quasar | 27810441ae1cf22aff376877945394e6430f4e8a0ce907f809880e173a851d35

Analysis

max time kernel
141s
max time network
141s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe
Size

6.7MB
MD5

178ea6b2fe4a5d53f40b4c4ef74f7448
SHA1

27581d9ec136e2cc3de4b5f6ed91cbee3ee86108
SHA256

27810441ae1cf22aff376877945394e6430f4e8a0ce907f809880e173a851d35
SHA512

cfce210fb940b4fb4f58946925d81a14d905644a80113194cb75eed087109f9ebb21da3edfaffeee5ecc56105dfd6eef38bbb3dfb897ecbde85624a29ec4e4ed
SSDEEP

196608:sHtgOOkds8GSt6cg53HRVu7vHDpS1IqBRU7kCs2q:sNa8GSQv53xVu7vHhqBa4Cs

Score

10^/10

quasar chrome discovery evasion spyware themida trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Chrome

live.nodenet.ml:8863

Mutex

754ce6d6-f75b-4c6f-964c-3996e749369e

Attributes

encryption_key
8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
install_name
chrome.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System
subdirectory
chrome

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 10 IoCs

resource	yara_rule
behavioral1/files/0x00090000000165c7-18.dat	family_quasar
behavioral1/memory/1876-30-0x0000000001350000-0x00000000013E0000-memory.dmp	family_quasar
behavioral1/memory/2880-36-0x0000000000180000-0x0000000000210000-memory.dmp	family_quasar
behavioral1/memory/2080-47-0x00000000003F0000-0x0000000000480000-memory.dmp	family_quasar
behavioral1/memory/2908-58-0x00000000013D0000-0x0000000001460000-memory.dmp	family_quasar
behavioral1/memory/2112-69-0x0000000000300000-0x0000000000390000-memory.dmp	family_quasar
behavioral1/memory/2372-80-0x0000000000340000-0x00000000003D0000-memory.dmp	family_quasar
behavioral1/memory/2256-91-0x0000000000E80000-0x0000000000F10000-memory.dmp	family_quasar
behavioral1/memory/1016-123-0x00000000013C0000-0x0000000001450000-memory.dmp	family_quasar
behavioral1/memory/872-154-0x00000000001E0000-0x0000000000270000-memory.dmp	family_quasar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe

Executes dropped EXE 14 IoCs

pid	Process
1876	chrome.exe
2272	S^X.exe
2880	chrome.exe
2080	chrome.exe
2908	chrome.exe
2112	chrome.exe
2372	chrome.exe
2256	chrome.exe
588	chrome.exe
1224	chrome.exe
1016	chrome.exe
484	chrome.exe
896	chrome.exe
872	chrome.exe

Loads dropped DLL 3 IoCs

pid	Process
1972	JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe
1972	JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe
1972	JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1972-9-0x00000000724B0000-0x0000000072AB8000-memory.dmp	themida
behavioral1/files/0x0008000000016c66-6.dat	themida
behavioral1/memory/1972-10-0x00000000724B0000-0x0000000072AB8000-memory.dmp	themida
behavioral1/memory/1972-12-0x00000000724B0000-0x0000000072AB8000-memory.dmp	themida
behavioral1/memory/1972-28-0x00000000724B0000-0x0000000072AB8000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1972	JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S^X.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2360	PING.EXE
1392	PING.EXE
2236	PING.EXE
3028	PING.EXE
1432	PING.EXE
2244	PING.EXE
2480	PING.EXE
2892	PING.EXE
1728	PING.EXE
1424	PING.EXE
824	PING.EXE
2912	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
2244	PING.EXE
2480	PING.EXE
3028	PING.EXE
1432	PING.EXE
1424	PING.EXE
2360	PING.EXE
824	PING.EXE
1392	PING.EXE
2912	PING.EXE
2892	PING.EXE
2236	PING.EXE
1728	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2452	schtasks.exe
2232	schtasks.exe
2404	schtasks.exe
2648	schtasks.exe
1904	schtasks.exe
1636	schtasks.exe
2740	schtasks.exe
1448	schtasks.exe
1664	schtasks.exe
2896	schtasks.exe
2840	schtasks.exe
2220	schtasks.exe
304	schtasks.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1876	chrome.exe
Token: SeDebugPrivilege	2880	chrome.exe
Token: SeDebugPrivilege	2272	S^X.exe
Token: SeDebugPrivilege	2080	chrome.exe
Token: SeDebugPrivilege	2908	chrome.exe
Token: SeDebugPrivilege	2112	chrome.exe
Token: SeDebugPrivilege	2372	chrome.exe
Token: SeDebugPrivilege	2256	chrome.exe
Token: SeDebugPrivilege	588	chrome.exe
Token: SeDebugPrivilege	1224	chrome.exe
Token: SeDebugPrivilege	1016	chrome.exe
Token: SeDebugPrivilege	484	chrome.exe
Token: SeDebugPrivilege	896	chrome.exe
Token: SeDebugPrivilege	872	chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2880	chrome.exe
2080	chrome.exe
2908	chrome.exe
2112	chrome.exe
2372	chrome.exe
2256	chrome.exe
588	chrome.exe
1224	chrome.exe
1016	chrome.exe
484	chrome.exe
896	chrome.exe
872	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1876	1972	JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe	30
PID 1972 wrote to memory of 1876	1972	JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe	30
PID 1972 wrote to memory of 1876	1972	JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe	30
PID 1972 wrote to memory of 1876	1972	JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe	30
PID 1972 wrote to memory of 2272	1972	JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe	31
PID 1972 wrote to memory of 2272	1972	JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe	31
PID 1972 wrote to memory of 2272	1972	JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe	31
PID 1972 wrote to memory of 2272	1972	JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe	31
PID 1876 wrote to memory of 2452	1876	chrome.exe	33
PID 1876 wrote to memory of 2452	1876	chrome.exe	33
PID 1876 wrote to memory of 2452	1876	chrome.exe	33
PID 1876 wrote to memory of 2880	1876	chrome.exe	35
PID 1876 wrote to memory of 2880	1876	chrome.exe	35
PID 1876 wrote to memory of 2880	1876	chrome.exe	35
PID 2880 wrote to memory of 2740	2880	chrome.exe	36
PID 2880 wrote to memory of 2740	2880	chrome.exe	36
PID 2880 wrote to memory of 2740	2880	chrome.exe	36
PID 2880 wrote to memory of 2144	2880	chrome.exe	38
PID 2880 wrote to memory of 2144	2880	chrome.exe	38
PID 2880 wrote to memory of 2144	2880	chrome.exe	38
PID 2144 wrote to memory of 2776	2144	cmd.exe	40
PID 2144 wrote to memory of 2776	2144	cmd.exe	40
PID 2144 wrote to memory of 2776	2144	cmd.exe	40
PID 2144 wrote to memory of 2236	2144	cmd.exe	41
PID 2144 wrote to memory of 2236	2144	cmd.exe	41
PID 2144 wrote to memory of 2236	2144	cmd.exe	41
PID 2144 wrote to memory of 2080	2144	cmd.exe	42
PID 2144 wrote to memory of 2080	2144	cmd.exe	42
PID 2144 wrote to memory of 2080	2144	cmd.exe	42
PID 2080 wrote to memory of 1448	2080	chrome.exe	43
PID 2080 wrote to memory of 1448	2080	chrome.exe	43
PID 2080 wrote to memory of 1448	2080	chrome.exe	43
PID 2080 wrote to memory of 1984	2080	chrome.exe	45
PID 2080 wrote to memory of 1984	2080	chrome.exe	45
PID 2080 wrote to memory of 1984	2080	chrome.exe	45
PID 1984 wrote to memory of 2660	1984	cmd.exe	47
PID 1984 wrote to memory of 2660	1984	cmd.exe	47
PID 1984 wrote to memory of 2660	1984	cmd.exe	47
PID 1984 wrote to memory of 1728	1984	cmd.exe	48
PID 1984 wrote to memory of 1728	1984	cmd.exe	48
PID 1984 wrote to memory of 1728	1984	cmd.exe	48
PID 1984 wrote to memory of 2908	1984	cmd.exe	49
PID 1984 wrote to memory of 2908	1984	cmd.exe	49
PID 1984 wrote to memory of 2908	1984	cmd.exe	49
PID 2908 wrote to memory of 2232	2908	chrome.exe	50
PID 2908 wrote to memory of 2232	2908	chrome.exe	50
PID 2908 wrote to memory of 2232	2908	chrome.exe	50
PID 2908 wrote to memory of 1608	2908	chrome.exe	52
PID 2908 wrote to memory of 1608	2908	chrome.exe	52
PID 2908 wrote to memory of 1608	2908	chrome.exe	52
PID 1608 wrote to memory of 660	1608	cmd.exe	54
PID 1608 wrote to memory of 660	1608	cmd.exe	54
PID 1608 wrote to memory of 660	1608	cmd.exe	54
PID 1608 wrote to memory of 3028	1608	cmd.exe	55
PID 1608 wrote to memory of 3028	1608	cmd.exe	55
PID 1608 wrote to memory of 3028	1608	cmd.exe	55
PID 1608 wrote to memory of 2112	1608	cmd.exe	56
PID 1608 wrote to memory of 2112	1608	cmd.exe	56
PID 1608 wrote to memory of 2112	1608	cmd.exe	56
PID 2112 wrote to memory of 1664	2112	chrome.exe	57
PID 2112 wrote to memory of 1664	2112	chrome.exe	57
PID 2112 wrote to memory of 1664	2112	chrome.exe	57
PID 2112 wrote to memory of 1924	2112	chrome.exe	59
PID 2112 wrote to memory of 1924	2112	chrome.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Roaming\chrome.exe
  "C:\Users\Admin\AppData\Roaming\chrome.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2452
- - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2740
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\ip6ItTE1nTP7.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2776
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2236
    - - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2080
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1448
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PESjpEYdysze.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2660
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1728
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2232
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\i8f6NntSfi0B.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:660
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3028
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1664
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qRPFUq8uXR4T.bat" "
        10⤵
        
        PID:1924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1432
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2372
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2404
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HnRDLENvYOLN.bat" "
        12⤵
        
        PID:2252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1424
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2256
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2896
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1sdl28TT2eod.bat" "
        14⤵
        
        PID:904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2084
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2244
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:588
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2648
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qCxj9BiUIvKZ.bat" "
        16⤵
        
        PID:2848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2360
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1224
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2840
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lIS6tfkwVn16.bat" "
        18⤵
        
        PID:1668
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:824
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1016
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1904
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wGRTUJfBT75O.bat" "
        20⤵
        
        PID:2156
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1392
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:484
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2220
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NOllZmlUUtjb.bat" "
        22⤵
        
        PID:1356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1540
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2912
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:896
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:304
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XLp3Vm4iJEij.bat" "
        24⤵
        
        PID:2936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2480
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:872
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1636
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1zJYz8lTn8PA.bat" "
        26⤵
        
        PID:2544
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2528
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2892
- C:\Users\Admin\AppData\Local\Temp\S^X.exe
  "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1sdl28TT2eod.bat

Filesize
207B

MD5
90ca9b3c0b9724360c6e92bfa079e272

SHA1
46c45ef3831c7b33df9fe16df66874817f8950b7

SHA256
051d68cb7839ec209e21dbf2ee19043c2fcb08d9361446124b5d345e2f982258

SHA512
b85148c3f8e1150056f555eca044723aba5ca65e28450dd198af97e00bfb4353c0d1e1d9c813c4bf5e2488dffb4644e2d19593a63c2dceb4d6c9bd50c1c6a75b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1zJYz8lTn8PA.bat

Filesize
207B

MD5
08f366f1c1688610dc8c2b6910e17d63

SHA1
d54cc2f255e6129760b61f509803b340680baf86

SHA256
c14b423ed05225a30887d10144d32c401c5bd66eb7896b56805d0ae45baeafea

SHA512
278146ef1fb305033a378f9ade4875392c59eef6160cb6c0ddf5c653922dfb69ef14b1592d9f012ea6cad3e9c538fd9d3f3a6f322a5183c8d9bead81d2cece06

Download Submit
C:\Users\Admin\AppData\Local\Temp\HnRDLENvYOLN.bat

Filesize
207B

MD5
441787dd5c6908504fde8cace6ac05e0

SHA1
749745988ad26ebb82b1fa9054b8eda37d2afd31

SHA256
06e699cc97a819eef0f76f3f60cc614ae208a74a1bcc17d0dd1145d92326b30f

SHA512
d29a4c22dc3df411c12edad47e9456c7b8c4c5945940ad94f1af6d72931ff5a970cce5bde1c12d3df24f722b0d6b6b1d0212c9dc02ae2a20fd8cff8a4815b2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\NOllZmlUUtjb.bat

Filesize
207B

MD5
deae609341315c3d254d51546f2c00b0

SHA1
3a658226aeed0c7223ab82a57297cfa2c3c4de61

SHA256
b29f626c844243f49809de202cd4ab7d67ba4fd40a0103fe80a24d9d3e4ba000

SHA512
9eb3466b66a743b2b3339ea839e00f5f5b28e1a50acb7801f79bcc12f1cf33364b2a9cea30f96e056da0da4d70681eb36a7e5cc547282223cddf0b7a38ee17a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\PESjpEYdysze.bat

Filesize
207B

MD5
346f4b0c98a5e340abed96fe4b523c28

SHA1
6a3440ea02f48c872640c379e77c7fa9a9ce331d

SHA256
7143d42b2150a73a036a03b9aaea918fe62952a5b995ecb614e21d25467eb0c6

SHA512
bb0a2ef6af285046e298c5809889deb0fed9b718d697c1a56dff8ea985d368b64177f278d11114a02e6cdd28f81095281807a0870715232ee23f128719220485

Download Submit
C:\Users\Admin\AppData\Local\Temp\S^X.exe

Filesize
789KB

MD5
e2437ac017506bbde9a81fb1f618457b

SHA1
adef2615312b31e041ccf700b3982dd50b686c7f

SHA256
94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12

SHA512
9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

Download Submit
C:\Users\Admin\AppData\Local\Temp\XLp3Vm4iJEij.bat

Filesize
207B

MD5
1f641f276dae38fbe3f2367b3d6bfe70

SHA1
def3164e9f06d6f4bf463456255f70dbcbad7351

SHA256
a2bc473385eb3ddeefa3dc49ad46998225945fb153e065cc3062c06894a2bfa7

SHA512
a2790c657e37acf8e9550c2a5af4bc0e3e8a7e2a25c4e018c92a161438d04b6834784eaecd45acd380b7b2bd0a478f11b06dae38eee7f7f7d2e369c97254a985

Download Submit
C:\Users\Admin\AppData\Local\Temp\i8f6NntSfi0B.bat

Filesize
207B

MD5
b790b2dd87371fd44480065bcd0833aa

SHA1
8ed2d4f72f9e54ba3ee9bc37c32c1eebeb1bfea7

SHA256
fe11b42c6bea187a1401e7ac9b9e02979850d0d4b2a41cc64dda93f43cd22d5e

SHA512
a6272059f4081c9a4eeeb625dbbe74ae2cd9c67dac3a9f914a2b1ca441b1530cf7a02e03369fafe588381c76fc4c5dbedcc2aa93bed297c27e1ad874a7248791

Download Submit
C:\Users\Admin\AppData\Local\Temp\ip6ItTE1nTP7.bat

Filesize
207B

MD5
5a63f746b151b2d1c6f11920139eca8e

SHA1
1ee61616c24013d2aeeea30bd985e93440d0bb4f

SHA256
c1d639257f744e0e151398ea22ea543b46830551b66c75518b0c9b8b481c2553

SHA512
dab2e9e784dab785c9bc38b71de1809c7065a2ccc6ee16708ad3664e6427f8cb196ca83cb40c194267a57481ea164481c0c36b713be4fc5bfb51b939bcc5c6c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lIS6tfkwVn16.bat

Filesize
207B

MD5
2ce588fd727fd8420a4575eada19b9cc

SHA1
d13ecd2725707192450307005eae52c61afbd138

SHA256
66e270f02dec5078baafef32420af2ea224e569cac32efd46e55c8d2fe487771

SHA512
4aece40e640bcf49a6be4ca551822fcfea8c3a2060a9a66fbbdc9ac3c78dd510ebbd911cdfc29b957e923cc61f671d40086a99965887cb3b3b3bb91fe6580568

Download Submit
C:\Users\Admin\AppData\Local\Temp\qCxj9BiUIvKZ.bat

Filesize
207B

MD5
364c9076798176d626d4915a52e1a4be

SHA1
a18334c29a953de19fb51e544189167138e703a0

SHA256
621314436ebb2a4dab06cbe812bc1ea2a0174500533f263e59c0cd7ff4bcd92e

SHA512
d8ce7304c284aee1ddce3d198c787b48e4ec3ecef62467916a00c397c52f70e789d84d370b39f20f761f44b13a5dffe61fc908f3c680db3654f369ef2c0811f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qRPFUq8uXR4T.bat

Filesize
207B

MD5
edaa842ee2c80ab9b1d86335ccee2885

SHA1
1cf8d5b863dd2f611fe513af8b3859e4326210e6

SHA256
c58f359cd29d57b237d5acea6ee331e1ca6d30af26f56f1a9ae9d4cc182f3012

SHA512
daa93c56d636ce9cafb73f6272329dca16d3e4ed7c968c0629781d375bfe614359c9928a2ff05f7b5c2aaf45468a1841c1693e244ab1baa5779ad8bafaf6cf4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wGRTUJfBT75O.bat

Filesize
207B

MD5
a8a3d6e9175e373b8e29e33a6b5dbd25

SHA1
a89ffcb14d80880634398d40b7d20ab7c80c0bf1

SHA256
f795505044f561df7dcfce9f9c7bce5c908a4cc7cba625a4f2738f2cc0416d4a

SHA512
5127a108c0e543af1c5ca4b0be03124ffffa92f46e5c47647ade4bb2eb684be922e28b9783bbffb24f22af40533ee59a8a177b529602f79d48915dda7edc425d

Download Submit
C:\Users\Admin\AppData\Roaming\chrome.exe

Filesize
554KB

MD5
2589204aeb19a1d261d5823ca05dd542

SHA1
292de66a43c8ddfab44cd16020434a7349e546a4

SHA256
db92bc93c4836e5db7564cb101233e0c169d3fd5aa6b231538080061ec385be8

SHA512
cafad1246160eb9843ebeb0de5f9cf17a89341d8c91940644d3fe294dd04ad29d579382f1b97bf7ad29b4be053e11febfc189dd7e12dd22dd27f892cb945572c

Download Submit
\Users\Admin\AppData\Local\Temp\9597a42a-4c71-48eb-9cb7-e4568a3181fa\AgileDotNetRT.dll

Filesize
2.2MB

MD5
2d86c4ad18524003d56c1cb27c549ba8

SHA1
123007f9337364e044b87deacf6793c2027c8f47

SHA256
091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280

SHA512
0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

Download Submit
memory/872-154-0x00000000001E0000-0x0000000000270000-memory.dmp

Filesize
576KB

Download
memory/1016-123-0x00000000013C0000-0x0000000001450000-memory.dmp

Filesize
576KB

Download
memory/1876-27-0x000007FEF56B3000-0x000007FEF56B4000-memory.dmp

Filesize
4KB

Download
memory/1876-30-0x0000000001350000-0x00000000013E0000-memory.dmp

Filesize
576KB

Download
memory/1972-28-0x00000000724B0000-0x0000000072AB8000-memory.dmp

Filesize
6.0MB

Download
memory/1972-29-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/1972-2-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/1972-0-0x00000000742E1000-0x00000000742E2000-memory.dmp

Filesize
4KB

Download
memory/1972-1-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/1972-13-0x0000000074160000-0x00000000741BB000-memory.dmp

Filesize
364KB

Download
memory/1972-9-0x00000000724B0000-0x0000000072AB8000-memory.dmp

Filesize
6.0MB

Download
memory/1972-11-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/1972-12-0x00000000724B0000-0x0000000072AB8000-memory.dmp

Filesize
6.0MB

Download
memory/1972-10-0x00000000724B0000-0x0000000072AB8000-memory.dmp

Filesize
6.0MB

Download
memory/2080-47-0x00000000003F0000-0x0000000000480000-memory.dmp

Filesize
576KB

Download
memory/2112-69-0x0000000000300000-0x0000000000390000-memory.dmp

Filesize
576KB

Download
memory/2256-91-0x0000000000E80000-0x0000000000F10000-memory.dmp

Filesize
576KB

Download
memory/2272-31-0x00000000010E0000-0x00000000011AC000-memory.dmp

Filesize
816KB

Download
memory/2372-80-0x0000000000340000-0x00000000003D0000-memory.dmp

Filesize
576KB

Download
memory/2880-36-0x0000000000180000-0x0000000000210000-memory.dmp

Filesize
576KB

Download
memory/2908-58-0x00000000013D0000-0x0000000001460000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads