quasar | 8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997

Analysis

max time kernel
147s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe
Size

3.1MB
MD5

c2281b1740f2acd02e9e19f83441b033
SHA1

bf321d96b83261e5487f06c9c0ddfc75786c7c8c
SHA256

8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997
SHA512

0c8a95e5caa07047073077a252a891e321cf1a8c964e6e99b72a1c701e6368e63aa82c0425f58364887de3c277130c3c1acda2064332c377efaccf6ce568e027
SSDEEP

49152:jyF/j2yMy5en93hlLLzJjVrvjkoGduTHHB72eh2NT:jydj2yMy5en93hlLLzJjVrvo

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

connectdadad.ddns.net:4782

Mutex

e862a94f-5f45-4b8c-89de-f84dadb095d0

Attributes

encryption_key
23E5F6D22FEE1750D36544A759A48349B064BC34
install_name
PerfWatson1.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhost
subdirectory
KDOT

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 11 IoCs

resource	yara_rule
behavioral1/memory/1740-1-0x00000000001E0000-0x0000000000504000-memory.dmp	family_quasar
behavioral1/files/0x000b000000016cab-5.dat	family_quasar
behavioral1/memory/1984-8-0x0000000000EF0000-0x0000000001214000-memory.dmp	family_quasar
behavioral1/memory/2516-22-0x00000000010B0000-0x00000000013D4000-memory.dmp	family_quasar
behavioral1/memory/764-44-0x0000000000170000-0x0000000000494000-memory.dmp	family_quasar
behavioral1/memory/680-55-0x0000000000120000-0x0000000000444000-memory.dmp	family_quasar
behavioral1/memory/1064-66-0x0000000001360000-0x0000000001684000-memory.dmp	family_quasar
behavioral1/memory/2856-98-0x0000000000070000-0x0000000000394000-memory.dmp	family_quasar
behavioral1/memory/1952-109-0x0000000000C30000-0x0000000000F54000-memory.dmp	family_quasar
behavioral1/memory/1812-131-0x00000000003A0000-0x00000000006C4000-memory.dmp	family_quasar
behavioral1/memory/1808-142-0x00000000002C0000-0x00000000005E4000-memory.dmp	family_quasar

Executes dropped EXE 13 IoCs

pid	Process
1984	PerfWatson1.exe
2516	PerfWatson1.exe
1436	PerfWatson1.exe
764	PerfWatson1.exe
680	PerfWatson1.exe
1064	PerfWatson1.exe
2192	PerfWatson1.exe
1984	PerfWatson1.exe
2856	PerfWatson1.exe
1952	PerfWatson1.exe
2232	PerfWatson1.exe
1812	PerfWatson1.exe
1808	PerfWatson1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 13 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2972	PING.EXE
1784	PING.EXE
580	PING.EXE
1260	PING.EXE
2584	PING.EXE
2616	PING.EXE
2244	PING.EXE
2468	PING.EXE
2072	PING.EXE
892	PING.EXE
2848	PING.EXE
2248	PING.EXE
1780	PING.EXE

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

pid	Process
1260	PING.EXE
2584	PING.EXE
1780	PING.EXE
2468	PING.EXE
892	PING.EXE
2972	PING.EXE
1784	PING.EXE
580	PING.EXE
2616	PING.EXE
2848	PING.EXE
2248	PING.EXE
2244	PING.EXE
2072	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
756	schtasks.exe
2604	schtasks.exe
1444	schtasks.exe
1028	schtasks.exe
1644	schtasks.exe
2448	schtasks.exe
2424	schtasks.exe
2964	schtasks.exe
1500	schtasks.exe
2216	schtasks.exe
2820	schtasks.exe
2548	schtasks.exe
2364	schtasks.exe
2264	schtasks.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1740	8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe
Token: SeDebugPrivilege	1984	PerfWatson1.exe
Token: SeDebugPrivilege	2516	PerfWatson1.exe
Token: SeDebugPrivilege	1436	PerfWatson1.exe
Token: SeDebugPrivilege	764	PerfWatson1.exe
Token: SeDebugPrivilege	680	PerfWatson1.exe
Token: SeDebugPrivilege	1064	PerfWatson1.exe
Token: SeDebugPrivilege	2192	PerfWatson1.exe
Token: SeDebugPrivilege	1984	PerfWatson1.exe
Token: SeDebugPrivilege	2856	PerfWatson1.exe
Token: SeDebugPrivilege	1952	PerfWatson1.exe
Token: SeDebugPrivilege	2232	PerfWatson1.exe
Token: SeDebugPrivilege	1812	PerfWatson1.exe
Token: SeDebugPrivilege	1808	PerfWatson1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1984	PerfWatson1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2424	1740	8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe	30
PID 1740 wrote to memory of 2424	1740	8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe	30
PID 1740 wrote to memory of 2424	1740	8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe	30
PID 1740 wrote to memory of 1984	1740	8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe	32
PID 1740 wrote to memory of 1984	1740	8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe	32
PID 1740 wrote to memory of 1984	1740	8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe	32
PID 1984 wrote to memory of 2964	1984	PerfWatson1.exe	33
PID 1984 wrote to memory of 2964	1984	PerfWatson1.exe	33
PID 1984 wrote to memory of 2964	1984	PerfWatson1.exe	33
PID 1984 wrote to memory of 3016	1984	PerfWatson1.exe	35
PID 1984 wrote to memory of 3016	1984	PerfWatson1.exe	35
PID 1984 wrote to memory of 3016	1984	PerfWatson1.exe	35
PID 3016 wrote to memory of 2512	3016	cmd.exe	37
PID 3016 wrote to memory of 2512	3016	cmd.exe	37
PID 3016 wrote to memory of 2512	3016	cmd.exe	37
PID 3016 wrote to memory of 2972	3016	cmd.exe	38
PID 3016 wrote to memory of 2972	3016	cmd.exe	38
PID 3016 wrote to memory of 2972	3016	cmd.exe	38
PID 3016 wrote to memory of 2516	3016	cmd.exe	39
PID 3016 wrote to memory of 2516	3016	cmd.exe	39
PID 3016 wrote to memory of 2516	3016	cmd.exe	39
PID 2516 wrote to memory of 2548	2516	PerfWatson1.exe	40
PID 2516 wrote to memory of 2548	2516	PerfWatson1.exe	40
PID 2516 wrote to memory of 2548	2516	PerfWatson1.exe	40
PID 2516 wrote to memory of 1192	2516	PerfWatson1.exe	42
PID 2516 wrote to memory of 1192	2516	PerfWatson1.exe	42
PID 2516 wrote to memory of 1192	2516	PerfWatson1.exe	42
PID 1192 wrote to memory of 2904	1192	cmd.exe	44
PID 1192 wrote to memory of 2904	1192	cmd.exe	44
PID 1192 wrote to memory of 2904	1192	cmd.exe	44
PID 1192 wrote to memory of 1784	1192	cmd.exe	45
PID 1192 wrote to memory of 1784	1192	cmd.exe	45
PID 1192 wrote to memory of 1784	1192	cmd.exe	45
PID 1192 wrote to memory of 1436	1192	cmd.exe	46
PID 1192 wrote to memory of 1436	1192	cmd.exe	46
PID 1192 wrote to memory of 1436	1192	cmd.exe	46
PID 1436 wrote to memory of 1500	1436	PerfWatson1.exe	47
PID 1436 wrote to memory of 1500	1436	PerfWatson1.exe	47
PID 1436 wrote to memory of 1500	1436	PerfWatson1.exe	47
PID 1436 wrote to memory of 1408	1436	PerfWatson1.exe	49
PID 1436 wrote to memory of 1408	1436	PerfWatson1.exe	49
PID 1436 wrote to memory of 1408	1436	PerfWatson1.exe	49
PID 1408 wrote to memory of 2348	1408	cmd.exe	51
PID 1408 wrote to memory of 2348	1408	cmd.exe	51
PID 1408 wrote to memory of 2348	1408	cmd.exe	51
PID 1408 wrote to memory of 580	1408	cmd.exe	52
PID 1408 wrote to memory of 580	1408	cmd.exe	52
PID 1408 wrote to memory of 580	1408	cmd.exe	52
PID 1408 wrote to memory of 764	1408	cmd.exe	53
PID 1408 wrote to memory of 764	1408	cmd.exe	53
PID 1408 wrote to memory of 764	1408	cmd.exe	53
PID 764 wrote to memory of 2216	764	PerfWatson1.exe	54
PID 764 wrote to memory of 2216	764	PerfWatson1.exe	54
PID 764 wrote to memory of 2216	764	PerfWatson1.exe	54
PID 764 wrote to memory of 1964	764	PerfWatson1.exe	56
PID 764 wrote to memory of 1964	764	PerfWatson1.exe	56
PID 764 wrote to memory of 1964	764	PerfWatson1.exe	56
PID 1964 wrote to memory of 1644	1964	cmd.exe	58
PID 1964 wrote to memory of 1644	1964	cmd.exe	58
PID 1964 wrote to memory of 1644	1964	cmd.exe	58
PID 1964 wrote to memory of 1260	1964	cmd.exe	59
PID 1964 wrote to memory of 1260	1964	cmd.exe	59
PID 1964 wrote to memory of 1260	1964	cmd.exe	59
PID 1964 wrote to memory of 680	1964	cmd.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe
"C:\Users\Admin\AppData\Local\Temp\8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2424
- C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2964
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\I9vhx2Aakqu1.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2512
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2972
  - - C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
      "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2516
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2548
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PwQQUY4dauSv.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1192
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2904
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1784
      - C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1500
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xv3UyZwpZNwe.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2348
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:580
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2216
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\89ymXu8UdOMp.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1644
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1260
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:680
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:756
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rWiO67TQBZ0p.bat" "
        11⤵
        
        PID:1356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2584
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2604
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3r7BAm278qy1.bat" "
        13⤵
        
        PID:1820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2140
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2616
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2364
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dDim1BTpfeGC.bat" "
        15⤵
        
        PID:2844
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2848
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2820
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TZTmmJcmMxVu.bat" "
        17⤵
        
        PID:964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:264
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2248
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1444
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tjZkS3k2WtGE.bat" "
        19⤵
        
        PID:2332
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1780
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1028
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ePvjqKDCxnvU.bat" "
        21⤵
        
        PID:2292
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1532
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2244
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1644
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fY5H8E7NCGZq.bat" "
        23⤵
        
        PID:900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:756
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2468
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2264
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7SEHmhjNcPwW.bat" "
        25⤵
        
        PID:2568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2072
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2448
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2l5lwYxno6ye.bat" "
        27⤵
        
        PID:2024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1816
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2l5lwYxno6ye.bat

Filesize
210B

MD5
107bfb98aa9846a94a887dfbb7ac9a36

SHA1
589baa157c22cf9de1e1c498a9aa33a975042954

SHA256
410f379afa1927501f74cf8a6700e6078792af8c54b9e4576ce8f6abfb8f9196

SHA512
553b9ff3f4144c9e7a69cdb0066e7a1925ee37b8b49c7beb3bab7e7f15ae9d586b016405cf8a9cf9f76c9e3dd8177d02b2327e00aa4d323ff42136c159e48859

Download Submit
C:\Users\Admin\AppData\Local\Temp\3r7BAm278qy1.bat

Filesize
210B

MD5
de1f060d0538b41c72889765c4df6edd

SHA1
00d56235079be26b55cc7a17d65c11772cb93423

SHA256
50d5f15e3c94bda8658bbdaa22753f3b340af3bb38659091eb73e0994946f149

SHA512
f843caf9c6689ecfbcced7fa41464cda55f222fc29e0bc3eb0ef3b125a0df4edfd06dc4a82cd6952a18a8268d0160bfb4a36f5430f94737ed8c65199fa95c454

Download Submit
C:\Users\Admin\AppData\Local\Temp\7SEHmhjNcPwW.bat

Filesize
210B

MD5
195023044a43d93bf7b6c7dde9c4ec12

SHA1
1e890a20429683943ddbc4198352e1c290bdd301

SHA256
573b1d88e10bf58e4329322defdb2ff6bfe87197f15e7093665cd8f1e175b28b

SHA512
e287974113996f0ca2154b41e209c543af9af51e13b55a508f33dae02fde86194cbf954af5b73fc6dc342b0f645dfe4e500f8d81aef67ff7cbbc08e8427722b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\89ymXu8UdOMp.bat

Filesize
210B

MD5
a48362091afaced37ba1c790b4e924af

SHA1
1a84099ea0aade622aea9282eef79ca0a895353b

SHA256
5c5d6997505d560d88edcecfac575dc9e4bdd6e0f56e7ca74a0ba45e33c9d3c2

SHA512
bf8e2513bc96f2e77b217b7f3fafb868df6b8b1cd185fe6f143a991e3fbdbbee0a5401b1e9ab0fcf3e3854aa0272934fe733013020646805572d8209d0adf9d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\I9vhx2Aakqu1.bat

Filesize
210B

MD5
23be366ab8a83d75c1143ad0e0a4ffeb

SHA1
ea194a9bd413b9a66d0349654cbbb611ad811bbb

SHA256
af0bdfcf587c2894fd5eb578d34f2ad74fd1cc878ce86410d2218be429498eab

SHA512
44e124252b2c03cde95825185041fd02146620e9a435aa0b777da2a09b4f927143a25ff275113251eb8db686a6dca9b59be51f89f47f5dc34553ebef7792b0a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\PwQQUY4dauSv.bat

Filesize
210B

MD5
1f74eb8649ec01731af11a2993776728

SHA1
eddce3bb9421d663662e0b453fd4ca8e1d57bfa4

SHA256
b6f99cb423cf61cef0cc01aff95b15db3160b562c964094cebebf90abc5a017e

SHA512
4a65dc2245b2d380ccdfe0a0101fcfb171353d14ebcd5faf1e9124b8cb7b7857eae04669dce8e3f249e7aec20216155a9e7251d76d541f923169789ad37a5b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TZTmmJcmMxVu.bat

Filesize
210B

MD5
863232158732133e9f3ff36e3703ab8c

SHA1
8546405a8a96623df1748045d7c53c67687513fc

SHA256
1ec8234f254c8dea70aa117934a7cd541fdfd69c97cd623501ea7a71f034efd5

SHA512
a74b815d8a042db611c24e2f9600d35fa8709920c58b62bc2456cc28a6de55102cffd829da81e717a9145f269a0160dcc484a1b0101ffbf0c74fce9c4684cfa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dDim1BTpfeGC.bat

Filesize
210B

MD5
2c282f2529e15097605410708e974b90

SHA1
fac769f69882934b7e65ce81e740d9099dca4c8b

SHA256
1c97d808a3f4ebe778ce59775613934c498a7cf159273140b2f35819154e3d44

SHA512
4caa68af0ee9f687dd6a0f033d9290619dab08b8d23e43257a6d6387c4aad38d22216b18eed7f9f79952d0e14e7fc6f7a406c3c0e284ae6a95e1e2fc7454647c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ePvjqKDCxnvU.bat

Filesize
210B

MD5
cea47d27e32453be2971a2b2c221b09e

SHA1
6ae0f4d9a32899910a8f0d04a6671868bbdfbf83

SHA256
a10a39c33b8cd435c8e2cca18300fb580db722fd5a13b27b65563cfea5a65990

SHA512
fc5a4b72720f7c99bce5e6297d918ffd02a91291404f763fd68350ebad20ac4af81a7b39d3fa0572fd6a20b7aa072f3a7a8d3c758c067e8c524c54e81905e5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fY5H8E7NCGZq.bat

Filesize
210B

MD5
58d519f8ad9add068b0f1362ae568b89

SHA1
4ce01cc4a5319338f4e8bf9ef78c906cae7bef69

SHA256
0f9f1f82a9c4aa82d35ef2a1cb20f18cd152cd5a14b82a1025473de2f80210c1

SHA512
fcc318d5051e713a5029ef933de8d3e8d8e73ec29215a0c3dcfa420f39f19334867d20665fdc4ad24fecffae7a7030ac49ec8327673dde3cf2555fac78bc19e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rWiO67TQBZ0p.bat

Filesize
210B

MD5
3c799d56650cba08c3c9ecbd49289ae6

SHA1
a42dac28736843dbd6dd3d12e721183d9e275bcf

SHA256
7058ae19eab7ef033d43ba9d9d6263d4989877a7ca4971ad7053789998c89950

SHA512
03a1294f97692c11d176b67dd52cd52d47122698fe2267b8216b95ecae08c63f73a96f56d4a9e855259533d54fe96a4d6f049d807028e8912384c4e3ebb64027

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjZkS3k2WtGE.bat

Filesize
210B

MD5
5c0493ba4b9fc6433f3145a164298bd1

SHA1
e83f02153f0fa5b6326ef9167c8e34ed07148d89

SHA256
c634d12abce8131c978bcefbaa5bb2f869c3738d4af06334b381e48aeaa01779

SHA512
24a487b8eab0bd73ae8eaa8f6b722a61eba49a61cd18effb79a70695c35ece0ce7dc261387179218d46083794f02d6be4309fd10b7faeadb83d55df2ad33a48e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xv3UyZwpZNwe.bat

Filesize
210B

MD5
cab15e41eb69c36757a93505525cbf9f

SHA1
bb08ef4a78d9b153f21f26cb0fd1584638f4f47c

SHA256
b7ffc15d6430a25f4bdc7711f2c082121ca702f461c3036256637d79a3cc343c

SHA512
9a1e436f2e54b764d387fa8a43580fb58855376dfc3cc8b092c416338ef380c07e50fb894e27587fe76d0546a8aa28bca77b77f945ed9a09849b43c8a2b89fd4

Download Submit
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

Filesize
3.1MB

MD5
c2281b1740f2acd02e9e19f83441b033

SHA1
bf321d96b83261e5487f06c9c0ddfc75786c7c8c

SHA256
8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997

SHA512
0c8a95e5caa07047073077a252a891e321cf1a8c964e6e99b72a1c701e6368e63aa82c0425f58364887de3c277130c3c1acda2064332c377efaccf6ce568e027

Download Submit
memory/680-55-0x0000000000120000-0x0000000000444000-memory.dmp

Filesize
3.1MB

Download
memory/764-44-0x0000000000170000-0x0000000000494000-memory.dmp

Filesize
3.1MB

Download
memory/1064-66-0x0000000001360000-0x0000000001684000-memory.dmp

Filesize
3.1MB

Download
memory/1740-1-0x00000000001E0000-0x0000000000504000-memory.dmp

Filesize
3.1MB

Download
memory/1740-0-0x000007FEF5A63000-0x000007FEF5A64000-memory.dmp

Filesize
4KB

Download
memory/1740-2-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/1740-9-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/1808-142-0x00000000002C0000-0x00000000005E4000-memory.dmp

Filesize
3.1MB

Download
memory/1812-131-0x00000000003A0000-0x00000000006C4000-memory.dmp

Filesize
3.1MB

Download
memory/1952-109-0x0000000000C30000-0x0000000000F54000-memory.dmp

Filesize
3.1MB

Download
memory/1984-20-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/1984-7-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/1984-8-0x0000000000EF0000-0x0000000001214000-memory.dmp

Filesize
3.1MB

Download
memory/1984-10-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/2516-22-0x00000000010B0000-0x00000000013D4000-memory.dmp

Filesize
3.1MB

Download
memory/2856-98-0x0000000000070000-0x0000000000394000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads