quasar | 9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Java.exe
Size

3.3MB
MD5

f29f701e76e3a435acdd474a41fa60ba
SHA1

10f06b6fc259131d8b6a5423972a1e55b62ce478
SHA256

9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba
SHA512

0d5088f4f685b6d29edec7cc7e8bfe7c594fa6b3fde2a6b11ee977455d6fe088e04e899203171ff519cf9d2b5a78231f3650774cc17824219f43f947d13a86e9
SSDEEP

49152:gvmI22SsaNYfdPBldt698dBcjHinQ1CGarv2oGdUBTHHB72eh2NT:gvr22SsaNYfdPBldt6+dBcjH6yCO

Score

10^/10

quasar java discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Java

dez3452-33187.portmap.host:33187

Mutex

f0e53bcd-851e-44af-8fd5-07d8ab5ed968

Attributes

encryption_key
65439CE7DEF3E0FAF01C526FEA90388C9FD487A1
install_name
java.exe
log_directory
Logs
reconnect_delay
3000
startup_key
java ©
subdirectory
Programfiles

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/4180-1-0x00000000005E0000-0x000000000092E000-memory.dmp	family_quasar
behavioral2/files/0x000d000000023a68-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	java.exe

Executes dropped EXE 15 IoCs

pid	Process
2008	java.exe
4360	java.exe
3300	java.exe
2116	java.exe
4312	java.exe
2576	java.exe
4056	java.exe
1988	java.exe
1772	java.exe
4300	java.exe
4608	java.exe
4976	java.exe
3528	java.exe
2768	java.exe
3868	java.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
704	PING.EXE
1188	PING.EXE
1680	PING.EXE
4992	PING.EXE
4660	PING.EXE
1272	PING.EXE
1472	PING.EXE
3044	PING.EXE
4584	PING.EXE
536	PING.EXE
2196	PING.EXE
4536	PING.EXE
4572	PING.EXE
4496	PING.EXE
744	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
4536	PING.EXE
744	PING.EXE
1472	PING.EXE
3044	PING.EXE
2196	PING.EXE
4496	PING.EXE
1188	PING.EXE
1680	PING.EXE
4584	PING.EXE
536	PING.EXE
4572	PING.EXE
4992	PING.EXE
4660	PING.EXE
1272	PING.EXE
704	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1680	schtasks.exe
1332	schtasks.exe
4224	schtasks.exe
5020	schtasks.exe
1444	schtasks.exe
2232	schtasks.exe
1956	schtasks.exe
2576	schtasks.exe
1620	schtasks.exe
3980	schtasks.exe
2844	schtasks.exe
1500	schtasks.exe
3952	schtasks.exe
2448	schtasks.exe
4264	schtasks.exe
1928	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	4180	Java.exe
Token: SeDebugPrivilege	2008	java.exe
Token: SeDebugPrivilege	4360	java.exe
Token: SeDebugPrivilege	3300	java.exe
Token: SeDebugPrivilege	2116	java.exe
Token: SeDebugPrivilege	4312	java.exe
Token: SeDebugPrivilege	2576	java.exe
Token: SeDebugPrivilege	4056	java.exe
Token: SeDebugPrivilege	1988	java.exe
Token: SeDebugPrivilege	1772	java.exe
Token: SeDebugPrivilege	4300	java.exe
Token: SeDebugPrivilege	4608	java.exe
Token: SeDebugPrivilege	4976	java.exe
Token: SeDebugPrivilege	3528	java.exe
Token: SeDebugPrivilege	2768	java.exe
Token: SeDebugPrivilege	3868	java.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2008	java.exe
4360	java.exe
3300	java.exe
2116	java.exe
4312	java.exe
2576	java.exe
4056	java.exe
1988	java.exe
1772	java.exe
4300	java.exe
4608	java.exe
4976	java.exe
3528	java.exe
2768	java.exe
3868	java.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2008	java.exe
4360	java.exe
3300	java.exe
2116	java.exe
4312	java.exe
2576	java.exe
4056	java.exe
1988	java.exe
1772	java.exe
4300	java.exe
4608	java.exe
4976	java.exe
3528	java.exe
2768	java.exe
3868	java.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 1956	4180	Java.exe	84
PID 4180 wrote to memory of 1956	4180	Java.exe	84
PID 4180 wrote to memory of 2008	4180	Java.exe	86
PID 4180 wrote to memory of 2008	4180	Java.exe	86
PID 2008 wrote to memory of 1500	2008	java.exe	87
PID 2008 wrote to memory of 1500	2008	java.exe	87
PID 2008 wrote to memory of 1272	2008	java.exe	89
PID 2008 wrote to memory of 1272	2008	java.exe	89
PID 1272 wrote to memory of 4952	1272	cmd.exe	91
PID 1272 wrote to memory of 4952	1272	cmd.exe	91
PID 1272 wrote to memory of 4584	1272	cmd.exe	92
PID 1272 wrote to memory of 4584	1272	cmd.exe	92
PID 1272 wrote to memory of 4360	1272	cmd.exe	102
PID 1272 wrote to memory of 4360	1272	cmd.exe	102
PID 4360 wrote to memory of 2576	4360	java.exe	103
PID 4360 wrote to memory of 2576	4360	java.exe	103
PID 4360 wrote to memory of 2448	4360	java.exe	106
PID 4360 wrote to memory of 2448	4360	java.exe	106
PID 2448 wrote to memory of 2628	2448	cmd.exe	109
PID 2448 wrote to memory of 2628	2448	cmd.exe	109
PID 2448 wrote to memory of 4660	2448	cmd.exe	110
PID 2448 wrote to memory of 4660	2448	cmd.exe	110
PID 2448 wrote to memory of 3300	2448	cmd.exe	113
PID 2448 wrote to memory of 3300	2448	cmd.exe	113
PID 3300 wrote to memory of 5020	3300	java.exe	114
PID 3300 wrote to memory of 5020	3300	java.exe	114
PID 3300 wrote to memory of 4428	3300	java.exe	117
PID 3300 wrote to memory of 4428	3300	java.exe	117
PID 4428 wrote to memory of 1188	4428	cmd.exe	119
PID 4428 wrote to memory of 1188	4428	cmd.exe	119
PID 4428 wrote to memory of 4496	4428	cmd.exe	120
PID 4428 wrote to memory of 4496	4428	cmd.exe	120
PID 4428 wrote to memory of 2116	4428	cmd.exe	124
PID 4428 wrote to memory of 2116	4428	cmd.exe	124
PID 2116 wrote to memory of 1620	2116	java.exe	126
PID 2116 wrote to memory of 1620	2116	java.exe	126
PID 2116 wrote to memory of 2032	2116	java.exe	129
PID 2116 wrote to memory of 2032	2116	java.exe	129
PID 2032 wrote to memory of 1772	2032	cmd.exe	131
PID 2032 wrote to memory of 1772	2032	cmd.exe	131
PID 2032 wrote to memory of 744	2032	cmd.exe	132
PID 2032 wrote to memory of 744	2032	cmd.exe	132
PID 2032 wrote to memory of 4312	2032	cmd.exe	133
PID 2032 wrote to memory of 4312	2032	cmd.exe	133
PID 4312 wrote to memory of 1680	4312	java.exe	134
PID 4312 wrote to memory of 1680	4312	java.exe	134
PID 4312 wrote to memory of 440	4312	java.exe	137
PID 4312 wrote to memory of 440	4312	java.exe	137
PID 440 wrote to memory of 684	440	cmd.exe	139
PID 440 wrote to memory of 684	440	cmd.exe	139
PID 440 wrote to memory of 1272	440	cmd.exe	140
PID 440 wrote to memory of 1272	440	cmd.exe	140
PID 440 wrote to memory of 2576	440	cmd.exe	141
PID 440 wrote to memory of 2576	440	cmd.exe	141
PID 2576 wrote to memory of 3952	2576	java.exe	142
PID 2576 wrote to memory of 3952	2576	java.exe	142
PID 2576 wrote to memory of 3632	2576	java.exe	145
PID 2576 wrote to memory of 3632	2576	java.exe	145
PID 3632 wrote to memory of 380	3632	cmd.exe	147
PID 3632 wrote to memory of 380	3632	cmd.exe	147
PID 3632 wrote to memory of 704	3632	cmd.exe	148
PID 3632 wrote to memory of 704	3632	cmd.exe	148
PID 3632 wrote to memory of 4056	3632	cmd.exe	150
PID 3632 wrote to memory of 4056	3632	cmd.exe	150

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Java.exe
"C:\Users\Admin\AppData\Local\Temp\Java.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1956
- C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQEF6MRPY4wd.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4952
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4584
  - - C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
      "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4360
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2576
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZFKOYuOfNFvj.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2448
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2628
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4660
      - C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JLavn8KvJ8PB.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1188
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4496
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U4kUnAviNu1h.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:744
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mn3C6soAZzDg.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:684
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1272
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rTcINiRyFbM9.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:380
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:704
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4056
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XBaIRRIwPD7p.bat" "
        15⤵
        
        PID:3472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4456
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1188
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1988
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUcEuKpLcS9X.bat" "
        17⤵
        
        PID:5080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2504
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1472
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1772
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mNWLCTjY24kP.bat" "
        19⤵
        
        PID:2032
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3640
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1680
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4300
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQPHqXKWGKvG.bat" "
        21⤵
        
        PID:4176
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2820
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:536
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4608
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9w5CheB1b9DE.bat" "
        23⤵
        
        PID:2972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2268
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2196
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4976
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CEy5ODlD85Bd.bat" "
        25⤵
        
        PID:4436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3140
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3044
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3528
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BPJWsPWEvSgk.bat" "
        27⤵
        
        PID:512
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4536
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2768
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ok7tZUYB24HP.bat" "
        29⤵
        
        PID:4584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:3616
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4572
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3868
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1Bjv0JIjL6ap.bat" "
        31⤵
        
        PID:2284
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1964
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\java.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Temp\1Bjv0JIjL6ap.bat

Filesize
211B

MD5
be49d8f510b8ffaa60f84f85c5f63010

SHA1
c0c06110da9430260ab602e46d00c1c11ba8232f

SHA256
a154d2e28a107e9a5a1e95b82c9df465b6c3d824f72a598e76a50adc127e5cf1

SHA512
192f7abf2c1eca9a90b8d4d9d4a984e84d2eeec8f53edfc9c529377de3c89ddb35bd4a6e2560c2ec31a3ad7b7c8e4222525afa99cf4ed49774e26dd1c298ea2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9w5CheB1b9DE.bat

Filesize
211B

MD5
047248aeaebd237d112bf5066f2d7cff

SHA1
afc22479d51e44e359d73eae9fd20a3d0f06ed96

SHA256
6e7c3dca811cc0475576396b18ffbe897a9a4fc6f85f0cf5e14c1d17d6a953f2

SHA512
78b0e758ca294e4d0d9c286d9e7b211e2c1b365c0a408962943f2ac06d7ed77fbba8f8f095f77b6b9adabf13c754f08b59dc19c06301513a5ec03eb9229722e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\BPJWsPWEvSgk.bat

Filesize
211B

MD5
37ce6ba090638085d27a0db1d8aee7af

SHA1
beb8e471788b8567d9c02c1e878534fe695a79ba

SHA256
b89edd46e011812258ca2323a589c643d5ba3ae5e0404880a9460a102983ebef

SHA512
d80b43e9f08780c5fe1c800841e9a121803e89c9e79ae1adaaec73502cfe8253f19c67cfe402704d98c2007a899b70266aa57f2ce29612ac4f35fb7fb1ed6c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEy5ODlD85Bd.bat

Filesize
211B

MD5
bc50f510eb91b16e1e0b49c1733a36a8

SHA1
e749a3ab9c572a72b617946f6faaa79ce482987a

SHA256
a27927ba5164db8b3275a367803efbac53643be2fa7a8d4082920ce8ee8d8319

SHA512
5825a47977f32d881cd838cd03b68edbc696e3aad4abb4281f858eef3267e49c0f2a72a3737311bc165e997fddd749cb8f69ca2844965b3075b746155a0fe580

Download Submit
C:\Users\Admin\AppData\Local\Temp\JLavn8KvJ8PB.bat

Filesize
211B

MD5
71162427c65765c1e542ea99019991a7

SHA1
e656dc14bfdd92e5a4c97a34696485bace40b9d9

SHA256
da1c32c204039954ebfdc43e4b9288568a190c9a123c140a60a015e99988f008

SHA512
78f13bd4fa874c98d2235ee6b652adf36477dbbc63b18688e58898cd17a4b768bd0d98674afcf7295961ed8e2182b564491028244a365a620acd9b55693915bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\JUcEuKpLcS9X.bat

Filesize
211B

MD5
03ff6dd8a77efdae341973ee61e13fab

SHA1
21650549afa04642190e436777055a98650226d3

SHA256
3f3214ae90f593259853e7dbd01cf3e85c61db3a3d913f1627adb0119c8b2138

SHA512
0dd5df01a1e3e710425a67b96e7dbcc99be5749ae511daea062a517588706748aea2063ef4abe42d9eb8e2362fcff7fc5b7f063a060eb78920f15285c4fe2a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQEF6MRPY4wd.bat

Filesize
211B

MD5
8d4dbe32ccfb9e7cbf38c91f62dffb86

SHA1
5ece2494a4b9714253ea9cbee5da6a672f667b36

SHA256
621a087d79196b93da5083032641bd9d00ec29574093114ca330a075ef3a2329

SHA512
4d618ef29c7a469e39bf34c7c393bfafc7afcc98380515bfd7af315079279abbd9872985407fedf4c90906ad91179473d85f86cac4bc32c601415daf5841825a

Download Submit
C:\Users\Admin\AppData\Local\Temp\U4kUnAviNu1h.bat

Filesize
211B

MD5
f074afd858787c943e13bf0d6177756f

SHA1
b9b2f531de1d521e1608fa2b3c2f273d8bd2f8bf

SHA256
e151ff7f26e7ebb374cdfc48d934935a27fb98a88f142e64f19caf8412d2565f

SHA512
2cf219a2758881ea1dd4bafa02423a09a0dd54b362817a7e6acca9fe7754f5bba2be17938343b6c4da7e456a1572ebb44f065a4077d36ca30c58fd75d410b209

Download Submit
C:\Users\Admin\AppData\Local\Temp\XBaIRRIwPD7p.bat

Filesize
211B

MD5
4010d282e1590bfd5fa5bd3b0bce8eae

SHA1
8ca7876a1983a15a27631728bd67568c2987feb5

SHA256
4378480ac31aadb10b3e57c707a12250a89add4369aa1e4df4623621f93b248d

SHA512
61fa963baab4da72d54379bc647950e52f26ce69488067b71e1e05af1f976e4ceb295226559271e5d3fb24e01f251dfd52ff5688538311d98c5bfb50886bb825

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZFKOYuOfNFvj.bat

Filesize
211B

MD5
3250cbef1e2ff00020c4b2f8e3011bb6

SHA1
f1c68ec0b455d0c07e4c049ae3947ba3d7c3798d

SHA256
d4c31491d6ad369ed6d340dcc1224e56c38cd9067648b31a636512f960d969fd

SHA512
91e73a1aaae96d789dd886cba6420a4407877f5baf69e06b04bd94d2d8d70c9159b43539c2d17574069cc37543313d03f8c85e0eb0962e9654b37f1e3b227157

Download Submit
C:\Users\Admin\AppData\Local\Temp\bQPHqXKWGKvG.bat

Filesize
211B

MD5
6e8d8a67ede9d086cfde11f1301448d5

SHA1
52ca490be72327e7892c34357ba522916592b1c3

SHA256
e8760f06e5e216d1a07b33107615a13838493d0585a206bd53c9ff650e0efa40

SHA512
8f31baf23db9ea11a43c586daf8b1088e1aa4e57361ce59239e38421db544a1d89953bfd49c07b6a9f096b962094669f4755f72725e9998ae337dbbceb6fbf33

Download Submit
C:\Users\Admin\AppData\Local\Temp\mNWLCTjY24kP.bat

Filesize
211B

MD5
f7ef342c7fa113b48c844f33d49140a8

SHA1
ccc6db76711c055fa990b960174718c826cbe05d

SHA256
494a64d9176d08a71196e69fefe7ca410bf5aa18a2642330e0dcfd064c6221cf

SHA512
2764a08a41cabe40ea2891b0538aae4cb67dc796be42dbe0021fca9363bc117fb4e475fe65f71ecde542f1d88656b0c7f50e2ae800812de56555348b59d997db

Download Submit
C:\Users\Admin\AppData\Local\Temp\mn3C6soAZzDg.bat

Filesize
211B

MD5
70c15662cfc082ef861fc1e6127b4ca6

SHA1
3d9a6517b013d694aa02eb7851cb9f04311bdd99

SHA256
0318f2e68d015134ad9cd93018d5399c71f3345cd7e51ac4e3741aa9434e0d5a

SHA512
f1f394dbe546b0096820b4434c0b4e5f0583c48633b008b02343f8f9feb0580165ebb346019b5639de53c75a0aaf90b93497ce59acc0bc07aa319189918bdd5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ok7tZUYB24HP.bat

Filesize
211B

MD5
7cdc022bc101a4668b0cb7f08fa48543

SHA1
068ba7d8d8d2de3579278b9b080cde2d4e21226b

SHA256
71b921b4d3547e5da2731345310062f298c49c4f1a5564ef6f92c7b77460d8d3

SHA512
18882b995d4672bc28a06af6e9e9721cde334ee1ebfc06e43b73b6646050f382eb35601168434ff202cbaec0c7b98d3a569b7cdc6ea862b528c08002de19d295

Download Submit
C:\Users\Admin\AppData\Local\Temp\rTcINiRyFbM9.bat

Filesize
211B

MD5
9888b5c01e0a7f6f289482d1557845e1

SHA1
e83fad419a495b26a54f6a259546a51df676651c

SHA256
057e6ead9733fb0f34772f37e22daa54504482e59f9dd92c8073b42976a07fd5

SHA512
0e7e6b8e89fffac41706dc72d507008ffe89a307ab146ce1646bd4a5fea6e21439178ffc0bb94fba579b49a65a27ae99f4a42c1ab7088be614281dda94a197a9

Download Submit
C:\Users\Admin\AppData\Roaming\Programfiles\java.exe

Filesize
3.3MB

MD5
f29f701e76e3a435acdd474a41fa60ba

SHA1
10f06b6fc259131d8b6a5423972a1e55b62ce478

SHA256
9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba

SHA512
0d5088f4f685b6d29edec7cc7e8bfe7c594fa6b3fde2a6b11ee977455d6fe088e04e899203171ff519cf9d2b5a78231f3650774cc17824219f43f947d13a86e9

Download Submit
memory/2008-14-0x000000001BC00000-0x000000001BCB2000-memory.dmp

Filesize
712KB

Download
memory/2008-12-0x00007FFEF09F0000-0x00007FFEF14B1000-memory.dmp

Filesize
10.8MB

Download
memory/2008-13-0x000000001BAF0000-0x000000001BB40000-memory.dmp

Filesize
320KB

Download
memory/2008-10-0x00007FFEF09F0000-0x00007FFEF14B1000-memory.dmp

Filesize
10.8MB

Download
memory/2008-18-0x00007FFEF09F0000-0x00007FFEF14B1000-memory.dmp

Filesize
10.8MB

Download
memory/4180-0-0x00007FFEF09F3000-0x00007FFEF09F5000-memory.dmp

Filesize
8KB

Download
memory/4180-11-0x00007FFEF09F0000-0x00007FFEF14B1000-memory.dmp

Filesize
10.8MB

Download
memory/4180-2-0x00007FFEF09F0000-0x00007FFEF14B1000-memory.dmp

Filesize
10.8MB

Download
memory/4180-1-0x00000000005E0000-0x000000000092E000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads