Analysis
max time kernel: 146s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 18-12-2024 06:27
Behavioral task: behavioral1
Sample: Amogus.exe
Resource: win7-20241023-en
General
Target: Amogus.exe
Size: 3.2MB
MD5: 23c072bdc1c5fe6c2290df7cd3e9abf8
SHA1: e10c6f7843e89f787866aac99c0cb7a3b2c7a902
SHA256: 8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490
SHA512: 5e18db624ec40d90776a80d90fa80a8a39f7fcd56a523e2d831942934b00e501e7009cc37b17fa4b29a2c2e5c1895c65fdc3259421fb3ce6ea9da50048c50e0e
SSDEEP: 98304:xv642pda6D+/PjlLOlZyQipV2mRJ6Nae:1eOpPU9
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Main
C2: tpinauskas-54803.portmap.host:54803
Mutex: 8422dcc2-b8bd-4080-a017-5b62524b6546
Attributes:
- encryption_key: 2EFF7393DC1BD9FBDDD61A780B994B8166BAB8EC
- install_name: Win64.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Win64
- subdirectory: SubDir
Signatures
-
Quasar family
-
Quasar payload 2 IoCs
resource | yara_rule
behavioral2/memory/4028-1-0x0000000000CC0000-0x0000000001000000-memory.dmp | family_quasar
behavioral2/files/0x000a000000023b96-6.dat | family_quasar
-
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | Win64.exe
(this row is repeated 15 times in the report, once for each Win64.exe instance)
-
Executes dropped EXE 15 IoCs
pid | Process
3484 | Win64.exe
2312 | Win64.exe
3180 | Win64.exe
4868 | Win64.exe
2984 | Win64.exe
4668 | Win64.exe
3904 | Win64.exe
3568 | Win64.exe
4004 | Win64.exe
2540 | Win64.exe
3416 | Win64.exe
4080 | Win64.exe
3700 | Win64.exe
4404 | Win64.exe
4564 | Win64.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
548 | PING.EXE
468 | PING.EXE
2944 | PING.EXE
1716 | PING.EXE
4256 | PING.EXE
5052 | PING.EXE
3932 | PING.EXE
4252 | PING.EXE
4792 | PING.EXE
4380 | PING.EXE
552 | PING.EXE
3316 | PING.EXE
1616 | PING.EXE
800 | PING.EXE
1708 | PING.EXE
-
Runs ping.exe 1 TTPs 15 IoCs
pid | Process
4792 | PING.EXE
4380 | PING.EXE
468 | PING.EXE
1708 | PING.EXE
1716 | PING.EXE
2944 | PING.EXE
3932 | PING.EXE
4256 | PING.EXE
4252 | PING.EXE
800 | PING.EXE
552 | PING.EXE
3316 | PING.EXE
5052 | PING.EXE
1616 | PING.EXE
548 | PING.EXE
-
Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2428 | schtasks.exe
448 | schtasks.exe
4008 | schtasks.exe
1988 | schtasks.exe
2764 | schtasks.exe
264 | schtasks.exe
3348 | schtasks.exe
4108 | schtasks.exe
4972 | schtasks.exe
924 | schtasks.exe
1848 | schtasks.exe
400 | schtasks.exe
4824 | schtasks.exe
1384 | schtasks.exe
4656 | schtasks.exe
2352 | schtasks.exe
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4028 | Amogus.exe
Token: SeDebugPrivilege | 3484 | Win64.exe
Token: SeDebugPrivilege | 2312 | Win64.exe
Token: SeDebugPrivilege | 3180 | Win64.exe
Token: SeDebugPrivilege | 4868 | Win64.exe
Token: SeDebugPrivilege | 2984 | Win64.exe
Token: SeDebugPrivilege | 4668 | Win64.exe
Token: SeDebugPrivilege | 3904 | Win64.exe
Token: SeDebugPrivilege | 3568 | Win64.exe
Token: SeDebugPrivilege | 4004 | Win64.exe
Token: SeDebugPrivilege | 2540 | Win64.exe
Token: SeDebugPrivilege | 3416 | Win64.exe
Token: SeDebugPrivilege | 4080 | Win64.exe
Token: SeDebugPrivilege | 3700 | Win64.exe
Token: SeDebugPrivilege | 4404 | Win64.exe
Token: SeDebugPrivilege | 4564 | Win64.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
(each of the 32 rows below appears twice in the report, giving the 64 IoCs in the heading)
PID 4028 wrote to memory of 4972 | 4028 | Amogus.exe | 82
PID 4028 wrote to memory of 3484 | 4028 | Amogus.exe | 84
PID 3484 wrote to memory of 1848 | 3484 | Win64.exe | 85
PID 3484 wrote to memory of 3576 | 3484 | Win64.exe | 87
PID 3576 wrote to memory of 4520 | 3576 | cmd.exe | 89
PID 3576 wrote to memory of 1616 | 3576 | cmd.exe | 90
PID 3576 wrote to memory of 2312 | 3576 | cmd.exe | 95
PID 2312 wrote to memory of 2352 | 2312 | Win64.exe | 96
PID 2312 wrote to memory of 1864 | 2312 | Win64.exe | 98
PID 1864 wrote to memory of 1448 | 1864 | cmd.exe | 100
PID 1864 wrote to memory of 548 | 1864 | cmd.exe | 101
PID 1864 wrote to memory of 3180 | 1864 | cmd.exe | 105
PID 3180 wrote to memory of 400 | 3180 | Win64.exe | 106
PID 3180 wrote to memory of 1156 | 3180 | Win64.exe | 108
PID 1156 wrote to memory of 536 | 1156 | cmd.exe | 110
PID 1156 wrote to memory of 468 | 1156 | cmd.exe | 111
PID 1156 wrote to memory of 4868 | 1156 | cmd.exe | 113
PID 4868 wrote to memory of 4824 | 4868 | Win64.exe | 114
PID 4868 wrote to memory of 3592 | 4868 | Win64.exe | 116
PID 3592 wrote to memory of 4800 | 3592 | cmd.exe | 118
PID 3592 wrote to memory of 4252 | 3592 | cmd.exe | 119
PID 3592 wrote to memory of 2984 | 3592 | cmd.exe | 121
PID 2984 wrote to memory of 1988 | 2984 | Win64.exe | 122
PID 2984 wrote to memory of 1048 | 2984 | Win64.exe | 124
PID 1048 wrote to memory of 4496 | 1048 | cmd.exe | 126
PID 1048 wrote to memory of 800 | 1048 | cmd.exe | 127
PID 1048 wrote to memory of 4668 | 1048 | cmd.exe | 128
PID 4668 wrote to memory of 924 | 4668 | Win64.exe | 129
PID 4668 wrote to memory of 3580 | 4668 | Win64.exe | 131
PID 3580 wrote to memory of 3036 | 3580 | cmd.exe | 133
PID 3580 wrote to memory of 1708 | 3580 | cmd.exe | 134
PID 3580 wrote to memory of 3904 | 3580 | cmd.exe | 135
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Level N is the nesting depth in the process tree: each process is a child of the nearest process listed above it at level N-1.)

