quasar | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc

Analysis

max time kernel
141s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_03778d811f241e83ccad830372313b3c.exe
Size

6.1MB
MD5

03778d811f241e83ccad830372313b3c
SHA1

11962399abf7fc0981f324e4aa5271f36f50c5ba
SHA256

95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc
SHA512

2e17b881491e2cc9759dde852198622956682327abcc20519ab7099e25b22252a167cd7a4e6e90651a8b44b22c89a52c8fd004a62043f8fa30fe523302f6674f
SSDEEP

98304:ulFqmwupyhcHp5ooEAnHRVN07KgHDpS18DqBRe7qxKfT1J+tNY3LU4rI2qo:uWJuMg53HRVu7vHDpS1IqBRU7kCs2q

Score

10^/10

quasar chrome agilenet discovery evasion spyware themida trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Chrome

live.nodenet.ml:8863

Mutex

754ce6d6-f75b-4c6f-964c-3996e749369e

Attributes

encryption_key
8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
install_name
chrome.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System
subdirectory
chrome

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 12 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016d3f-32.dat	family_quasar
behavioral1/memory/2488-42-0x0000000000940000-0x00000000009C4000-memory.dmp	family_quasar
behavioral1/memory/2748-47-0x0000000001310000-0x0000000001394000-memory.dmp	family_quasar
behavioral1/memory/2940-60-0x0000000000290000-0x0000000000314000-memory.dmp	family_quasar
behavioral1/memory/2468-71-0x00000000003B0000-0x0000000000434000-memory.dmp	family_quasar
behavioral1/memory/1784-82-0x0000000001050000-0x00000000010D4000-memory.dmp	family_quasar
behavioral1/memory/2388-104-0x0000000000370000-0x00000000003F4000-memory.dmp	family_quasar
behavioral1/memory/2740-116-0x00000000000F0000-0x0000000000174000-memory.dmp	family_quasar
behavioral1/memory/2504-127-0x00000000008A0000-0x0000000000924000-memory.dmp	family_quasar
behavioral1/memory/2940-138-0x0000000000230000-0x00000000002B4000-memory.dmp	family_quasar
behavioral1/memory/1128-150-0x0000000000D50000-0x0000000000DD4000-memory.dmp	family_quasar
behavioral1/memory/2124-161-0x0000000000E70000-0x0000000000EF4000-memory.dmp	family_quasar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	JaffaCakes118_03778d811f241e83ccad830372313b3c.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	JaffaCakes118_03778d811f241e83ccad830372313b3c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	JaffaCakes118_03778d811f241e83ccad830372313b3c.exe

Executes dropped EXE 14 IoCs

pid	Process
2488	chrome.exe
2084	S^X.exe
2748	chrome.exe
2940	chrome.exe
2468	chrome.exe
1784	chrome.exe
1360	chrome.exe
2388	chrome.exe
2740	chrome.exe
2504	chrome.exe
2940	chrome.exe
1128	chrome.exe
2124	chrome.exe
2560	chrome.exe

Loads dropped DLL 3 IoCs

pid	Process
2056	JaffaCakes118_03778d811f241e83ccad830372313b3c.exe
2056	JaffaCakes118_03778d811f241e83ccad830372313b3c.exe
2056	JaffaCakes118_03778d811f241e83ccad830372313b3c.exe

Obfuscated with Agile.Net obfuscator 7 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/2056-1-0x0000000000060000-0x0000000000674000-memory.dmp	agile_net
behavioral1/memory/2056-2-0x00000000050E0000-0x00000000056F2000-memory.dmp	agile_net
behavioral1/memory/2056-16-0x00000000050E0000-0x00000000056EC000-memory.dmp	agile_net
behavioral1/memory/2056-18-0x00000000050E0000-0x00000000056EC000-memory.dmp	agile_net
behavioral1/memory/2056-15-0x00000000050E0000-0x00000000056EC000-memory.dmp	agile_net
behavioral1/memory/2056-20-0x00000000050E0000-0x00000000056EC000-memory.dmp	agile_net
behavioral1/memory/2056-22-0x00000000050E0000-0x00000000056EC000-memory.dmp	agile_net

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0008000000016d9f-7.dat	themida
behavioral1/memory/2056-10-0x0000000074390000-0x0000000074998000-memory.dmp	themida
behavioral1/memory/2056-11-0x0000000074390000-0x0000000074998000-memory.dmp	themida
behavioral1/memory/2056-13-0x0000000074390000-0x0000000074998000-memory.dmp	themida
behavioral1/memory/2056-40-0x0000000074390000-0x0000000074998000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JaffaCakes118_03778d811f241e83ccad830372313b3c.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2056	JaffaCakes118_03778d811f241e83ccad830372313b3c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_03778d811f241e83ccad830372313b3c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S^X.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1724	PING.EXE
1480	PING.EXE
1180	PING.EXE
596	PING.EXE
1548	PING.EXE
2900	PING.EXE
1868	PING.EXE
3068	PING.EXE
1848	PING.EXE
2884	PING.EXE
2648	PING.EXE
2184	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
3068	PING.EXE
1480	PING.EXE
2884	PING.EXE
1180	PING.EXE
2648	PING.EXE
2900	PING.EXE
1868	PING.EXE
2184	PING.EXE
596	PING.EXE
1548	PING.EXE
1724	PING.EXE
1848	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2620	schtasks.exe
1588	schtasks.exe
1520	schtasks.exe
3008	schtasks.exe
2148	schtasks.exe
620	schtasks.exe
1484	schtasks.exe
2660	schtasks.exe
2896	schtasks.exe
2340	schtasks.exe
2008	schtasks.exe
2700	schtasks.exe
1604	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2488	chrome.exe
Token: SeDebugPrivilege	2748	chrome.exe
Token: SeDebugPrivilege	2084	S^X.exe
Token: SeDebugPrivilege	2940	chrome.exe
Token: SeDebugPrivilege	2468	chrome.exe
Token: SeDebugPrivilege	1784	chrome.exe
Token: SeDebugPrivilege	1360	chrome.exe
Token: SeDebugPrivilege	2388	chrome.exe
Token: SeDebugPrivilege	2740	chrome.exe
Token: SeDebugPrivilege	2504	chrome.exe
Token: SeDebugPrivilege	2940	chrome.exe
Token: SeDebugPrivilege	1128	chrome.exe
Token: SeDebugPrivilege	2124	chrome.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2748	chrome.exe
2940	chrome.exe
2468	chrome.exe
1784	chrome.exe
1360	chrome.exe
2388	chrome.exe
2740	chrome.exe
2504	chrome.exe
2940	chrome.exe
1128	chrome.exe
2124	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2488	2056	JaffaCakes118_03778d811f241e83ccad830372313b3c.exe	30
PID 2056 wrote to memory of 2488	2056	JaffaCakes118_03778d811f241e83ccad830372313b3c.exe	30
PID 2056 wrote to memory of 2488	2056	JaffaCakes118_03778d811f241e83ccad830372313b3c.exe	30
PID 2056 wrote to memory of 2488	2056	JaffaCakes118_03778d811f241e83ccad830372313b3c.exe	30
PID 2056 wrote to memory of 2084	2056	JaffaCakes118_03778d811f241e83ccad830372313b3c.exe	31
PID 2056 wrote to memory of 2084	2056	JaffaCakes118_03778d811f241e83ccad830372313b3c.exe	31
PID 2056 wrote to memory of 2084	2056	JaffaCakes118_03778d811f241e83ccad830372313b3c.exe	31
PID 2056 wrote to memory of 2084	2056	JaffaCakes118_03778d811f241e83ccad830372313b3c.exe	31
PID 2488 wrote to memory of 3008	2488	chrome.exe	33
PID 2488 wrote to memory of 3008	2488	chrome.exe	33
PID 2488 wrote to memory of 3008	2488	chrome.exe	33
PID 2488 wrote to memory of 2748	2488	chrome.exe	35
PID 2488 wrote to memory of 2748	2488	chrome.exe	35
PID 2488 wrote to memory of 2748	2488	chrome.exe	35
PID 2748 wrote to memory of 2620	2748	chrome.exe	36
PID 2748 wrote to memory of 2620	2748	chrome.exe	36
PID 2748 wrote to memory of 2620	2748	chrome.exe	36
PID 2748 wrote to memory of 268	2748	chrome.exe	38
PID 2748 wrote to memory of 268	2748	chrome.exe	38
PID 2748 wrote to memory of 268	2748	chrome.exe	38
PID 268 wrote to memory of 1928	268	cmd.exe	40
PID 268 wrote to memory of 1928	268	cmd.exe	40
PID 268 wrote to memory of 1928	268	cmd.exe	40
PID 268 wrote to memory of 2900	268	cmd.exe	41
PID 268 wrote to memory of 2900	268	cmd.exe	41
PID 268 wrote to memory of 2900	268	cmd.exe	41
PID 268 wrote to memory of 2940	268	cmd.exe	42
PID 268 wrote to memory of 2940	268	cmd.exe	42
PID 268 wrote to memory of 2940	268	cmd.exe	42
PID 2940 wrote to memory of 2700	2940	chrome.exe	43
PID 2940 wrote to memory of 2700	2940	chrome.exe	43
PID 2940 wrote to memory of 2700	2940	chrome.exe	43
PID 2940 wrote to memory of 1912	2940	chrome.exe	45
PID 2940 wrote to memory of 1912	2940	chrome.exe	45
PID 2940 wrote to memory of 1912	2940	chrome.exe	45
PID 1912 wrote to memory of 800	1912	cmd.exe	47
PID 1912 wrote to memory of 800	1912	cmd.exe	47
PID 1912 wrote to memory of 800	1912	cmd.exe	47
PID 1912 wrote to memory of 1868	1912	cmd.exe	48
PID 1912 wrote to memory of 1868	1912	cmd.exe	48
PID 1912 wrote to memory of 1868	1912	cmd.exe	48
PID 1912 wrote to memory of 2468	1912	cmd.exe	49
PID 1912 wrote to memory of 2468	1912	cmd.exe	49
PID 1912 wrote to memory of 2468	1912	cmd.exe	49
PID 2468 wrote to memory of 2148	2468	chrome.exe	50
PID 2468 wrote to memory of 2148	2468	chrome.exe	50
PID 2468 wrote to memory of 2148	2468	chrome.exe	50
PID 2468 wrote to memory of 3052	2468	chrome.exe	52
PID 2468 wrote to memory of 3052	2468	chrome.exe	52
PID 2468 wrote to memory of 3052	2468	chrome.exe	52
PID 3052 wrote to memory of 1116	3052	cmd.exe	54
PID 3052 wrote to memory of 1116	3052	cmd.exe	54
PID 3052 wrote to memory of 1116	3052	cmd.exe	54
PID 3052 wrote to memory of 1724	3052	cmd.exe	55
PID 3052 wrote to memory of 1724	3052	cmd.exe	55
PID 3052 wrote to memory of 1724	3052	cmd.exe	55
PID 3052 wrote to memory of 1784	3052	cmd.exe	56
PID 3052 wrote to memory of 1784	3052	cmd.exe	56
PID 3052 wrote to memory of 1784	3052	cmd.exe	56
PID 1784 wrote to memory of 1588	1784	chrome.exe	57
PID 1784 wrote to memory of 1588	1784	chrome.exe	57
PID 1784 wrote to memory of 1588	1784	chrome.exe	57
PID 1784 wrote to memory of 748	1784	chrome.exe	59
PID 1784 wrote to memory of 748	1784	chrome.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_03778d811f241e83ccad830372313b3c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_03778d811f241e83ccad830372313b3c.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\AppData\Roaming\chrome.exe
  "C:\Users\Admin\AppData\Roaming\chrome.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3008
- - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2620
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\a5oPm51CVfJC.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:268
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1928
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2900
    - - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2940
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2700
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VGRPq4hPRezU.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:800
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1868
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2148
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\COQqOQDI1iA9.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1116
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1588
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7vwrwdA1x4Yi.bat" "
        10⤵
        
        PID:748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1052
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3068
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1360
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:620
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dBSUokXyWYX0.bat" "
        12⤵
        
        PID:876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2560
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1480
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2388
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1484
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xIIQVTfACeZm.bat" "
        14⤵
        
        PID:1488
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1848
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2740
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2660
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\i2kUMM9ubIwQ.bat" "
        16⤵
        
        PID:2732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1928
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2884
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2504
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2896
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tEexzkYaezeI.bat" "
        18⤵
        
        PID:2912
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1908
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1180
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2940
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2340
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EHkCMyj6mFqC.bat" "
        20⤵
        
        PID:1836
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2588
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2648
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1128
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1520
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SRcG4pSe60HY.bat" "
        22⤵
        
        PID:1456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1692
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2008
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\6jpX1yp631dr.bat" "
        24⤵
        
        PID:768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1540
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:596
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        25⤵
        Executes dropped EXE
        
        PID:2560
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1604
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\THCCOrqUW4mF.bat" "
        26⤵
        
        PID:2548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2456
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1548
- C:\Users\Admin\AppData\Local\Temp\S^X.exe
  "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6jpX1yp631dr.bat

Filesize
207B

MD5
4873adbc7425f1d6633cf6caddcd0737

SHA1
6ef3327dc2fde330ab2f446bc60bfd1cda9705dd

SHA256
45b2825c5ccfdfca3e3d1dc14b4003ed558c09b0a651b4719edc0fd749436c5a

SHA512
90c84b800e1f3f2cca1a249ad18eea14b69a72bfdbb328fa0e8f7ac27aaa9f9dc5796af3fcddd169598afbfa4b9acfceca7e9851d4b866e87447d7d24bbf4eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7vwrwdA1x4Yi.bat

Filesize
207B

MD5
957d45cadbd912cea5ebb2df6fee8847

SHA1
9d67630d0737a783b828fe042ee0357a3cfd3bee

SHA256
05727b35907393cfc3c382f8923dd89e0644b76cc7a31d2365e5ea9ae7484ec6

SHA512
e733c5b022d4c6d1485a6d690412feb93b55c24a8b438fce94122af68c323bbbed2accf832f0aac21f2d4c39a36b6084ab22ac4fa7fd59f922c3c9455efdb013

Download Submit
C:\Users\Admin\AppData\Local\Temp\COQqOQDI1iA9.bat

Filesize
207B

MD5
ecd8bdf83ee265ce3bec28fdc820c028

SHA1
615bfbc3961f991a3564ff9b3463cac6a9417a51

SHA256
efd9821cae93e8dd045e09a840eedfc2ee2e1e825fd283779d3efcb853f0ea23

SHA512
ca1f14654755038f393438490b0c393d418f96a314d43509a929f399ecedf55f5223a2f1cd8a25cce8f2bb8e0e5d9c281161129044c3f8152e2e162ac25df9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EHkCMyj6mFqC.bat

Filesize
207B

MD5
821415ce770b6fbb1e93f508cbf50bdc

SHA1
dc48010a1ab1747f611a495cb8112b972db479b1

SHA256
db12aa7c0a2eb3a85176f1896e0fefbe92885999dbb49dbfa69252b8e99a7933

SHA512
87842a167610668529a87184a635996d14fdc6ad50cd995ff3dd0ef3ffb6f12851bc78cc1e520a0dc742491eb02c17a97380e488d5f70f3948cd899d5be2a80f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SRcG4pSe60HY.bat

Filesize
207B

MD5
9784fe4eb747ef35f681e0705438bbe3

SHA1
3276c4c54bce2293c6f834fdf11b3ec8cb22f376

SHA256
80a6639792c0983688a651e7de4975b1344d5315d497f4f8bf208b104f38d230

SHA512
ff6a3948aebbbc937448f717b2f91bd82546be7055a2baa14697c56d96f05a73c17c79e0c6aa062b74b4cc6469bab7a36843fc9700a6fa52b2dab29205f49f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\VGRPq4hPRezU.bat

Filesize
207B

MD5
ee7c2d030deee42367f2e9656959980d

SHA1
eb0f274ffc4d16b216359b163d97bdba73ec2116

SHA256
9a6471f69393b7c65cc7728df3f6ff61d3b979054ab5e547ce30f5b192e35f99

SHA512
9a4425ce0f4f0a6ab4694b018e67f82306483632816502c355b901a9f5e8ea48828df31ae1bdfa82bf79228ec23da299169d99ef1431d108bbef2dbabe8a36fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5oPm51CVfJC.bat

Filesize
207B

MD5
8555827c6a60eef32b301bd190265f45

SHA1
49a56b51b61150aa4b2230c3c8f215862a6cb4a9

SHA256
05ae5cdd9f9bf522515677e7454c28b45b4f816bcbaedb0caa47c46baa36c3aa

SHA512
1a5bd4b3e5138e1a6903794ccf69fac26a4d8d8f869e4cd6dc53a8b241726f1b5efd863fdc9958fbd35a3bb027c92c448594a0eeddc4b2d9f2d47b6703b76e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\dBSUokXyWYX0.bat

Filesize
207B

MD5
82e14c2f4f6b3a4bf626093e493c3f0b

SHA1
fa420970639962f4fda49d349fb3969f24220dec

SHA256
89dd740c0b2b5e396ea67c7910de907220b1a103da31fc5eb5a33c368f743bd7

SHA512
2d1c6e8957d7d3b93cd2209eab84d48233c9cc1d50f40e78ba444a1c40ae47eee43144a4a2a2a90cfbc5d96767def945438c15e23179565d8ca7bc196e5a0a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\i2kUMM9ubIwQ.bat

Filesize
207B

MD5
d3591828a3e5fbf06fc6b72e8d02bb26

SHA1
4bcfc8ec6ad07408148159cfc75c1d2258cee382

SHA256
691c2418bdb391602b61a67b3c568fd93b93ae50365a41c66421001620a75739

SHA512
438978e129268f31210afdc5deb1d4a6c63c34c6eff97343c90675a4ce7d5c7db460c65715366482020c406ef202d1c96871eb2d7bc9f1e102f4e7007600d3b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tEexzkYaezeI.bat

Filesize
207B

MD5
506c16b2a18d587694946a98b4a772f4

SHA1
504c3c5e99c1d0d196a1614c934237ccb6e61dc2

SHA256
f4cdd001912c934da4f60fa9a26ea7fca8007422d286be1dc33fada4826afa21

SHA512
664776bf9e7b10b2c46ca3c751ceadc1690395d904a09cbbc489b2311bfc5c928b59e3e3f54dcbcb3db311e1b0917fb3a3bae55671f6455e771b4625c1ac9501

Download Submit
C:\Users\Admin\AppData\Local\Temp\xIIQVTfACeZm.bat

Filesize
207B

MD5
d6207a68d185aebf75ae5eb941787771

SHA1
7a0812500e1fc545030f4b2f024a95b4e65006c5

SHA256
03c68f86b1bfb9368db99db0180f9c34ef6a465d30222e0ff3f67634786e35cd

SHA512
86a085bc31196cb256abdf55ccf57eb8d9dece7c1239135b9f4567eacfdda312047b02b5061ade0f6b771594e9fa3fc2745e5655371168bb5537c0c7b005a10f

Download Submit
C:\Users\Admin\AppData\Roaming\chrome.exe

Filesize
502KB

MD5
92479f1615fd4fa1dd3ac7f2e6a1b329

SHA1
0a6063d27c9f991be2053b113fcef25e071c57fd

SHA256
0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569

SHA512
9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c

Download Submit
\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll

Filesize
2.2MB

MD5
2d86c4ad18524003d56c1cb27c549ba8

SHA1
123007f9337364e044b87deacf6793c2027c8f47

SHA256
091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280

SHA512
0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

Download Submit
\Users\Admin\AppData\Local\Temp\S^X.exe

Filesize
789KB

MD5
e2437ac017506bbde9a81fb1f618457b

SHA1
adef2615312b31e041ccf700b3982dd50b686c7f

SHA256
94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12

SHA512
9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

Download Submit
memory/1128-150-0x0000000000D50000-0x0000000000DD4000-memory.dmp

Filesize
528KB

Download
memory/1784-82-0x0000000001050000-0x00000000010D4000-memory.dmp

Filesize
528KB

Download
memory/2056-16-0x00000000050E0000-0x00000000056EC000-memory.dmp

Filesize
6.0MB

Download
memory/2056-20-0x00000000050E0000-0x00000000056EC000-memory.dmp

Filesize
6.0MB

Download
memory/2056-1-0x0000000000060000-0x0000000000674000-memory.dmp

Filesize
6.1MB

Download
memory/2056-40-0x0000000074390000-0x0000000074998000-memory.dmp

Filesize
6.0MB

Download
memory/2056-2-0x00000000050E0000-0x00000000056F2000-memory.dmp

Filesize
6.1MB

Download
memory/2056-24-0x00000000009E0000-0x00000000009E8000-memory.dmp

Filesize
32KB

Download
memory/2056-41-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/2056-6-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/2056-22-0x00000000050E0000-0x00000000056EC000-memory.dmp

Filesize
6.0MB

Download
memory/2056-0-0x0000000074BFE000-0x0000000074BFF000-memory.dmp

Filesize
4KB

Download
memory/2056-10-0x0000000074390000-0x0000000074998000-memory.dmp

Filesize
6.0MB

Download
memory/2056-23-0x00000000056F0000-0x00000000057A2000-memory.dmp

Filesize
712KB

Download
memory/2056-15-0x00000000050E0000-0x00000000056EC000-memory.dmp

Filesize
6.0MB

Download
memory/2056-18-0x00000000050E0000-0x00000000056EC000-memory.dmp

Filesize
6.0MB

Download
memory/2056-14-0x00000000749F0000-0x0000000074A70000-memory.dmp

Filesize
512KB

Download
memory/2056-13-0x0000000074390000-0x0000000074998000-memory.dmp

Filesize
6.0MB

Download
memory/2056-12-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/2056-11-0x0000000074390000-0x0000000074998000-memory.dmp

Filesize
6.0MB

Download
memory/2084-58-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/2084-57-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/2084-39-0x0000000001140000-0x000000000120C000-memory.dmp

Filesize
816KB

Download
memory/2084-38-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/2124-161-0x0000000000E70000-0x0000000000EF4000-memory.dmp

Filesize
528KB

Download
memory/2388-104-0x0000000000370000-0x00000000003F4000-memory.dmp

Filesize
528KB

Download
memory/2468-71-0x00000000003B0000-0x0000000000434000-memory.dmp

Filesize
528KB

Download
memory/2488-42-0x0000000000940000-0x00000000009C4000-memory.dmp

Filesize
528KB

Download
memory/2504-127-0x00000000008A0000-0x0000000000924000-memory.dmp

Filesize
528KB

Download
memory/2560-174-0x000007FEF7680000-0x000007FEF76F4000-memory.dmp

Filesize
464KB

Download
memory/2740-116-0x00000000000F0000-0x0000000000174000-memory.dmp

Filesize
528KB

Download
memory/2748-47-0x0000000001310000-0x0000000001394000-memory.dmp

Filesize
528KB

Download
memory/2940-138-0x0000000000230000-0x00000000002B4000-memory.dmp

Filesize
528KB

Download
memory/2940-60-0x0000000000290000-0x0000000000314000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads