quasar | ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156

Analysis

max time kernel
142s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe
Size

3.1MB
MD5

a813f565b05ee9df7e5db8dbbcc0fa43
SHA1

f508e738705163233b29ba54f4cb5ec4583d8df1
SHA256

ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156
SHA512

adb431c372c2e1d0f6019bedefe16a2253fcf76929ba7e2b9f9cc7a253137920615121a1a64f7003a43f39e8b17ace233daca32b2933b6953aa6cf558b834e2e
SSDEEP

98304:aydj2yMy5en93hlLLzJjVrv3zs9Yv+Wcvy:pLYvzs9Yv+Wcv

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

microsoftsys.ddns.net:4782

Mutex

67e0653d-eedf-4888-88ab-78e97eb2df27

Attributes

encryption_key
23E5F6D22FEE1750D36544A759A48349B064BC34
install_name
PerfWatson1.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhost
subdirectory
KDOT

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 9 IoCs

resource	yara_rule
behavioral1/memory/2196-1-0x00000000010B0000-0x00000000013D4000-memory.dmp	family_quasar
behavioral1/files/0x0016000000018657-5.dat	family_quasar
behavioral1/memory/2652-9-0x0000000000E50000-0x0000000001174000-memory.dmp	family_quasar
behavioral1/memory/2896-33-0x00000000011B0000-0x00000000014D4000-memory.dmp	family_quasar
behavioral1/memory/1608-54-0x00000000000A0000-0x00000000003C4000-memory.dmp	family_quasar
behavioral1/memory/1536-66-0x0000000000870000-0x0000000000B94000-memory.dmp	family_quasar
behavioral1/memory/2472-77-0x0000000000D90000-0x00000000010B4000-memory.dmp	family_quasar
behavioral1/memory/2684-89-0x0000000001150000-0x0000000001474000-memory.dmp	family_quasar
behavioral1/memory/1920-110-0x0000000001270000-0x0000000001594000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2652	PerfWatson1.exe
2732	PerfWatson1.exe
2896	PerfWatson1.exe
2956	PerfWatson1.exe
1608	PerfWatson1.exe
1536	PerfWatson1.exe
2472	PerfWatson1.exe
2684	PerfWatson1.exe
2288	PerfWatson1.exe
1920	PerfWatson1.exe
264	PerfWatson1.exe
1664	PerfWatson1.exe
1468	PerfWatson1.exe
2152	PerfWatson1.exe
2384	PerfWatson1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2784	PING.EXE
2828	PING.EXE
1940	PING.EXE
2240	PING.EXE
2628	PING.EXE
2416	PING.EXE
1008	PING.EXE
2644	PING.EXE
2828	PING.EXE
1712	PING.EXE
1900	PING.EXE
1556	PING.EXE
1148	PING.EXE
2012	PING.EXE
2020	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1900	PING.EXE
1940	PING.EXE
1712	PING.EXE
2628	PING.EXE
2020	PING.EXE
2828	PING.EXE
2828	PING.EXE
1556	PING.EXE
1148	PING.EXE
1008	PING.EXE
2644	PING.EXE
2416	PING.EXE
2240	PING.EXE
2784	PING.EXE
2012	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2608	schtasks.exe
2376	schtasks.exe
872	schtasks.exe
1668	schtasks.exe
2652	schtasks.exe
2580	schtasks.exe
1904	schtasks.exe
1592	schtasks.exe
2076	schtasks.exe
2312	schtasks.exe
1596	schtasks.exe
1548	schtasks.exe
2236	schtasks.exe
2224	schtasks.exe
2648	schtasks.exe
284	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe
Token: SeDebugPrivilege	2652	PerfWatson1.exe
Token: SeDebugPrivilege	2732	PerfWatson1.exe
Token: SeDebugPrivilege	2896	PerfWatson1.exe
Token: SeDebugPrivilege	2956	PerfWatson1.exe
Token: SeDebugPrivilege	1608	PerfWatson1.exe
Token: SeDebugPrivilege	1536	PerfWatson1.exe
Token: SeDebugPrivilege	2472	PerfWatson1.exe
Token: SeDebugPrivilege	2684	PerfWatson1.exe
Token: SeDebugPrivilege	2288	PerfWatson1.exe
Token: SeDebugPrivilege	1920	PerfWatson1.exe
Token: SeDebugPrivilege	264	PerfWatson1.exe
Token: SeDebugPrivilege	1664	PerfWatson1.exe
Token: SeDebugPrivilege	1468	PerfWatson1.exe
Token: SeDebugPrivilege	2152	PerfWatson1.exe
Token: SeDebugPrivilege	2384	PerfWatson1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2652	PerfWatson1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2236	2196	ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe	31
PID 2196 wrote to memory of 2236	2196	ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe	31
PID 2196 wrote to memory of 2236	2196	ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe	31
PID 2196 wrote to memory of 2652	2196	ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe	33
PID 2196 wrote to memory of 2652	2196	ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe	33
PID 2196 wrote to memory of 2652	2196	ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe	33
PID 2652 wrote to memory of 2224	2652	PerfWatson1.exe	34
PID 2652 wrote to memory of 2224	2652	PerfWatson1.exe	34
PID 2652 wrote to memory of 2224	2652	PerfWatson1.exe	34
PID 2652 wrote to memory of 2700	2652	PerfWatson1.exe	36
PID 2652 wrote to memory of 2700	2652	PerfWatson1.exe	36
PID 2652 wrote to memory of 2700	2652	PerfWatson1.exe	36
PID 2700 wrote to memory of 2684	2700	cmd.exe	38
PID 2700 wrote to memory of 2684	2700	cmd.exe	38
PID 2700 wrote to memory of 2684	2700	cmd.exe	38
PID 2700 wrote to memory of 2828	2700	cmd.exe	39
PID 2700 wrote to memory of 2828	2700	cmd.exe	39
PID 2700 wrote to memory of 2828	2700	cmd.exe	39
PID 2700 wrote to memory of 2732	2700	cmd.exe	40
PID 2700 wrote to memory of 2732	2700	cmd.exe	40
PID 2700 wrote to memory of 2732	2700	cmd.exe	40
PID 2732 wrote to memory of 2580	2732	PerfWatson1.exe	41
PID 2732 wrote to memory of 2580	2732	PerfWatson1.exe	41
PID 2732 wrote to memory of 2580	2732	PerfWatson1.exe	41
PID 2732 wrote to memory of 2292	2732	PerfWatson1.exe	43
PID 2732 wrote to memory of 2292	2732	PerfWatson1.exe	43
PID 2732 wrote to memory of 2292	2732	PerfWatson1.exe	43
PID 2292 wrote to memory of 2952	2292	cmd.exe	45
PID 2292 wrote to memory of 2952	2292	cmd.exe	45
PID 2292 wrote to memory of 2952	2292	cmd.exe	45
PID 2292 wrote to memory of 2628	2292	cmd.exe	46
PID 2292 wrote to memory of 2628	2292	cmd.exe	46
PID 2292 wrote to memory of 2628	2292	cmd.exe	46
PID 2292 wrote to memory of 2896	2292	cmd.exe	47
PID 2292 wrote to memory of 2896	2292	cmd.exe	47
PID 2292 wrote to memory of 2896	2292	cmd.exe	47
PID 2896 wrote to memory of 1904	2896	PerfWatson1.exe	48
PID 2896 wrote to memory of 1904	2896	PerfWatson1.exe	48
PID 2896 wrote to memory of 1904	2896	PerfWatson1.exe	48
PID 2896 wrote to memory of 2940	2896	PerfWatson1.exe	50
PID 2896 wrote to memory of 2940	2896	PerfWatson1.exe	50
PID 2896 wrote to memory of 2940	2896	PerfWatson1.exe	50
PID 2940 wrote to memory of 1480	2940	cmd.exe	52
PID 2940 wrote to memory of 1480	2940	cmd.exe	52
PID 2940 wrote to memory of 1480	2940	cmd.exe	52
PID 2940 wrote to memory of 2020	2940	cmd.exe	53
PID 2940 wrote to memory of 2020	2940	cmd.exe	53
PID 2940 wrote to memory of 2020	2940	cmd.exe	53
PID 2940 wrote to memory of 2956	2940	cmd.exe	54
PID 2940 wrote to memory of 2956	2940	cmd.exe	54
PID 2940 wrote to memory of 2956	2940	cmd.exe	54
PID 2956 wrote to memory of 2608	2956	PerfWatson1.exe	55
PID 2956 wrote to memory of 2608	2956	PerfWatson1.exe	55
PID 2956 wrote to memory of 2608	2956	PerfWatson1.exe	55
PID 2956 wrote to memory of 2124	2956	PerfWatson1.exe	57
PID 2956 wrote to memory of 2124	2956	PerfWatson1.exe	57
PID 2956 wrote to memory of 2124	2956	PerfWatson1.exe	57
PID 2124 wrote to memory of 1724	2124	cmd.exe	59
PID 2124 wrote to memory of 1724	2124	cmd.exe	59
PID 2124 wrote to memory of 1724	2124	cmd.exe	59
PID 2124 wrote to memory of 2416	2124	cmd.exe	60
PID 2124 wrote to memory of 2416	2124	cmd.exe	60
PID 2124 wrote to memory of 2416	2124	cmd.exe	60
PID 2124 wrote to memory of 1608	2124	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe
"C:\Users\Admin\AppData\Local\Temp\ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2236
- C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2224
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\amDI5T1ZESdB.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2684
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2828
  - - C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
      "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2580
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2Licq5EKZyOu.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2292
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2952
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2628
      - C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1904
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2RU12tVl3O7t.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2608
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3etZoM0LQodj.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1724
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2416
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1592
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1NsGdSFEpIvs.bat" "
        11⤵
        
        PID:1944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2240
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2076
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GEZPvjbVwYHz.bat" "
        13⤵
        
        PID:676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1556
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2376
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0izV3gWHC0xL.bat" "
        15⤵
        
        PID:2388
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2792
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2784
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2648
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3iPAXPZMIxyt.bat" "
        17⤵
        
        PID:2308
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2928
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2828
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2312
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\U4m659d9O5eh.bat" "
        19⤵
        
        PID:1612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1204
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1900
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:284
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xYLBnscBbPHN.bat" "
        21⤵
        
        PID:984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2020
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1148
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:264
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:872
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XLHUXeLY6tFA.bat" "
        23⤵
        
        PID:2480
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1088
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2012
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1668
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yiaxiHU27gKd.bat" "
        25⤵
        
        PID:3000
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1940
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1596
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wss6eudHC0VL.bat" "
        27⤵
        
        PID:2360
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1008
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1548
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AGINJ5LtVQDR.bat" "
        29⤵
        
        PID:1464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2712
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1712
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2652
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2AgYcSA8Rvlj.bat" "
        31⤵
        
        PID:2944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2812
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0izV3gWHC0xL.bat

Filesize
210B

MD5
d9e7e3e08952a991eb21fb952dba96d6

SHA1
446bc454d8432a1fa49c0aa339ef0c2215c3a5dc

SHA256
e468c4beeb7bf5e8a6091e2f1036273044b9e6d075e55c7be7411bad0cbef2b5

SHA512
f18326e105de366e992ea5212a7a4405ff9fa2d2974c85fb3783a32cbcecf83a0b81ce4be28f4c8b217e6fd18f1d7b98f994af2e5eba9339c5aa384857e4a158

Download Submit
C:\Users\Admin\AppData\Local\Temp\1NsGdSFEpIvs.bat

Filesize
210B

MD5
29a20bd937a322ee5d74c98f33ddc568

SHA1
36b4e3cbbf480d8730f3e7243fe1b70cc15f945e

SHA256
57e1a0d77a4ff422bdcf9467b835404eb4fb7f6df67e05d005168ad57cfb2c33

SHA512
d25488f118d5d659300b63efed483ee93f7fce70c52cdcf5cec340a08600472911a25ac7dbd4b3b52f8cfd735d337deb70f3fc7ad39d0b06264b5b1e1ecefae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2AgYcSA8Rvlj.bat

Filesize
210B

MD5
de311f57ac9aaf8c98af2d27b44b8008

SHA1
82bd92d56d59da8d20870eebdae1f9dc4c73e7cc

SHA256
55d9e2b6ae6ef66bd409ec92e4682dd1035e2b12e3bd22e2851b84f23e8abafd

SHA512
b459fda636eaf6b287325cb15ec810027dc66e1cda5838386c8008ddcf4e0de72889beb7d20b5be13fcd37400f724523002da363b93154429dd19bf7717a9710

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Licq5EKZyOu.bat

Filesize
210B

MD5
baf95e9ad68267ed1eee17742edcaee2

SHA1
5325c5e0537f9be6fbf904d614170325ad536036

SHA256
6b63795d3600d7d3be6312126f70896628209365901c2f9f8bc62f5800f8aad5

SHA512
a1bd335116406f476ab4ddfd7c32d293ea6305bc149f4be560dde4e7be24a059189ba0c6e8b3266360c72601e74bd26a5b4ef1a23718317d00f73ba030457449

Download Submit
C:\Users\Admin\AppData\Local\Temp\2RU12tVl3O7t.bat

Filesize
210B

MD5
f0f8f31809110ed34e313ec01d06f37e

SHA1
dd77879e1fc11098d4623c1b29e91464a62f8692

SHA256
5d442fa9ff135160be37f3b73f273e8f987aea39d06d3f7f38740de0a75f2157

SHA512
fb8a3ae0f7581a47b5dadc5cc06bfdb19f5600bcec6e867d7b25cb1e5d72286d4bc11ac9fc9bc01e860f32c7bd964a00b2676e72ea0d543af9340095ff715642

Download Submit
C:\Users\Admin\AppData\Local\Temp\3etZoM0LQodj.bat

Filesize
210B

MD5
4932fb5bd619b4d06a651772be237950

SHA1
2f3589fa691d376699c033033d91cbfd50e52d69

SHA256
151a6660b6d2b54807007e6e9927afde866402f3b09f6e277aa5098eabcd995f

SHA512
df1d15f3c0ac312b18edae36c72a9ef99eab1076cfefddaed65a4b54cdd36af615440e6b3f8cde0b03edfb24f7b83c600f2d2bd767ec9d74d5094a06c9516fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3iPAXPZMIxyt.bat

Filesize
210B

MD5
473d3c4c1b1377089e0f3a75812f4b99

SHA1
dff8c820d4a7e68b758771b6b277971d075f9df7

SHA256
8e13217e027a094ea3081328f3ff7cb3bc5ce372a11b703885c5aad791279149

SHA512
8c81d6cf51152ac66a1045c699232e4813ee67e9139af842cbaba49ef4b3237403435eafe0fe8ac905eb3a94c04dc91ba73406cb7a2a8cc9b5fae7ad5bd8af47

Download Submit
C:\Users\Admin\AppData\Local\Temp\AGINJ5LtVQDR.bat

Filesize
210B

MD5
5f480cb14589a678ad80ec146b4bc56b

SHA1
6679ad7496aa5ebbd415275241fd2d766d0e6add

SHA256
43cc68395e38545eb2184739de2ea856c7abc8475935837f218c10ca36d6db46

SHA512
1efe99d17144036155230e27aa0162994d9662e14ac5e8052b3748f536ff45d552ed49076de8d1b0a791455a0447631ce77a128b6444191c925958304c5b2254

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEZPvjbVwYHz.bat

Filesize
210B

MD5
e7bd4569f852baa6d9cf7752cf744f14

SHA1
3f16387ed515ccd672ed49fb8f7e4252285fda25

SHA256
964c4b41145311dbb3bbc986a98055c31e3e5d93f2c20268b2cb77e983f85c34

SHA512
7b5ca13bbb6c75c696a47cb034552501de2b4a46dd29585cc065b4627f18774ef918ec5ce7f6d442d4502223a40792b49a36ac631af04bd5bc02ba35071a1c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\U4m659d9O5eh.bat

Filesize
210B

MD5
4a0d9e427e7551d4bd15d0d908449cd5

SHA1
a50cf127bf3dd598c5aef940d35f19d1e78c66f8

SHA256
c363077a4ca65a008364083ee0cfbd46ce0845df111c476a76494e7f69ea068c

SHA512
76e2b9f95a4a5dd9c7573af958d53991aed22524ab5d76ccd61200ffd797a9e2fe61fd1d0f1718739e37cbd4444e49553905ff9bbf44e2f0652bfcca024d864b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XLHUXeLY6tFA.bat

Filesize
210B

MD5
444efc31956cab1543f3dd2ec7ea802f

SHA1
25e6fd6c8c35c79c44e1cecc47438a000d6c3a53

SHA256
5ca5423769cd0d3c70aacc2e6f98fa3a16e21e2147f34b8f14b7e6466aad3687

SHA512
833025c4c5c9e6da9b1294a4644afce425d98c9081a24a214cb5c2937d67ac196561d49bf33466ffd82ee99b5484fab48fbd8a8e37999dbbda43d5aeb40ef9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\amDI5T1ZESdB.bat

Filesize
210B

MD5
3733056485b39b2ffd259461f5cca476

SHA1
12e4823566a3e39fdcef14653d411bc69b03aa30

SHA256
9f8821e18fea1c784c2b64581819a661bd6d0407b0db756d4a13a74a9f23ca8c

SHA512
7e46e7a434e5ec1f08b4288b8117a9b94012e25478b92a61886ba917d511cc07a1a6d974d75f88dcc3e1da6c1d866b57df0cedc11b314a5a81fd69d3896d8ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wss6eudHC0VL.bat

Filesize
210B

MD5
e6841707aeb11d0f7dcc189e4da669ec

SHA1
9dca0196d78271e835b6c37485be22908f04e28f

SHA256
53c34dce3427fb695043ac1965c4643cf9070f8be35770fc7e019a0228da6dd7

SHA512
d2a95d3372d9a435c3eac5cba6736dca2346c819edd809ad1fc094d3c94282abc954599bf18db4b01206298a78775265f8f0baa914ea0fe1216ebe66789442ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\xYLBnscBbPHN.bat

Filesize
210B

MD5
4fb7ce0cc36b6dacb87e9f8b7a569bfd

SHA1
dc847dbad3d625d260fe7d077ed7890ef4f5007e

SHA256
38be4f920cd6539a921269a8f5b8e49306ff98b0d999fe9775892e790abc4a09

SHA512
a7f18b2c7e5263cd93b89e7a4c5ff26314055709c5f185434e94bf2837001442c5fd62e4efa829cbe5059eb1f6ebd7dd2877b57a30349abe22bc6c0234e63c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yiaxiHU27gKd.bat

Filesize
210B

MD5
477692a71bfe216008e5c98a296a05a4

SHA1
262d488ffd4b90b34db93dfc709ddef74e505f8d

SHA256
838c88e19837a88ed418e7b13fdd0b9c33cd4c21892f441c9d7ebd16eb21ec86

SHA512
78467b70b8d592504fccd83403f1f3b6e977149945f65c69dfc8a6c56f8fc65ccf5fbc4a6d7d3ae82e27b4a02f78ef52532f97c4776449edce08a51ad33051a8

Download Submit
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

Filesize
3.1MB

MD5
a813f565b05ee9df7e5db8dbbcc0fa43

SHA1
f508e738705163233b29ba54f4cb5ec4583d8df1

SHA256
ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156

SHA512
adb431c372c2e1d0f6019bedefe16a2253fcf76929ba7e2b9f9cc7a253137920615121a1a64f7003a43f39e8b17ace233daca32b2933b6953aa6cf558b834e2e

Download Submit
memory/1536-66-0x0000000000870000-0x0000000000B94000-memory.dmp

Filesize
3.1MB

Download
memory/1608-54-0x00000000000A0000-0x00000000003C4000-memory.dmp

Filesize
3.1MB

Download
memory/1920-110-0x0000000001270000-0x0000000001594000-memory.dmp

Filesize
3.1MB

Download
memory/2196-2-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-7-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-1-0x00000000010B0000-0x00000000013D4000-memory.dmp

Filesize
3.1MB

Download
memory/2196-0-0x000007FEF5A23000-0x000007FEF5A24000-memory.dmp

Filesize
4KB

Download
memory/2472-77-0x0000000000D90000-0x00000000010B4000-memory.dmp

Filesize
3.1MB

Download
memory/2652-10-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2652-20-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2652-9-0x0000000000E50000-0x0000000001174000-memory.dmp

Filesize
3.1MB

Download
memory/2652-8-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-89-0x0000000001150000-0x0000000001474000-memory.dmp

Filesize
3.1MB

Download
memory/2896-33-0x00000000011B0000-0x00000000014D4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads