quasar | 033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea

Analysis

max time kernel
142s
max time network
123s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe
Size

3.1MB
MD5

82222cff36f2c338159b23a7f18a4815
SHA1

8beccbb99e38248a080d5de1de8d87617ca428c2
SHA256

033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea
SHA512

ed1a66e9d925291b14131b129e28e02494d6a174b3abde8d724d35a502f805ef472e5a780d37ce0ed2548a5f7071afbccbbd769ff938e04458d7eb409371ef55
SSDEEP

49152:qUd1/DM2zv8aMlqCPwln5+Hjdh+EuvQ1VeiroGnGTHHB72eh2NTe:qUPrM2zEaMlqCPwln5+Ddh+Zvus

Score

10^/10

quasar rat1 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

rat1

unitedrat.ddns.net:4782

Mutex

5100ab61-a5a5-407f-af55-9e7766b9d637

Attributes

encryption_key
AB7A97D9E0F9B0A44190A0D500EAB7AF37629802
install_name
System32.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System32
subdirectory
System32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 10 IoCs

resource	yara_rule
behavioral1/memory/2408-1-0x0000000000050000-0x0000000000374000-memory.dmp	family_quasar
behavioral1/files/0x0008000000015d0e-5.dat	family_quasar
behavioral1/memory/688-8-0x0000000001170000-0x0000000001494000-memory.dmp	family_quasar
behavioral1/memory/2956-22-0x00000000002C0000-0x00000000005E4000-memory.dmp	family_quasar
behavioral1/memory/1288-33-0x0000000000040000-0x0000000000364000-memory.dmp	family_quasar
behavioral1/memory/1592-44-0x0000000000C10000-0x0000000000F34000-memory.dmp	family_quasar
behavioral1/memory/556-55-0x0000000000FD0000-0x00000000012F4000-memory.dmp	family_quasar
behavioral1/memory/296-76-0x0000000000010000-0x0000000000334000-memory.dmp	family_quasar
behavioral1/memory/580-87-0x0000000000E70000-0x0000000001194000-memory.dmp	family_quasar
behavioral1/memory/2828-158-0x00000000002B0000-0x00000000005D4000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
688	System32.exe
2956	System32.exe
1288	System32.exe
1592	System32.exe
556	System32.exe
884	System32.exe
296	System32.exe
580	System32.exe
2740	System32.exe
1664	System32.exe
2592	System32.exe
2236	System32.exe
576	System32.exe
696	System32.exe
2828	System32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2292	PING.EXE
2844	PING.EXE
2500	PING.EXE
1000	PING.EXE
1044	PING.EXE
1988	PING.EXE
2776	PING.EXE
284	PING.EXE
2256	PING.EXE
1648	PING.EXE
2844	PING.EXE
2484	PING.EXE
1432	PING.EXE
2516	PING.EXE
2400	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2484	PING.EXE
2292	PING.EXE
2516	PING.EXE
2844	PING.EXE
2400	PING.EXE
2776	PING.EXE
2844	PING.EXE
284	PING.EXE
1000	PING.EXE
2500	PING.EXE
2256	PING.EXE
1648	PING.EXE
1044	PING.EXE
1988	PING.EXE
1432	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2996	schtasks.exe
324	schtasks.exe
2820	schtasks.exe
2868	schtasks.exe
324	schtasks.exe
3032	schtasks.exe
2480	schtasks.exe
1400	schtasks.exe
2780	schtasks.exe
2108	schtasks.exe
1536	schtasks.exe
676	schtasks.exe
2052	schtasks.exe
612	schtasks.exe
2020	schtasks.exe
612	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe
Token: SeDebugPrivilege	688	System32.exe
Token: SeDebugPrivilege	2956	System32.exe
Token: SeDebugPrivilege	1288	System32.exe
Token: SeDebugPrivilege	1592	System32.exe
Token: SeDebugPrivilege	556	System32.exe
Token: SeDebugPrivilege	884	System32.exe
Token: SeDebugPrivilege	296	System32.exe
Token: SeDebugPrivilege	580	System32.exe
Token: SeDebugPrivilege	2740	System32.exe
Token: SeDebugPrivilege	1664	System32.exe
Token: SeDebugPrivilege	2592	System32.exe
Token: SeDebugPrivilege	2236	System32.exe
Token: SeDebugPrivilege	576	System32.exe
Token: SeDebugPrivilege	696	System32.exe
Token: SeDebugPrivilege	2828	System32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 1536	2408	033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe	30
PID 2408 wrote to memory of 1536	2408	033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe	30
PID 2408 wrote to memory of 1536	2408	033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe	30
PID 2408 wrote to memory of 688	2408	033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe	32
PID 2408 wrote to memory of 688	2408	033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe	32
PID 2408 wrote to memory of 688	2408	033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe	32
PID 688 wrote to memory of 2480	688	System32.exe	33
PID 688 wrote to memory of 2480	688	System32.exe	33
PID 688 wrote to memory of 2480	688	System32.exe	33
PID 688 wrote to memory of 2980	688	System32.exe	35
PID 688 wrote to memory of 2980	688	System32.exe	35
PID 688 wrote to memory of 2980	688	System32.exe	35
PID 2980 wrote to memory of 2968	2980	cmd.exe	37
PID 2980 wrote to memory of 2968	2980	cmd.exe	37
PID 2980 wrote to memory of 2968	2980	cmd.exe	37
PID 2980 wrote to memory of 2844	2980	cmd.exe	38
PID 2980 wrote to memory of 2844	2980	cmd.exe	38
PID 2980 wrote to memory of 2844	2980	cmd.exe	38
PID 2980 wrote to memory of 2956	2980	cmd.exe	40
PID 2980 wrote to memory of 2956	2980	cmd.exe	40
PID 2980 wrote to memory of 2956	2980	cmd.exe	40
PID 2956 wrote to memory of 2996	2956	System32.exe	41
PID 2956 wrote to memory of 2996	2956	System32.exe	41
PID 2956 wrote to memory of 2996	2956	System32.exe	41
PID 2956 wrote to memory of 2432	2956	System32.exe	43
PID 2956 wrote to memory of 2432	2956	System32.exe	43
PID 2956 wrote to memory of 2432	2956	System32.exe	43
PID 2432 wrote to memory of 2352	2432	cmd.exe	45
PID 2432 wrote to memory of 2352	2432	cmd.exe	45
PID 2432 wrote to memory of 2352	2432	cmd.exe	45
PID 2432 wrote to memory of 1432	2432	cmd.exe	46
PID 2432 wrote to memory of 1432	2432	cmd.exe	46
PID 2432 wrote to memory of 1432	2432	cmd.exe	46
PID 2432 wrote to memory of 1288	2432	cmd.exe	47
PID 2432 wrote to memory of 1288	2432	cmd.exe	47
PID 2432 wrote to memory of 1288	2432	cmd.exe	47
PID 1288 wrote to memory of 1400	1288	System32.exe	48
PID 1288 wrote to memory of 1400	1288	System32.exe	48
PID 1288 wrote to memory of 1400	1288	System32.exe	48
PID 1288 wrote to memory of 1384	1288	System32.exe	50
PID 1288 wrote to memory of 1384	1288	System32.exe	50
PID 1288 wrote to memory of 1384	1288	System32.exe	50
PID 1384 wrote to memory of 1972	1384	cmd.exe	52
PID 1384 wrote to memory of 1972	1384	cmd.exe	52
PID 1384 wrote to memory of 1972	1384	cmd.exe	52
PID 1384 wrote to memory of 284	1384	cmd.exe	53
PID 1384 wrote to memory of 284	1384	cmd.exe	53
PID 1384 wrote to memory of 284	1384	cmd.exe	53
PID 1384 wrote to memory of 1592	1384	cmd.exe	54
PID 1384 wrote to memory of 1592	1384	cmd.exe	54
PID 1384 wrote to memory of 1592	1384	cmd.exe	54
PID 1592 wrote to memory of 324	1592	System32.exe	55
PID 1592 wrote to memory of 324	1592	System32.exe	55
PID 1592 wrote to memory of 324	1592	System32.exe	55
PID 1592 wrote to memory of 2728	1592	System32.exe	57
PID 1592 wrote to memory of 2728	1592	System32.exe	57
PID 1592 wrote to memory of 2728	1592	System32.exe	57
PID 2728 wrote to memory of 2280	2728	cmd.exe	59
PID 2728 wrote to memory of 2280	2728	cmd.exe	59
PID 2728 wrote to memory of 2280	2728	cmd.exe	59
PID 2728 wrote to memory of 2256	2728	cmd.exe	60
PID 2728 wrote to memory of 2256	2728	cmd.exe	60
PID 2728 wrote to memory of 2256	2728	cmd.exe	60
PID 2728 wrote to memory of 556	2728	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe
"C:\Users\Admin\AppData\Local\Temp\033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1536
- C:\Users\Admin\AppData\Roaming\System32\System32.exe
  "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:688
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2480
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\bcvZHN69HyK2.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2968
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2844
  - - C:\Users\Admin\AppData\Roaming\System32\System32.exe
      "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2996
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MagSZQ1alKMq.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2432
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2352
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1432
      - C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1400
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\G7riIPDB7zlF.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1972
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:284
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:324
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eLiDGrvbsz7Z.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2280
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2256
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:556
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2780
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QYEV4prNWaA7.bat" "
        11⤵
        
        PID:988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2292
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:612
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DVZve5khBKG1.bat" "
        13⤵
        
        PID:3068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:296
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2108
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\n3OVIhIc63vZ.bat" "
        15⤵
        
        PID:2608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2516
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2820
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LEa57MHCs8bD.bat" "
        17⤵
        
        PID:2724
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2180
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2844
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2868
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2feDGxHgzaaH.bat" "
        19⤵
        
        PID:2696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:316
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2400
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2020
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RhjSYsG9qeSS.bat" "
        21⤵
        
        PID:1244
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1748
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1000
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:324
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\E75TDbUiFV6q.bat" "
        23⤵
        
        PID:3012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2288
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1044
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:676
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zqAPIaXTlulS.bat" "
        25⤵
        
        PID:1336
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2272
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1988
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:612
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AYsosSSb06EL.bat" "
        27⤵
        
        PID:2112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2188
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2776
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:696
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3032
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NW6Dpb1NXkRC.bat" "
        29⤵
        
        PID:296
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2560
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2484
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2052
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DQYD3offHX53.bat" "
        31⤵
        
        PID:2412
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:320
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2feDGxHgzaaH.bat

Filesize
211B

MD5
bc542433785139f8d3945a12467afc5a

SHA1
f8d01802858655663b57df92a37e947bf836581d

SHA256
678024af52b83eb7c397bd2e1cefa18381121f15897d8e6df00b976404abb759

SHA512
a4f03e77f5937bb665ddc53b56d39837b6197c80446f0795b4b9040b500b36b54dafe35139eb4b1ce4e0915e1e7dff287aef4a6cab8d9992745690a31af6a75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYsosSSb06EL.bat

Filesize
211B

MD5
aa67f9cc221b9d3b0f754e2bd03b0aed

SHA1
a25bb9776db00bce3fc3fe1c06ec3402c4227d12

SHA256
246a3f1ea5aee422d81a5323420f8053d8548e5d969529c01296c0b70d1041ac

SHA512
f854f7bc6f40710fe76f4f15fa49ba240593877e02fa47039a44bbb6c24182ee3744c468cb1dac72e3eff9c7c78a324fcda68ba99c6efbe73db0f04d6c48f465

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQYD3offHX53.bat

Filesize
211B

MD5
c4b867acff2cd90bc65aa35b6987a199

SHA1
5eab48b46b66be17a9fbd9dfb3bb557cd3100dab

SHA256
b830af4d15efafa18fb872282cacfc88ff13ac5b958683cad0b9c13f4c153dd3

SHA512
77e6dc48df0a9706babb8676c3eab9e65155c612c2241f5f8303069c70b4c05f675e428be22555ca10209290f93fb31af525451265b976d7bb182630800d4656

Download Submit
C:\Users\Admin\AppData\Local\Temp\DVZve5khBKG1.bat

Filesize
211B

MD5
f3cfc391b9fce335609e10f1670cb457

SHA1
4c002f0ac2119b644a0696a28391facb40e46120

SHA256
cfb80105e3727b9819235f2218f5d3737ccb71fc43568aac3e5435806917f822

SHA512
4d347462bbe54631cc0652c61e1defafb1e34f0f02235a43978f78443875af1475ec4cd7f2d22484cda45ab97a0d8334eb01dffeca609a421bc88b6d951fcd12

Download Submit
C:\Users\Admin\AppData\Local\Temp\E75TDbUiFV6q.bat

Filesize
211B

MD5
3c4dd2ccb6ee4cdba2be758935f964e3

SHA1
ccd8c03380c8c6a2ec2415de298862c5579b0dbf

SHA256
eaea75dc3d15ac4c17ca6835859fcc534260d0321771701d2fa912d57f96c800

SHA512
b3cbbc8c2c0f44b8920e51c4a2cdf208ce528a1b85f7202341922ece7f42e09684256ae618cdd28a79491534800b999886ce27cb70f0f729a51051d4be216f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\G7riIPDB7zlF.bat

Filesize
211B

MD5
9bb8178e59883d396686f20dd39e98fb

SHA1
9367ce647e2680a11a58124f08a637e4c3dab662

SHA256
a8341f4c65e7de92fec93cf7eaadfff9c4dfcd9e81b1ed409e78dadc767987d0

SHA512
980dfd0cad7f97e4527220c2e547e55161099dd2d81d2005fcb6730263cd4a9e0372f53303f584e3f3eb8b77156c5f020de4482b5bafb226e551cfc8a2050219

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEa57MHCs8bD.bat

Filesize
211B

MD5
9d43a04867b7cae9a3e648bb146e146f

SHA1
b64f3b3d38f36bbcd8fde30800eccd3be1266f8e

SHA256
7cc465554f7f4616d8a2a87f6d64505b420164aa6dbc41d3f2b5b3cd9eb9827d

SHA512
1af31e15ecfd67b1c51f82c84f97fb08f43eb53e7413205c006e1a96da678d78cda707da0e950f0c8d9b3e3ab236de3a6a9e87950b1e1043cf122a2aefb794fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MagSZQ1alKMq.bat

Filesize
211B

MD5
618d46657765d5644d3f2128d754102c

SHA1
3984428673d6b2154f2a8528d7f572bcc1b00dbb

SHA256
3b8a435e867fda48e4a520d7e572ed460b994a05cf4196f13c4d6ac916519462

SHA512
3e51ae36c0f9eef34d32598e805457243d8d2b1ae3623b9835a9974e6a62a700306a67dab42e6bcc254bee457109b8f93679d374eb497c42cc9aff279c282fce

Download Submit
C:\Users\Admin\AppData\Local\Temp\NW6Dpb1NXkRC.bat

Filesize
211B

MD5
7b4e0d25222e47c81459c1a6ce6a598d

SHA1
62f9e6ee815ad08c971188786b30a94763636f21

SHA256
93135402a0943616da08eb7f406724a2415b3550761d752e82a041313a340aec

SHA512
36ef6d53e7210f19cf51a59f73e316b665b780eae82845d68975227479c768cf33f4f5abda40ff14eb85b322d1027450d37237af89d4917f18977db4af2e4d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYEV4prNWaA7.bat

Filesize
211B

MD5
1bf4022fbc5fc8f90461a5933fd2d5e6

SHA1
416257ae39e39f69dc1ec5b1f0d04a017b97fb0b

SHA256
f9e8c01ff2156d13b25271b736c3859ef664ca94a1139375a6abfcb92b19aa9d

SHA512
a4f3288e6ca73c0a11b708b1a616817711c8470ee8c8307f2697d42126aa1a6178fb053895fd2a86a8836fbaa33eda879fa5fcf6d2bba785138bb9e8f2aee337

Download Submit
C:\Users\Admin\AppData\Local\Temp\RhjSYsG9qeSS.bat

Filesize
211B

MD5
0cb1b7b4c7ee4dfff6d788cd60388c97

SHA1
9b83063e074383af0a80ecafb3b7b5575bc2d5e8

SHA256
d8ae4c43d9f36167381b379f2f3e50e3b2656d38b043a49ca2b0ce87e5ee799d

SHA512
6926175d111e4345cc7bc9fe0e3b0e9f5c3f00e409113aed6edcf6e406f11c677557e59e4ebb1907e6b31ee2087640f41860b483701c6c7912e5ce7c8e3dbaae

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcvZHN69HyK2.bat

Filesize
211B

MD5
1a59f38f5bdab295577a72948e469676

SHA1
f4bd1cfd732ed5c18d49e84e95909a0f33aad067

SHA256
eaa8016a88cc66f8d4b7b7d784ab38790bef81d16a225777b5f1d0b52a978270

SHA512
078e6d76234787f848863162810388bf099461f082847f4dc0009d4c8e7076de72ed5d4f1a98aef305913b8f04f6c512b5fd00980cf0d23f933c82bd2883ead4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eLiDGrvbsz7Z.bat

Filesize
211B

MD5
aaef9023bcc8e4a60eb238906d3fe32e

SHA1
155049c45e2e842cf9ca8058705579350322badc

SHA256
b4aa2c949316148f56d377528f4252ab9b383057e6d4dd95fd9586c00964aa7c

SHA512
b30c917459b189dde06e39ee6bcaa3bea6a0176ba2dd6f681868e4fd084b1e2293ff6f7666b7575a400b7e2734b7c5e711e079adc7a8171e1ad0a59bfe210c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\n3OVIhIc63vZ.bat

Filesize
211B

MD5
a990301b55e7ba2ad99bab258b87ffb0

SHA1
fdf884191d44493b02091f817f91fcb8d164ef49

SHA256
ff551d0a9f6572ffb9064b9c31a12e4eeb5b82bd874b73bc594a741b3e6c869f

SHA512
0baf2170419806d972de709c7ebe7a677d8b0ec727d78e4cffa4ac77eceb808103bdd4e34c2bdd2406d9c57853463d8a417917b03bb42dca57ea8f75699bd4fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqAPIaXTlulS.bat

Filesize
211B

MD5
61bb90a7594cc8adb74a5d003897df25

SHA1
48525eebbc8b5d5633c97f864b92c0cbcd833ae2

SHA256
e65e66947f07347852dfac4d3b0cc881c16d28148f73f439ab583399c32e2e56

SHA512
2476c436a5c214e5ae28383058ddbb6a0893bff27c75be7c5d45a2adbdc1bcb4b872e14c89413c9b7e60ba886deb2001d388a5fcd9a8cf337b2eb27afe0da519

Download Submit
C:\Users\Admin\AppData\Roaming\System32\System32.exe

Filesize
3.1MB

MD5
82222cff36f2c338159b23a7f18a4815

SHA1
8beccbb99e38248a080d5de1de8d87617ca428c2

SHA256
033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea

SHA512
ed1a66e9d925291b14131b129e28e02494d6a174b3abde8d724d35a502f805ef472e5a780d37ce0ed2548a5f7071afbccbbd769ff938e04458d7eb409371ef55

Download Submit
memory/296-76-0x0000000000010000-0x0000000000334000-memory.dmp

Filesize
3.1MB

Download
memory/556-55-0x0000000000FD0000-0x00000000012F4000-memory.dmp

Filesize
3.1MB

Download
memory/580-87-0x0000000000E70000-0x0000000001194000-memory.dmp

Filesize
3.1MB

Download
memory/688-10-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/688-20-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/688-8-0x0000000001170000-0x0000000001494000-memory.dmp

Filesize
3.1MB

Download
memory/688-9-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1288-33-0x0000000000040000-0x0000000000364000-memory.dmp

Filesize
3.1MB

Download
memory/1592-44-0x0000000000C10000-0x0000000000F34000-memory.dmp

Filesize
3.1MB

Download
memory/2408-0-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

Filesize
4KB

Download
memory/2408-7-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2408-2-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2408-1-0x0000000000050000-0x0000000000374000-memory.dmp

Filesize
3.1MB

Download
memory/2828-158-0x00000000002B0000-0x00000000005D4000-memory.dmp

Filesize
3.1MB

Download
memory/2956-22-0x00000000002C0000-0x00000000005E4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads