quasar | ecce2755fb5ea36f5c5c204d2f289a87909a1affcb3cebe7310d39617d860981

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ANYX-client-build/AnyLoaderV4.9.exe
Size

3.1MB
MD5

9a99be1ac8e21a3c4959702a02b25d6e
SHA1

55d6230481e90c8a2f9d09956c07e3db1d03a96d
SHA256

e26918aac1a313925a7aecdaeb1990788cd2e09e439cd3e5fe8d6babb89df0f1
SHA512

46ae9d4d95c89afb3ed987445dcf72c71e770e99c35759a724e963952784d518530b2829b856b7818a8bc226e35fa8f243e18e35da4d7169c44edc5303159ea4
SSDEEP

49152:rvelL26AaNeWgPhlmVqvMQ7XSKodL5mzSooGdw9THHB72eh2NT:rvOL26AaNeWgPhlmVqkQ7XSKodL0A

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

rolok44419-55109.portmap.host:55109

Mutex

0bcbf378-c5c6-4d35-b7db-11442a750cf2

Attributes

encryption_key
A1C7F8E92E515420A946C210E4F8C886810ADBFD
install_name
AnyLoaderV4.9.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 11 IoCs

resource	yara_rule
behavioral1/memory/1872-1-0x0000000000D50000-0x0000000001074000-memory.dmp	family_quasar
behavioral1/files/0x0009000000015d7f-6.dat	family_quasar
behavioral1/memory/1020-9-0x0000000000320000-0x0000000000644000-memory.dmp	family_quasar
behavioral1/memory/2800-23-0x0000000000960000-0x0000000000C84000-memory.dmp	family_quasar
behavioral1/memory/796-35-0x0000000000FA0000-0x00000000012C4000-memory.dmp	family_quasar
behavioral1/memory/1452-67-0x0000000001070000-0x0000000001394000-memory.dmp	family_quasar
behavioral1/memory/2384-88-0x0000000000140000-0x0000000000464000-memory.dmp	family_quasar
behavioral1/memory/2668-100-0x0000000000BF0000-0x0000000000F14000-memory.dmp	family_quasar
behavioral1/memory/1144-131-0x0000000000D80000-0x00000000010A4000-memory.dmp	family_quasar
behavioral1/memory/1672-152-0x0000000001040000-0x0000000001364000-memory.dmp	family_quasar
behavioral1/memory/1532-163-0x0000000000010000-0x0000000000334000-memory.dmp	family_quasar

Executes dropped EXE 16 IoCs

pid	Process
1020	AnyLoaderV4.9.exe
2800	AnyLoaderV4.9.exe
796	AnyLoaderV4.9.exe
2024	AnyLoaderV4.9.exe
1256	AnyLoaderV4.9.exe
1452	AnyLoaderV4.9.exe
3016	AnyLoaderV4.9.exe
2384	AnyLoaderV4.9.exe
2668	AnyLoaderV4.9.exe
2572	AnyLoaderV4.9.exe
2020	AnyLoaderV4.9.exe
1144	AnyLoaderV4.9.exe
1004	AnyLoaderV4.9.exe
1672	AnyLoaderV4.9.exe
1532	AnyLoaderV4.9.exe
2540	AnyLoaderV4.9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2624	PING.EXE
2272	PING.EXE
2108	PING.EXE
2064	PING.EXE
2360	PING.EXE
868	PING.EXE
2184	PING.EXE
2432	PING.EXE
2468	PING.EXE
1872	PING.EXE
2548	PING.EXE
3028	PING.EXE
592	PING.EXE
3000	PING.EXE
1604	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1604	PING.EXE
2432	PING.EXE
592	PING.EXE
2624	PING.EXE
3000	PING.EXE
2360	PING.EXE
3028	PING.EXE
2184	PING.EXE
2468	PING.EXE
2272	PING.EXE
1872	PING.EXE
2548	PING.EXE
868	PING.EXE
2108	PING.EXE
2064	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1676	schtasks.exe
1560	schtasks.exe
2568	schtasks.exe
920	schtasks.exe
896	schtasks.exe
1552	schtasks.exe
1288	schtasks.exe
1824	schtasks.exe
1924	schtasks.exe
308	schtasks.exe
2796	schtasks.exe
1608	schtasks.exe
3052	schtasks.exe
2336	schtasks.exe
976	schtasks.exe
2504	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	AnyLoaderV4.9.exe
Token: SeDebugPrivilege	1020	AnyLoaderV4.9.exe
Token: SeDebugPrivilege	2800	AnyLoaderV4.9.exe
Token: SeDebugPrivilege	796	AnyLoaderV4.9.exe
Token: SeDebugPrivilege	2024	AnyLoaderV4.9.exe
Token: SeDebugPrivilege	1256	AnyLoaderV4.9.exe
Token: SeDebugPrivilege	1452	AnyLoaderV4.9.exe
Token: SeDebugPrivilege	3016	AnyLoaderV4.9.exe
Token: SeDebugPrivilege	2384	AnyLoaderV4.9.exe
Token: SeDebugPrivilege	2668	AnyLoaderV4.9.exe
Token: SeDebugPrivilege	2572	AnyLoaderV4.9.exe
Token: SeDebugPrivilege	2020	AnyLoaderV4.9.exe
Token: SeDebugPrivilege	1144	AnyLoaderV4.9.exe
Token: SeDebugPrivilege	1004	AnyLoaderV4.9.exe
Token: SeDebugPrivilege	1672	AnyLoaderV4.9.exe
Token: SeDebugPrivilege	1532	AnyLoaderV4.9.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1020	AnyLoaderV4.9.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 1924	1872	AnyLoaderV4.9.exe	28
PID 1872 wrote to memory of 1924	1872	AnyLoaderV4.9.exe	28
PID 1872 wrote to memory of 1924	1872	AnyLoaderV4.9.exe	28
PID 1872 wrote to memory of 1020	1872	AnyLoaderV4.9.exe	30
PID 1872 wrote to memory of 1020	1872	AnyLoaderV4.9.exe	30
PID 1872 wrote to memory of 1020	1872	AnyLoaderV4.9.exe	30
PID 1020 wrote to memory of 3052	1020	AnyLoaderV4.9.exe	31
PID 1020 wrote to memory of 3052	1020	AnyLoaderV4.9.exe	31
PID 1020 wrote to memory of 3052	1020	AnyLoaderV4.9.exe	31
PID 1020 wrote to memory of 2296	1020	AnyLoaderV4.9.exe	33
PID 1020 wrote to memory of 2296	1020	AnyLoaderV4.9.exe	33
PID 1020 wrote to memory of 2296	1020	AnyLoaderV4.9.exe	33
PID 2296 wrote to memory of 3036	2296	cmd.exe	35
PID 2296 wrote to memory of 3036	2296	cmd.exe	35
PID 2296 wrote to memory of 3036	2296	cmd.exe	35
PID 2296 wrote to memory of 3000	2296	cmd.exe	36
PID 2296 wrote to memory of 3000	2296	cmd.exe	36
PID 2296 wrote to memory of 3000	2296	cmd.exe	36
PID 2296 wrote to memory of 2800	2296	cmd.exe	37
PID 2296 wrote to memory of 2800	2296	cmd.exe	37
PID 2296 wrote to memory of 2800	2296	cmd.exe	37
PID 2800 wrote to memory of 2568	2800	AnyLoaderV4.9.exe	38
PID 2800 wrote to memory of 2568	2800	AnyLoaderV4.9.exe	38
PID 2800 wrote to memory of 2568	2800	AnyLoaderV4.9.exe	38
PID 2800 wrote to memory of 2620	2800	AnyLoaderV4.9.exe	40
PID 2800 wrote to memory of 2620	2800	AnyLoaderV4.9.exe	40
PID 2800 wrote to memory of 2620	2800	AnyLoaderV4.9.exe	40
PID 2620 wrote to memory of 2604	2620	cmd.exe	42
PID 2620 wrote to memory of 2604	2620	cmd.exe	42
PID 2620 wrote to memory of 2604	2620	cmd.exe	42
PID 2620 wrote to memory of 2548	2620	cmd.exe	43
PID 2620 wrote to memory of 2548	2620	cmd.exe	43
PID 2620 wrote to memory of 2548	2620	cmd.exe	43
PID 2620 wrote to memory of 796	2620	cmd.exe	46
PID 2620 wrote to memory of 796	2620	cmd.exe	46
PID 2620 wrote to memory of 796	2620	cmd.exe	46
PID 796 wrote to memory of 308	796	AnyLoaderV4.9.exe	47
PID 796 wrote to memory of 308	796	AnyLoaderV4.9.exe	47
PID 796 wrote to memory of 308	796	AnyLoaderV4.9.exe	47
PID 796 wrote to memory of 1040	796	AnyLoaderV4.9.exe	49
PID 796 wrote to memory of 1040	796	AnyLoaderV4.9.exe	49
PID 796 wrote to memory of 1040	796	AnyLoaderV4.9.exe	49
PID 1040 wrote to memory of 2232	1040	cmd.exe	51
PID 1040 wrote to memory of 2232	1040	cmd.exe	51
PID 1040 wrote to memory of 2232	1040	cmd.exe	51
PID 1040 wrote to memory of 2360	1040	cmd.exe	52
PID 1040 wrote to memory of 2360	1040	cmd.exe	52
PID 1040 wrote to memory of 2360	1040	cmd.exe	52
PID 1040 wrote to memory of 2024	1040	cmd.exe	53
PID 1040 wrote to memory of 2024	1040	cmd.exe	53
PID 1040 wrote to memory of 2024	1040	cmd.exe	53
PID 2024 wrote to memory of 2336	2024	AnyLoaderV4.9.exe	54
PID 2024 wrote to memory of 2336	2024	AnyLoaderV4.9.exe	54
PID 2024 wrote to memory of 2336	2024	AnyLoaderV4.9.exe	54
PID 2024 wrote to memory of 2744	2024	AnyLoaderV4.9.exe	56
PID 2024 wrote to memory of 2744	2024	AnyLoaderV4.9.exe	56
PID 2024 wrote to memory of 2744	2024	AnyLoaderV4.9.exe	56
PID 2744 wrote to memory of 2612	2744	cmd.exe	58
PID 2744 wrote to memory of 2612	2744	cmd.exe	58
PID 2744 wrote to memory of 2612	2744	cmd.exe	58
PID 2744 wrote to memory of 1604	2744	cmd.exe	59
PID 2744 wrote to memory of 1604	2744	cmd.exe	59
PID 2744 wrote to memory of 1604	2744	cmd.exe	59
PID 2744 wrote to memory of 1256	2744	cmd.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ANYX-client-build\AnyLoaderV4.9.exe
"C:\Users\Admin\AppData\Local\Temp\ANYX-client-build\AnyLoaderV4.9.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1924
- C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3052
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\jpq2oio6s3AI.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3036
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3000
  - - C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2568
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\H6th7FKrQf5d.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2620
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2604
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2548
      - C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:308
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xrDZj6ZNBMRC.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2232
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2360
        
        C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2336
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cTdFmrO0woRb.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1604
        
        C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:976
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BzHWPK6tCWTa.bat" "
        11⤵
        
        PID:1220
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3028
        
        C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:920
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SQlgznpie0bh.bat" "
        13⤵
        
        PID:1552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3008
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:868
        
        C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:896
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\k4pjC2M1qw4e.bat" "
        15⤵
        
        PID:2856
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1892
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1676
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zUd8JodRHez8.bat" "
        17⤵
        
        PID:2252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2624
        
        C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2796
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CqCEWnKW0m5w.bat" "
        19⤵
        
        PID:2704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1536
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2432
        
        C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1608
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IE8PDrGtRcxR.bat" "
        21⤵
        
        PID:1440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2216
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2468
        
        C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1560
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vl2f2Dw6KtKy.bat" "
        23⤵
        
        PID:2724
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2272
        
        C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2504
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aH2VsoeAaYB4.bat" "
        25⤵
        
        PID:972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2108
        
        C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1288
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\moGoY0hoCngW.bat" "
        27⤵
        
        PID:3020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2816
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:592
        
        C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1552
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Fp7Mh3aMUBlx.bat" "
        29⤵
        
        PID:2128
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1664
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2064
        
        C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1824
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\i7cDZ1mWakjP.bat" "
        31⤵
        
        PID:1680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2708
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1872
        
        C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe"
        32⤵
        Executes dropped EXE
        
        PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BzHWPK6tCWTa.bat

Filesize
214B

MD5
0ea0e960de57208366ebf40fd83b28bc

SHA1
7a6fac86ed0f3cc665d49243d96c7be28749b08c

SHA256
d6208fe9151ab601914baff6a6087d26ff84590f849f467d101a112c74ebfe23

SHA512
49cc6c13dc82b8e11c8714303413b22cb53371b28ff3793bdc8f090027263a1db7fc06e6a3cc0bb66974dc13b923b81675002070d489d1454b687ce86ffe37bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CqCEWnKW0m5w.bat

Filesize
214B

MD5
dc5fae771f5fedb0c30ce8f72ce4e434

SHA1
7c508ef8f65aa03dea34b56e5f0e27f681ed8fe3

SHA256
d97340fb476d5e5317c43b3131a42780c080846356a29a02c75b2718262be068

SHA512
b6bf78c8b8e64e34201ed979297cb9b813dca68ed9f7e1212ef429ee3a774d6aaf14d9615ff49b40bd538454a66a30adfa574117170d87f736206f5e298591fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fp7Mh3aMUBlx.bat

Filesize
214B

MD5
5f3ad7575e9d4eb21e21240a621ee7c1

SHA1
7c2b2eb0dff75bf69d118bd4c0dbe40c85dabd69

SHA256
7c33009dd93059e157b28902a098e9e448452879855437c287e4c5d489ee89ce

SHA512
13a3152922fe67ffc099c91cfb6e77886cd97f1536901f39a452341487da803b01021ae290e59279ed0b78a0b1e23f3184f494d8f421309516931c83742ef844

Download Submit
C:\Users\Admin\AppData\Local\Temp\H6th7FKrQf5d.bat

Filesize
214B

MD5
ad5d8eb97a2e5550d99f32aec1918403

SHA1
6586bbdbff81fdf6c7161fa9d412e02d88a567fc

SHA256
871d2b77f6cbc2b160c8a059c10791a2851fbdb98d4f004387b51ebc7f52b835

SHA512
85a931e276cbbdfbb96b88394ec7369843bd5e90136d800e8903ff6cfa54ad65b6f64250f824539305b7b6130628c1fb732fb521d2cf61e7f9895ce928c24914

Download Submit
C:\Users\Admin\AppData\Local\Temp\IE8PDrGtRcxR.bat

Filesize
214B

MD5
b306d19c7fe11aa978244aa721ae5204

SHA1
64bdec5b26984971998780193919040180a3f5af

SHA256
5099e67d1738b2748756e71fdbe1572afddb0afaca3a11ee8c699ba5ca77d759

SHA512
8148a73858f1475f5023e21bfe891665d095681f5e0a06a4e3cb8bd94741187bf3c6dfdebbfd89e9b5cf9c868a18c9ef5e3b5cadd7115dd1947cc19f09f29fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQlgznpie0bh.bat

Filesize
214B

MD5
872f741615547644d507f6a169e99720

SHA1
21228bb25da4d3f47e65b80533353c9acac368fa

SHA256
60790dff0d3ba433c8a241aab77debdccaafbe48bdce011352397d6e3b7dc2b0

SHA512
6515ed671e1170b31a80eee457ce3535bb686c38fa3f043e2a9f401a42086c93160675e415b87c6f9995e4576f17ae3d2c6355e37715dfc995f686cbd157b89d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aH2VsoeAaYB4.bat

Filesize
214B

MD5
a0525b11d8f1caea2ef61431d6761276

SHA1
856d255d93409ad297a50ff2f797b71fb9396a1e

SHA256
dcb9065e240d5ea8b2e0206a421ba62c67febdd62e0d9aa0f2cee25790914f9e

SHA512
2377af69cc39f88b95a92865fe5873298145c66f79281e63b0353a085af6355822c8612f18f4b2c5666433fb6a73bd2cc96f379bf250379254a0a26f7dbda269

Download Submit
C:\Users\Admin\AppData\Local\Temp\cTdFmrO0woRb.bat

Filesize
214B

MD5
52e557a5cab63ff716fb3ea85262d2fc

SHA1
e91b2c3b6582a35029fbfbe3e1b60d0ae931a131

SHA256
d8ce562b02dc1c203fba36a0682e843270a0b2aa6ab336536248dae9a08f0619

SHA512
20e352496bf25a3117366978c3890cc1cead6ab339f7d48207f404d19e006fdd9b1ca64c8999015543f05b760829093987e31f58b5439338a86b2fd2e1e8e363

Download Submit
C:\Users\Admin\AppData\Local\Temp\i7cDZ1mWakjP.bat

Filesize
214B

MD5
4665eacda1e6bbc172950efde012e572

SHA1
eb17adcd4f4150b1bd91024cfbe644c6d078f942

SHA256
229d10765c593147bcf9c1eeba02e5bd91361e1a5064d4d6a1ee5e26cc3f6f3e

SHA512
ead92b87ef10cfd837ca0156e720a34600402f552fe1f23ac44d80a20d8ac41726d6863e84f8d54b154d1d54083cc8597a1019424dec9b3c547ef5de1437e931

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpq2oio6s3AI.bat

Filesize
214B

MD5
e5153078c1de3fc7e5ec181fea75e3fd

SHA1
7165f2946d288b1dd5e594c73e2c7b6097723b14

SHA256
4f85b8e155a0e0d3be4aa9057c249de5111c1d2e6d8418ab7f09c76b3f74f2bc

SHA512
0f450bf208374214f8e4a20dd8b87e5a2934b327db5779aa23170c3c7ca682b96c7646a87868add34a0e9b885c1247f383db87886709f02f2bccd207e3f31cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\k4pjC2M1qw4e.bat

Filesize
214B

MD5
b1e6c570d00a32b28a039b26a58b2110

SHA1
511f984131b8c2280405451a13b93dcc98e5be98

SHA256
e0016fbfad4e1a60e27e99580a758f3997a98dd3d7117f0b069276f7917e67c2

SHA512
6fccb1857fb01c92b6f664bbd202de99fb0f4901446d7c0333328754adb7a432f2d4e146150e8414d770eeab1b8bc6cf6994d0bf0585f976f415d167594e1ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\moGoY0hoCngW.bat

Filesize
214B

MD5
3d2d566a23cf6e0a933303a2ed521312

SHA1
d55c45321ae334b02da2f94c81f3ec53cdcd3959

SHA256
e9393d3a2681ada49d4efc20a00eec8344d5e68237b0d83a7a284994022f2f7d

SHA512
c9f8c3fd048dd70d48983af9ae1ec3d2c6a16b6c0cd4e81dbaf5f28c62838ad55f7bd49b07ad2ae2695fb3f4144433cc6df8b83389db4997fd7311f5dfceb48f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vl2f2Dw6KtKy.bat

Filesize
214B

MD5
9c211090ee2f9857e5aeca07b417b008

SHA1
e6a2caa477a3a79ec5ed89f6e9104229c218aedc

SHA256
cbcd6bfc2cb502c9ce6a991dec52c8b07599b4e345254fed909284f05346770f

SHA512
5e58829e4b6a9e3d408b70df1e283509ee4d1ee9d5159c493017e3e3ebb532811a897251dd161dfe1d5b07093889290309e6631cccf4ac420b8494792fc7b420

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrDZj6ZNBMRC.bat

Filesize
214B

MD5
ea2bad1087b2f73d86fc0d6e9fc4b546

SHA1
a86e26ea12232976f89860ee81d14e4aa6059d4e

SHA256
0f081df2a05146493daeeb6fdffa51b475d5fa78669d60d6785602eca7bd23b9

SHA512
94d3916536b96aaade91c7c3d7a69fd50ce367465e2523db0b73ba50413f44191981c576b3314a291c4642de0d9fffd6b30384df6a352e0006d7d9479e4f33a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zUd8JodRHez8.bat

Filesize
214B

MD5
c8919d884b66036cfe77e365229bd332

SHA1
b65e9787874096d0b17a2f7a9cc797b0d676dd52

SHA256
fa679bbfa3d485b14a78d61109740cd01588c5dd2e167373843a06ba846ff8b5

SHA512
c69b7aca2200fcb2f596b335dd6891d767bb9343e22ae90c6feb88f58517a504728bc53958b35d50d495f87d3ad824053125e7c0ca1eb12b569eb4584bf32466

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe

Filesize
1.1MB

MD5
935a2da1b272463b329582efd0d5e59d

SHA1
e4361c3780a9c8093258b88727fafc5b4b558355

SHA256
28f76722bb5ae283c22244805cbab566fe3e2d78bc15c7d9e32d537bf86fb062

SHA512
5fe7e988aed1802c920e8a1112bc6987b05dc4e6ec125e2c24b45709edb75142b900b3b148b131ac0e8d859d6ebda1640a1968c5d1cbdab37f7c99cd3c197145

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe

Filesize
3.1MB

MD5
9a99be1ac8e21a3c4959702a02b25d6e

SHA1
55d6230481e90c8a2f9d09956c07e3db1d03a96d

SHA256
e26918aac1a313925a7aecdaeb1990788cd2e09e439cd3e5fe8d6babb89df0f1

SHA512
46ae9d4d95c89afb3ed987445dcf72c71e770e99c35759a724e963952784d518530b2829b856b7818a8bc226e35fa8f243e18e35da4d7169c44edc5303159ea4

Download Submit
memory/796-35-0x0000000000FA0000-0x00000000012C4000-memory.dmp

Filesize
3.1MB

Download
memory/1020-10-0x000007FEF5CC0000-0x000007FEF66AC000-memory.dmp

Filesize
9.9MB

Download
memory/1020-11-0x000007FEF5CC0000-0x000007FEF66AC000-memory.dmp

Filesize
9.9MB

Download
memory/1020-20-0x000007FEF5CC0000-0x000007FEF66AC000-memory.dmp

Filesize
9.9MB

Download
memory/1020-9-0x0000000000320000-0x0000000000644000-memory.dmp

Filesize
3.1MB

Download
memory/1144-131-0x0000000000D80000-0x00000000010A4000-memory.dmp

Filesize
3.1MB

Download
memory/1452-67-0x0000000001070000-0x0000000001394000-memory.dmp

Filesize
3.1MB

Download
memory/1532-163-0x0000000000010000-0x0000000000334000-memory.dmp

Filesize
3.1MB

Download
memory/1672-152-0x0000000001040000-0x0000000001364000-memory.dmp

Filesize
3.1MB

Download
memory/1872-0-0x000007FEF5CC3000-0x000007FEF5CC4000-memory.dmp

Filesize
4KB

Download
memory/1872-1-0x0000000000D50000-0x0000000001074000-memory.dmp

Filesize
3.1MB

Download
memory/1872-2-0x000007FEF5CC0000-0x000007FEF66AC000-memory.dmp

Filesize
9.9MB

Download
memory/1872-8-0x000007FEF5CC0000-0x000007FEF66AC000-memory.dmp

Filesize
9.9MB

Download
memory/2384-88-0x0000000000140000-0x0000000000464000-memory.dmp

Filesize
3.1MB

Download
memory/2540-174-0x0000000000950000-0x0000000000C74000-memory.dmp

Filesize
3.1MB

Download
memory/2668-100-0x0000000000BF0000-0x0000000000F14000-memory.dmp

Filesize
3.1MB

Download
memory/2800-23-0x0000000000960000-0x0000000000C84000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads