Analysis

max time kernel: 143s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19-12-2024 03:28

Behavioral task: behavioral1
Sample: 8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490.exe
Resource: win7-20240903-en

General

Target: 8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490.exe
Size: 3.2MB
MD5: 23c072bdc1c5fe6c2290df7cd3e9abf8
SHA1: e10c6f7843e89f787866aac99c0cb7a3b2c7a902
SHA256: 8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490
SHA512: 5e18db624ec40d90776a80d90fa80a8a39f7fcd56a523e2d831942934b00e501e7009cc37b17fa4b29a2c2e5c1895c65fdc3259421fb3ce6ea9da50048c50e0e
SSDEEP: 98304:xv642pda6D+/PjlLOlZyQipV2mRJ6Nae:1eOpPU9
Malware Config

Extracted
quasar
1.4.1
Main
tpinauskas-54803.portmap.host:54803
8422dcc2-b8bd-4080-a017-5b62524b6546
- encryption_key: 2EFF7393DC1BD9FBDDD61A780B994B8166BAB8EC
- install_name: Win64.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Win64
- subdirectory: SubDir
Signatures

Quasar family

Quasar payload (10 IoCs)
resource  yara_rule
behavioral1/memory/2572-1-0x0000000001140000-0x0000000001480000-memory.dmp  family_quasar
behavioral1/files/0x0008000000016fdf-6.dat  family_quasar
behavioral1/memory/2528-9-0x00000000001C0000-0x0000000000500000-memory.dmp  family_quasar
behavioral1/memory/2668-23-0x0000000000C60000-0x0000000000FA0000-memory.dmp  family_quasar
behavioral1/memory/2968-34-0x0000000000E70000-0x00000000011B0000-memory.dmp  family_quasar
behavioral1/memory/480-46-0x00000000003C0000-0x0000000000700000-memory.dmp  family_quasar
behavioral1/memory/404-57-0x0000000000AF0000-0x0000000000E30000-memory.dmp  family_quasar
behavioral1/memory/1716-68-0x0000000000DB0000-0x00000000010F0000-memory.dmp  family_quasar
behavioral1/memory/1932-99-0x0000000000EC0000-0x0000000001200000-memory.dmp  family_quasar
behavioral1/memory/2980-110-0x0000000001390000-0x00000000016D0000-memory.dmp  family_quasar

Executes dropped EXE (15 IoCs)
pid  Process
2528  Win64.exe
2668  Win64.exe
2968  Win64.exe
480  Win64.exe
404  Win64.exe
1716  Win64.exe
1028  Win64.exe
2868  Win64.exe
1932  Win64.exe
2980  Win64.exe
2140  Win64.exe
1772  Win64.exe
2200  Win64.exe
1628  Win64.exe
2092  Win64.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid  Process
1068  PING.EXE
692  PING.EXE
2428  PING.EXE
2824  PING.EXE
2044  PING.EXE
1808  PING.EXE
2328  PING.EXE
2680  PING.EXE
480  PING.EXE
2352  PING.EXE
2380  PING.EXE
2180  PING.EXE
1448  PING.EXE
1768  PING.EXE
2748  PING.EXE

Runs ping.exe (1 TTPs, 15 IoCs)
pid  Process
2328  PING.EXE
692  PING.EXE
2044  PING.EXE
2180  PING.EXE
1808  PING.EXE
2748  PING.EXE
1448  PING.EXE
1068  PING.EXE
2824  PING.EXE
2680  PING.EXE
1768  PING.EXE
2428  PING.EXE
480  PING.EXE
2352  PING.EXE
2380  PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
2756  schtasks.exe
2628  schtasks.exe
1680  schtasks.exe
464  schtasks.exe
1160  schtasks.exe
1492  schtasks.exe
1052  schtasks.exe
1148  schtasks.exe
2456  schtasks.exe
1100  schtasks.exe
956  schtasks.exe
2628  schtasks.exe
2280  schtasks.exe
2428  schtasks.exe
2720  schtasks.exe
2016  schtasks.exe

Suspicious use of AdjustPrivilegeToken (16 IoCs)
description  pid  Process
Token: SeDebugPrivilege  2572  8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490.exe
Token: SeDebugPrivilege  2528  Win64.exe
Token: SeDebugPrivilege  2668  Win64.exe
Token: SeDebugPrivilege  2968  Win64.exe
Token: SeDebugPrivilege  480  Win64.exe
Token: SeDebugPrivilege  404  Win64.exe
Token: SeDebugPrivilege  1716  Win64.exe
Token: SeDebugPrivilege  1028  Win64.exe
Token: SeDebugPrivilege  2868  Win64.exe
Token: SeDebugPrivilege  1932  Win64.exe
Token: SeDebugPrivilege  2980  Win64.exe
Token: SeDebugPrivilege  2140  Win64.exe
Token: SeDebugPrivilege  1772  Win64.exe
Token: SeDebugPrivilege  2200  Win64.exe
Token: SeDebugPrivilege  1628  Win64.exe
Token: SeDebugPrivilege  2092  Win64.exe

Suspicious use of WriteProcessMemory (64 IoCs; each row below is logged three times in the report unless noted)
description  pid  Process  procid_target
PID 2572 wrote to memory of 2428  2572  8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490.exe  30
PID 2572 wrote to memory of 2528  2572  8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490.exe  32
PID 2528 wrote to memory of 2756  2528  Win64.exe  33
PID 2528 wrote to memory of 2620  2528  Win64.exe  35
PID 2620 wrote to memory of 2904  2620  cmd.exe  37
PID 2620 wrote to memory of 1448  2620  cmd.exe  38
PID 2620 wrote to memory of 2668  2620  cmd.exe  39
PID 2668 wrote to memory of 2628  2668  Win64.exe  40
PID 2668 wrote to memory of 1800  2668  Win64.exe  42
PID 1800 wrote to memory of 2928  1800  cmd.exe  44
PID 1800 wrote to memory of 1808  1800  cmd.exe  45
PID 1800 wrote to memory of 2968  1800  cmd.exe  47
PID 2968 wrote to memory of 1680  2968  Win64.exe  48
PID 2968 wrote to memory of 1508  2968  Win64.exe  50
PID 1508 wrote to memory of 1988  1508  cmd.exe  52
PID 1508 wrote to memory of 2328  1508  cmd.exe  53
PID 1508 wrote to memory of 480  1508  cmd.exe  54
PID 480 wrote to memory of 1100  480  Win64.exe  55
PID 480 wrote to memory of 1772  480  Win64.exe  57
PID 1772 wrote to memory of 1064  1772  cmd.exe  59
PID 1772 wrote to memory of 1068  1772  cmd.exe  60
PID 1772 wrote to memory of 404  1772  cmd.exe  61  (logged once)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2572

Level 2: C:\Windows\system32\schtasks.exe
  Command: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2428

Level 2: C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
  Command: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2528

Level 3: C:\Windows\system32\schtasks.exe
  Command: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2756

Level 3: C:\Windows\system32\cmd.exe
  Command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\PNtMcCDeZkZJ.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 2620

Level 4: C:\Windows\system32\chcp.com
  Command: chcp 65001
  PID: 2904

Level 4: C:\Windows\system32\PING.EXE
  Command: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 1448

Level 4: C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
  Command: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2668

Level 5: C:\Windows\system32\schtasks.exe
  Command: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2628

Level 5: C:\Windows\system32\cmd.exe
  Command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\soYMBhMCZCjd.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 1800

Level 6: C:\Windows\system32\chcp.com
  Command: chcp 65001
  PID: 2928

Level 6: C:\Windows\system32\PING.EXE
  Command: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 1808

Level 6: C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
  Command: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2968

Level 7: C:\Windows\system32\schtasks.exe
  Command: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 1680

Level 7: C:\Windows\system32\cmd.exe
  Command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Yhg8CNoVWOKy.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 1508

Level 8: C:\Windows\system32\chcp.com
  Command: chcp 65001
  PID: 1988

Level 8: C:\Windows\system32\PING.EXE
  Command: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2328

Level 8: C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
  Command: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 480

Level 9: C:\Windows\system32\schtasks.exe
  Command: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 1100

Level 9: C:\Windows\system32\cmd.exe
  Command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\EySJUbUNHz50.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 1772

Level 10: C:\Windows\system32\chcp.com
  Command: chcp 65001
  PID: 1064

Level 10: C:\Windows\system32\PING.EXE
  Command: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 1068

Level 10: C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
  Command: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 404

Level 11: C:\Windows\system32\schtasks.exe
  Command: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 1492

Level 11: C:\Windows\system32\cmd.exe
  Command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZApidT1yA76p.bat" "
  PID: 1144

Level 12: C:\Windows\system32\chcp.com
  Command: chcp 65001
  PID: 1588

Level 12: C:\Windows\system32\PING.EXE
  Command: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 1768

Level 12: C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
  Command: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 1716

Level 13: C:\Windows\system32\schtasks.exe
  Command: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 956

Level 13: C:\Windows\system32\cmd.exe
  Command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\F28B5R87dafD.bat" "
  PID: 1944

Level 14: C:\Windows\system32\chcp.com
  Command: chcp 65001
  PID: 2124

Level 14: C:\Windows\system32\PING.EXE
  Command: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 692

Level 14: C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
  Command: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 1028

Level 15: C:\Windows\system32\schtasks.exe
  Command: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 1052

Level 15: C:\Windows\system32\cmd.exe
  Command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\z96TSm0It7Ze.bat" "
  PID: 2464

Level 16: C:\Windows\system32\chcp.com
  Command: chcp 65001
  PID: 1792

Level 16: C:\Windows\system32\PING.EXE
  Command: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2428

Level 16: C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
  Command: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2868

Level 17: C:\Windows\system32\schtasks.exe
  Command: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2720

Level 17: C:\Windows\system32\cmd.exe
  Command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\wD6jRwarUxJB.bat" "
  PID: 2904

Level 18: C:\Windows\system32\chcp.com
  Command: chcp 65001
  PID: 2344

Level 18: C:\Windows\system32\PING.EXE
  Command: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2748

Level 18: C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
  Command: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 1932

Level 19: C:\Windows\system32\schtasks.exe
  Command: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2628

Level 19: C:\Windows\system32\cmd.exe
  Command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\bIfSYIAPLZhY.bat" "
  PID: 2024

Level 20: C:\Windows\system32\chcp.com
  Command: chcp 65001
  PID: 2828

Level 20: C:\Windows\system32\PING.EXE
  Command: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2824

Level 20: C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
  Command: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2980

Level 21: C:\Windows\system32\schtasks.exe
  Command: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 464

Level 21: C:\Windows\system32\cmd.exe
  Command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\j1nSyON2IVcl.bat" "
  PID: 2968

Level 22: C:\Windows\system32\chcp.com
  Command: chcp 65001
  PID: 2316

Level 22: C:\Windows\system32\PING.EXE
  Command: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2680

Level 22: C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
  Command: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2140

Level 23: C:\Windows\system32\schtasks.exe
  Command: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 1148

Level 23: C:\Windows\system32\cmd.exe
  Command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\qWBJLBkTsxk5.bat" "
  PID: 1484

Level 24: C:\Windows\system32\chcp.com
  Command: chcp 65001
  PID: 568

Level 24: C:\Windows\system32\PING.EXE
  Command: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 480

Level 24: C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
  Command: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 1772

Level 25: C:\Windows\system32\schtasks.exe
  Command: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 1160

Level 25: C:\Windows\system32\cmd.exe
  Command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RmMDet3SMBcS.bat" "
  PID: 2584

Level 26: C:\Windows\system32\chcp.com
  Command: chcp 65001
  PID: 1332

Level 26: C:\Windows\system32\PING.EXE
  Command: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2044

Level 26: C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
  Command: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2200

Level 27: C:\Windows\system32\schtasks.exe
  Command: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2456

Level 27: C:\Windows\system32\cmd.exe
  Command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\QMId6WjOJLAl.bat" "
  PID: 840

Level 28: C:\Windows\system32\chcp.com
  Command: chcp 65001
  PID: 1632

Level 28: C:\Windows\system32\PING.EXE
  Command: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2352

Level 28: C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
  Command: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 1628

Level 29: C:\Windows\system32\schtasks.exe
  Command: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2280

Level 29: C:\Windows\system32\cmd.exe
  Command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7LrWBQ79TqpY.bat" "
  PID: 1580

Level 30: C:\Windows\system32\chcp.com
  Command: chcp 65001
  PID: 876

Level 30: C:\Windows\system32\PING.EXE
  Command: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2380

Level 30: C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
  Command: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2092

Level 31: C:\Windows\system32\schtasks.exe
  Command: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2016

Level 31: C:\Windows\system32\cmd.exe
  Command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\BKEdPbJ3qX0q.bat" "
  PID: 2260

Level 32: C:\Windows\system32\chcp.com
  Command: chcp 65001
  PID: 2736

Level 32: C:\Windows\system32\PING.EXE
  Command: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2180
MITRE ATT&CK Enterprise v15
Downloads