Analysis
-
max time kernel
143s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system -
submitted
18-12-2024 03:19
Behavioral task
behavioral1
Sample
ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe
Resource
win7-20240729-en
General
-
Target
ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe
-
Size
3.1MB
-
MD5
a813f565b05ee9df7e5db8dbbcc0fa43
-
SHA1
f508e738705163233b29ba54f4cb5ec4583d8df1
-
SHA256
ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156
-
SHA512
adb431c372c2e1d0f6019bedefe16a2253fcf76929ba7e2b9f9cc7a253137920615121a1a64f7003a43f39e8b17ace233daca32b2933b6953aa6cf558b834e2e
-
SSDEEP
98304:aydj2yMy5en93hlLLzJjVrv3zs9Yv+Wcvy:pLYvzs9Yv+Wcv
Malware Config
Extracted
Family: quasar
Version: 1.4.0
Botnet (tag): Office04
C2: microsoftsys.ddns.net:4782
Mutex: 67e0653d-eedf-4888-88ab-78e97eb2df27
-
encryption_key
23E5F6D22FEE1750D36544A759A48349B064BC34
-
install_name
PerfWatson1.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
svhost
-
subdirectory
KDOT
Signatures
-
Quasar family
-
Quasar payload 8 IoCs
resource / yara_rule:
- behavioral1/memory/2316-1-0x0000000000BF0000-0x0000000000F14000-memory.dmp: family_quasar
- behavioral1/files/0x00070000000195d6-5.dat: family_quasar
- behavioral1/memory/2744-8-0x0000000000B80000-0x0000000000EA4000-memory.dmp: family_quasar
- behavioral1/memory/2056-32-0x00000000010E0000-0x0000000001404000-memory.dmp: family_quasar
- behavioral1/memory/1060-53-0x0000000000130000-0x0000000000454000-memory.dmp: family_quasar
- behavioral1/memory/2064-64-0x00000000012A0000-0x00000000015C4000-memory.dmp: family_quasar
- behavioral1/memory/1600-75-0x0000000001320000-0x0000000001644000-memory.dmp: family_quasar
- behavioral1/memory/1468-156-0x0000000000020000-0x0000000000344000-memory.dmp: family_quasar
-
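The eight family_quasar hits above are seven memory regions (the submitted sample plus six of the PerfWatson1.exe relaunches) and one dropped file. The Python below is an added example, not part of the sandbox report: the resource strings are copied verbatim from the table, while the parser and the checks are mine. It shows that every region has the same length, 0x324000 bytes, while the base address is different in each process. On the binary-megabyte convention that length labels as 3.1MB, the same figure as the report's Size field, which is consistent with (though not proof of) the same PE image being mapped at a fresh base in every relaunch; a hunt over memory hits should therefore key on region size or content hashes, never on an address.

```python
"""Parse the family_quasar memory hits above and check whether they are one image mapped at
different bases. Added example, not part of the report: the resource strings are copied from the
YARA table, the parsing and the checks are mine."""
import re
from typing import Dict, List

HITS = [
    "behavioral1/memory/2316-1-0x0000000000BF0000-0x0000000000F14000-memory.dmp",
    "behavioral1/files/0x00070000000195d6-5.dat",
    "behavioral1/memory/2744-8-0x0000000000B80000-0x0000000000EA4000-memory.dmp",
    "behavioral1/memory/2056-32-0x00000000010E0000-0x0000000001404000-memory.dmp",
    "behavioral1/memory/1060-53-0x0000000000130000-0x0000000000454000-memory.dmp",
    "behavioral1/memory/2064-64-0x00000000012A0000-0x00000000015C4000-memory.dmp",
    "behavioral1/memory/1600-75-0x0000000001320000-0x0000000001644000-memory.dmp",
    "behavioral1/memory/1468-156-0x0000000000020000-0x0000000000344000-memory.dmp",
]
# <task>/memory/<pid>-<event seq>-<start>-<end>-memory.dmp  and  <task>/files/<file id>-<event seq>.dat
_MEM = re.compile(r"^(\w+)/memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
_FILE = re.compile(r"^(\w+)/files/(0x[0-9A-Fa-f]+)-(\d+)\.dat$")


def parse_hit(resource: str) -> Dict[str, object]:
    """One YARA resource string -> dict; the region size is computed from the address range."""
    m = _MEM.match(resource)
    if m:
        base, end = int(m.group(4), 16), int(m.group(5), 16)
        return {"kind": "memory", "task": m.group(1), "pid": int(m.group(2)), "seq": int(m.group(3)),
                "base": base, "end": end, "size": end - base}
    m = _FILE.match(resource)
    if m:
        return {"kind": "file", "task": m.group(1), "file_id": m.group(2), "seq": int(m.group(3))}
    raise ValueError("unrecognised resource string: " + resource)


def memory_regions(resources: List[str]) -> List[Dict[str, object]]:
    return [h for h in map(parse_hit, resources) if h["kind"] == "memory"]


def distinct_sizes(resources: List[str]) -> List[int]:
    """All region lengths seen; a single value means every hit covers a same-sized mapping."""
    return sorted({h["size"] for h in memory_regions(resources)})


def base_by_pid(resources: List[str]) -> Dict[int, int]:
    """Base address of the flagged region in each process (they differ run to run under ASLR)."""
    return {h["pid"]: h["base"] for h in memory_regions(resources)}


def mib_label(nbytes: int) -> str:
    """Binary megabytes with one decimal, the way a size such as 0x324000 bytes reads as '3.1MB'."""
    return f"{nbytes / 1048576:.1f}MB"
```

Running `distinct_sizes(HITS)` returns `[0x324000]` and `base_by_pid(HITS)` holds seven different bases; the file hit (`behavioral1/files/0x00070000000195d6-5.dat`) is parsed but excluded from the size check.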
Executes dropped EXE 15 IoCs
pid / Process: 2744, 2664, 2056, 1848, 1060, 2064, 1600, 2928, 2728, 940, 2976, 2140, 1488, 1956, 1468, all PerfWatson1.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid / Process: 2784, 3004, 2612, 612, 1952, 2828, 1760, 2648, 304, 2356, 908, 2196, 2416, 1304, 2124, all PING.EXE
-
Runs ping.exe 1 TTPs 15 IoCs
pid / Process: 1760, 2648, 908, 304, 2416, 2612, 612, 2196, 1304, 2124, 3004, 2356, 1952, 2828, 2784, all PING.EXE
-
Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process: 2728, 1232, 1692, 484, 2888, 1088, 2084, 1580, 2964, 2076, 3048, 1276, 1916, 2252, 2100, 1992, all schtasks.exe
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
description / pid / Process:
- Token: SeDebugPrivilege, PID 2316, ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe
- Token: SeDebugPrivilege, PIDs 2744, 2664, 2056, 1848, 1060, 2064, 1600, 2928, 2728, 940, 2976, 2140, 1488, 1956, 1468, all PerfWatson1.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid / Process: 2744 PerfWatson1.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description / pid / Process / procid_target (the raw table records each parent-to-child write three times; each pair is listed once here):
- PID 2316 ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe wrote to memory of 484 (procid_target 30)
- PID 2316 ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe wrote to memory of 2744 (procid_target 32)
- PID 2744 PerfWatson1.exe wrote to memory of 2964 (procid_target 33)
- PID 2744 PerfWatson1.exe wrote to memory of 2956 (procid_target 35)
- PID 2956 cmd.exe wrote to memory of 3032 (procid_target 37)
- PID 2956 cmd.exe wrote to memory of 3004 (procid_target 38)
- PID 2956 cmd.exe wrote to memory of 2664 (procid_target 39)
- PID 2664 PerfWatson1.exe wrote to memory of 2728 (procid_target 40)
- PID 2664 PerfWatson1.exe wrote to memory of 940 (procid_target 42)
- PID 940 cmd.exe wrote to memory of 2748 (procid_target 44)
- PID 940 cmd.exe wrote to memory of 2416 (procid_target 45)
- PID 940 cmd.exe wrote to memory of 2056 (procid_target 46)
- PID 2056 PerfWatson1.exe wrote to memory of 2888 (procid_target 47)
- PID 2056 PerfWatson1.exe wrote to memory of 2976 (procid_target 49)
- PID 2976 cmd.exe wrote to memory of 448 (procid_target 51)
- PID 2976 cmd.exe wrote to memory of 2612 (procid_target 52)
- PID 2976 cmd.exe wrote to memory of 1848 (procid_target 53)
- PID 1848 PerfWatson1.exe wrote to memory of 1232 (procid_target 54)
- PID 1848 PerfWatson1.exe wrote to memory of 1912 (procid_target 56)
- PID 1912 cmd.exe wrote to memory of 2104 (procid_target 58)
- PID 1912 cmd.exe wrote to memory of 2356 (procid_target 59)
- PID 1912 cmd.exe wrote to memory of 1060 (procid_target 60; recorded once, where the 64-entry table ends)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
(one line per process: depth in the tree, PID, command line, then the signatures the sandbox attached to it; schtasks.exe, cmd.exe, chcp.com and PING.EXE all run from C:\Windows\system32\)

1  PID 2316  "C:\Users\Admin\AppData\Local\Temp\ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe"  [Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory]
  2  PID 484  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe" /rl HIGHEST /f  [Scheduled Task/Job: Scheduled Task]
  2  PID 2744  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory]
    3  PID 2964  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f  [Scheduled Task/Job: Scheduled Task]
    3  PID 2956  cmd /c ""C:\Users\Admin\AppData\Local\Temp\TSZgaEMMDI4y.bat" "  [Suspicious use of WriteProcessMemory]
      4  PID 3032  chcp 65001
      4  PID 3004  ping -n 10 localhost  [System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe]
      4  PID 2664  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory]
        5  PID 2728  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f  [Scheduled Task/Job: Scheduled Task]
        5  PID 940  cmd /c ""C:\Users\Admin\AppData\Local\Temp\WMsfJEC42eGd.bat" "  [Suspicious use of WriteProcessMemory]
          6  PID 2748  chcp 65001
          6  PID 2416  ping -n 10 localhost  [System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe]
          6  PID 2056  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory]
            7  PID 2888  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f  [Scheduled Task/Job: Scheduled Task]
            7  PID 2976  cmd /c ""C:\Users\Admin\AppData\Local\Temp\c0HlInKJpx8q.bat" "  [Suspicious use of WriteProcessMemory]
              8  PID 448  chcp 65001
              8  PID 2612  ping -n 10 localhost  [System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe]
              8  PID 1848  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory]
                9  PID 1232  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f  [Scheduled Task/Job: Scheduled Task]
                9  PID 1912  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Gif2R7lmEbVt.bat" "  [Suspicious use of WriteProcessMemory]
                  10  PID 2104  chcp 65001
                  10  PID 2356  ping -n 10 localhost  [System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe]
                  10  PID 1060  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
                    11  PID 1692  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f  [Scheduled Task/Job: Scheduled Task]
                    11  PID 2592  cmd /c ""C:\Users\Admin\AppData\Local\Temp\VlkhVqXRIeM5.bat" "
                      12  PID 696  chcp 65001
                      12  PID 612  ping -n 10 localhost  [System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe]
                      12  PID 2064  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
                        13  PID 2252  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGH EST /f  [Scheduled Task/Job: Scheduled Task]
                        13  PID 1988  cmd /c ""C:\Users\Admin\AppData\Local\Temp\vI2DjNQmmcoP.bat" "
                          14  PID 2480  chcp 65001
                          14  PID 1952  ping -n 10 localhost  [System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe]
                          14  PID 1600  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
                            15  PID 2076  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f  [Scheduled Task/Job: Scheduled Task]
                            15  PID 2392  cmd /c ""C:\Users\Admin\AppData\Local\Temp\bh5hM69GJT5B.bat" "
                              16  PID 2984  chcp 65001
                              16  PID 1760  ping -n 10 localhost  [System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe]
                              16  PID 2928  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
                                17  PID 3048  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f  [Scheduled Task/Job: Scheduled Task]
                                17  PID 3032  cmd /c ""C:\Users\Admin\AppData\Local\Temp\oeqJK1Zy4Pwg.bat" "
                                  18  PID 2484  chcp 65001
                                  18  PID 2648  ping -n 10 localhost  [System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe]
                                  18  PID 2728  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
                                    19  PID 1088  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f  [Scheduled Task/Job: Scheduled Task]
                                    19  PID 2420  cmd /c ""C:\Users\Admin\AppData\Local\Temp\mXC1mH8GiEvA.bat" "
                                      20  PID 936  chcp 65001
                                      20  PID 908  ping -n 10 localhost  [System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe]
                                      20  PID 940  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
                                        21  PID 1276  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f  [Scheduled Task/Job: Scheduled Task]
                                        21  PID 2720  cmd /c ""C:\Users\Admin\AppData\Local\Temp\DfljeD2gfKS5.bat" "
                                          22  PID 448  chcp 65001
                                          22  PID 2828  ping -n 10 localhost  [System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe]
                                          22  PID 2976  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
                                            23  PID 2100  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f  [Scheduled Task/Job: Scheduled Task]
                                            23  PID 1464  cmd /c ""C:\Users\Admin\AppData\Local\Temp\WhX1CQu4qT1D.bat" "
                                              24  PID 2104  chcp 65001
                                              24  PID 2196  ping -n 10 localhost  [System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe]
                                              24  PID 2140  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
                                                25  PID 1992  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f  [Scheduled Task/Job: Scheduled Task]
                                                25  PID 2216  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BkHUYKTXTr8W.bat" "
                                                  26  PID 696  chcp 65001
                                                  26  PID 304  ping -n 10 localhost  [System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe]
                                                  26  PID 1488  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
                                                    27  PID 2084  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f  [Scheduled Task/Job: Scheduled Task]
                                                    27  PID 2244  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QIuGRtYjfj17.bat" "
                                                      28  PID 1736  chcp 65001
                                                      28  PID 1304  ping -n 10 localhost  [System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe]
                                                      28  PID 1956  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
                                                        29  PID 1580  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f  [Scheduled Task/Job: Scheduled Task]
                                                        29  PID 856  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ra63HTp2nrMY.bat" "
                                                          30  PID 300  chcp 65001
                                                          30  PID 2124  ping -n 10 localhost  [System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe]
                                                          30  PID 1468  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
                                                            31  PID 1916  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f  [Scheduled Task/Job: Scheduled Task]
                                                            31  PID 836  cmd /c ""C:\Users\Admin\AppData\Local\Temp\UjM5iIhssj07.bat" "
                                                              32  PID 2796  chcp 65001
                                                              32  PID 2784  ping -n 10 localhost  [System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe]
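A worked hunting example, added to this report in Python; it is not part of the sandbox output and not Quasar's own code. It brings together the extracted config (startup_key "svhost", install path subdirectory KDOT plus install_name PerfWatson1.exe), the schtasks and ping signatures, and the process tree above: it parses each schtasks command line into its switches and flags the install task (ONLOGON trigger, /rl HIGHEST, target under a user-writable path, lookalike task name), recognises one relaunch cycle as a cmd.exe running a %TEMP% .bat whose children are chcp 65001, ping -n 10 localhost and a fresh PerfWatson1.exe, and resolves parents by PID plus creation order, because the run above reuses PIDs (3032 is chcp.com at depth 4 and cmd.exe at depth 17; 2728 is schtasks.exe at depth 5 and PerfWatson1.exe at depth 18), so joining on PID alone would attach children to the wrong parent. The event list is constructed and abridged from the tree: the cycles between depth 8 and depth 17 are omitted, so the later cmd.exe (PID 3032) is attached directly to PID 2056 to keep the chain connected; the benign NightlyBackup task and the svchost-lookalike check are my assumptions, added for contrast. In production the same functions would be fed Sysmon event 1 or Security 4688 records.

```python
"""Hunt for the Quasar persistence and relaunch pattern in process-creation events. Added example
for this report (not sandbox output, not Quasar code); the events are constructed from the tree above."""
import re
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

# seq = creation order; needed because Windows reuses PIDs within one run (3032 and 2728 below)
ProcEvent = namedtuple("ProcEvent", "seq pid ppid image cmdline")
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
S32 = "C:\\Windows\\system32\\"

def _task(target):  # the schtasks line exactly as the report shows it
    return f'"schtasks" /create /tn "svhost" /sc ONLOGON /tr "{target}" /rl HIGHEST /f'

def _bat(name):     # the cmd line exactly as the report shows it
    return f'cmd /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\{name}" "'

# (pid, ppid, image, cmdline); ppid 0 = parent not listed. Constructed and abridged: the cycles between
# depth 8 and 17 are omitted, so the later cmd.exe (PID 3032, reused) is attached to 2056 to keep the chain.
RAW = [
    (2316, 0, SAMPLE, f'"{SAMPLE}"'),
    (484, 2316, S32 + "schtasks.exe", _task(SAMPLE)),
    (2744, 2316, DROPPED, f'"{DROPPED}"'),
    (2964, 2744, S32 + "schtasks.exe", _task(DROPPED)),
    (2956, 2744, S32 + "cmd.exe", _bat("TSZgaEMMDI4y.bat")),
    (3032, 2956, S32 + "chcp.com", "chcp 65001"),
    (3004, 2956, S32 + "PING.EXE", "ping -n 10 localhost"),
    (2664, 2956, DROPPED, f'"{DROPPED}"'),
    (2728, 2664, S32 + "schtasks.exe", _task(DROPPED)),
    (940, 2664, S32 + "cmd.exe", _bat("WMsfJEC42eGd.bat")),
    (2748, 940, S32 + "chcp.com", "chcp 65001"),
    (2416, 940, S32 + "PING.EXE", "ping -n 10 localhost"),
    (2056, 940, DROPPED, f'"{DROPPED}"'),
    (1500, 1200, S32 + "schtasks.exe",  # benign task, constructed for contrast
     '"schtasks" /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\\Program Files\\Backup\\backup.exe"'),
    (3032, 2056, S32 + "cmd.exe", _bat("oeqJK1Zy4Pwg.bat")),
    (2484, 3032, S32 + "chcp.com", "chcp 65001"),
    (2648, 3032, S32 + "PING.EXE", "ping -n 10 localhost"),
    (2728, 3032, DROPPED, f'"{DROPPED}"'),  # PID 2728 was a schtasks.exe earlier in the run
]
EVENTS = [ProcEvent(i, *r) for i, r in enumerate(RAW)]
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
TEMP_BAT = re.compile(r"\\Temp\\[^\"\s]+\.bat", re.I)

def parse_schtasks(cmdline: str) -> Dict[str, object]:
    """/switch -> value with quoted values kept whole; a switch without a value maps to True."""
    toks = [q or bare for q, bare in _TOKEN.findall(cmdline)]
    args: Dict[str, object] = {}
    for i, t in enumerate(toks):
        if t.startswith("/"):
            nxt = toks[i + 1] if i + 1 < len(toks) else "/"
            args[t[1:].lower()] = True if nxt.startswith("/") else nxt
    return args

def schtasks_findings(cmdline: str) -> List[str]:
    """Reasons a schtasks /create resembles the install task above; empty list = nothing notable."""
    a = parse_schtasks(cmdline)
    if "create" not in a:
        return []
    tr = str(a.get("tr", ""))
    checks = [
        (str(a.get("sc", "")).upper() == "ONLOGON", "triggers at every logon"),
        (str(a.get("rl", "")).upper() == "HIGHEST", "asks for the highest run level"),
        (bool(USER_WRITABLE.search(tr)), "target under a user-writable path: " + tr),
        (str(a.get("tn", "")).lower() in ("svhost", "svchost"), "task name imitates svchost"),  # assumed check
    ]
    return [why for hit, why in checks if hit]

def parent_of(ev: ProcEvent, events: List[ProcEvent]) -> Optional[ProcEvent]:
    """Latest *earlier* event whose pid equals ev.ppid, so a reused PID resolves to the right parent."""
    earlier = [e for e in events if e.pid == ev.ppid and e.seq < ev.seq]
    return earlier[-1] if earlier else None

def depth_of(ev: ProcEvent, events: List[ProcEvent]) -> int:
    depth, cur = 1, parent_of(ev, events)
    while cur is not None:
        depth, cur = depth + 1, parent_of(cur, events)
    return depth

def restart_cycles(events: List[ProcEvent]) -> List[Tuple[int, int, int]]:
    """(cmd pid, relaunched exe pid, depth) for every cmd.exe running a %TEMP% .bat whose children are
    chcp.com, ping ... localhost and an .exe under a user-writable path: one relaunch cycle above."""
    hits = []
    for ev in events:
        if not (ev.image.lower().endswith("\\cmd.exe") and TEMP_BAT.search(ev.cmdline)):
            continue
        kids = [k for k in events if parent_of(k, events) is ev]
        names = [k.image.lower().rsplit("\\", 1)[-1] for k in kids]
        ping = any(n == "ping.exe" and "localhost" in k.cmdline.lower() for n, k in zip(names, kids))
        exe = [k for k in kids if k.image.lower().endswith(".exe") and USER_WRITABLE.search(k.image)]
        if "chcp.com" in names and ping and exe:
            hits.append((ev.pid, exe[0].pid, depth_of(exe[0], events)))
    return hits

def reused_pids(events: List[ProcEvent]) -> List[int]:
    """PIDs that occur more than once in the run; match on (pid, creation time), never on pid alone."""
    return sorted({e.pid for e in events if sum(1 for x in events if x.pid == e.pid) > 1})

def suspicious_tasks(events: List[ProcEvent]) -> List[int]:
    """PIDs of schtasks.exe whose /create command collects at least two findings."""
    return [e.pid for e in events
            if e.image.lower().endswith("\\schtasks.exe") and len(schtasks_findings(e.cmdline)) >= 2]
```

On the constructed events `suspicious_tasks(EVENTS)` returns `[484, 2964, 2728]` (the NightlyBackup task collects no findings), `restart_cycles(EVENTS)` returns three cycles ending in PerfWatson1.exe at depths 4, 6 and 8 of the abridged tree, and `reused_pids(EVENTS)` returns `[2728, 3032]`; the tree resolves correctly only because `parent_of` picks the latest earlier event with the parent's PID.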
Network
MITRE ATT&CK Enterprise v15
Downloads
Fifteen 210-byte files (the same number as the %TEMP% .bat scripts in the process tree) and one 3.1MB file whose hashes are identical to the submitted sample.
-
Filesize
210B
MD5 09f56a7d4f6ae995fb668b70f0728760
SHA1 fedd813b2bbd3605704c9b62bd842b2e6c643694
SHA256 ace3e1d4fa1caede1adb91ba1cb427b0381201f7393ce64af5a648c92ba7c697
SHA512 e953415627ee26325e863a2d08bb679a6277766301d03a02f1fb99fbab8e42743b99f6862ec6506156f0cf92cc6da3065c45276bb0ef819fe2d4dbc8361fd0a2
-
Filesize
210B
MD5 32d34250418f735b85e5b0ac2d45f9bd
SHA1 e90460220efd52f9c07145a2ad5f5d643d386b63
SHA256 1a68d3c3ce1d4cdaf64fb9e26006f40eee29482447650126f6c8c3506026732a
SHA512 156bd3cb2d07323a1f2734a87783389621fcc99565d1610494934d42df7df21789c47b2f8fa2a5cd5d438b39f1df332aff584f6bd897bb6619d6b6b7c565efbc
-
Filesize
210B
MD5 492b11383611e8fa9b26082d0dc6252e
SHA1 60a7cc4d3f797b8a80a89f3fe9c4c4623ecf0951
SHA256 4b42b437c6f48eae6a8b85a2c586b952c0e0cff3c974e0f8b6ca247f5ebdb8d7
SHA512 8ec53eedb464c2c24350da40a6c66a1db34c30e8064fa0334dfdd55aa9516003ae1276d0281aae335bbaba88483a9cb7d1550ace30a2c8fdc4666d2937b412c6
-
Filesize
210B
MD5 4714f6556bbe7e93eac6553945a27030
SHA1 d5998b48c0a85bd154cf7dcae029f4ca3decf1d0
SHA256 a9058b6f0ad0b0ae86a0b0b325787e319241c5c0c58520ef06b9e80ad5b31dc4
SHA512 f5679ecfe73963426972a706bfba9889f6bc985b4f932b444e1fa2ed2570acbc3c5f1b72b70db1d3e90221b7fb58e766d608cfbb72e6e23d3cdf535b338a3a80
-
Filesize
210B
MD5 db83b18dec96fdff7c5e32340ca0c431
SHA1 d4b2d3c6bde121d3df9173eec33168a7b9370b35
SHA256 4016ed242e9feb67fef794c981179d9ff5973c4014e84b92e8eda1c3d3b88b3b
SHA512 f48549e2c3fb7c7b6bf3b43cdad37c794618f66dfb7700d24166b833ec03187829acc932a3305040f586b9499d400b3edc3602d829c6126bc4638ab913e58d71
-
Filesize
210B
MD5 b3fa532b764837fe3f5ea6aead0c6987
SHA1 798691458601d68f45d9cfc0ab5f6e0d6c09c07b
SHA256 a18017121d65f6be68885f0d7eea649f1b30e875a7a8436eae192b54ee83d9a2
SHA512 0fd76eda8457adb67bebb80084d4ff724d1846b0fe7d126f00a38dc52516fc7550b45674f167cb4418b28eae7ea244bb9a1e15cd725fc941d6a98be2a93a3e3f
-
Filesize
210B
MD5 8cb9cd824f8103108636c35993504ad2
SHA1 07bdddf049ea9fbc708d5e33518f13559798ae98
SHA256 626c06b80d86cd639998809e5f39a41f703ea5d2db5a12d118a31a93436f67b9
SHA512 6657fca5dfc0847d4d2fa419d37deeab419afcd2309394a7c546793396e926efa1ee48b27fe65329821bd9e23ea49c1ff957342ea1a260ba895909d1790bb46a
-
Filesize
210B
MD5 080ae6be3288d299ed69ad22be95cf7f
SHA1 167bf9b1ee8256f3db9d06dcefdca1a367affa1b
SHA256 50337148cfe1b5281408e4f3176e7e9145d248e0f4a3ccbb4fbcbec62bfcca7a
SHA512 e30ac1590ee4eccafab4b319fa5200804c9161ebd7f718c19746d3258dd3d57748c039b04d5572c27c64215ccd7487741a7ef2577a04969edc6a51388e6b839c
-
Filesize
210B
MD5 dc1d365865df9ff2dc8d4a9c5a8560af
SHA1 d0477ce4f73888ad33bc2a3e41bc31872ccc70b8
SHA256 9dac195bd9399d1f243332c79a04eef7b8cb0abf4e3197bc489154b64b10342e
SHA512 9b9eabc5cc0eb157200bf5c74d475525ca2135464313c9885de16c633a55c61339a67dee9c890a909073adeedfc0b5f6325c6c8625f20ad893ce22c905606a11
-
Filesize
210B
MD5 96359bec8a1d3e0522f48fc38d85cb77
SHA1 c709de9c6e483f98581a16de71ff855463b0ceb7
SHA256 3d346432d21b37ebcb4501101e85e05085f9a5c134cea62b97cd7275340c9c95
SHA512 602f8d7ee7b49cf7806022c2a702282121cfe71d43ea0b76eb49cec4b8f63b8808cf8d325cddd37eaf2236e4732ee9a95f94530ccaa39039b0007a8086ad82f9
-
Filesize
210B
MD5 3e22415b444eca2bc2496b5ee4216a5b
SHA1 1244e633071bda3e64bfc1326f604e42b49f5108
SHA256 c29eced2d0d5e935784f72bea1e22b6bca7d79440ec46b73681a958c6f0ba6f6
SHA512 c7633c6e6386c356ce3f18e5fa2c77fc1f48cbbe832150aef0ecda1241e53cfc64befdf53193505f785144cc5c5b93dba093781a0bde2861b7c41d98ab57c3a4
-
Filesize
210B
MD5 ede7d450f89179f3fcd39d5dc1a68c75
SHA1 10329444be5badf12a01b2c4e1869217e363a971
SHA256 be0d79f258682c641044fac8cfc3dfe29f5c4a5a827483737c159d2ab42413a4
SHA512 52edd6412dacce307e0b2405d7ef3a811b84f722cf0991f122c2ba3d2c8f0680289eedb5c3d5e0a291f162b5794c3190f5cebb0e0c39e6011f3a2803c10f0edc
-
Filesize
210B
MD5 7976cf8f9d04a24287857ef20c51ed75
SHA1 bde1ee55f2cde73dc33f5aaf73337e0057fd4c82
SHA256 c98429c7db812be49bed8105ab299b789aa5ff7c2179fe0633594f22a5498916
SHA512 948abe9bc27c5a086442f5ee32956288e71eab183ee246be54cd06b95e4c38510566d8b00e6289e81ebbd5586f9d4d50fb839b9b37b7cb1f1527c86f3e716101
-
Filesize
210B
MD5 f454c23dfd8320bf89f4cff9508c5621
SHA1 4351f13e590dec7ec9e9d9f313a5c1daa5708df6
SHA256 cd9df061b531dc115d5627cd3a495ad10f1c630855d0332929e449781113f9ac
SHA512 5d25ce68e2fc9f679abc614aa29d91e3483401c587959d468dead92b560ca5878a1af51f08063614f422488a8c1c17902ed6d1722790335698fd112cd52cd0d6
-
Filesize
210B
MD5 2d23ea80119b6931e0aed3f9f23329ea
SHA1 f63d27bb4cea651713bad614ad8aa795e0efab96
SHA256 376b686a9d8463ad4313dc5b0f44e6afe754ebf5438bd33e8875f2a541483611
SHA512 bbb3b8b17a009c4f5678139420d42eae418872983193d1a16913313c734e7ed427ce167619a103f658d5d190ca4166b6440587ad49e89a8198f8bb13efee633f
-
Filesize
3.1MB (identical hashes to the submitted sample)
MD5 a813f565b05ee9df7e5db8dbbcc0fa43
SHA1 f508e738705163233b29ba54f4cb5ec4583d8df1
SHA256 ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156
SHA512 adb431c372c2e1d0f6019bedefe16a2253fcf76929ba7e2b9f9cc7a253137920615121a1a64f7003a43f39e8b17ace233daca32b2933b6953aa6cf558b834e2e