs.bat

Filesize
210B

MD5
27a34e0efbb21a72dfce95c730106ab3

SHA1
912bb676428dcd464c37ea214113a872a4e98b79

SHA256
4e278bda996f08f1d3d3e4491aaf4c422d19aad104b5f215b326a9b6ef41918c

SHA512
f6db0f1a9dde900f707b2f9b2dec6258f74f9b94743c3afdf6134f1e83240c70bf1d461203977ee92e610d726405d39a8abe3c471fa5f977bb64d9c2f3ac4dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1CTEHBUq4QNa.bat

Filesize
210B

MD5
2da912f01c11eb0bd41a4958b0c96a5c

SHA1
43c5381dfb01f0dbe9b16240646e1982ef6cdb9f

SHA256
b3e5f8d35022eb388ad3f04b5020e339cf3b17d3f8b02d8f5dd23350f652f566

SHA512
6b6184b815074bb4769a4b7edbc430f241d08a70ad9cd631ac915591c090f3369b525b034bcb020302b5c12bb4f6b6747e87f04cee7d3e5f478049ebaa9a0634

Download Submit
C:\Users\Admin\AppData\Local\Temp\1htlejHsxPKA.bat

Filesize
210B

MD5
a579fa74b688b6d7ec79926995b75bb0

SHA1
14e389903f4254600857897d527f89a1a61f3955

SHA256
bd434c7e8f498b4fcffc16f0acf1d3d3095b6992c77bf03883a1ca1a681bcf53

SHA512
c02d33d775273e95108718df39702b955425c38dbe9439ffc4d3c93df800dcfa30b98f8b8c354181feefb3b042c828db776d278971fb519369b786883b4b3ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\90t967gN3T3K.bat

Filesize
210B

MD5
a0043cbe3cb86952223d07d5d9381518

SHA1
d5901df553406c42ca63afd0e50bfa462e1ba31b

SHA256
63f12abf39ed74393fa0ef94c4e48b6d496be37d2d5d6680c3baf04081d2903c

SHA512
17190e333d86d28ca684c9eda65bbf8f4e806e31ecb9323d82328040f3baa6a3bdaf16574ea714076765a2ec6a7848866d1c17e7025ff226eac39037b6a4cb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\DaIOAl9C0DZC.bat

Filesize
210B

MD5
d5fa8101322f8d4fded15bc674e34f53

SHA1
8bb5238fa6c20de39374bec28930b29cf1fb97e8

SHA256
633859ea3b46206664ec6cdaa8ec7a5c216521bb054536c6da4f9cfe8322f1ef

SHA512
b0a513af3d82cddf02116ea182aa952e7ea1cea8b41dd2457d3f25587c1309b3bf85ac103867a89864a57a2253d1bce6405043d0b9d7a4c9bcbac0b3d392052a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DbG1xUQ5djPF.bat

Filesize
210B

MD5
3cb2dae1d8b7ad33641a8aed1b652b90

SHA1
4cc02945f791c2a06180dfddb1ecc7375495c8ed

SHA256
0101d674a315a2437005b9e442f965f3284f3e2ebaf5dc038fa334f93072f1b4

SHA512
48c9cc3c628293ed7bb87742796912b61a742e54e3c34ed273a46786fecd6609bdf5d43e46023d2ec3b8ae54ffc7f1963f6fdfb32d945656fc29fd5c3f993e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hgw0X7m6Pdop.bat

Filesize
210B

MD5
fadd8acca2df9ea83255e10df2a3be3b

SHA1
17df5b699ddb002ac0200a12fe0b55ee715e539f

SHA256
bf64963e9d94ee5309377fc28741b2dfc2ae97a1ebe27e963bf163c140c2a58f

SHA512
fcb7d97e43f4b1a561c196d6804b8c89204b93b8d135800f8c0f43d5cea637f88281e4b797e21e5c32c118f035f68e6f15b9a0e3d83e27f396fb5defcc3ef33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LKKTvLlZbsBI.bat

Filesize
210B

MD5
3c0d5ed30aedccfafc6f64ff79a2ed9b

SHA1
516158e2a7df3f23d6338b4cb11a90eb939d7a8f

SHA256
45edaa48c7a8b0b12c5e50cb77dec5dd0688c5d866469b744707cadd08192a6e

SHA512
dadf97a3e7bdebe94631db742059120e31e7eea1f6d9d28f5b64d2532268b18913e60cee78f8a66939dde3779717acbf7ff5766bfc5b24abcdb759adda025b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\OB3wtkyYjCSq.bat

Filesize
210B

MD5
832f6951b394e1f6e28860bafe2ea708

SHA1
7c5d2c7d96051602f300e266cb23866cf85483e9

SHA256
5eb9945a8d2bca6062429842538be7c199709b5e6cfa8563ca2c40f0ff0b8d0a

SHA512
e35fd0545e9dfe59382556ff8614ccdaf966cd0ac486b6bad657696c7296a5de5fff9644d923d713ab99a4c2a476990bb72bd29e25f9f9c949ecbbc67b99b525

Download Submit
C:\Users\Admin\AppData\Local\Temp\OtpnKMKxBTW7.bat

Filesize
210B

MD5
59ffc03710d194a17a5f50082d497151

SHA1
50dd0e908863e8fc658b2d6ae84336e6719b3b8f

SHA256
15889c5d1080108130df2b292a70baf2e5300711e87bf9c71c18216ec3daca4b

SHA512
fd12cfcb66846ab75816832743e7aebe29af358e4deb720e432befc26bb46c8fcd2f26d0eb9f992f080e50a4b9d1c282d2191a21d4cce867caa91cf5b46b864c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZifmXdTG0t0N.bat

Filesize
210B

MD5
7de280432a66503c65551e9a163aece9

SHA1
b4f54bae68cdd32c672abaa06010ef9307585806

SHA256
60563404f59ee41bd56a6e5644ffd6ac13af7f6aa9a18e13aa0e50b39eaa049b

SHA512
a3337790333b314a9e4ca360d2b10f2c2940a9a6b028421dfd8998841dc5e402dff1de85c0581264fa647c8d8dd67640cc2c7f3fc06dfae09fda38c87ffbfca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\et054cyFPoUi.bat

Filesize
210B

MD5
7d28732be922b0cb739f2bbe2b818dba

SHA1
0fe3a08f69dc6efa902ebb770701f214427468f8

SHA256
71240069d6f3180fb3ba52699fe06a2fac2d2a9de4aef7113e9dbac14e27ee9e

SHA512
14f341a441c5e97fd684554eaa949df8c336344d9970c4609a6dc175b5ecf7832cd2a22fa8a64cf973b527f01b4aa799527070321eef97ef7e2f537d821882f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hXWYSZiRApzt.bat

Filesize
210B

MD5
ef2dc080639bc3157c5791973821130b

SHA1
9effad6ba128efa302cbbeba9917ce496b537846

SHA256
76cec50d5fb1872818d7f4fe2b63874f070f645d4ad5c3c97269d5cf5972c62f

SHA512
4d01d314e00c246fbfd181d8771bdf5cd44cf68e9d35f3ef0417c1eac6d4bba65b368ba1c839f8af859f5fb7f7fe0c800580c75f37b8d29497d7fb0095414197

Download Submit
C:\Users\Admin\AppData\Local\Temp\urBChJR2Jh9H.bat

Filesize
210B

MD5
65323dbc640f64745da4cc1b88db8e63

SHA1
2628c7454eee3ddd1bb244cc06df0b9fedc42157

SHA256
2166c49128075a0bc71a7be95af23fd010d874ea903513a993291ea4636be49a

SHA512
1110dc7e167d94d91579f12decc4a322618335068f5b54be83839cdabdf23e440fe6448cdcd074c769a42fdf5842909da2f2505fb5ffe3b4ffefd63250d7d77e

Download Submit
C:\Users\Admin\AppData\Local\Temp\z16Vd3uHXJOl.bat

Filesize
210B

MD5
8055eef1f39531c63084ca83cefa4570

SHA1
f59093935578794db1221faff2fb4e15934b1008

SHA256
0763b2da2e1c36f8e6bacf5f262e3cc0109bb683db84ee8f3f1fbf1490124b2e

SHA512
94d66e7c6d93e5c4212444efa7aa1059b804996c5d4090f83278025696e62ee3279d52ec40ac9198cb4e24559a93dff8dbb4f350f79b6ce3292bf746406bf331

Download Submit
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

Filesize
3.1MB

MD5
c2281b1740f2acd02e9e19f83441b033

SHA1
bf321d96b83261e5487f06c9c0ddfc75786c7c8c

SHA256
8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997

SHA512
0c8a95e5caa07047073077a252a891e321cf1a8c964e6e99b72a1c701e6368e63aa82c0425f58364887de3c277130c3c1acda2064332c377efaccf6ce568e027

Download Submit
memory/848-126-0x00000000009F0000-0x0000000000D14000-memory.dmp

Filesize
3.1MB

Download
memory/916-63-0x00000000012C0000-0x00000000015E4000-memory.dmp

Filesize
3.1MB

Download
memory/1304-115-0x00000000009A0000-0x0000000000CC4000-memory.dmp

Filesize
3.1MB

Download
memory/2168-7-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2168-0-0x000007FEF5883000-0x000007FEF5884000-memory.dmp

Filesize
4KB

Download
memory/2168-2-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2168-1-0x0000000001190000-0x00000000014B4000-memory.dmp

Filesize
3.1MB

Download
memory/2456-8-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2456-9-0x0000000000CA0000-0x0000000000FC4000-memory.dmp

Filesize
3.1MB

Download
memory/2456-10-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2456-20-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2932-104-0x0000000000180000-0x00000000004A4000-memory.dmp

Filesize
3.1MB

Download
memory/2988-137-0x00000000010F0000-0x0000000001414000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads