quasar | ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe
Size

3.1MB
MD5

a813f565b05ee9df7e5db8dbbcc0fa43
SHA1

f508e738705163233b29ba54f4cb5ec4583d8df1
SHA256

ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156
SHA512

adb431c372c2e1d0f6019bedefe16a2253fcf76929ba7e2b9f9cc7a253137920615121a1a64f7003a43f39e8b17ace233daca32b2933b6953aa6cf558b834e2e
SSDEEP

98304:aydj2yMy5en93hlLLzJjVrv3zs9Yv+Wcvy:pLYvzs9Yv+Wcv

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

microsoftsys.ddns.net:4782

Mutex

67e0653d-eedf-4888-88ab-78e97eb2df27

Attributes

encryption_key
23E5F6D22FEE1750D36544A759A48349B064BC34
install_name
PerfWatson1.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhost
subdirectory
KDOT

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/536-1-0x0000000000220000-0x0000000000544000-memory.dmp	family_quasar
behavioral2/files/0x000400000001e4e1-5.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PerfWatson1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PerfWatson1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PerfWatson1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PerfWatson1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PerfWatson1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PerfWatson1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PerfWatson1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PerfWatson1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PerfWatson1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PerfWatson1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PerfWatson1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PerfWatson1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PerfWatson1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PerfWatson1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	PerfWatson1.exe

