Analysis
- max time kernel: 92s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-12-2024 03:20
Static task
- static1

Behavioral tasks
- behavioral1: Sample EXIT/Exit.bat, Resource win10v2004-20241007-en
- behavioral2: Sample QuasarDependencies.exe, Resource win10v2004-20241007-en
- behavioral3: Sample QuasarScript.exe, Resource win10v2004-20241007-en
- behavioral4: Sample Start.bat, Resource win10v2004-20241007-en
- behavioral5: Sample img-recog.dll, Resource win10v2004-20241007-en
- behavioral6: Sample self-contain.dll, Resource win10v2004-20241007-en
- behavioral7: Sample win/qwindows.dll, Resource win10v2004-20241007-en
General
- Target: Start.bat
- Size: 4KB
- MD5: d8d7df6fe62f011b7458e01a921b574f
- SHA1: 7c9b3904e4dbc5814c6580ea7c4586245ef002d8
- SHA256: 66b039ce03cc3c839a1d9b1a2c56cecef889bfbab67da276bc1298698473cbaf
- SHA512: 3d2552d25dbe37fe9aa87b469256dc953a4b57cd1ab7a5fa418d25c287f7d2589ec5213f2373e17264e4dbe315212656ecf1afa92ea48ed63491a97d9bb80cae
- SSDEEP: 96:QQPgAM1IfSmnPlTil5zKYzWe+spCjtR1+:9emSmMpC5R1+
Malware Config
Signatures
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 3 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid    Process
  804    PING.EXE
  860    PING.EXE
  4196   PING.EXE
- Runs ping.exe (1 TTPs, 3 IoCs)
  pid    Process
  804    PING.EXE
  860    PING.EXE
  4196   PING.EXE
- Suspicious use of WriteProcessMemory (10 IoCs)
  description                        pid    Process    procid_target
  PID 2436 wrote to memory of 3672   2436   cmd.exe    83
  PID 2436 wrote to memory of 3672   2436   cmd.exe    83
  PID 2436 wrote to memory of 804    2436   cmd.exe    92
  PID 2436 wrote to memory of 804    2436   cmd.exe    92
  PID 2436 wrote to memory of 4704   2436   cmd.exe    94
  PID 2436 wrote to memory of 4704   2436   cmd.exe    94
  PID 2436 wrote to memory of 860    2436   cmd.exe    98
  PID 2436 wrote to memory of 860    2436   cmd.exe    98
  PID 2436 wrote to memory of 4196   2436   cmd.exe    99
  PID 2436 wrote to memory of 4196   2436   cmd.exe    99
Processes
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Start.bat"
  - Suspicious use of WriteProcessMemory
  PID:2436
  - C:\Windows\system32\chcp.com
    chcp 65001
    PID:3672
  - C:\Windows\system32\PING.EXE
    ping localhost -n 2
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:804
  - C:\Windows\system32\mode.com
    mode 60, 20
    PID:4704
  - C:\Windows\system32\PING.EXE
    ping localhost -n 2
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:860
  - C:\Windows\system32\PING.EXE
    ping localhost -n 2
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4196