Level 1: C:\Users\Admin\AppData\Local\Temp\Amogus.exe (PID 4028)
  command line: "C:\Users\Admin\AppData\Local\Temp\Amogus.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 2: C:\Windows\SYSTEM32\schtasks.exe (PID 4972)
  command line: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 2: C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe (PID 3484)
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 3: C:\Windows\SYSTEM32\schtasks.exe (PID 1848)
  command line: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 3: C:\Windows\system32\cmd.exe (PID 3576)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9ophxdRwrDJy.bat" "
  - Suspicious use of WriteProcessMemory

Level 4: C:\Windows\system32\chcp.com (PID 4520)
  command line: chcp 65001

Level 4: C:\Windows\system32\PING.EXE (PID 1616)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Level 4: C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe (PID 2312)
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 5: C:\Windows\SYSTEM32\schtasks.exe (PID 2352)
  command line: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 5: C:\Windows\system32\cmd.exe (PID 1864)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWQBqy9wiTzt.bat" "
  - Suspicious use of WriteProcessMemory

Level 6: C:\Windows\system32\chcp.com (PID 1448)
  command line: chcp 65001

Level 6: C:\Windows\system32\PING.EXE (PID 548)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Level 6: C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe (PID 3180)
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 7: C:\Windows\SYSTEM32\schtasks.exe (PID 400)
  command line: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 7: C:\Windows\system32\cmd.exe (PID 1156)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xe1xw07fZDRu.bat" "
  - Suspicious use of WriteProcessMemory

Level 8: C:\Windows\system32\chcp.com (PID 536)
  command line: chcp 65001

Level 8: C:\Windows\system32\PING.EXE (PID 468)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Level 8: C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe (PID 4868)
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 9: C:\Windows\SYSTEM32\schtasks.exe (PID 4824)
  command line: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 9: C:\Windows\system32\cmd.exe (PID 3592)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B3AY3MZNzK6u.bat" "
  - Suspicious use of WriteProcessMemory

Level 10: C:\Windows\system32\chcp.com (PID 4800)
  command line: chcp 65001

Level 10: C:\Windows\system32\PING.EXE (PID 4252)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Level 10: C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe (PID 2984)
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 11: C:\Windows\SYSTEM32\schtasks.exe (PID 1988)
  command line: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 11: C:\Windows\system32\cmd.exe (PID 1048)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEj3EU5gAS6m.bat" "
  - Suspicious use of WriteProcessMemory

Level 12: C:\Windows\system32\chcp.com (PID 4496)
  command line: chcp 65001

Level 12: C:\Windows\system32\PING.EXE (PID 800)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Level 12: C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe (PID 4668)
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 13: C:\Windows\SYSTEM32\schtasks.exe (PID 924)
  command line: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 13: C:\Windows\system32\cmd.exe (PID 3580)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9dKNAqRi3BbO.bat" "
  - Suspicious use of WriteProcessMemory

Level 14: C:\Windows\system32\chcp.com (PID 3036)
  command line: chcp 65001

Level 14: C:\Windows\system32\PING.EXE (PID 1708)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Level 14: C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe (PID 3904)
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

Level 15: C:\Windows\SYSTEM32\schtasks.exe (PID 2764)
  command line: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 15: C:\Windows\system32\cmd.exe (PID 1824)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lwdcVQTG30cU.bat" "

Level 16: C:\Windows\system32\chcp.com (PID 876)
  command line: chcp 65001

Level 16: C:\Windows\system32\PING.EXE (PID 552)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Level 16: C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe (PID 3568)
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

Level 17: C:\Windows\SYSTEM32\schtasks.exe (PID 264)
  command line: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 17: C:\Windows\system32\cmd.exe (PID 428)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nPyie7bvb8SZ.bat" "

Level 18: C:\Windows\system32\chcp.com (PID 3572)
  command line: chcp 65001

Level 18: C:\Windows\system32\PING.EXE (PID 3316)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Level 18: C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe (PID 4004)
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

Level 19: C:\Windows\SYSTEM32\schtasks.exe (PID 3348)
  command line: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 19: C:\Windows\system32\cmd.exe (PID 4648)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yFJYEvFebeXe.bat" "

Level 20: C:\Windows\system32\chcp.com (PID 3056)
  command line: chcp 65001

Level 20: C:\Windows\system32\PING.EXE (PID 1716)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Level 20: C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe (PID 2540)
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

Level 21: C:\Windows\SYSTEM32\schtasks.exe (PID 4008)
  command line: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 21: C:\Windows\system32\cmd.exe (PID 1480)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\THWbtZNxCzU7.bat" "

Level 22: C:\Windows\system32\chcp.com (PID 1492)
  command line: chcp 65001

Level 22: C:\Windows\system32\PING.EXE (PID 4792)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Level 22: C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe (PID 3416)
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

Level 23: C:\Windows\SYSTEM32\schtasks.exe (PID 2428)
  command line: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 23: C:\Windows\system32\cmd.exe (PID 1540)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dt6KbFojPjxF.bat" "

Level 24: C:\Windows\system32\chcp.com (PID 4376)
  command line: chcp 65001

Level 24: C:\Windows\system32\PING.EXE (PID 4380)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Level 24: C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe (PID 4080)
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

Level 25: C:\Windows\SYSTEM32\schtasks.exe (PID 448)
  command line: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 25: C:\Windows\system32\cmd.exe (PID 4508)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NcYxA3EKlEmq.bat" "

Level 26: C:\Windows\system32\chcp.com (PID 1400)
  command line: chcp 65001

Level 26: C:\Windows\system32\PING.EXE (PID 2944)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Level 26: C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe (PID 3700)
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

Level 27: C:\Windows\SYSTEM32\schtasks.exe (PID 1384)
  command line: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 27: C:\Windows\system32\cmd.exe (PID 4220)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Nsd4Ww7VZFxf.bat" "

Level 28: C:\Windows\system32\chcp.com (PID 5008)
  command line: chcp 65001

Level 28: C:\Windows\system32\PING.EXE (PID 5052)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Level 28: C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe (PID 4404)
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

Level 29: C:\Windows\SYSTEM32\schtasks.exe (PID 4108)
  command line: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 29: C:\Windows\system32\cmd.exe (PID 628)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\L9JK0pUH2zj4.bat" "

Level 30: C:\Windows\system32\chcp.com (PID 2544)
  command line: chcp 65001

Level 30: C:\Windows\system32\PING.EXE (PID 3932)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Level 30: C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe (PID 4564)
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

Level 31: C:\Windows\SYSTEM32\schtasks.exe (PID 4656)
  command line: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 31: C:\Windows\system32\cmd.exe (PID 4316)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c9lYKXgHovGd.bat" "

Level 32: C:\Windows\system32\chcp.com (PID 4516)
  command line: chcp 65001

Level 32: C:\Windows\system32\PING.EXE (PID 4256)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2KB
MD5: 8f0271a63446aef01cf2bfc7b7c7976b
SHA1: b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5
-
Filesize: 206B
MD5: 31d788584a7dbf9e1f89280e266fd33f
SHA1: bc1815aaabdf4849163c7b1976cfb876cca228de
SHA256: 6c55ce301f7f574896cc81c767385f857d8a5ad734e7dbe9c1679da80303346c
SHA512: 4fc433f93d6341f7bd4e8ba4e2e290cb36566f60d0b1ab401290000bbf26afcd7a3d1fae231dc610224504d4d66e39ae1326d724d04013f73040790cd01eec63
-
Filesize: 206B
MD5: a585832e4108efe8f2e6653893b6660c
SHA1: a35dbfa371a2d8b700546f0126242005a7057b42
SHA256: ee40a4c0bf9814888d5e752f18145bc18b3733ed6b4645e851b5573831ad71d8
SHA512: aae61673ba6852ba4ae5e9b2258b0669a275f920f367ca56639b638468b365d9f08782edc9eefcadfb4ecac667cbf49bc0d09978d49d99d726f6e77cac8dea77
-
Filesize: 206B
MD5: 5b79e275ad62ef6cd18a6e26e0db71e9
SHA1: 2f7eb070e76b39ddb60308d08486b713d88c3515
SHA256: e36bf30fa6a79496d683698d6b80fb30d52494197ec36e3efb488cbc7d14c84c
SHA512: e46e1f86f5bfcd30d47510d8e5fce6f6061b7ffa15e781b18ba9429bacb357164efb38b4fa5c293ee4b86db0b633920822307aecb473663ac233e2dee5c94d7f
-
Filesize: 206B
MD5: e4f862b87c568e7f91b9d675e5390a9f
SHA1: efb88d27eb130f61304bb3d2b36d1b3f670ee435
SHA256: 1d6d6d728c786d3b287522d59363a7e34a04b926f1891c9fa8714eb6dd1726e0
SHA512: bf98ae0c707fbe7f240374ab9ef8406e837f76db09241b782350947bbbfe78acb200bfa45065dff1e0d8392af01c0c991806c0d09b7a60a66e0bd0432881fbcc
-
Filesize: 206B
MD5: cdca67853899071b698083dd0aa02b0c
SHA1: a1ac8c6e9429c60ae89e6bb2f959b4f1adf87986
SHA256: d2d5d522598c031a843071bf970c6eb366dddadafb27c0a14affc28b9f518763
SHA512: ce36d49c3b634569369665a641a76f1511c962fb117d115e47f5d70c002efc91067b0cf6bf8c4a2417c7d3d66e96c1abea6dfa46818b6da0ff2cf773081223d9
-
Filesize: 206B
MD5: 2ee0e684d90d48ce09bf55ebff9d1a59
SHA1: f786d5622511865fb2238ef0c379b04bb558da89
SHA256: 48c750873eb31228bcb08c56d43b0bc6b021f7c1ae902c3de2aa61ae9cf78331
SHA512: 90ec88b65108c3f882d9fbb7f0c68b1456ee0010f357e6d0982aa89ef602a6ba83d75972bf2e680a318e70720662ee47be9fc0fbc11735e3f3d6a947cae3c5c5
-
Filesize: 206B
MD5: 12e216ebe9378758f5143c83afdeeb49
SHA1: 2a7b2a06abeecff78881bd80f02e7b997a112744
SHA256: fb386aed4e532ddac7ccc7c432d8e108de68321ef982972b2cf8f6fd339e6b0e
SHA512: b70dde93a99109c3ec6f2dac07835e150ab09cb804e3e82cf68cc86bef78d8d321a2f3c808666595a24b00f400a3348d663db3ba8bf32e1f4f5e6b932e95b7e6
-
Filesize: 206B
MD5: d01ea04b1081a5c4c8672ee05ac52845
SHA1: 38bfad825ab12627153bc6a75c2e8b37bce1a96d
SHA256: 6f301464ff72a7d009b6ea9857bde797b18d3fec7c43da4f8f5df975c5953b77
SHA512: 0869cce6e99d8b4f6fc059dc80dc46da7b3ae8b724c049d41d0d9af6c6e1c9994260a78582bd6a12451cecdae65276762e9a2aef5f218c9be06d5c31fda00f91
-
Filesize: 206B
MD5: 9a8590fd49301d613a14f0f852c4972d
SHA1: afce374d3dd6f2edf3d13cadb43b94e2234719dd
SHA256: 3e4c039e84cc942e3b6decab86b839d99bf422181782734c03591aee809519c1
SHA512: 6a7cfd0c6901380d71088d70b8b8779a554d9608b14860471e85732401f666e454b624956cf53fcfc65bcaf7565c8db8fafbaa318fa79981b66682729276e45b
-
Filesize: 206B
MD5: 1db8fdfc1b8aef719634e7b89f2defa1
SHA1: 33985780477561c4bc5472847d97a47c26872ded
SHA256: f573210c16af9c833b9bbb2811a86216de644a211b751d12f98e54bccb611af1
SHA512: 5c990e62bbc48639162e6b0c4f76af0e545324e4ea5e5cc052c9cc2d93b72788cc2fea626205b89a048b466437abddd315a37abbd9865a274badb2e2070c9fb7
-
Filesize: 206B
MD5: f997e726184480ef28e0461e5547f4c6
SHA1: 67cd2d23c5058b635fd8254732dd62318cc0ad73
SHA256: 7dc3f68633584607101e12fe5f83988abebec3a8f217a765ebdd2982aea5d0df
SHA512: 980b85ec20c4cf0e557927b886d19bba66192f28974e24986837251c7b8a0b8522974e17035722da15da990c907dd8b0462af4dd9e893557a42113c5160ab968
-
Filesize: 206B
MD5: 0db07a4534f6f563a54644302f72a3c5
SHA1: fb8dcdaacaeff75a3b9f67852c795c425209f3bc
SHA256: 9c9c26606a9427674e5d45e10fda6d0d085aade9cc07e72029c24668c923e2ba
SHA512: b197ab4364c45a461999e7c1bc45b1223dd87a77483c7afb06c9d3273c6a93b26b450a571e881acfbd61082483ba6dbd45dab6b7fd76f05e1b54d10857da2c37
-
Filesize: 206B
MD5: 0ed64240cb7c79847086b473766084c9
SHA1: 2a88af8224f591e58bb6ede038ebae714e5a923d
SHA256: 27c76ed262bc6dc457fc5a5adec2bb0292ae4fceca27ef8fa665bdf149906fdd
SHA512: bd72df542ab38c140dfbc692986263c4dee1d2f62deef558138dc79cf478b902476ee676b719c691edf00d3e1651b625b8fb7925c7781029e93235e181316c31
-
Filesize: 206B
MD5: c94538cdfc1859ff79485317ef25a5ad
SHA1: a46aae2eb5a683baaa8f3eed5cc03e2c79bd0810
SHA256: 2ecbaf8855e1b276ee828866ab0bb41c6da8f1b94d08c5d93a212b1091997fec
SHA512: 601d73e8c2e009f7bf0750741b7364f0ea6c170476d3171327c5c69d78707fcb772fc152ab11703f3f2f612eb41b5a9d6c8d8b161f7b0cdd91ceeeef6ad77303
-
Filesize: 206B
MD5: bbdb8dd51aecf9a235ccd1a0760e2cd9
SHA1: 492ac6670fad3506d184666ddac501931056d2b9
SHA256: 3e370826c3e9933b1decb59131d4757dda8325af64f8c9464a11aeb0c70056a4
SHA512: de9ef7881f5d7fcd89d6b39cdb2c647bc1ee1fd5e81182276d7952d9563f558fcac0098fedf40d08228516a5e98a862af25eb448caf71ddd3ae911d222f4bf20
-
Filesize: 3.2MB
MD5: 23c072bdc1c5fe6c2290df7cd3e9abf8
SHA1: e10c6f7843e89f787866aac99c0cb7a3b2c7a902
SHA256: 8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490
SHA512: 5e18db624ec40d90776a80d90fa80a8a39f7fcd56a523e2d831942934b00e501e7009cc37b17fa4b29a2c2e5c1895c65fdc3259421fb3ce6ea9da50048c50e0e