Executes dropped EXE 15 IoCs

pid	Process
5060	PerfWatson1.exe
1712	PerfWatson1.exe
2148	PerfWatson1.exe
4124	PerfWatson1.exe
1292	PerfWatson1.exe
1568	PerfWatson1.exe
1372	PerfWatson1.exe
2376	PerfWatson1.exe
2324	PerfWatson1.exe
4700	PerfWatson1.exe
4692	PerfWatson1.exe
4696	PerfWatson1.exe
4852	PerfWatson1.exe
3512	PerfWatson1.exe
2560	PerfWatson1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
544	PING.EXE
552	PING.EXE
4232	PING.EXE
3240	PING.EXE
844	PING.EXE
4788	PING.EXE
2884	PING.EXE
3516	PING.EXE
1532	PING.EXE
3664	PING.EXE
732	PING.EXE
1308	PING.EXE
4700	PING.EXE
1052	PING.EXE
1972	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1308	PING.EXE
2884	PING.EXE
844	PING.EXE
4232	PING.EXE
3516	PING.EXE
544	PING.EXE
1052	PING.EXE
552	PING.EXE
1532	PING.EXE
732	PING.EXE
3240	PING.EXE
4788	PING.EXE
1972	PING.EXE
3664	PING.EXE
4700	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
512	schtasks.exe
1140	schtasks.exe
2304	schtasks.exe
372	schtasks.exe
3388	schtasks.exe
2292	schtasks.exe
1312	schtasks.exe
1056	schtasks.exe
3972	schtasks.exe
732	schtasks.exe
2168	schtasks.exe
2768	schtasks.exe
3516	schtasks.exe
4428	schtasks.exe
2180	schtasks.exe
5096	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	536	ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe
Token: SeDebugPrivilege	5060	PerfWatson1.exe
Token: SeDebugPrivilege	1712	PerfWatson1.exe
Token: SeDebugPrivilege	2148	PerfWatson1.exe
Token: SeDebugPrivilege	4124	PerfWatson1.exe
Token: SeDebugPrivilege	1292	PerfWatson1.exe
Token: SeDebugPrivilege	1568	PerfWatson1.exe
Token: SeDebugPrivilege	1372	PerfWatson1.exe
Token: SeDebugPrivilege	2376	PerfWatson1.exe
Token: SeDebugPrivilege	2324	PerfWatson1.exe
Token: SeDebugPrivilege	4700	PerfWatson1.exe
Token: SeDebugPrivilege	4692	PerfWatson1.exe
Token: SeDebugPrivilege	4696	PerfWatson1.exe
Token: SeDebugPrivilege	4852	PerfWatson1.exe
Token: SeDebugPrivilege	3512	PerfWatson1.exe
Token: SeDebugPrivilege	2560	PerfWatson1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5060	PerfWatson1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 1056	536	ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe	85
PID 536 wrote to memory of 1056	536	ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe	85
PID 536 wrote to memory of 5060	536	ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe	87
PID 536 wrote to memory of 5060	536	ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe	87
PID 5060 wrote to memory of 3516	5060	PerfWatson1.exe	88
PID 5060 wrote to memory of 3516	5060	PerfWatson1.exe	88
PID 5060 wrote to memory of 4528	5060	PerfWatson1.exe	90
PID 5060 wrote to memory of 4528	5060	PerfWatson1.exe	90
PID 4528 wrote to memory of 1632	4528	cmd.exe	93
PID 4528 wrote to memory of 1632	4528	cmd.exe	93
PID 4528 wrote to memory of 4788	4528	cmd.exe	94
PID 4528 wrote to memory of 4788	4528	cmd.exe	94
PID 4528 wrote to memory of 1712	4528	cmd.exe	102
PID 4528 wrote to memory of 1712	4528	cmd.exe	102
PID 1712 wrote to memory of 3972	1712	PerfWatson1.exe	105
PID 1712 wrote to memory of 3972	1712	PerfWatson1.exe	105
PID 1712 wrote to memory of 4568	1712	PerfWatson1.exe	108
PID 1712 wrote to memory of 4568	1712	PerfWatson1.exe	108
PID 4568 wrote to memory of 4196	4568	cmd.exe	110
PID 4568 wrote to memory of 4196	4568	cmd.exe	110
PID 4568 wrote to memory of 2884	4568	cmd.exe	111
PID 4568 wrote to memory of 2884	4568	cmd.exe	111
PID 4568 wrote to memory of 2148	4568	cmd.exe	117
PID 4568 wrote to memory of 2148	4568	cmd.exe	117
PID 2148 wrote to memory of 732	2148	PerfWatson1.exe	118
PID 2148 wrote to memory of 732	2148	PerfWatson1.exe	118
PID 2148 wrote to memory of 1232	2148	PerfWatson1.exe	121
PID 2148 wrote to memory of 1232	2148	PerfWatson1.exe	121
PID 1232 wrote to memory of 2068	1232	cmd.exe	123
PID 1232 wrote to memory of 2068	1232	cmd.exe	123
PID 1232 wrote to memory of 1052	1232	cmd.exe	124
PID 1232 wrote to memory of 1052	1232	cmd.exe	124
PID 1232 wrote to memory of 4124	1232	cmd.exe	128
PID 1232 wrote to memory of 4124	1232	cmd.exe	128
PID 4124 wrote to memory of 2304	4124	PerfWatson1.exe	129
PID 4124 wrote to memory of 2304	4124	PerfWatson1.exe	129
PID 4124 wrote to memory of 3088	4124	PerfWatson1.exe	132
PID 4124 wrote to memory of 3088	4124	PerfWatson1.exe	132
PID 3088 wrote to memory of 4372	3088	cmd.exe	134
PID 3088 wrote to memory of 4372	3088	cmd.exe	134
PID 3088 wrote to memory of 552	3088	cmd.exe	135
PID 3088 wrote to memory of 552	3088	cmd.exe	135
PID 3088 wrote to memory of 1292	3088	cmd.exe	137
PID 3088 wrote to memory of 1292	3088	cmd.exe	137
PID 1292 wrote to memory of 512	1292	PerfWatson1.exe	138
PID 1292 wrote to memory of 512	1292	PerfWatson1.exe	138
PID 1292 wrote to memory of 3508	1292	PerfWatson1.exe	141
PID 1292 wrote to memory of 3508	1292	PerfWatson1.exe	141
PID 3508 wrote to memory of 5048	3508	cmd.exe	143
PID 3508 wrote to memory of 5048	3508	cmd.exe	143
PID 3508 wrote to memory of 1972	3508	cmd.exe	144
PID 3508 wrote to memory of 1972	3508	cmd.exe	144
PID 3508 wrote to memory of 1568	3508	cmd.exe	145
PID 3508 wrote to memory of 1568	3508	cmd.exe	145
PID 1568 wrote to memory of 4428	1568	PerfWatson1.exe	146
PID 1568 wrote to memory of 4428	1568	PerfWatson1.exe	146
PID 1568 wrote to memory of 408	1568	PerfWatson1.exe	149
PID 1568 wrote to memory of 408	1568	PerfWatson1.exe	149
PID 408 wrote to memory of 3444	408	cmd.exe	151
PID 408 wrote to memory of 3444	408	cmd.exe	151
PID 408 wrote to memory of 844	408	cmd.exe	152
PID 408 wrote to memory of 844	408	cmd.exe	152
PID 408 wrote to memory of 1372	408	cmd.exe	153
PID 408 wrote to memory of 1372	408	cmd.exe	153

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe
"C:\Users\Admin\AppData\Local\Temp\ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1056
- C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y19SwqOyoimh.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1632
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4788
  - - C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
      "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3972
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGCoeWG4ShEH.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4568
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4196
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2884
      - C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kFmnkDVvnsS1.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2068
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1052
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9zkjf1Xfg2GS.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:552
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P0wzOJ0FF7JI.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:5048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1972
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqS1NLQz4ulx.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3444
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:844
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SFaVZc8SIBYk.bat" "
        15⤵
        
        PID:3992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4332
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4232
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xxzX2mDP41Gz.bat" "
        17⤵
        
        PID:1124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4376
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3516
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EDz7gDFrDjpJ.bat" "
        19⤵
        
        PID:4688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3076
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1532
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4700
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zgs1BvoS6eWc.bat" "
        21⤵
        
        PID:2668
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3664
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4692
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2nIP4X5ywEmS.bat" "
        23⤵
        
        PID:2400
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:544
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4696
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\I3G1cGRi9NQ9.bat" "
        25⤵
        
        PID:5068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4332
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:732
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4852
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2292
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W3dY2xaI5oAN.bat" "
        27⤵
        
        PID:5076
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3248
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3240
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3512
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wL5l23D4Wn4H.bat" "
        29⤵
        
        PID:3608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2692
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1308
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEazxGFDJ7e3.bat" "
        31⤵
        
        PID:4076
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1876
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PerfWatson1.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2nIP4X5ywEmS.bat

Filesize
210B

MD5
4f9687a101378217922f0170382fcd25

SHA1
128c025bdaa6f05e272093987df45643d0cf9da4

SHA256
b66f137f0d624417cd12562a65f2c4735e549a95d2f2b752edfd34dbfe13f40d

SHA512
b4ed07c04596a6079d6e32ab98ff913340ca10b7bf6068084be80886a575431d858f8b3b8f564ba2dcd41646dd4e772532ee0a570b396045baf033acc7bf3327

Download Submit
C:\Users\Admin\AppData\Local\Temp\9zkjf1Xfg2GS.bat

Filesize
210B

MD5
82f26b33fe9fdaf3d4003d75752fe4cf

SHA1
9cb605b87a3e56f969e27b0d1f9fecfc68e7c5af

SHA256
3be5bbb061c226c416e52bb20e9cb7fe4da08f52dc1a7b1f8c1620fa89ac8aa8

SHA512
85e4e6cd57eadd09b4fc4d8f499b4e24db5c75dd6440af2f12bed4019119ff28a055c144306652559e977d24ae58f358303fd66890aacaabe1a762a7917c4359

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDz7gDFrDjpJ.bat

Filesize
210B

MD5
a1f6b2466673a72150cdcc99b5330ee8

SHA1
3e0d568c09a710e7628412bf2a9753c6f2731334

SHA256
e543174c979e563a1c98a5cc109013033f124843479ce3539a5f665bb0054c0a

SHA512
91106ae63e2d9f54832d8b89dbc415722c0abf654ec4603f41af465350bfe18917710c716ffd3b24b1b021504b1c33ef1be6bdd85d6aa2a7ea49d8f932c63724

Download Submit
C:\Users\Admin\AppData\Local\Temp\I3G1cGRi9NQ9.bat

Filesize
210B

MD5
8146daa5d05ee91921f526f499e3d2f0

SHA1
5f9112766cacca32259a3bf49da7af07c159d27d

SHA256
a14ff1d6c63684b8394e1daa51210bae328b50410f2f0707542f351198d382e3

SHA512
841fccd067856ed3fd004a9ba08dc444bdeb9f748f8199326171b078efe0a2ef39396b9898852a0a66253b669b302cb9e472e7f159c0999e053191e52a7c8626

Download Submit
C:\Users\Admin\AppData\Local\Temp\P0wzOJ0FF7JI.bat

Filesize
210B

MD5
9cc56b76a1f3c6c9346a12829ae458db

SHA1
38a5ad6f64d3ac843b45a1f5ff73d7da9f911459

SHA256
64d046ef14155ab86ed193373c576ff0731d8ae6810f26035c3222f9f0025409

SHA512
3eab6b173d9bf8171bd040424b5cbe430c6e81073f0b7bfec641aeda83d0aa4186a01e7ec6363951157c033a37df954283061699f02b614af0e4545a3016433f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SFaVZc8SIBYk.bat

Filesize
210B

MD5
e42c7046752801cec95bee90c1057dcb

SHA1
0615253a4aabe64c218f9436171027e774cd12f2

SHA256
5958b600359e5300dead673c4455d669a0c66b2ba2a5f3234f5d3f2a70d0493e

SHA512
f6cf5ba7daf02cc500c2a09d4d611732ee762e5297b2f2afec07b091e92495f25046f03206169b5a6a93bfabbe0bfe13f2b3bd733fb4c696e971573c5306b14c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zgs1BvoS6eWc.bat

Filesize
210B

MD5
f11ecf84f9ae8505a9f72111ce07e1aa

SHA1
5dfabb3989a3ea70ab05bb6946c65f8088204e88

SHA256
db4e6a98d30f8cbec875c1758959029bc778190af2d93584a2a797fe2fb7b2ad

SHA512
097fd9bfe1b82af3bcc099112270adf1ddcc659c35e17dacadb72edc8041a59bc2a866ebdaebcae99bc5cd45752f0facf156c300297a572a8f5ec6c4061383a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fqS1NLQz4ulx.bat

Filesize
210B

MD5
d2011ca96e9305dbbd0b8045ae477f7d

SHA1
91f26f0ab9325b4f0933eb3bf4663eb4ccd53fd1

SHA256
9800e2abf4a90c000dda9032abaec36be3077bd3acee155b8b652db8a81e7184

SHA512
f1ce2ce5e8e9130c8e9ea6846c6389cc1ca728cb723844b845cca692143cba64b8b2caed0a28c0e5ee8d4824feff65077973e2d2d8f7cb20af874a37faea8c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\kFmnkDVvnsS1.bat

Filesize
210B

MD5
318249c531b885b4f7368ca7619a7229

SHA1
7940068227cedbf5ec65c2fad23e2135acbedf25

SHA256
ce28b92d83d7462813e9205993e9efba7383dd137f3fc377c66a31d0911619d7

SHA512
6c6e2f2fe9d356c0f50584be33d46746d0b33040e61fc0c2a3a45980dae4130677684395a404b5fd438d18deba2842ae23c498dc86ca32a655c0704e1437d0aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEazxGFDJ7e3.bat

Filesize
210B

MD5
30f74f7650fbea8966e54f8f2a470713

SHA1
8fc95ef37ad855fef228d46726a93098cdd9405b

SHA256
e42d41616f87d523d478342b8995132457a707eefeaf4ef435f3cfda06c68927

SHA512
5109a630ac8d205672a74d673b6400719ecf45b4724e1986c0e381c7ae8ebeee73626358fdea5aec502c4d134a1cbc47cad91a29b11a461e37f24c30235a530e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wL5l23D4Wn4H.bat

Filesize
210B

MD5
b2ce82cc96ee9c9ca93dbe3ec9609520

SHA1
948bdd98e4f5d724b3706de71207f16f45b67030

SHA256
5a73168be26c06c485523ce9497d1c9a1cc6a2a4dc8c8637b1c9bb6494120875

SHA512
a0b207d6a71b4903a4c690a96c35450ce242d7ec99daffefcbbc3bd88763d051afcb104f659f822baa202df81a147ac9d05da49e06257443a9d5bc4d97bbd200

Download Submit
C:\Users\Admin\AppData\Local\Temp\xxzX2mDP41Gz.bat

Filesize
210B

MD5
26a4a48175785a199b6769c28613e100

SHA1
67bafcd23479d4ec922dc816229947aaeaf04f8a

SHA256
8f2648e488ac2f1c93f7f17a8342bfc105846b0958e49357e9f5909c01b2984b

SHA512
456853544bd0797d3ad75dd7b19db6e5a2b40a725e82a2d1031b825fc9ece17ef2a11120baa94724109b355474e41dc41824d9dd8a0cc95e105bbb8969cfe519

Download Submit
C:\Users\Admin\AppData\Local\Temp\y19SwqOyoimh.bat

Filesize
210B

MD5
a54ba9802f8b126a7fb247b150bcf8a3

SHA1
353c3c2adec28e37220ae7395874b89de79897e9

SHA256
79793af3667448b41bff3b9d5bf04051de3cf3b80059ee58f458359863148cd9

SHA512
3c64ee4d4c1c1486c466ba75fb556fc020461ed9fc62ecda3d4ac98487de28a1c262e86a3ee85472a29620cec6d6131dde383114ad2d0824b52a56f7be750d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yGCoeWG4ShEH.bat

Filesize
210B

MD5
a8d7e854910e1310cb29dcfdd0670310

SHA1
f4d0a7c1d3fcdd8d8dd4a0dcb9f75bd469c4052a

SHA256
fcb9faa7afba0bac7fce4dfccdb8d3caef96fdd5c0f7fcc61d95a0a993e34bf8

SHA512
a06113ebc44d856dad20bceb7722a254aa9e94eb4fd10fcaafd1687af56726adafb65af5b50dda5a404136b57a958b1f519c7d9aaadc1debd1f1224d5034be40

Download Submit
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

Filesize
3.1MB

MD5
a813f565b05ee9df7e5db8dbbcc0fa43

SHA1
f508e738705163233b29ba54f4cb5ec4583d8df1

SHA256
ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156

SHA512
adb431c372c2e1d0f6019bedefe16a2253fcf76929ba7e2b9f9cc7a253137920615121a1a64f7003a43f39e8b17ace233daca32b2933b6953aa6cf558b834e2e

Download Submit
memory/536-0-0x00007FFA89BB3000-0x00007FFA89BB5000-memory.dmp

Filesize
8KB

Download
memory/536-8-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

Filesize
10.8MB

Download
memory/536-2-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

Filesize
10.8MB

Download
memory/536-1-0x0000000000220000-0x0000000000544000-memory.dmp

Filesize
3.1MB

Download
memory/5060-17-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

Filesize
10.8MB

Download
memory/5060-12-0x000000001B910000-0x000000001B9C2000-memory.dmp

Filesize
712KB

Download
memory/5060-11-0x000000001B800000-0x000000001B850000-memory.dmp

Filesize
320KB

Download
memory/5060-10-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

Filesize
10.8MB

Download
memory/5060-9-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads