Analysis
max time kernel: 146s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-12-2024 03:11
Behavioral task: behavioral1
Sample: 8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe
Resource: win7-20241010-en
General
Target: 8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe
Size: 3.1MB
MD5: c2281b1740f2acd02e9e19f83441b033
SHA1: bf321d96b83261e5487f06c9c0ddfc75786c7c8c
SHA256: 8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997
SHA512: 0c8a95e5caa07047073077a252a891e321cf1a8c964e6e99b72a1c701e6368e63aa82c0425f58364887de3c277130c3c1acda2064332c377efaccf6ce568e027
SSDEEP: 49152:jyF/j2yMy5en93hlLLzJjVrvjkoGduTHHB72eh2NT:jydj2yMy5en93hlLLzJjVrvo
Malware Config
Extracted
quasar
1.4.0
Office04
connectdadad.ddns.net:4782
e862a94f-5f45-4b8c-89de-f84dadb095d0
encryption_key: 23E5F6D22FEE1750D36544A759A48349B064BC34
install_name: PerfWatson1.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: svhost
subdirectory: KDOT
Signatures
Quasar family
Quasar payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/3800-1-0x0000000000C60000-0x0000000000F84000-memory.dmp | family_quasar
  behavioral2/files/0x0007000000023cce-5.dat | family_quasar
Checks computer location settings (2 TTPs, 15 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | PerfWatson1.exe
  (this row appears 15 times in the report)
Executes dropped EXE (15 IoCs)
  Process PerfWatson1.exe, PIDs: 3544, 4712, 4976, 3140, 4004, 2952, 5052, 3996, 3916, 1832, 2068, 3800, 2760, 2244, 4580
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  Process PING.EXE, PIDs: 3808, 4352, 4100, 2320, 1864, 3152, 1636, 2988, 4072, 2920, 4896, 4492, 5068, 2792, 4488
Runs ping.exe (1 TTPs, 15 IoCs)
  Process PING.EXE, PIDs: 2320, 4100, 4352, 4072, 4488, 2988, 4492, 1864, 2920, 3808, 5068, 2792, 3152, 4896, 1636
Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Process schtasks.exe, PIDs: 4948, 5020, 1532, 3756, 4976, 2080, 4912, 5068, 952, 3968, 896, 2568, 5052, 4048, 4696, 1032
Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Token: SeDebugPrivilege | PID 3800 | 8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe
  Token: SeDebugPrivilege | PerfWatson1.exe, PIDs: 3544, 4712, 4976, 3140, 4004, 2952, 5052, 3996, 3916, 1832, 2068, 3800, 2760, 2244, 4580
Suspicious use of SetWindowsHookEx (1 IoCs)
  PID 3544 | PerfWatson1.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target (each row is recorded twice in the report)
  PID 3800 wrote to memory of 4948 | 3800 | 8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe | 84
  PID 3800 wrote to memory of 3544 | 3800 | 8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe | 86
  PID 3544 wrote to memory of 2568 | 3544 | PerfWatson1.exe | 87
  PID 3544 wrote to memory of 2988 | 3544 | PerfWatson1.exe | 89
  PID 2988 wrote to memory of 3932 | 2988 | cmd.exe | 91
  PID 2988 wrote to memory of 4072 | 2988 | cmd.exe | 92
  PID 2988 wrote to memory of 4712 | 2988 | cmd.exe | 97
  PID 4712 wrote to memory of 5052 | 4712 | PerfWatson1.exe | 98
  PID 4712 wrote to memory of 1860 | 4712 | PerfWatson1.exe | 100
  PID 1860 wrote to memory of 2888 | 1860 | cmd.exe | 102
  PID 1860 wrote to memory of 2320 | 1860 | cmd.exe | 103
  PID 1860 wrote to memory of 4976 | 1860 | cmd.exe | 107
  PID 4976 wrote to memory of 5020 | 4976 | PerfWatson1.exe | 108
  PID 4976 wrote to memory of 3584 | 4976 | PerfWatson1.exe | 110
  PID 3584 wrote to memory of 1840 | 3584 | cmd.exe | 112
  PID 3584 wrote to memory of 1864 | 3584 | cmd.exe | 113
  PID 3584 wrote to memory of 3140 | 3584 | cmd.exe | 115
  PID 3140 wrote to memory of 4048 | 3140 | PerfWatson1.exe | 117
  PID 3140 wrote to memory of 1628 | 3140 | PerfWatson1.exe | 119
  PID 1628 wrote to memory of 3976 | 1628 | cmd.exe | 121
  PID 1628 wrote to memory of 4100 | 1628 | cmd.exe | 122
  PID 1628 wrote to memory of 4004 | 1628 | cmd.exe | 123
  PID 4004 wrote to memory of 4696 | 4004 | PerfWatson1.exe | 124
  PID 4004 wrote to memory of 452 | 4004 | PerfWatson1.exe | 126
  PID 452 wrote to memory of 2208 | 452 | cmd.exe | 128
  PID 452 wrote to memory of 2792 | 452 | cmd.exe | 129
  PID 452 wrote to memory of 2952 | 452 | cmd.exe | 130
  PID 2952 wrote to memory of 2080 | 2952 | PerfWatson1.exe | 131
  PID 2952 wrote to memory of 3832 | 2952 | PerfWatson1.exe | 133
  PID 3832 wrote to memory of 764 | 3832 | cmd.exe | 135
  PID 3832 wrote to memory of 2920 | 3832 | cmd.exe | 136
  PID 3832 wrote to memory of 5052 | 3832 | cmd.exe | 137
Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] PID 3800  C:\Users\Admin\AppData\Local\Temp\8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe  "C:\Users\Admin\AppData\Local\Temp\8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[2] PID 4948  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[2] PID 3544  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
[3] PID 2568  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[3] PID 2988  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ztVa0C2vpKxZ.bat" "
  - Suspicious use of WriteProcessMemory
[4] PID 3932  C:\Windows\system32\chcp.com  chcp 65001
[4] PID 4072  C:\Windows\system32\PING.EXE  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[4] PID 4712  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[5] PID 5052  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[5] PID 1860  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fJItz2Xf0QcS.bat" "
  - Suspicious use of WriteProcessMemory
[6] PID 2888  C:\Windows\system32\chcp.com  chcp 65001
[6] PID 2320  C:\Windows\system32\PING.EXE  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[6] PID 4976  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[7] PID 5020  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[7] PID 3584  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iFvZYeUvxbpx.bat" "
  - Suspicious use of WriteProcessMemory
[8] PID 1840  C:\Windows\system32\chcp.com  chcp 65001
[8] PID 1864  C:\Windows\system32\PING.EXE  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[8] PID 3140  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[9] PID 4048  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[9] PID 1628  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HE6WpiY8tSiu.bat" "
  - Suspicious use of WriteProcessMemory
[10] PID 3976  C:\Windows\system32\chcp.com  chcp 65001
[10] PID 4100  C:\Windows\system32\PING.EXE  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[10] PID 4004  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[11] PID 4696  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[11] PID 452  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgk5QqYsjlwt.bat" "
  - Suspicious use of WriteProcessMemory
[12] PID 2208  C:\Windows\system32\chcp.com  chcp 65001
[12] PID 2792  C:\Windows\system32\PING.EXE  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[12] PID 2952  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[13] PID 2080  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[13] PID 3832  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k8xRtjsMl9Eq.bat" "
  - Suspicious use of WriteProcessMemory
[14] PID 764  C:\Windows\system32\chcp.com  chcp 65001
[14] PID 2920  C:\Windows\system32\PING.EXE  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[14] PID 5052  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[15] PID 1532  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[15] PID 3756  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U6VdzyX3l8Ub.bat" "
[16] PID 4492  C:\Windows\system32\chcp.com  chcp 65001
[16] PID 3808  C:\Windows\system32\PING.EXE  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[16] PID 3996  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[17] PID 4912  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[17] PID 1020  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hTRt3uCCtZEL.bat" "
[18] PID 4352  C:\Windows\system32\chcp.com  chcp 65001
[18] PID 3152  C:\Windows\system32\PING.EXE  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[18] PID 3916  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[19] PID 5068  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[19] PID 836  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Prftg8GAu0qQ.bat" "
[20] PID 2252  C:\Windows\system32\chcp.com  chcp 65001
[20] PID 4488  C:\Windows\system32\PING.EXE  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[20] PID 1832  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[21] PID 952  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[21] PID 4328  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B1SulscQJdt2.bat" "
[22] PID 3368  C:\Windows\system32\chcp.com  chcp 65001
[22] PID 4896  C:\Windows\system32\PING.EXE  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[22] PID 2068  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[23] PID 3968  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[23] PID 2120  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4ZPWiPGgCdzM.bat" "
[24] PID 3964  C:\Windows\system32\chcp.com  chcp 65001
[24] PID 1636  C:\Windows\system32\PING.EXE  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[24] PID 3800  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[25] PID 1032  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[25] PID 3948  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YoWSh9aMQTiJ.bat" "
[26] PID 812  C:\Windows\system32\chcp.com  chcp 65001
[26] PID 2988  C:\Windows\system32\PING.EXE  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[26] PID 2760  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[27] PID 896  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[27] PID 4600  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ubEyuoDZ4Vrh.bat" "
[28] PID 5052  C:\Windows\system32\chcp.com  chcp 65001
[28] PID 4492  C:\Windows\system32\PING.EXE  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[28] PID 2244  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[29] PID 3756  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[29] PID 5116  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7u5fhH5uzKEk.bat" "
[30] PID 3996  C:\Windows\system32\chcp.com  chcp 65001
[30] PID 4352  C:\Windows\system32\PING.EXE  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[30] PID 4580  C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[31] PID 4976  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[31] PID 4284  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SDzDZL1aBcde.bat" "
[32] PID 3936  C:\Windows\system32\chcp.com  chcp 65001
[32] PID 5068  C:\Windows\system32\PING.EXE  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads