quasar | 9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe
Size

3.3MB
MD5

f29f701e76e3a435acdd474a41fa60ba
SHA1

10f06b6fc259131d8b6a5423972a1e55b62ce478
SHA256

9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba
SHA512

0d5088f4f685b6d29edec7cc7e8bfe7c594fa6b3fde2a6b11ee977455d6fe088e04e899203171ff519cf9d2b5a78231f3650774cc17824219f43f947d13a86e9
SSDEEP

49152:gvmI22SsaNYfdPBldt698dBcjHinQ1CGarv2oGdUBTHHB72eh2NT:gvr22SsaNYfdPBldt6+dBcjH6yCO

Score

10^/10

quasar java discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Java

dez3452-33187.portmap.host:33187

Mutex

f0e53bcd-851e-44af-8fd5-07d8ab5ed968

Attributes

encryption_key
65439CE7DEF3E0FAF01C526FEA90388C9FD487A1
install_name
java.exe
log_directory
Logs
reconnect_delay
3000
startup_key
java ©
subdirectory
Programfiles

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2176-1-0x0000000000630000-0x000000000097E000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b9a-6.dat	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	java.exe

Executes dropped EXE 14 IoCs

pid	Process
1332	java.exe
4868	java.exe
2260	java.exe
1480	java.exe
812	java.exe
1892	java.exe
1120	java.exe
4440	java.exe
2248	java.exe
4760	java.exe
4060	java.exe
4520	java.exe
2024	java.exe
2892	java.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1192	PING.EXE
4420	PING.EXE
2332	PING.EXE
4788	PING.EXE
4952	PING.EXE
3620	PING.EXE
2316	PING.EXE
1020	PING.EXE
2408	PING.EXE
2704	PING.EXE
4040	PING.EXE
2192	PING.EXE
3344	PING.EXE
3244	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
2408	PING.EXE
2704	PING.EXE
3344	PING.EXE
1020	PING.EXE
2192	PING.EXE
4040	PING.EXE
3244	PING.EXE
4952	PING.EXE
1192	PING.EXE
4788	PING.EXE
4420	PING.EXE
2332	PING.EXE
3620	PING.EXE
2316	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2264	schtasks.exe
2128	schtasks.exe
4268	schtasks.exe
3980	schtasks.exe
2020	schtasks.exe
4728	schtasks.exe
3332	schtasks.exe
1168	schtasks.exe
2232	schtasks.exe
3160	schtasks.exe
3332	schtasks.exe
2396	schtasks.exe
3348	schtasks.exe
2788	schtasks.exe
2308	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe
Token: SeDebugPrivilege	1332	java.exe
Token: SeDebugPrivilege	4868	java.exe
Token: SeDebugPrivilege	2260	java.exe
Token: SeDebugPrivilege	1480	java.exe
Token: SeDebugPrivilege	812	java.exe
Token: SeDebugPrivilege	1892	java.exe
Token: SeDebugPrivilege	1120	java.exe
Token: SeDebugPrivilege	4440	java.exe
Token: SeDebugPrivilege	2248	java.exe
Token: SeDebugPrivilege	4760	java.exe
Token: SeDebugPrivilege	4060	java.exe
Token: SeDebugPrivilege	4520	java.exe
Token: SeDebugPrivilege	2024	java.exe
Token: SeDebugPrivilege	2892	java.exe

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
1332	java.exe
4868	java.exe
2260	java.exe
1480	java.exe
812	java.exe
1892	java.exe
1120	java.exe
4440	java.exe
2248	java.exe
4760	java.exe
4060	java.exe
4520	java.exe
2024	java.exe
2892	java.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
1332	java.exe
4868	java.exe
2260	java.exe
1480	java.exe
812	java.exe
1892	java.exe
1120	java.exe
4440	java.exe
2248	java.exe
4760	java.exe
4060	java.exe
4520	java.exe
2024	java.exe
2892	java.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2396	2176	9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe	82
PID 2176 wrote to memory of 2396	2176	9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe	82
PID 2176 wrote to memory of 1332	2176	9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe	84
PID 2176 wrote to memory of 1332	2176	9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe	84
PID 1332 wrote to memory of 3332	1332	java.exe	85
PID 1332 wrote to memory of 3332	1332	java.exe	85
PID 1332 wrote to memory of 644	1332	java.exe	87
PID 1332 wrote to memory of 644	1332	java.exe	87
PID 644 wrote to memory of 3304	644	cmd.exe	89
PID 644 wrote to memory of 3304	644	cmd.exe	89
PID 644 wrote to memory of 1020	644	cmd.exe	90
PID 644 wrote to memory of 1020	644	cmd.exe	90
PID 644 wrote to memory of 4868	644	cmd.exe	93
PID 644 wrote to memory of 4868	644	cmd.exe	93
PID 4868 wrote to memory of 1168	4868	java.exe	94
PID 4868 wrote to memory of 1168	4868	java.exe	94
PID 4868 wrote to memory of 2524	4868	java.exe	97
PID 4868 wrote to memory of 2524	4868	java.exe	97
PID 2524 wrote to memory of 3032	2524	cmd.exe	100
PID 2524 wrote to memory of 3032	2524	cmd.exe	100
PID 2524 wrote to memory of 4952	2524	cmd.exe	101
PID 2524 wrote to memory of 4952	2524	cmd.exe	101
PID 2524 wrote to memory of 2260	2524	cmd.exe	105
PID 2524 wrote to memory of 2260	2524	cmd.exe	105
PID 2260 wrote to memory of 2232	2260	java.exe	106
PID 2260 wrote to memory of 2232	2260	java.exe	106
PID 2260 wrote to memory of 4800	2260	java.exe	108
PID 2260 wrote to memory of 4800	2260	java.exe	108
PID 4800 wrote to memory of 3524	4800	cmd.exe	110
PID 4800 wrote to memory of 3524	4800	cmd.exe	110
PID 4800 wrote to memory of 1192	4800	cmd.exe	111
PID 4800 wrote to memory of 1192	4800	cmd.exe	111
PID 4800 wrote to memory of 1480	4800	cmd.exe	114
PID 4800 wrote to memory of 1480	4800	cmd.exe	114
PID 1480 wrote to memory of 4268	1480	java.exe	115
PID 1480 wrote to memory of 4268	1480	java.exe	115
PID 1480 wrote to memory of 5080	1480	java.exe	117
PID 1480 wrote to memory of 5080	1480	java.exe	117
PID 5080 wrote to memory of 5020	5080	cmd.exe	119
PID 5080 wrote to memory of 5020	5080	cmd.exe	119
PID 5080 wrote to memory of 2192	5080	cmd.exe	120
PID 5080 wrote to memory of 2192	5080	cmd.exe	120
PID 5080 wrote to memory of 812	5080	cmd.exe	121
PID 5080 wrote to memory of 812	5080	cmd.exe	121
PID 812 wrote to memory of 3160	812	java.exe	122
PID 812 wrote to memory of 3160	812	java.exe	122
PID 812 wrote to memory of 764	812	java.exe	124
PID 812 wrote to memory of 764	812	java.exe	124
PID 764 wrote to memory of 3312	764	cmd.exe	126
PID 764 wrote to memory of 3312	764	cmd.exe	126
PID 764 wrote to memory of 2408	764	cmd.exe	127
PID 764 wrote to memory of 2408	764	cmd.exe	127
PID 764 wrote to memory of 1892	764	cmd.exe	128
PID 764 wrote to memory of 1892	764	cmd.exe	128
PID 1892 wrote to memory of 3980	1892	java.exe	129
PID 1892 wrote to memory of 3980	1892	java.exe	129
PID 1892 wrote to memory of 4668	1892	java.exe	131
PID 1892 wrote to memory of 4668	1892	java.exe	131
PID 4668 wrote to memory of 3288	4668	cmd.exe	133
PID 4668 wrote to memory of 3288	4668	cmd.exe	133
PID 4668 wrote to memory of 2704	4668	cmd.exe	134
PID 4668 wrote to memory of 2704	4668	cmd.exe	134
PID 4668 wrote to memory of 1120	4668	cmd.exe	135
PID 4668 wrote to memory of 1120	4668	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe
"C:\Users\Admin\AppData\Local\Temp\9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2396
- C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6WYWocVPxgTi.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:644
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3304
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1020
  - - C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
      "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4868
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1168
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\o8HK5jTkdvqB.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2524
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3032
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4952
      - C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OZEWuyviwm3u.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1192
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4268
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1mEGkTIyZjFt.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:5020
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2192
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEeBOUfhqsTm.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3312
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2408
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XxdqanAnRdYj.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3288
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2704
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1120
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wqED5OeHUDQp.bat" "
        15⤵
        
        PID:816
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3344
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4440
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wq1MEceCx8Sl.bat" "
        17⤵
        
        PID:4952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4792
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4040
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2248
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYFfZqmkfMio.bat" "
        19⤵
        
        PID:1440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4460
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4420
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4760
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DJOjodnnBZrC.bat" "
        21⤵
        
        PID:4320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4068
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2332
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4060
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NrruTZHTOI5m.bat" "
        23⤵
        
        PID:736
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1488
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3620
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4520
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WaJ2GkGLeSDP.bat" "
        25⤵
        
        PID:3848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4672
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3244
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2024
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aaj7Px1tOcBB.bat" "
        27⤵
        
        PID:5108
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:816
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2892
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\re44wWHnrStr.bat" "
        29⤵
        
        PID:1648
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2760
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\java.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1mEGkTIyZjFt.bat

Filesize
211B

MD5
658ce31964af9a60a05429a34d38781b

SHA1
47b214cdca2a5b4127df413a39a8f6242fd11abc

SHA256
be47b0d27d792d271c3cabc6ec697ee4abc1cb185f2cbadc7ad27b205d5c257f

SHA512
e74b28dab6972341ab16143ab4c12e762ed7aaab0e8437706c4c4dce8ede1d4ab0f556dd50cdb5f07d3d9dfa7d304ec7234afce6baf26d964cb8fa5012bbc0b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\6WYWocVPxgTi.bat

Filesize
211B

MD5
ab35062c0b15b8826fc3518809f68263

SHA1
0b470972786f6f345c35edd8c9723eaf00ab3e57

SHA256
7f3ef8222f7059a2b671705c613354958bf1adf56cb7befff67a8fcec85fe2d6

SHA512
3c7e16e3e16cd38025ddeed03af08491be47fa3fab74fe7460c21f8fd87233bf243b456aea2d50545b6b9c2c4068ace37316787b17e1da5582a332d904a7d36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DJOjodnnBZrC.bat

Filesize
211B

MD5
4b45d3c16ce17245b9a5c14336b81df7

SHA1
9d3f6483fe1312057ff3cbdfe76c53d8d7b6e843

SHA256
edee8ed7254d2ce430125ad5b22d0408d9ff8155cf0964ff5283278888cc8d9b

SHA512
d2b7e52b18cf34fbb34bfe4c5c145131c17afbef7e3fa0776d2c58698f3d28aab0d2e5c2be82a263774b9caa13dc9a0facd2fc677d587a20159727f46020a25f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NrruTZHTOI5m.bat

Filesize
211B

MD5
5ab72d1d427c00ce8dbcd5c48ac123fd

SHA1
6cec596557692ccf927b081cf75f524223f51df1

SHA256
f5b95a2fa8079e8fdf267cd0a3413470d8be5e953b14749e4641eadcc92b64df

SHA512
9c7589c2ac26d214161cbc9fd3fcb2ff0547c2963e3840905c7edcc72fc0db559318f6743d00d0a2028bf115d3bb213e50f345d036990dd2d9dd8dbc48246431

Download Submit
C:\Users\Admin\AppData\Local\Temp\OZEWuyviwm3u.bat

Filesize
211B

MD5
116184fcc9d2c730bb56b7b954e94148

SHA1
053823665b41ef126465782bdafcb3dd1c11afed

SHA256
395e250e2fb3f8e2186672e3fa069c83e491e3c2a084510a513de792cfde644e

SHA512
7e631614faba5ce8fce08273f7c75dd80d9693dad0d23de36db01d0cf32a0055bd02f10c9ba0e622524cf95624c2f16507c6d53c156463192a390f94791841b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WaJ2GkGLeSDP.bat

Filesize
211B

MD5
24dd95724def5cde9d8b118c107d4e96

SHA1
d1757e1151186420e18317fbb9441e199ac39003

SHA256
2561a9ec329fa0b122d8cde7ec5960b764fa6e119333617a64e4c3865d0e8219

SHA512
1f2fabebcf907b5e7f190e2c720a4968c36de4a96f9a10f55bf623bc84401d30ca2f9a3a3e00b27f413be53ce72e4b0a151dc0b8a03745f407fe537ec455deb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxdqanAnRdYj.bat

Filesize
211B

MD5
43913fb01163d89fb4ea11cfeade4efe

SHA1
52b87a660f23fb9f090938ad77edcf1ae8e71a04

SHA256
f7eeb2af4b49b29f44f3891612336610e05f31fcd4a0b2cf2d0484f0a012498e

SHA512
77d2410c1ba13e3a0f02191bb869f59eee3b98ad0e58dfd697406faff7858325bb3526ab53c4452cc91a0c1a86c12183e43e0447ade58dadebcdaa621cfb9702

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaj7Px1tOcBB.bat

Filesize
211B

MD5
fb164f90803606fe33dcd35a73d25c65

SHA1
6554bd3febd11a40464f30c50bd97a3765cedd44

SHA256
34b37fe327902aae05341ea63496eeef4f7f6136ef1ddc1622fc803f211d5ba2

SHA512
6bba5e3518f2c64e10afe1bdfd75d0f90fad6cdb8361c27d493d703fda3d43bbd162e25a9b138da37fc469fc4ebeec302054efc123321bd4bf5f239060b5e431

Download Submit
C:\Users\Admin\AppData\Local\Temp\o8HK5jTkdvqB.bat

Filesize
211B

MD5
7fb4937e8fe93acc0384e6b426491e75

SHA1
6410b6f72f0fb9163adef30430e0b3c3ffbc5a6e

SHA256
78ba85fcf13c96c1d77f3b1c33c8201487010326c6bb6bfdb4ea03646b9fc087

SHA512
535ecd65e2efb0c530b1fe6e8c1c7d0cf23d24a166e40ef9394213efeeb26b06fdb20cd24ec78059ed0167de5eb3e55bb879f539a441debc26908d2b61f61ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEeBOUfhqsTm.bat

Filesize
211B

MD5
38dfeb03a999c88d7a0eb5a6a117fcc1

SHA1
9921e11e59cdb06f979e6d7df7a35293431dfaa9

SHA256
8e73bfa16800c62076da041dfed769c7ff937d14ec16a5e1d6856b6b96a941d2

SHA512
3cbbe06a5dad36a240789f73e014ea515156fd07b3993199fd9b315b70f34545182dd17d26bd6ec6d11c505797e27beede533df74be80794a8fefdfeb800193d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pYFfZqmkfMio.bat

Filesize
211B

MD5
a2938c0efbb53673ced8bdd4e64abc73

SHA1
5f6c7e4924df2316529c7b46317da5338e3e7959

SHA256
97b88d15e0c0491c1ee0f6a158e480cb93335619705b38d2ce15ae59c67fac18

SHA512
8616cd8e385c7f667aafae2cbcc77f8740f62e9744daed555fcc0967b08d42c4ef314682b4ef94c9aff60bfac819821d59af94357cd10c4caf02dab1b3ddae2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\re44wWHnrStr.bat

Filesize
211B

MD5
a70120ab56bf96ddbc1d2cd7b2c2b764

SHA1
f76b305449c6f409ab21c82321d5924e8d303641

SHA256
2f997804fa791f3cd968054c1e580d3f0b6a54897d1e00570d26c4b59c486561

SHA512
8643b46d84b2626aa52ca259deb14d1f1fd47b3cc933d01744bef789768280c99fc401618f881d36edbde1acf9d5e19f0ab38f754bd2678f5c9f03acf9cbc94d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wq1MEceCx8Sl.bat

Filesize
211B

MD5
4efeba6113a03d669d6a04d576261c19

SHA1
1061e946717ff82ca18c07d25e661bee102f93f2

SHA256
a203891bb883c7537a8079b91d31947242e5407a60f925e8f77f8decf2a44c97

SHA512
a571c56037318dfbf6741bc83d1be17604e05ffe61f0849784a5af031b704390ec0df605b26aee8eebe95fd3f2dc5d77378924ca54474394fb181dc16ee5fe38

Download Submit
C:\Users\Admin\AppData\Local\Temp\wqED5OeHUDQp.bat

Filesize
211B

MD5
4b00cdd90727ed9c21d81a91008ddd9f

SHA1
761fc6159f0b6812a5c0c87ea43d139145198384

SHA256
39ac3b7108446db44f7aa60797334cfa557a1056090c90d2ee9209a2cd86d3fb

SHA512
92f59f2d09ae990541bb50a13a77981ced6d1d5216fda1becccab446f83917c246d45586c11820d8b45d9f302b398c5cdfe97ec21b5db49dde0d42eb9da74455

Download Submit
C:\Users\Admin\AppData\Roaming\Programfiles\java.exe

Filesize
3.3MB

MD5
f29f701e76e3a435acdd474a41fa60ba

SHA1
10f06b6fc259131d8b6a5423972a1e55b62ce478

SHA256
9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba

SHA512
0d5088f4f685b6d29edec7cc7e8bfe7c594fa6b3fde2a6b11ee977455d6fe088e04e899203171ff519cf9d2b5a78231f3650774cc17824219f43f947d13a86e9

Download Submit
memory/1332-18-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

Filesize
10.8MB

Download
memory/1332-13-0x000000001C730000-0x000000001C7E2000-memory.dmp

Filesize
712KB

Download
memory/1332-12-0x000000001BEA0000-0x000000001BEF0000-memory.dmp

Filesize
320KB

Download
memory/1332-11-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

Filesize
10.8MB

Download
memory/1332-10-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2176-0-0x00007FFD78113000-0x00007FFD78115000-memory.dmp

Filesize
8KB

Download
memory/2176-9-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2176-2-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2176-1-0x0000000000630000-0x000000000097E000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads