quasar | 8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490

Analysis

max time kernel
142s
max time network
121s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Amogus.exe
Size

3.2MB
MD5

23c072bdc1c5fe6c2290df7cd3e9abf8
SHA1

e10c6f7843e89f787866aac99c0cb7a3b2c7a902
SHA256

8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490
SHA512

5e18db624ec40d90776a80d90fa80a8a39f7fcd56a523e2d831942934b00e501e7009cc37b17fa4b29a2c2e5c1895c65fdc3259421fb3ce6ea9da50048c50e0e
SSDEEP

98304:xv642pda6D+/PjlLOlZyQipV2mRJ6Nae:1eOpPU9

Score

10^/10

quasar main discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Main

tpinauskas-54803.portmap.host:54803

Mutex

8422dcc2-b8bd-4080-a017-5b62524b6546

Attributes

encryption_key
2EFF7393DC1BD9FBDDD61A780B994B8166BAB8EC
install_name
Win64.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Win64
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 10 IoCs

resource	yara_rule
behavioral1/memory/1268-1-0x0000000000AC0000-0x0000000000E00000-memory.dmp	family_quasar
behavioral1/files/0x00070000000186f1-6.dat	family_quasar
behavioral1/memory/2416-9-0x0000000000C40000-0x0000000000F80000-memory.dmp	family_quasar
behavioral1/memory/2796-23-0x0000000000F20000-0x0000000001260000-memory.dmp	family_quasar
behavioral1/memory/680-55-0x0000000001080000-0x00000000013C0000-memory.dmp	family_quasar
behavioral1/memory/2288-117-0x0000000000200000-0x0000000000540000-memory.dmp	family_quasar
behavioral1/memory/1036-128-0x0000000000DE0000-0x0000000001120000-memory.dmp	family_quasar
behavioral1/memory/2500-140-0x00000000003F0000-0x0000000000730000-memory.dmp	family_quasar
behavioral1/memory/2176-151-0x0000000001200000-0x0000000001540000-memory.dmp	family_quasar
behavioral1/memory/2080-162-0x00000000012D0000-0x0000000001610000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2416	Win64.exe
2796	Win64.exe
2976	Win64.exe
1432	Win64.exe
680	Win64.exe
2584	Win64.exe
484	Win64.exe
2852	Win64.exe
2092	Win64.exe
1696	Win64.exe
2288	Win64.exe
1036	Win64.exe
2500	Win64.exe
2176	Win64.exe
2080	Win64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1272	PING.EXE
2208	PING.EXE
2328	PING.EXE
1820	PING.EXE
1268	PING.EXE
1500	PING.EXE
2460	PING.EXE
928	PING.EXE
2064	PING.EXE
2320	PING.EXE
332	PING.EXE
1680	PING.EXE
3028	PING.EXE
572	PING.EXE
860	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
928	PING.EXE
2064	PING.EXE
1820	PING.EXE
1268	PING.EXE
332	PING.EXE
2208	PING.EXE
2328	PING.EXE
3028	PING.EXE
2320	PING.EXE
1680	PING.EXE
2460	PING.EXE
1500	PING.EXE
1272	PING.EXE
572	PING.EXE
860	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2804	schtasks.exe
2512	schtasks.exe
1744	schtasks.exe
864	schtasks.exe
1112	schtasks.exe
1716	schtasks.exe
1528	schtasks.exe
1148	schtasks.exe
1652	schtasks.exe
2152	schtasks.exe
2924	schtasks.exe
1952	schtasks.exe
1548	schtasks.exe
2056	schtasks.exe
2260	schtasks.exe
2832	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1268	Amogus.exe
Token: SeDebugPrivilege	2416	Win64.exe
Token: SeDebugPrivilege	2796	Win64.exe
Token: SeDebugPrivilege	2976	Win64.exe
Token: SeDebugPrivilege	1432	Win64.exe
Token: SeDebugPrivilege	680	Win64.exe
Token: SeDebugPrivilege	2584	Win64.exe
Token: SeDebugPrivilege	484	Win64.exe
Token: SeDebugPrivilege	2852	Win64.exe
Token: SeDebugPrivilege	2092	Win64.exe
Token: SeDebugPrivilege	1696	Win64.exe
Token: SeDebugPrivilege	2288	Win64.exe
Token: SeDebugPrivilege	1036	Win64.exe
Token: SeDebugPrivilege	2500	Win64.exe
Token: SeDebugPrivilege	2176	Win64.exe
Token: SeDebugPrivilege	2080	Win64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 1652	1268	Amogus.exe	31
PID 1268 wrote to memory of 1652	1268	Amogus.exe	31
PID 1268 wrote to memory of 1652	1268	Amogus.exe	31
PID 1268 wrote to memory of 2416	1268	Amogus.exe	33
PID 1268 wrote to memory of 2416	1268	Amogus.exe	33
PID 1268 wrote to memory of 2416	1268	Amogus.exe	33
PID 2416 wrote to memory of 2152	2416	Win64.exe	34
PID 2416 wrote to memory of 2152	2416	Win64.exe	34
PID 2416 wrote to memory of 2152	2416	Win64.exe	34
PID 2416 wrote to memory of 780	2416	Win64.exe	36
PID 2416 wrote to memory of 780	2416	Win64.exe	36
PID 2416 wrote to memory of 780	2416	Win64.exe	36
PID 780 wrote to memory of 2264	780	cmd.exe	38
PID 780 wrote to memory of 2264	780	cmd.exe	38
PID 780 wrote to memory of 2264	780	cmd.exe	38
PID 780 wrote to memory of 332	780	cmd.exe	39
PID 780 wrote to memory of 332	780	cmd.exe	39
PID 780 wrote to memory of 332	780	cmd.exe	39
PID 780 wrote to memory of 2796	780	cmd.exe	40
PID 780 wrote to memory of 2796	780	cmd.exe	40
PID 780 wrote to memory of 2796	780	cmd.exe	40
PID 2796 wrote to memory of 2924	2796	Win64.exe	41
PID 2796 wrote to memory of 2924	2796	Win64.exe	41
PID 2796 wrote to memory of 2924	2796	Win64.exe	41
PID 2796 wrote to memory of 2352	2796	Win64.exe	43
PID 2796 wrote to memory of 2352	2796	Win64.exe	43
PID 2796 wrote to memory of 2352	2796	Win64.exe	43
PID 2352 wrote to memory of 2336	2352	cmd.exe	45
PID 2352 wrote to memory of 2336	2352	cmd.exe	45
PID 2352 wrote to memory of 2336	2352	cmd.exe	45
PID 2352 wrote to memory of 1500	2352	cmd.exe	46
PID 2352 wrote to memory of 1500	2352	cmd.exe	46
PID 2352 wrote to memory of 1500	2352	cmd.exe	46
PID 2352 wrote to memory of 2976	2352	cmd.exe	47
PID 2352 wrote to memory of 2976	2352	cmd.exe	47
PID 2352 wrote to memory of 2976	2352	cmd.exe	47
PID 2976 wrote to memory of 1744	2976	Win64.exe	48
PID 2976 wrote to memory of 1744	2976	Win64.exe	48
PID 2976 wrote to memory of 1744	2976	Win64.exe	48
PID 2976 wrote to memory of 3020	2976	Win64.exe	50
PID 2976 wrote to memory of 3020	2976	Win64.exe	50
PID 2976 wrote to memory of 3020	2976	Win64.exe	50
PID 3020 wrote to memory of 3024	3020	cmd.exe	52
PID 3020 wrote to memory of 3024	3020	cmd.exe	52
PID 3020 wrote to memory of 3024	3020	cmd.exe	52
PID 3020 wrote to memory of 1680	3020	cmd.exe	53
PID 3020 wrote to memory of 1680	3020	cmd.exe	53
PID 3020 wrote to memory of 1680	3020	cmd.exe	53
PID 3020 wrote to memory of 1432	3020	cmd.exe	54
PID 3020 wrote to memory of 1432	3020	cmd.exe	54
PID 3020 wrote to memory of 1432	3020	cmd.exe	54
PID 1432 wrote to memory of 2260	1432	Win64.exe	55
PID 1432 wrote to memory of 2260	1432	Win64.exe	55
PID 1432 wrote to memory of 2260	1432	Win64.exe	55
PID 1432 wrote to memory of 2160	1432	Win64.exe	57
PID 1432 wrote to memory of 2160	1432	Win64.exe	57
PID 1432 wrote to memory of 2160	1432	Win64.exe	57
PID 2160 wrote to memory of 2200	2160	cmd.exe	59
PID 2160 wrote to memory of 2200	2160	cmd.exe	59
PID 2160 wrote to memory of 2200	2160	cmd.exe	59
PID 2160 wrote to memory of 2460	2160	cmd.exe	60
PID 2160 wrote to memory of 2460	2160	cmd.exe	60
PID 2160 wrote to memory of 2460	2160	cmd.exe	60
PID 2160 wrote to memory of 680	2160	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Amogus.exe
"C:\Users\Admin\AppData\Local\Temp\Amogus.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1652
- C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2152
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tK6aWKgy7M8C.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:780
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2264
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:332
  - - C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2924
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MeNKBTXricc0.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2352
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2336
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1500
      - C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1744
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OffLvqRc25qN.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1680
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2260
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\twgfOu2hv0yR.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2200
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2460
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:680
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:864
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OQ723AmlHRwH.bat" "
        11⤵
        
        PID:1068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:928
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1112
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NykXMXN4QkCD.bat" "
        13⤵
        
        PID:1624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2316
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2064
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:484
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1716
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0mEwsRhAfCPX.bat" "
        15⤵
        
        PID:2056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2664
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1272
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2804
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CpQfoxIzbve9.bat" "
        17⤵
        
        PID:2524
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2720
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2208
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2832
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oQ1yq3Z3N0nE.bat" "
        19⤵
        
        PID:1576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2328
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1528
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QXOOWZM6TweW.bat" "
        21⤵
        
        PID:1448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3028
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1952
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lnte3Oq9RZEN.bat" "
        23⤵
        
        PID:1636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1244
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2320
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1148
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wMgfViBCZEC0.bat" "
        25⤵
        
        PID:1924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1068
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1820
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1548
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kcAROFyAdEIs.bat" "
        27⤵
        
        PID:1868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1660
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:572
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2512
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DkEftBWnhWVv.bat" "
        29⤵
        
        PID:2664
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:860
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2056
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FMSfIwbWkISi.bat" "
        31⤵
        
        PID:2960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0mEwsRhAfCPX.bat

Filesize
206B

MD5
fec17d685a9da92acdd5c5d1db5ed57e

SHA1
beb319b6e458d5d516af3aa23bf2677ac66695e1

SHA256
6802d9e26c4208005540f47190bf053e280f2a1ce00e134ccef1fb885d64f975

SHA512
1b5e443785c4ad8c56be1d3f33ca673492300cb967f8e2738dc7e000d6f0cfe8a1a455257df6d01eec5130813f65d5e2689ba58ff4d9464b8a60a16419c6a45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CpQfoxIzbve9.bat

Filesize
206B

MD5
99bf19165e49557aa8eff31a449d9842

SHA1
b9d27c4c574691cc5acc9d06bd8b0834c66b3b86

SHA256
ede6a6871ca6b3138aecc513fde405de67819715c5dd89fab0f456c36d6f519d

SHA512
6d7d0bc61c03613312121d4c9baeabe51a2735b9896dfd6825e5b22c184e730e9514676531570442482ebbdb7145d8f9d357ba00b17a9ad102bdc616d0a0900c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DkEftBWnhWVv.bat

Filesize
206B

MD5
2d89d78854ebc208ff02ccfca5419ffb

SHA1
0c0d7101ba5e2d6cce8d9fb84f38edc28e65da0c

SHA256
733b01c72f301c3ae0e0e02bf9e9ffe271be93db5487020652940dc686662c7b

SHA512
d1468e9b7692732c3b603f476607c5871d0d5bce51448558e7c5f36ff47db58c6cec42daa4b93b372c3ec869038e45a1cc5040a460d3c7f34569a6cb61076f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMSfIwbWkISi.bat

Filesize
206B

MD5
709052ebe1a5ad1eefbedc6943a574b1

SHA1
cabf34e6bf8f2d067e2c373046e82d79e50d2848

SHA256
774a5a5df9fbcf72aceebcab8a3fe41cc99999a08055b58cdcc2f7855c75dc69

SHA512
fe97c4077538647cc9105c31981cc4c642645b26271f3e097d330f1f1d363cc0334c059bbc7600f0baed6ae1bcdc7fdf2f57fe4eb001a15cc9e235bb135dc27e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MeNKBTXricc0.bat

Filesize
206B

MD5
a9627f74b569540413467a31aa34aebd

SHA1
b5d6c6331bce96837222c258b366b705b2b97a32

SHA256
b40212a355a6cfeee3a5c6881ffcf19c2c3fadde7dfd16016b954ddc1e79fbd4

SHA512
13e46bfa2ed4c70cc4eccae89e55c84a712e81e6ba6a96763dc60baf46daf8250032e32a2101a48f718f23950a6b2caaa4bd7adf4c6913c231f69502065e32b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NykXMXN4QkCD.bat

Filesize
206B

MD5
8e3ba8445c0361e72065865a0a431daf

SHA1
727ff0b3dc2fa75c7fbcb675f66e34c5e838e15b

SHA256
1a79ad9f826c76bf825d5a1eb3d76c8bfa7e707955a3a561187509a739c5b247

SHA512
d9db6d6529389228f8d7c8371358743e2c95e5c2a9adb1c6f5f8f3879c1d0352e937b09ba9fbb58948cc8ebec5a19490cb219be91380463dab5796dfaaba1825

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQ723AmlHRwH.bat

Filesize
206B

MD5
77fe4b0331fa16d0f9e6e1eeade0cc22

SHA1
8e18075087ca1a69c81be8d8291aa083e81cf502

SHA256
92e9d3e6bc5949ea9a32884abd997ae1f3714ecb690a161a499908e832cd6fe1

SHA512
761dc60288e0490d6889b8fd792b54382e4d17e681f5f0044e42ceb384c84ad729a6e721a6faf67aa8ef4c32f7faa48cc571cfb41b81a3ae528c5f21bbab4892

Download Submit
C:\Users\Admin\AppData\Local\Temp\OffLvqRc25qN.bat

Filesize
206B

MD5
b9087a122dec7c74b8896a8dda580abe

SHA1
c2d1834ca0ddf1f04683c24c23c6d7a01af897f7

SHA256
8b3f0dc8158dbf0be59de09ed77e467648f56c7c6ab87d0a24d0bc8ce610393f

SHA512
450ffb6d0f12189938ca8cfff0de0e1cf292fe6e0091c3ca8ef7df7f7cd7c134741a889d3d6a7200fdd237222637e85278932a461cd6c177212cb84eb9515106

Download Submit
C:\Users\Admin\AppData\Local\Temp\QXOOWZM6TweW.bat

Filesize
206B

MD5
5831e1ba9a5870062c16ad81e5cac5a8

SHA1
52d178e71ba427299febd27593be7d9ee6aa1112

SHA256
fbf8388a6195d9b5503ce3922800eac70c07bbc12615ff867eb15f170bdd50b0

SHA512
e85ac6cc79f133b46f124dfb0978b34cc135e6a2ba4e48f2afd7c27955405c295bfbb12230af5ada2bde9ba03eb21d20427d8a3d7de9cfb0458afa1158d1a907

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcAROFyAdEIs.bat

Filesize
206B

MD5
e47ed8cd6e9eee1518571d3b04dc3365

SHA1
3d65ddb88fc65e564590d98ccf3559359d592952

SHA256
e63e6c1fe9b85dcbe7a0ec12fd9b33e27b708779bff83cfeadb5eda8a669eb0a

SHA512
abde138403c59091cb6fc23df4be8a3c694bbd7a4ba07f272e2eb9b9e124b36ba8331469647b426964ea55f5aa1c21b67a0ef37be6477baeea8261486211c300

Download Submit
C:\Users\Admin\AppData\Local\Temp\lnte3Oq9RZEN.bat

Filesize
206B

MD5
df43028d4b2b0175f2247a00b482df54

SHA1
2a20e81aa2238c5ba38087cbaef0200a12822922

SHA256
e38d4dc2577156b9d2893d10e57426d8cd00c29645a0128aadbbae62f0db3d22

SHA512
0a985a88caed1d8f73d3546a2543aa0c46ff3c4d9ffe4e0a1bad2eecd85e46324df363c4f1ba35d9cd074aa23563207eb6945ff147ce20f56cd4529167375699

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQ1yq3Z3N0nE.bat

Filesize
206B

MD5
740feaec800cad6a409ffe632bc43765

SHA1
8ed88c93383a1d940924d82e697dda3d0a0e5c84

SHA256
0e8006f1b9e93e9617144a45169471f31d62c147cd113e05b509cb8db044d3b3

SHA512
a7ea01612c9b9a9a481176b02dcd470693459fd47dc1d93acec22eca552a0e0dbbc04d9b7e13fa6a4d1001762206a0a404c599d5493dfdf2bc6c7f3ef63cd346

Download Submit
C:\Users\Admin\AppData\Local\Temp\tK6aWKgy7M8C.bat

Filesize
206B

MD5
803f47e632ad4e5d93087ec8f2339995

SHA1
e372c0e588c33a38f27bfec73c5075ec36295a8b

SHA256
3b59ed88cedcbd3e9d517927c1307d5f331e8e0bc5ef40cfd42ec0ae7209f38c

SHA512
ed0134e7c1be51b1ef58ff8343a4d0ef5197d0f1346800a47147fa9a0e34063b840167586db2c30820e3ef0c09e6251ab5fab245de3d50ef2ff4303aad6fb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\twgfOu2hv0yR.bat

Filesize
206B

MD5
8fda6f8038f697867437aebecf74b018

SHA1
1b2467e1bfbf69981bf116787d439132a9a549e3

SHA256
0b2d088e5da8f3c6226c39229ce65179504d98bf1280605a6c03aac54f8da6f0

SHA512
7801ee543d735a545235eef23741c5884c64fd564d1ef629e1969f9a311f92106b09f3fc60cad95eef156dd47c32590b43a5dc02378e8f26ee91ac9cf3927f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMgfViBCZEC0.bat

Filesize
206B

MD5
9920c9aa25a4c9ad5b8b6612ec40e8ed

SHA1
5bd0e38fcfe83a122ffa2a689da8183007ee0bc6

SHA256
b8c9bd4d8c704eb78ead4db509ca4a27fcaad54eae89ab1afb2578cec3f7428b

SHA512
6cb6b6af8a03fe269bc63cc3b18af376fd8c3bd5d26bc0adac158d8fdaf952cb790a1fc533d175d8a6fd5c42dab0ddb445b3c650bebebb5a43995d4059f47d7c

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe

Filesize
3.2MB

MD5
23c072bdc1c5fe6c2290df7cd3e9abf8

SHA1
e10c6f7843e89f787866aac99c0cb7a3b2c7a902

SHA256
8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490

SHA512
5e18db624ec40d90776a80d90fa80a8a39f7fcd56a523e2d831942934b00e501e7009cc37b17fa4b29a2c2e5c1895c65fdc3259421fb3ce6ea9da50048c50e0e

Download Submit
memory/680-55-0x0000000001080000-0x00000000013C0000-memory.dmp

Filesize
3.2MB

Download
memory/1036-128-0x0000000000DE0000-0x0000000001120000-memory.dmp

Filesize
3.2MB

Download
memory/1268-1-0x0000000000AC0000-0x0000000000E00000-memory.dmp

Filesize
3.2MB

Download
memory/1268-0-0x000007FEF5CB3000-0x000007FEF5CB4000-memory.dmp

Filesize
4KB

Download
memory/1268-10-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/1268-2-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/2080-162-0x00000000012D0000-0x0000000001610000-memory.dmp

Filesize
3.2MB

Download
memory/2176-151-0x0000000001200000-0x0000000001540000-memory.dmp

Filesize
3.2MB

Download
memory/2288-117-0x0000000000200000-0x0000000000540000-memory.dmp

Filesize
3.2MB

Download
memory/2416-21-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/2416-8-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/2416-9-0x0000000000C40000-0x0000000000F80000-memory.dmp

Filesize
3.2MB

Download
memory/2416-11-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/2500-140-0x00000000003F0000-0x0000000000730000-memory.dmp

Filesize
3.2MB

Download
memory/2796-23-0x0000000000F20000-0x0000000001260000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads