quasar | 033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe
Size

3.1MB
MD5

82222cff36f2c338159b23a7f18a4815
SHA1

8beccbb99e38248a080d5de1de8d87617ca428c2
SHA256

033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea
SHA512

ed1a66e9d925291b14131b129e28e02494d6a174b3abde8d724d35a502f805ef472e5a780d37ce0ed2548a5f7071afbccbbd769ff938e04458d7eb409371ef55
SSDEEP

49152:qUd1/DM2zv8aMlqCPwln5+Hjdh+EuvQ1VeiroGnGTHHB72eh2NTe:qUPrM2zEaMlqCPwln5+Ddh+Zvus

Score

10^/10

quasar rat1 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

rat1

unitedrat.ddns.net:4782

Mutex

5100ab61-a5a5-407f-af55-9e7766b9d637

Attributes

encryption_key
AB7A97D9E0F9B0A44190A0D500EAB7AF37629802
install_name
System32.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System32
subdirectory
System32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/1800-1-0x0000000000F90000-0x00000000012B4000-memory.dmp	family_quasar
behavioral2/files/0x0008000000023c56-5.dat	family_quasar

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	System32.exe

Executes dropped EXE 13 IoCs

pid	Process
1032	System32.exe
2208	System32.exe
2252	System32.exe
3516	System32.exe
4772	System32.exe
656	System32.exe
3464	System32.exe
1524	System32.exe
4676	System32.exe
932	System32.exe
2212	System32.exe
888	System32.exe
4676	System32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 13 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2192	PING.EXE
4260	PING.EXE
1256	PING.EXE
4680	PING.EXE
3472	PING.EXE
3676	PING.EXE
3892	PING.EXE
1576	PING.EXE
3736	PING.EXE
2864	PING.EXE
4904	PING.EXE
4176	PING.EXE
1656	PING.EXE

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

pid	Process
4680	PING.EXE
3676	PING.EXE
1576	PING.EXE
3736	PING.EXE
2864	PING.EXE
2192	PING.EXE
4904	PING.EXE
4260	PING.EXE
3472	PING.EXE
1256	PING.EXE
4176	PING.EXE
1656	PING.EXE
3892	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4636	schtasks.exe
2096	schtasks.exe
5024	schtasks.exe
1960	schtasks.exe
3496	schtasks.exe
1936	schtasks.exe
3820	schtasks.exe
780	schtasks.exe
2568	schtasks.exe
1824	schtasks.exe
468	schtasks.exe
1484	schtasks.exe
1248	schtasks.exe
3660	schtasks.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1800	033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe
Token: SeDebugPrivilege	1032	System32.exe
Token: SeDebugPrivilege	2208	System32.exe
Token: SeDebugPrivilege	2252	System32.exe
Token: SeDebugPrivilege	3516	System32.exe
Token: SeDebugPrivilege	4772	System32.exe
Token: SeDebugPrivilege	656	System32.exe
Token: SeDebugPrivilege	3464	System32.exe
Token: SeDebugPrivilege	1524	System32.exe
Token: SeDebugPrivilege	4676	System32.exe
Token: SeDebugPrivilege	932	System32.exe
Token: SeDebugPrivilege	2212	System32.exe
Token: SeDebugPrivilege	888	System32.exe
Token: SeDebugPrivilege	4676	System32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1032	System32.exe
2208	System32.exe
3516	System32.exe
656	System32.exe
3464	System32.exe
888	System32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 1960	1800	033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe	83
PID 1800 wrote to memory of 1960	1800	033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe	83
PID 1800 wrote to memory of 1032	1800	033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe	85
PID 1800 wrote to memory of 1032	1800	033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe	85
PID 1032 wrote to memory of 780	1032	System32.exe	86
PID 1032 wrote to memory of 780	1032	System32.exe	86
PID 1032 wrote to memory of 1924	1032	System32.exe	89
PID 1032 wrote to memory of 1924	1032	System32.exe	89
PID 1924 wrote to memory of 2968	1924	cmd.exe	91
PID 1924 wrote to memory of 2968	1924	cmd.exe	91
PID 1924 wrote to memory of 3736	1924	cmd.exe	92
PID 1924 wrote to memory of 3736	1924	cmd.exe	92
PID 1924 wrote to memory of 2208	1924	cmd.exe	94
PID 1924 wrote to memory of 2208	1924	cmd.exe	94
PID 2208 wrote to memory of 1248	2208	System32.exe	95
PID 2208 wrote to memory of 1248	2208	System32.exe	95
PID 2208 wrote to memory of 3252	2208	System32.exe	98
PID 2208 wrote to memory of 3252	2208	System32.exe	98
PID 3252 wrote to memory of 3560	3252	cmd.exe	100
PID 3252 wrote to memory of 3560	3252	cmd.exe	100
PID 3252 wrote to memory of 2864	3252	cmd.exe	101
PID 3252 wrote to memory of 2864	3252	cmd.exe	101
PID 3252 wrote to memory of 2252	3252	cmd.exe	106
PID 3252 wrote to memory of 2252	3252	cmd.exe	106
PID 2252 wrote to memory of 3660	2252	System32.exe	107
PID 2252 wrote to memory of 3660	2252	System32.exe	107
PID 2252 wrote to memory of 2640	2252	System32.exe	110
PID 2252 wrote to memory of 2640	2252	System32.exe	110
PID 2640 wrote to memory of 4848	2640	cmd.exe	112
PID 2640 wrote to memory of 4848	2640	cmd.exe	112
PID 2640 wrote to memory of 2192	2640	cmd.exe	113
PID 2640 wrote to memory of 2192	2640	cmd.exe	113
PID 2640 wrote to memory of 3516	2640	cmd.exe	115
PID 2640 wrote to memory of 3516	2640	cmd.exe	115
PID 3516 wrote to memory of 3496	3516	System32.exe	116
PID 3516 wrote to memory of 3496	3516	System32.exe	116
PID 3516 wrote to memory of 3112	3516	System32.exe	119
PID 3516 wrote to memory of 3112	3516	System32.exe	119
PID 3112 wrote to memory of 4844	3112	cmd.exe	121
PID 3112 wrote to memory of 4844	3112	cmd.exe	121
PID 3112 wrote to memory of 4904	3112	cmd.exe	122
PID 3112 wrote to memory of 4904	3112	cmd.exe	122
PID 3112 wrote to memory of 4772	3112	cmd.exe	124
PID 3112 wrote to memory of 4772	3112	cmd.exe	124
PID 4772 wrote to memory of 1824	4772	System32.exe	125
PID 4772 wrote to memory of 1824	4772	System32.exe	125
PID 4772 wrote to memory of 4492	4772	System32.exe	128
PID 4772 wrote to memory of 4492	4772	System32.exe	128
PID 4492 wrote to memory of 3488	4492	cmd.exe	130
PID 4492 wrote to memory of 3488	4492	cmd.exe	130
PID 4492 wrote to memory of 4260	4492	cmd.exe	131
PID 4492 wrote to memory of 4260	4492	cmd.exe	131
PID 4492 wrote to memory of 656	4492	cmd.exe	132
PID 4492 wrote to memory of 656	4492	cmd.exe	132
PID 656 wrote to memory of 4636	656	System32.exe	133
PID 656 wrote to memory of 4636	656	System32.exe	133
PID 656 wrote to memory of 2032	656	System32.exe	136
PID 656 wrote to memory of 2032	656	System32.exe	136
PID 2032 wrote to memory of 4656	2032	cmd.exe	138
PID 2032 wrote to memory of 4656	2032	cmd.exe	138
PID 2032 wrote to memory of 1256	2032	cmd.exe	139
PID 2032 wrote to memory of 1256	2032	cmd.exe	139
PID 2032 wrote to memory of 3464	2032	cmd.exe	141
PID 2032 wrote to memory of 3464	2032	cmd.exe	141

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe
"C:\Users\Admin\AppData\Local\Temp\033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1960
- C:\Users\Admin\AppData\Roaming\System32\System32.exe
  "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y9ZUvI8ZyWdf.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2968
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3736
  - - C:\Users\Admin\AppData\Roaming\System32\System32.exe
      "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2208
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1248
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v0zcab9LSXwG.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3252
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3560
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2864
      - C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\L0e5c08SR21c.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2192
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C6QpyhKDibZ6.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4844
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4904
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wtNbNhCyE61R.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3488
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4260
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TETllSnq0QQ4.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4656
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1256
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3464
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PrBwSoUqSB9G.bat" "
        15⤵
        
        PID:452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2796
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4680
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\23QN3oqyfea6.bat" "
        17⤵
        
        PID:5028
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4176
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4676
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BNEJjpQO1hFA.bat" "
        19⤵
        
        PID:4776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3180
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ocmgT5EXuAcv.bat" "
        21⤵
        
        PID:3568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3676
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F0z9HbIpozKr.bat" "
        23⤵
        
        PID:1996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3892
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:888
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kz4PvdkMh9m4.bat" "
        25⤵
        
        PID:4868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4284
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1576
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4676
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P5uiHUkmCBuw.bat" "
        27⤵
        
        PID:3124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4936
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System32.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\23QN3oqyfea6.bat

Filesize
211B

MD5
806c4aa018469963f37f1daf9a408c53

SHA1
12f47c597a64ab30ee8a717de0fc8d5484506c46

SHA256
98615ce55fe9482f2a702d0e178deca96e47c7d1c3a3f96bf56da96294c316c9

SHA512
6d66d586385d7331b0c8b8c09a1b6e3a3434c7d87cce754bdf01e1120e5c5b527cc15686373244fedbc44a1d1d34f505178cba3ff3c80fb4487fd1f95320cbf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\BNEJjpQO1hFA.bat

Filesize
211B

MD5
f8ffb70acb363e144895e7ab5926b570

SHA1
c63c0620adc6ef5c4bb2b9f3b98cf47239c0c25e

SHA256
1b8c0848380ff84d822158537593cdc273aabba960d450eecee892226b85d2f1

SHA512
a10b55467f3212689f25d183d9382dafed7601a475aebfb307806071df4134541a976ef0c8b11c787c4fd758e1ecdde446298fff19c67ae54236d38b59dea5bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6QpyhKDibZ6.bat

Filesize
211B

MD5
5a8eeddbdbd0c13df8ea4a6bcfab9a7a

SHA1
06d3b587599318035a0af0c09135918ad4003d6b

SHA256
b5e67a526e3e0915b4efddeaff055142f6b0f8b6d029e37b579544c975a70837

SHA512
5575cf324fe8f7da81a1f1d2dc30fb71f40eb7fbd6b24c4e6980eee2fae6c3a22238d5b44f898cbe91bf90f34fd1127924efa8c7181990abcdc4e638ecacbf03

Download Submit
C:\Users\Admin\AppData\Local\Temp\F0z9HbIpozKr.bat

Filesize
211B

MD5
be2bc01b7e5f11a1577e8e1e62d9bc59

SHA1
d525c2464b4fe28ed8486917c6723ff00448f367

SHA256
8f0a27fa6568304a4a093afce08ba8ec4ab5c5cc4b6010b7fb983be43f63c5e2

SHA512
5265cf7c9d12d54c3f6f02edce29a4742c516e9ebfae39ba1341fd272f333240cf90a387b39bfe2c44b57c465b98d95a68c412261e999a47aff3bb332be26424

Download Submit
C:\Users\Admin\AppData\Local\Temp\L0e5c08SR21c.bat

Filesize
211B

MD5
a40e50cb6e18e55280f4aeb6e3824cb4

SHA1
ce767ad32b97831880c4f6b69389bdfd5b22d94f

SHA256
e85410caf45930e4154b0675ece591d7410c48d0c54295292ea01266ad06999c

SHA512
5384c197680003d27ff95c1e1bd9f2d3cca12faa44ffad988c078d748f9271e4413a04a708e4a05be2e4c4c5e50a33a7276567e9eed9411a4abe61072cb12741

Download Submit
C:\Users\Admin\AppData\Local\Temp\P5uiHUkmCBuw.bat

Filesize
211B

MD5
98bee998f4de738e949a734615ed81bb

SHA1
1935ee33ee6e5125991d3ca25ac8b639f3569409

SHA256
cb75834e547e50102b0a304923b2afd97152c104ce8efd22305549fcc3505b7e

SHA512
7235a44121ae434e01623d44c0b803335955141f06932d2b25aff4f37168d7b22c4b04598673338eee90868c88fe5f10f4942c41ec4e1a2073f392f71eaee28f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PrBwSoUqSB9G.bat

Filesize
211B

MD5
b8e3120e4ca8cf1a6636385ec80b9c74

SHA1
5ceecfe50dfaf883ee3d88678a4abb823a4e04a5

SHA256
71ac69bf40d8d649715adc204d397163f0fedfb7a346ca665d572b73265188d9

SHA512
399790d8924aef8ad624b4716ec77d3661f386e2f68699508a01c760f80fdb92868815bf27159c10d3110c4bb75db58b5a48341fe3eb01a1907f77183b1e8fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TETllSnq0QQ4.bat

Filesize
211B

MD5
30710854e79fc0e14e173fd2e178f5de

SHA1
4171039801ffb53f2cca9dd251b877db6c55c306

SHA256
9d5c36e98aa03c8316a33c1ac1e681583fa39165f5bfe1ca7b4bb8a19a073139

SHA512
c5d10f8380628514c6c9e336fc16bc13e5b4f43a63bb2e9ce8b85a0151112698a283c357c996f5798c1f770428fbfd77ee18e781ba2428afd9c88d1126a5b677

Download Submit
C:\Users\Admin\AppData\Local\Temp\kz4PvdkMh9m4.bat

Filesize
211B

MD5
c38b3ab2621ed5aa2c80309e2f7868b0

SHA1
7ae036ca5fcf02ca0798cbb7e2fb3d44f8f741d5

SHA256
60dc554a88bbdb065461e507b00eb16736ee97b424b0c56b19ab450420bbf729

SHA512
94b2526ed0544cdc1bc8cd32d6ed09a3c6ded285c6dd49480112cb7ec4cb4840585a99d7357583caf1f2440d5b1b7f1115fa10033188ea4b6ffc42157d66cc93

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocmgT5EXuAcv.bat

Filesize
211B

MD5
388034871e89d9a5ecbb8060283a3d63

SHA1
f2f9d36b04f1a656bbdb70a2e6f71c5a3cdb48f8

SHA256
a6037371615fd45254a65cd91117d0d55ebb422da0151ef17873ca753d96b447

SHA512
489c94028c76581d47599b779c814fffbcfd1f94ce384c3f8b2018443c190b56595d8650bd7f0bad92a0276a612850f1e4194ddbbd413139155575202b804531

Download Submit
C:\Users\Admin\AppData\Local\Temp\v0zcab9LSXwG.bat

Filesize
211B

MD5
ef33c0c3243ba7ef3e56f71abd5de2f1

SHA1
3c7f94630fe8b52bfc2fcd0af44505fc4fb46595

SHA256
b4ca8a5571d1a9b83cdafdca5205c7db5a7c29387ac8a3be64c866063fa4429f

SHA512
30ab7db192314766739def097efbfcb624f8c10de99f0d70e420762722c35fe5ac7c9458c539b1027647e527355fb734be0e411391dfdf9b3c05be84a76740b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtNbNhCyE61R.bat

Filesize
211B

MD5
09fe32a1181b258a570f2f5324749bb2

SHA1
544f09aa2664f6944f60d154f8d505f2ba08a091

SHA256
f741d3c6648818e390420e3c589d2af27e482b8aaba1d6904aafc86959df3b9f

SHA512
a5a9da33f6a10083cbcfe64d96cef46d0b2d64d96560401d3592b1238ddf90f6fbe8d18ac15b3427b3019d26305a4d9884e3c1d5fb2ac226b23fcffe9595f6e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9ZUvI8ZyWdf.bat

Filesize
211B

MD5
58546fa4f9ab17db8c3b78a3ccf1bcd8

SHA1
e17b4d3efe8c1322c728290aaa43fbd4416a02ea

SHA256
9f650b79879f10ffe2a50673769517620d59ee34ffae45805e05297514c1d410

SHA512
0c3aa665cbf86bb03f13a45acbae248a50c69589881b41b270cd84eb043872412316307e1a51c894d394399a2babbb85dec99c151f4e3d936a29559774bfdd9f

Download Submit
C:\Users\Admin\AppData\Roaming\System32\System32.exe

Filesize
3.1MB

MD5
82222cff36f2c338159b23a7f18a4815

SHA1
8beccbb99e38248a080d5de1de8d87617ca428c2

SHA256
033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea

SHA512
ed1a66e9d925291b14131b129e28e02494d6a174b3abde8d724d35a502f805ef472e5a780d37ce0ed2548a5f7071afbccbbd769ff938e04458d7eb409371ef55

Download Submit
memory/1032-17-0x00007FFC6E590000-0x00007FFC6F051000-memory.dmp

Filesize
10.8MB

Download
memory/1032-12-0x000000001B860000-0x000000001B912000-memory.dmp

Filesize
712KB

Download
memory/1032-11-0x000000001B750000-0x000000001B7A0000-memory.dmp

Filesize
320KB

Download
memory/1032-10-0x00007FFC6E590000-0x00007FFC6F051000-memory.dmp

Filesize
10.8MB

Download
memory/1032-9-0x00007FFC6E590000-0x00007FFC6F051000-memory.dmp

Filesize
10.8MB

Download
memory/1800-0-0x00007FFC6E593000-0x00007FFC6E595000-memory.dmp

Filesize
8KB

Download
memory/1800-8-0x00007FFC6E590000-0x00007FFC6F051000-memory.dmp

Filesize
10.8MB

Download
memory/1800-2-0x00007FFC6E590000-0x00007FFC6F051000-memory.dmp

Filesize
10.8MB

Download
memory/1800-1-0x0000000000F90000-0x00000000012B4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads