quasar | 9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe
Size

3.3MB
MD5

f29f701e76e3a435acdd474a41fa60ba
SHA1

10f06b6fc259131d8b6a5423972a1e55b62ce478
SHA256

9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba
SHA512

0d5088f4f685b6d29edec7cc7e8bfe7c594fa6b3fde2a6b11ee977455d6fe088e04e899203171ff519cf9d2b5a78231f3650774cc17824219f43f947d13a86e9
SSDEEP

49152:gvmI22SsaNYfdPBldt698dBcjHinQ1CGarv2oGdUBTHHB72eh2NT:gvr22SsaNYfdPBldt6+dBcjH6yCO

Score

10^/10

quasar java discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Java

dez3452-33187.portmap.host:33187

Mutex

f0e53bcd-851e-44af-8fd5-07d8ab5ed968

Attributes

encryption_key
65439CE7DEF3E0FAF01C526FEA90388C9FD487A1
install_name
java.exe
log_directory
Logs
reconnect_delay
3000
startup_key
java ©
subdirectory
Programfiles

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 10 IoCs

resource	yara_rule
behavioral1/memory/1904-1-0x00000000003D0000-0x000000000071E000-memory.dmp	family_quasar
behavioral1/files/0x0008000000016c9d-6.dat	family_quasar
behavioral1/memory/1460-9-0x0000000000280000-0x00000000005CE000-memory.dmp	family_quasar
behavioral1/memory/2660-23-0x00000000011C0000-0x000000000150E000-memory.dmp	family_quasar
behavioral1/memory/832-55-0x00000000012D0000-0x000000000161E000-memory.dmp	family_quasar
behavioral1/memory/892-76-0x0000000001340000-0x000000000168E000-memory.dmp	family_quasar
behavioral1/memory/3028-108-0x0000000000180000-0x00000000004CE000-memory.dmp	family_quasar
behavioral1/memory/332-120-0x0000000000080000-0x00000000003CE000-memory.dmp	family_quasar
behavioral1/memory/1684-131-0x0000000000BA0000-0x0000000000EEE000-memory.dmp	family_quasar
behavioral1/memory/2996-163-0x0000000000170000-0x00000000004BE000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
1460	java.exe
2660	java.exe
2964	java.exe
1368	java.exe
832	java.exe
908	java.exe
892	java.exe
2840	java.exe
2388	java.exe
3028	java.exe
332	java.exe
1684	java.exe
2480	java.exe
2580	java.exe
2996	java.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2420	PING.EXE
348	PING.EXE
2888	PING.EXE
1708	PING.EXE
2120	PING.EXE
2688	PING.EXE
1860	PING.EXE
1680	PING.EXE
2960	PING.EXE
2028	PING.EXE
2568	PING.EXE
2644	PING.EXE
2708	PING.EXE
2468	PING.EXE
1628	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2960	PING.EXE
2888	PING.EXE
2420	PING.EXE
2568	PING.EXE
2644	PING.EXE
2468	PING.EXE
1628	PING.EXE
1680	PING.EXE
2028	PING.EXE
2120	PING.EXE
1708	PING.EXE
1860	PING.EXE
348	PING.EXE
2708	PING.EXE
2688	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3000	schtasks.exe
696	schtasks.exe
1624	schtasks.exe
2684	schtasks.exe
2412	schtasks.exe
2336	schtasks.exe
1748	schtasks.exe
2912	schtasks.exe
2820	schtasks.exe
2064	schtasks.exe
2488	schtasks.exe
1796	schtasks.exe
1584	schtasks.exe
1276	schtasks.exe
2224	schtasks.exe
2600	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1904	9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe
Token: SeDebugPrivilege	1460	java.exe
Token: SeDebugPrivilege	2660	java.exe
Token: SeDebugPrivilege	2964	java.exe
Token: SeDebugPrivilege	1368	java.exe
Token: SeDebugPrivilege	832	java.exe
Token: SeDebugPrivilege	908	java.exe
Token: SeDebugPrivilege	892	java.exe
Token: SeDebugPrivilege	2840	java.exe
Token: SeDebugPrivilege	2388	java.exe
Token: SeDebugPrivilege	3028	java.exe
Token: SeDebugPrivilege	332	java.exe
Token: SeDebugPrivilege	1684	java.exe
Token: SeDebugPrivilege	2480	java.exe
Token: SeDebugPrivilege	2580	java.exe
Token: SeDebugPrivilege	2996	java.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
1460	java.exe
2660	java.exe
2964	java.exe
1368	java.exe
832	java.exe
908	java.exe
892	java.exe
2840	java.exe
2388	java.exe
3028	java.exe
332	java.exe
1684	java.exe
2480	java.exe
2580	java.exe
2996	java.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
1460	java.exe
2660	java.exe
2964	java.exe
1368	java.exe
832	java.exe
908	java.exe
892	java.exe
2840	java.exe
2388	java.exe
3028	java.exe
332	java.exe
1684	java.exe
2480	java.exe
2580	java.exe
2996	java.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 1624	1904	9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe	30
PID 1904 wrote to memory of 1624	1904	9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe	30
PID 1904 wrote to memory of 1624	1904	9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe	30
PID 1904 wrote to memory of 1460	1904	9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe	32
PID 1904 wrote to memory of 1460	1904	9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe	32
PID 1904 wrote to memory of 1460	1904	9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe	32
PID 1460 wrote to memory of 2488	1460	java.exe	33
PID 1460 wrote to memory of 2488	1460	java.exe	33
PID 1460 wrote to memory of 2488	1460	java.exe	33
PID 1460 wrote to memory of 2832	1460	java.exe	35
PID 1460 wrote to memory of 2832	1460	java.exe	35
PID 1460 wrote to memory of 2832	1460	java.exe	35
PID 2832 wrote to memory of 2904	2832	cmd.exe	37
PID 2832 wrote to memory of 2904	2832	cmd.exe	37
PID 2832 wrote to memory of 2904	2832	cmd.exe	37
PID 2832 wrote to memory of 2888	2832	cmd.exe	38
PID 2832 wrote to memory of 2888	2832	cmd.exe	38
PID 2832 wrote to memory of 2888	2832	cmd.exe	38
PID 2832 wrote to memory of 2660	2832	cmd.exe	39
PID 2832 wrote to memory of 2660	2832	cmd.exe	39
PID 2832 wrote to memory of 2660	2832	cmd.exe	39
PID 2660 wrote to memory of 2684	2660	java.exe	40
PID 2660 wrote to memory of 2684	2660	java.exe	40
PID 2660 wrote to memory of 2684	2660	java.exe	40
PID 2660 wrote to memory of 2688	2660	java.exe	42
PID 2660 wrote to memory of 2688	2660	java.exe	42
PID 2660 wrote to memory of 2688	2660	java.exe	42
PID 2688 wrote to memory of 1224	2688	cmd.exe	44
PID 2688 wrote to memory of 1224	2688	cmd.exe	44
PID 2688 wrote to memory of 1224	2688	cmd.exe	44
PID 2688 wrote to memory of 2960	2688	cmd.exe	45
PID 2688 wrote to memory of 2960	2688	cmd.exe	45
PID 2688 wrote to memory of 2960	2688	cmd.exe	45
PID 2688 wrote to memory of 2964	2688	cmd.exe	47
PID 2688 wrote to memory of 2964	2688	cmd.exe	47
PID 2688 wrote to memory of 2964	2688	cmd.exe	47
PID 2964 wrote to memory of 2412	2964	java.exe	48
PID 2964 wrote to memory of 2412	2964	java.exe	48
PID 2964 wrote to memory of 2412	2964	java.exe	48
PID 2964 wrote to memory of 2880	2964	java.exe	50
PID 2964 wrote to memory of 2880	2964	java.exe	50
PID 2964 wrote to memory of 2880	2964	java.exe	50
PID 2880 wrote to memory of 2016	2880	cmd.exe	52
PID 2880 wrote to memory of 2016	2880	cmd.exe	52
PID 2880 wrote to memory of 2016	2880	cmd.exe	52
PID 2880 wrote to memory of 2028	2880	cmd.exe	53
PID 2880 wrote to memory of 2028	2880	cmd.exe	53
PID 2880 wrote to memory of 2028	2880	cmd.exe	53
PID 2880 wrote to memory of 1368	2880	cmd.exe	54
PID 2880 wrote to memory of 1368	2880	cmd.exe	54
PID 2880 wrote to memory of 1368	2880	cmd.exe	54
PID 1368 wrote to memory of 1796	1368	java.exe	55
PID 1368 wrote to memory of 1796	1368	java.exe	55
PID 1368 wrote to memory of 1796	1368	java.exe	55
PID 1368 wrote to memory of 2380	1368	java.exe	57
PID 1368 wrote to memory of 2380	1368	java.exe	57
PID 1368 wrote to memory of 2380	1368	java.exe	57
PID 2380 wrote to memory of 2620	2380	cmd.exe	59
PID 2380 wrote to memory of 2620	2380	cmd.exe	59
PID 2380 wrote to memory of 2620	2380	cmd.exe	59
PID 2380 wrote to memory of 2420	2380	cmd.exe	60
PID 2380 wrote to memory of 2420	2380	cmd.exe	60
PID 2380 wrote to memory of 2420	2380	cmd.exe	60
PID 2380 wrote to memory of 832	2380	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe
"C:\Users\Admin\AppData\Local\Temp\9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1624
- C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2488
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\W9WnBEn7QmkZ.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2904
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2888
  - - C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
      "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2684
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\4QGMhB9uCURG.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1224
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2960
      - C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2412
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\4YJu7GF5zRoR.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2028
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1796
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tcNxQnXlyhNF.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2420
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:832
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2336
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\g1YiaZYvpvl6.bat" "
        11⤵
        
        PID:1964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1608
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:908
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1276
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LuH77jEvJZ7A.bat" "
        13⤵
        
        PID:1424
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2472
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2120
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:892
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1748
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7K4bEHRpWMz7.bat" "
        15⤵
        
        PID:1100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2608
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2568
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2840
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2224
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qgiXyU3lwIKw.bat" "
        17⤵
        
        PID:1600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2788
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2644
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2388
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2912
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IWedlmDxfsnG.bat" "
        19⤵
        
        PID:2896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1936
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2688
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3028
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3000
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MGtUnQQVvV8T.bat" "
        21⤵
        
        PID:992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1860
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:332
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:696
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\X0JC0R0axjyj.bat" "
        23⤵
        
        PID:1516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:448
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:348
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1684
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1584
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JOMgWAuUcBqj.bat" "
        25⤵
        
        PID:548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2212
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2468
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2480
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2600
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\e4eRuGAWfOxs.bat" "
        27⤵
        
        PID:1436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1748
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1628
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2580
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2820
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DKXpLPC3tskS.bat" "
        29⤵
        
        PID:2836
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2720
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1680
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2996
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2064
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\T2szefm0JJnL.bat" "
        31⤵
        
        PID:2800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1928
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4QGMhB9uCURG.bat

Filesize
211B

MD5
52f8ba9b513d2c1577b2b345a365adc7

SHA1
19eae130a0dc01ceec3c3174239198f83314155c

SHA256
01fa3ea60428d9c64427a7af948b2f68cd9b0979e713635b17605ca19d9dfb3a

SHA512
1729ae0f14a3341450b9a5d56d4dfdb51c41926b9da7aaaf8bad75bc82f2cc18d48cf15c0c73c73111d732c05783af22b937ea304e1133e0d33b480d9c961c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4YJu7GF5zRoR.bat

Filesize
211B

MD5
4df9facf85760f8b8cb252769e48e908

SHA1
caeee3b340dab1e7769f118ee5ccb0dbec02ed22

SHA256
685416efd4540c80b5249fc3e22a7e13cf64e363dfefb439af981fcf21e7874e

SHA512
ff406c44ee01b91f284bacc5c3ea19d3878fc530261341116c6baa8acf4eaf92d85506a1919a3e58447740d64f535f1f6b525c4021bad19598781e3bc3e06d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\7K4bEHRpWMz7.bat

Filesize
211B

MD5
eec7736737c40e2405b885f32fc0b123

SHA1
d8aa81ca35f98ad659f4b674c5a7dd2c6c975d06

SHA256
e69951913b983b7492c3374949054e669e0c0b2b15db0256b3504828822d70c8

SHA512
2b4c7fc63bf1620a94aa52bdba4248e91656a1d95e36ea79b701bb6077bbc19c43954742bcc99f50fdd4aa2e06a4a2457da3e2d4411cec9c51d062ee298720b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DKXpLPC3tskS.bat

Filesize
211B

MD5
194090fdd6d14e0248b49c938fc37df0

SHA1
65e169a93396e45e8143a097e3cb0c9b14077b04

SHA256
0bb6819a25798611c56673363f88eb3a7763c6697fe2c4a20c849d827b1cf4f8

SHA512
195f44705d1c0d0207b27755cfb46232569118dc7973aad267794534faab0143a4d40474d8f5c42f7f0108ac02add08b736b5034a75f2a9aa0148286bcbf729c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IWedlmDxfsnG.bat

Filesize
211B

MD5
47f64827ffeaddd1a463a251354f7a6e

SHA1
d149732bda57a2c8dec71a795c42c98fa3e65259

SHA256
7179ea83797982161b2df23f84b7082cd8ba51a370277b734891a901455a0772

SHA512
e310c222da390243ead1382f847607fffdb086df292b4da3a1f7556505207eb7c37ac7ed15d9ca6b07d83030a2e8b78c961f5f3914dd219099ee8c3c128172ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\JOMgWAuUcBqj.bat

Filesize
211B

MD5
7ef50cca0d7d6224d99a2c768cf54c1c

SHA1
ff913e3e02a9f9014665ac201afc5b67bd9d678b

SHA256
268343d1d51f3633593d7cfca9d28041105f5e84f105c642e3f6fb9d4040e4c6

SHA512
0ec3cc503f7190c721aefadb87f6f6e9d3fdf281a0bae1c7c29d46868158af71119434d93ae9824d011f0b2ab9af8951df4ba91cd7615fb051fdad76ac0ea693

Download Submit
C:\Users\Admin\AppData\Local\Temp\LuH77jEvJZ7A.bat

Filesize
211B

MD5
a41f871a830002546e3c43759705efbe

SHA1
5b876212c20df956460923e5168c03324e3801da

SHA256
0279df075cbc3907a68fcdeb57c319cd4fb9bf26613809b38961b33236a15cc7

SHA512
44b6b7f8a8fdcb29496b8afe244deae013c1619f855a9dc1b38c93cba71d3a4a4fae69794cc9f48a5ef45871579ea5d1ea39dbd70ead9077ae8b709d66bc8964

Download Submit
C:\Users\Admin\AppData\Local\Temp\MGtUnQQVvV8T.bat

Filesize
211B

MD5
54511e5036fa419d5b8615fb3210237f

SHA1
ecd2b55aa4f6055a773e5ce1c69e3d1eafaf5192

SHA256
8626ff13ce464e44276969372d69f734f074eafdf9a59455fb40d2e89de6c6fe

SHA512
ee8f90f693b11bd3344b330f7085d7e7afa0b33630b4d1cf6830213bfe278032d3e1327266a217b9e8d73968bb2c4e99fb9629bb05e46356ec120586dffe26d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\T2szefm0JJnL.bat

Filesize
211B

MD5
fe8574c9122ffac67342fde3b8e76012

SHA1
b942d458bf0fc240a4c0e2f01b5833e68425a6be

SHA256
2a2215364bf4c66eab6ad39a5afbbeb7140c539554a5d6c89b1176e64a27fed4

SHA512
f86488fb327001e5ddf654af55eb5c2aefbd2d28bedc8b269638fb2941c01295331f354b32b4690303873172d372aa1880ac6f69a2f64b4e406c4ffe60fbcc7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\W9WnBEn7QmkZ.bat

Filesize
211B

MD5
e4a57b76203083d5fbffa9ed6c2fc20c

SHA1
81c555029f59d4e318d19207422996df9f524e05

SHA256
a1811ea75eb7e07023e73519d74bdec07b4d7c7f621d6fed660ccdd7dc627ad1

SHA512
589c5a0f81ac282fda95e111cb38e8ec077ebbcc8bf16abc9d359e6999fb8c6951df04bc2741548f274fe969b8a8541e4ba652342217b5536d5e0c0709b2e75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\X0JC0R0axjyj.bat

Filesize
211B

MD5
8cb5a410037b47fa8ee2427e42a2e6ef

SHA1
fbb6a83ed0dcb53a5fc7bd5e22a9bb0a9fc7ff92

SHA256
925665d2d76043beed02ee1824041421cad8fa36f27e38ab2aa0e6a83af5db58

SHA512
685aa62745d6ed97299ee3bfe9d445d7f2083c6f07e8f74ae0bc2e89182e494b06e4e4d4defb94a9c3c25ddb2a92b7611625fd7b925d95a2e7a2a50432b292bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4eRuGAWfOxs.bat

Filesize
211B

MD5
6b3f587e5f26ae49b9ac861419126d8e

SHA1
66b872a9b2c25790dca96889b1727a984a881d1c

SHA256
5233d643ae897960409e5a545022764827cba416391a9841409b588696dc8528

SHA512
98b805c740472e32213fc3207635ee744bb69f412878ff742d84179e547049c311e868f6d63e31ed2d90c5d32924eaae3723dbd87a818e8f7e1abf874b53dc7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\g1YiaZYvpvl6.bat

Filesize
211B

MD5
f5ad520d46c3aa99124422b3f66b2ecf

SHA1
0d47085573b1d8f331b45d8d154226a31bb3ff50

SHA256
390545f9aded8e9476d70b1c6da6bbf69de12b160bcfd64ad98991bc5ff35558

SHA512
fc2a355c0967cd1a8ef0c9f330e86fdf3a78e6de10eb590e65cb510ee598fab143a18c657a59ebf6b7f9c03bcaa6aa466f6844fc64d617bc80557d1f6ea3e408

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgiXyU3lwIKw.bat

Filesize
211B

MD5
ab0eeccc3946980bcb92e9140150f185

SHA1
18ff4b3d4ad155b21b73349f5373b7acaf451ad8

SHA256
a04bc56c4731eb03d74007052d9816f8a8ba402c35e003546240942d2976f9b7

SHA512
d85e88228d8562219e425a681f1b8a36e7359a44ffe91f92d09cfe70a23de6e4bf59956eeda56dac5e17727fc0ab3a64e0e34342c16ee30450c36ef0ba05d871

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcNxQnXlyhNF.bat

Filesize
211B

MD5
fc88fe264ba702f4a0961ba9c2c22aaf

SHA1
e3f990f901630ba83952502a7b17a6121f2398f7

SHA256
9d335992f6d1d8851d84338dfe588eeef7fd5e850157ec1bb4335f4ba04144d5

SHA512
faff5bfa62dfd3913cbc447a115857a090b8810a131b90f4f2e4c4f4b0407c3b7247ce4047ad376c1f4beb317becccbb07d7dbc724447a7755aad6b5de24721a

Download Submit
C:\Users\Admin\AppData\Roaming\Programfiles\java.exe

Filesize
3.3MB

MD5
f29f701e76e3a435acdd474a41fa60ba

SHA1
10f06b6fc259131d8b6a5423972a1e55b62ce478

SHA256
9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba

SHA512
0d5088f4f685b6d29edec7cc7e8bfe7c594fa6b3fde2a6b11ee977455d6fe088e04e899203171ff519cf9d2b5a78231f3650774cc17824219f43f947d13a86e9

Download Submit
memory/332-120-0x0000000000080000-0x00000000003CE000-memory.dmp

Filesize
3.3MB

Download
memory/832-55-0x00000000012D0000-0x000000000161E000-memory.dmp

Filesize
3.3MB

Download
memory/892-76-0x0000000001340000-0x000000000168E000-memory.dmp

Filesize
3.3MB

Download
memory/1460-10-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/1460-11-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/1460-20-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/1460-9-0x0000000000280000-0x00000000005CE000-memory.dmp

Filesize
3.3MB

Download
memory/1684-131-0x0000000000BA0000-0x0000000000EEE000-memory.dmp

Filesize
3.3MB

Download
memory/1904-8-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/1904-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

Filesize
4KB

Download
memory/1904-2-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/1904-1-0x00000000003D0000-0x000000000071E000-memory.dmp

Filesize
3.3MB

Download
memory/2660-23-0x00000000011C0000-0x000000000150E000-memory.dmp

Filesize
3.3MB

Download
memory/2996-163-0x0000000000170000-0x00000000004BE000-memory.dmp

Filesize
3.3MB

Download
memory/3028-108-0x0000000000180000-0x00000000004CE000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads