quasar | 8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490

Analysis

max time kernel
142s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490.exe
Size

3.2MB
MD5

23c072bdc1c5fe6c2290df7cd3e9abf8
SHA1

e10c6f7843e89f787866aac99c0cb7a3b2c7a902
SHA256

8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490
SHA512

5e18db624ec40d90776a80d90fa80a8a39f7fcd56a523e2d831942934b00e501e7009cc37b17fa4b29a2c2e5c1895c65fdc3259421fb3ce6ea9da50048c50e0e
SSDEEP

98304:xv642pda6D+/PjlLOlZyQipV2mRJ6Nae:1eOpPU9

Score

10^/10

quasar main discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Main

tpinauskas-54803.portmap.host:54803

Mutex

8422dcc2-b8bd-4080-a017-5b62524b6546

Attributes

encryption_key
2EFF7393DC1BD9FBDDD61A780B994B8166BAB8EC
install_name
Win64.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Win64
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 8 IoCs

resource	yara_rule
behavioral1/memory/2056-1-0x00000000012D0000-0x0000000001610000-memory.dmp	family_quasar
behavioral1/files/0x0008000000016593-6.dat	family_quasar
behavioral1/memory/2388-9-0x0000000000D10000-0x0000000001050000-memory.dmp	family_quasar
behavioral1/memory/1788-34-0x0000000001160000-0x00000000014A0000-memory.dmp	family_quasar
behavioral1/memory/1080-65-0x0000000001280000-0x00000000015C0000-memory.dmp	family_quasar
behavioral1/memory/1852-77-0x0000000001370000-0x00000000016B0000-memory.dmp	family_quasar
behavioral1/memory/2348-149-0x0000000001390000-0x00000000016D0000-memory.dmp	family_quasar
behavioral1/memory/1492-160-0x0000000000380000-0x00000000006C0000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2388	Win64.exe
2856	Win64.exe
1788	Win64.exe
1040	Win64.exe
2584	Win64.exe
1080	Win64.exe
1852	Win64.exe
2140	Win64.exe
2796	Win64.exe
264	Win64.exe
1832	Win64.exe
2996	Win64.exe
1432	Win64.exe
2348	Win64.exe
1492	Win64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2456	PING.EXE
820	PING.EXE
856	PING.EXE
1700	PING.EXE
1160	PING.EXE
2576	PING.EXE
596	PING.EXE
1576	PING.EXE
2240	PING.EXE
1792	PING.EXE
772	PING.EXE
2632	PING.EXE
3008	PING.EXE
1096	PING.EXE
2904	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
596	PING.EXE
1096	PING.EXE
2904	PING.EXE
1700	PING.EXE
2456	PING.EXE
1576	PING.EXE
3008	PING.EXE
2240	PING.EXE
1792	PING.EXE
856	PING.EXE
1160	PING.EXE
772	PING.EXE
2632	PING.EXE
2576	PING.EXE
820	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2292	schtasks.exe
1580	schtasks.exe
2940	schtasks.exe
1052	schtasks.exe
348	schtasks.exe
1796	schtasks.exe
1900	schtasks.exe
1168	schtasks.exe
2872	schtasks.exe
1416	schtasks.exe
2688	schtasks.exe
1976	schtasks.exe
1052	schtasks.exe
2716	schtasks.exe
492	schtasks.exe
2756	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2056	8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490.exe
Token: SeDebugPrivilege	2388	Win64.exe
Token: SeDebugPrivilege	2856	Win64.exe
Token: SeDebugPrivilege	1788	Win64.exe
Token: SeDebugPrivilege	1040	Win64.exe
Token: SeDebugPrivilege	2584	Win64.exe
Token: SeDebugPrivilege	1080	Win64.exe
Token: SeDebugPrivilege	1852	Win64.exe
Token: SeDebugPrivilege	2140	Win64.exe
Token: SeDebugPrivilege	2796	Win64.exe
Token: SeDebugPrivilege	264	Win64.exe
Token: SeDebugPrivilege	1832	Win64.exe
Token: SeDebugPrivilege	2996	Win64.exe
Token: SeDebugPrivilege	1432	Win64.exe
Token: SeDebugPrivilege	2348	Win64.exe
Token: SeDebugPrivilege	1492	Win64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 1416	2056	8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490.exe	30
PID 2056 wrote to memory of 1416	2056	8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490.exe	30
PID 2056 wrote to memory of 1416	2056	8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490.exe	30
PID 2056 wrote to memory of 2388	2056	8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490.exe	32
PID 2056 wrote to memory of 2388	2056	8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490.exe	32
PID 2056 wrote to memory of 2388	2056	8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490.exe	32
PID 2388 wrote to memory of 1900	2388	Win64.exe	33
PID 2388 wrote to memory of 1900	2388	Win64.exe	33
PID 2388 wrote to memory of 1900	2388	Win64.exe	33
PID 2388 wrote to memory of 2760	2388	Win64.exe	35
PID 2388 wrote to memory of 2760	2388	Win64.exe	35
PID 2388 wrote to memory of 2760	2388	Win64.exe	35
PID 2760 wrote to memory of 2976	2760	cmd.exe	37
PID 2760 wrote to memory of 2976	2760	cmd.exe	37
PID 2760 wrote to memory of 2976	2760	cmd.exe	37
PID 2760 wrote to memory of 2240	2760	cmd.exe	38
PID 2760 wrote to memory of 2240	2760	cmd.exe	38
PID 2760 wrote to memory of 2240	2760	cmd.exe	38
PID 2760 wrote to memory of 2856	2760	cmd.exe	39
PID 2760 wrote to memory of 2856	2760	cmd.exe	39
PID 2760 wrote to memory of 2856	2760	cmd.exe	39
PID 2856 wrote to memory of 2716	2856	Win64.exe	40
PID 2856 wrote to memory of 2716	2856	Win64.exe	40
PID 2856 wrote to memory of 2716	2856	Win64.exe	40
PID 2856 wrote to memory of 2272	2856	Win64.exe	42
PID 2856 wrote to memory of 2272	2856	Win64.exe	42
PID 2856 wrote to memory of 2272	2856	Win64.exe	42
PID 2272 wrote to memory of 1968	2272	cmd.exe	44
PID 2272 wrote to memory of 1968	2272	cmd.exe	44
PID 2272 wrote to memory of 1968	2272	cmd.exe	44
PID 2272 wrote to memory of 1700	2272	cmd.exe	45
PID 2272 wrote to memory of 1700	2272	cmd.exe	45
PID 2272 wrote to memory of 1700	2272	cmd.exe	45
PID 2272 wrote to memory of 1788	2272	cmd.exe	47
PID 2272 wrote to memory of 1788	2272	cmd.exe	47
PID 2272 wrote to memory of 1788	2272	cmd.exe	47
PID 1788 wrote to memory of 492	1788	Win64.exe	48
PID 1788 wrote to memory of 492	1788	Win64.exe	48
PID 1788 wrote to memory of 492	1788	Win64.exe	48
PID 1788 wrote to memory of 600	1788	Win64.exe	50
PID 1788 wrote to memory of 600	1788	Win64.exe	50
PID 1788 wrote to memory of 600	1788	Win64.exe	50
PID 600 wrote to memory of 2936	600	cmd.exe	52
PID 600 wrote to memory of 2936	600	cmd.exe	52
PID 600 wrote to memory of 2936	600	cmd.exe	52
PID 600 wrote to memory of 1792	600	cmd.exe	53
PID 600 wrote to memory of 1792	600	cmd.exe	53
PID 600 wrote to memory of 1792	600	cmd.exe	53
PID 600 wrote to memory of 1040	600	cmd.exe	54
PID 600 wrote to memory of 1040	600	cmd.exe	54
PID 600 wrote to memory of 1040	600	cmd.exe	54
PID 1040 wrote to memory of 2940	1040	Win64.exe	55
PID 1040 wrote to memory of 2940	1040	Win64.exe	55
PID 1040 wrote to memory of 2940	1040	Win64.exe	55
PID 1040 wrote to memory of 2404	1040	Win64.exe	57
PID 1040 wrote to memory of 2404	1040	Win64.exe	57
PID 1040 wrote to memory of 2404	1040	Win64.exe	57
PID 2404 wrote to memory of 1148	2404	cmd.exe	59
PID 2404 wrote to memory of 1148	2404	cmd.exe	59
PID 2404 wrote to memory of 1148	2404	cmd.exe	59
PID 2404 wrote to memory of 856	2404	cmd.exe	60
PID 2404 wrote to memory of 856	2404	cmd.exe	60
PID 2404 wrote to memory of 856	2404	cmd.exe	60
PID 2404 wrote to memory of 2584	2404	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490.exe
"C:\Users\Admin\AppData\Local\Temp\8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1416
- C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1900
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\sjqASEZ8y6Iw.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2976
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2240
  - - C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2716
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lVWpZN6p1acD.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2272
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1968
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1700
      - C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:492
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8wYV7pij0pz2.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2936
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1792
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2940
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BacBVpbszwjY.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:856
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1052
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NarCizRuPZww.bat" "
        11⤵
        
        PID:940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1748
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1160
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:348
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dQbZvC9MT6YI.bat" "
        13⤵
        
        PID:556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2456
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2688
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MX40Pk7lMclR.bat" "
        15⤵
        
        PID:2508
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2416
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:772
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2756
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MmZW6vmD4D9E.bat" "
        17⤵
        
        PID:2748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2256
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2632
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1976
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7RBSnmev7oed.bat" "
        19⤵
        
        PID:108
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1800
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2576
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:264
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1168
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qwiQcNpjFVCc.bat" "
        21⤵
        
        PID:1352
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1512
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:596
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2872
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gO9Oc9M707Wo.bat" "
        23⤵
        
        PID:2572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1644
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1576
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1052
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\al3ingfm2bm6.bat" "
        25⤵
        
        PID:1144
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:820
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2292
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9XYA0qsBfjh3.bat" "
        27⤵
        
        PID:752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1516
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3008
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1580
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Xw0HpMta5Ent.bat" "
        29⤵
        
        PID:2396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2464
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1096
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1796
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nMzliyb0RZ8A.bat" "
        31⤵
        
        PID:1712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2580
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7RBSnmev7oed.bat

Filesize
206B

MD5
1e497c0a7cfcbb58ccfff318a0ca2e54

SHA1
1740bb068b8dc94c35a23d56e3835139a6da580c

SHA256
de688dd7cc3112d15e1ac9de79763d7f493edb7c143aaae3cf51b248f26fd124

SHA512
191e39c3dc69f3d8ecf86603fb293cac37a3e71a9a1e8dc2613753036ba6ece50e434135e33b230c5cc5bd74d1f16642786f568055a0c62ab5d5b8bae7e01c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\8wYV7pij0pz2.bat

Filesize
206B

MD5
973257c636581f3a2027d3e2942f8725

SHA1
68ecad3fd2a5a3e4d1cb015d7cdfa3114c22c7c6

SHA256
ccf59131473fecb15e78c2765818d93711f8301c56b471c34e2a1bdc8e8cb03b

SHA512
92f9f4d603a0081a9007d6c974940173d953ca8942d16c86fdd8a7d87faed2865a95ea5aa82da8d021eb9ac774f1e1d04bf071d2af268b49944b1b3707474c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\9XYA0qsBfjh3.bat

Filesize
206B

MD5
dd06341419060025237e71b458dad061

SHA1
a7b671f3f1e398e0e27aa172e68d91a4676276f0

SHA256
2a25598375023b7de76171fec704f7a54cc5171dc4b00cb02996015a684ea72b

SHA512
e839cda761b1f0ab1106eac51cc72cc8833ccd38273a4d3b22753829f8f58b2725451588366ca78e1bdd30717bad2e39570e41d80d83507baba042b4181574f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\BacBVpbszwjY.bat

Filesize
206B

MD5
da9c10549aee1a4f1df2d0c7a554416e

SHA1
3c07e270d6f92044d2e1111f9eef4e7f85d43991

SHA256
bc338fbb6298756b4dc6b261fbcc80ff9bb784259d39719ef28c37533b3b4e7a

SHA512
8ab8c686dfb2a7b94052e2069fcf88e4e2e102132a7863e0ec4af1b856006170015617dfcfbf169857ad89af8c6c60a443b3653b38cd9b779a50f2ace7c470d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MX40Pk7lMclR.bat

Filesize
206B

MD5
8f26fbe33c5ec00167e1f262f893f994

SHA1
a0ef1c50e0121e04f6cf3950824f692dc03b3a95

SHA256
6b772f9a1d7b6ce02257cdc26bd00865df648dff055545efc6d94783b6cfdcfe

SHA512
5b1b84d928def10e591ffee9ed41aa429dc9536731800f5fbc518fe14a76e7e3e07a06db2f8a0bb9770d50b2110cbfccde7e97a370c3ca881d09e284ed0ef3d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MmZW6vmD4D9E.bat

Filesize
206B

MD5
9b28a7e5de5a09c036e92851782b6ad2

SHA1
cd1592ddc5523e2e8bea62b0c3a589984f528872

SHA256
769927e94155ec2093b547c4290ad9dd9f14b829b2f53cf7d03b03d9ea98cfcb

SHA512
ae0fc8c8e469fb20ee8d94cd628f207edfddd9db03fafe90b8d752cf4e2d1c7bcff92c1496ead55d3f984bb029203d876eb720ee6509fca05a38814e19dc6e89

Download Submit
C:\Users\Admin\AppData\Local\Temp\NarCizRuPZww.bat

Filesize
206B

MD5
833d31648d73e3f50090e98a3137f16b

SHA1
384009879e0e9864c9bf52075c6346c54013a0e9

SHA256
68a7408edd530de01fcea97623847647be07196afecc8ee58246faf345816661

SHA512
2c276481478a4f4ebbfe80f82f493d8c36bfca07c6e5dcb309c91b65db6ea9a47dbd673d31ee7452134d1d57fc7c9618b3e1c9a403d98e19bf3adb4e5cd00cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xw0HpMta5Ent.bat

Filesize
206B

MD5
be0bbcd695535f989e15bb3d497f6223

SHA1
d5549539511e2e810073b7a7e5b376e3815e3d13

SHA256
d4265e5efd11e11a9b43fedd70aecae1cf542f9fcabe3a63704fe0a1fe04583c

SHA512
6f4ef4d34d7c26c68044f99938907de57e9b376af3e95eed4d328f294d7f7cfea18a4fef02567462c473684ce48699afd2c4c149e8069dd237c0fe9f0051663b

Download Submit
C:\Users\Admin\AppData\Local\Temp\al3ingfm2bm6.bat

Filesize
206B

MD5
085b795e0b8586b5252028cfc27822fd

SHA1
0d87cf927e61b22248ca5d3f5717cf713c24c305

SHA256
725e095944a62efab6667190948103124c74cd6f288622f58851fe10514ea2d6

SHA512
8694e5e84f45758851364908d8e917f98a4883e153a6287637db65b7dcc383e647b396dd6f22e2158568f3de32ae2f3f4b4454a6612b50379ff08cf13e6b2a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\dQbZvC9MT6YI.bat

Filesize
206B

MD5
e8f0c7a3fbd6bef56f8188818829251b

SHA1
cafef7edf2767fb7e1bdd40b7a8f2971013033d0

SHA256
394c7a2db271eafcfe5fe41e962d679a8c03a95afd815ee36186356238c4e8b2

SHA512
5942ab6b3dab1fe8f3eb1316292272a0fe79f0901a0e6637f3ab623bd52a6b5a294ea59a5edfc0f0236ec04326f5c47eea4285fd2e4a6f7f752667bb8bff8e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gO9Oc9M707Wo.bat

Filesize
206B

MD5
8026c32066c0c7f84abd579e97487852

SHA1
baacba7f8e9e7d0e75b6832f747033c79e8242c4

SHA256
360e6b52683bc5e451548ce1b0599dc0ef75e266299ba23b23b4f3d69da4179e

SHA512
7060e3cd9866ed92ba06bc9ec341ac93f55dba30f211942ed0863835ceb8d8fd8ed272d06dfb06304b2def6363ed97f5f48e89917b105ded13262e78d2a28640

Download Submit
C:\Users\Admin\AppData\Local\Temp\lVWpZN6p1acD.bat

Filesize
206B

MD5
d60948a70bbb282980ea29f217da4ad1

SHA1
9b5bf89d8a49cad496f2fb3b550aab9ed4800849

SHA256
9c0200dfde90c82da6693e3b873c8b166c792f79673353bbdf9a404badf9499e

SHA512
9cc8190b52584d2929e38ff0d7b7728c476817d85a8b2854e9d32705e3f0b0c7523d6753d37c6434ffc7b7f0f247843336d17e366a6eed9b89c44d98d5a40102

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMzliyb0RZ8A.bat

Filesize
206B

MD5
1731b33328a5adb2682b3cc82c38b54a

SHA1
9014731965d9e5664a5bd443d6ed80d6d4007778

SHA256
056e5edb0906dc34f2c0ffa15923d8c64cc50c718fe2f4c59917b522da5aed83

SHA512
7517aba708de479e2f8491bc80fde6d854bdfcc6bedbc84cd6bf740a776b2362f83cc7748681fec8f5c1a598644108a93d44450eb613a3b05c4254a9078b988a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwiQcNpjFVCc.bat

Filesize
206B

MD5
fbe5cb564a797d9add134e8ff62c037b

SHA1
ea8e917efe6a9e51bf0e821f79dc9306c63c2214

SHA256
cc09fbc400cd35b78520a36ec3bd2dbfaa25813d430b4772c26d977f1e14acdd

SHA512
b3908910ea255780e8312379f577c695dbfceebabf30f448772d72ae1f51bf9111bb1d81505c385e83533b382043d50bebcc04d08e5c78c7ac266114bf9fe029

Download Submit
C:\Users\Admin\AppData\Local\Temp\sjqASEZ8y6Iw.bat

Filesize
206B

MD5
dc43d16430d207ba0463210c63e55094

SHA1
3937eeaeb4b481d65d5991b0089d0c9acf5311b6

SHA256
62e52cf06c15a8ecd032342e62244021c82bf86440ea44a5927766e8e1a307fc

SHA512
483d4e18a124a12eed689fab03ad41b7b0ea82bbb72707a0be7ba852793e530ff54fd448520b6096f50b039c907225024b17607871fe42cc29580c7e26b9bd41

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe

Filesize
3.2MB

MD5
23c072bdc1c5fe6c2290df7cd3e9abf8

SHA1
e10c6f7843e89f787866aac99c0cb7a3b2c7a902

SHA256
8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490

SHA512
5e18db624ec40d90776a80d90fa80a8a39f7fcd56a523e2d831942934b00e501e7009cc37b17fa4b29a2c2e5c1895c65fdc3259421fb3ce6ea9da50048c50e0e

Download Submit
memory/1080-65-0x0000000001280000-0x00000000015C0000-memory.dmp

Filesize
3.2MB

Download
memory/1492-160-0x0000000000380000-0x00000000006C0000-memory.dmp

Filesize
3.2MB

Download
memory/1788-34-0x0000000001160000-0x00000000014A0000-memory.dmp

Filesize
3.2MB

Download
memory/1852-77-0x0000000001370000-0x00000000016B0000-memory.dmp

Filesize
3.2MB

Download
memory/2056-1-0x00000000012D0000-0x0000000001610000-memory.dmp

Filesize
3.2MB

Download
memory/2056-0-0x000007FEF5283000-0x000007FEF5284000-memory.dmp

Filesize
4KB

Download
memory/2056-2-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/2056-8-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/2348-149-0x0000000001390000-0x00000000016D0000-memory.dmp

Filesize
3.2MB

Download
memory/2388-11-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/2388-21-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/2388-10-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/2388-9-0x0000000000D10000-0x0000000001050000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads