quasar | c563c2586cc408faf2c05f25fcddb9049e8432d76f6fea16556f75d6ad380ce3

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01/01/2025, 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe
Size

6.6MB
MD5

54fd1c1af0f12d1ff54ab8901e9ce266
SHA1

f50e95582506de109115a2d46c9d2fae6caa238d
SHA256

c563c2586cc408faf2c05f25fcddb9049e8432d76f6fea16556f75d6ad380ce3
SHA512

21c45d652b2433a9ecc042bec756708e94dd7b648187d24efd178e0eae639e7a541cfe83cca443204cd1dd95e3e6b0b1cd7d62b495efa02cf073b9a4a2628c26
SSDEEP

196608:m+AJG9mLg53HRVu7vHDpS1IqBRU7kCs2q:m3Q9j53xVu7vHhqBa4Cs

Score

10^/10

quasar chrome discovery evasion spyware themida trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Chrome

live.nodenet.ml:8863

Mutex

754ce6d6-f75b-4c6f-964c-3996e749369e

Attributes

encryption_key
8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
install_name
chrome.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System
subdirectory
chrome

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 7 IoCs

resource	yara_rule
behavioral1/files/0x000900000001756b-16.dat	family_quasar
behavioral1/memory/2860-30-0x00000000013E0000-0x0000000001464000-memory.dmp	family_quasar
behavioral1/memory/2940-36-0x00000000012E0000-0x0000000001364000-memory.dmp	family_quasar
behavioral1/memory/2280-77-0x00000000001E0000-0x0000000000264000-memory.dmp	family_quasar
behavioral1/memory/2884-89-0x0000000000020000-0x00000000000A4000-memory.dmp	family_quasar
behavioral1/memory/2684-100-0x0000000001060000-0x00000000010E4000-memory.dmp	family_quasar
behavioral1/memory/2992-132-0x00000000012D0000-0x0000000001354000-memory.dmp	family_quasar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe

Executes dropped EXE 13 IoCs

pid	Process
2860	chrome.exe
2380	S^X.exe
2940	chrome.exe
2796	chrome.exe
2164	chrome.exe
2168	chrome.exe
2280	chrome.exe
2884	chrome.exe
2684	chrome.exe
1708	chrome.exe
1572	chrome.exe
2992	chrome.exe
1528	chrome.exe

Loads dropped DLL 3 IoCs

pid	Process
2092	JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe
2092	JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe
2092	JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000d000000016fc9-6.dat	themida
behavioral1/memory/2092-9-0x0000000074090000-0x0000000074698000-memory.dmp	themida
behavioral1/memory/2092-10-0x0000000074090000-0x0000000074698000-memory.dmp	themida
behavioral1/memory/2092-12-0x0000000074090000-0x0000000074698000-memory.dmp	themida
behavioral1/memory/2092-29-0x0000000074090000-0x0000000074698000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2092	JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S^X.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 11 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2096	PING.EXE
1676	PING.EXE
2680	PING.EXE
2384	PING.EXE
2720	PING.EXE
1252	PING.EXE
2168	PING.EXE
1724	PING.EXE
876	PING.EXE
1864	PING.EXE
2212	PING.EXE

Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery

T1018

pid	Process
2212	PING.EXE
2384	PING.EXE
2720	PING.EXE
2096	PING.EXE
1676	PING.EXE
2168	PING.EXE
1724	PING.EXE
2680	PING.EXE
876	PING.EXE
1864	PING.EXE
1252	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2324	schtasks.exe
1800	schtasks.exe
664	schtasks.exe
2128	schtasks.exe
1020	schtasks.exe
2916	schtasks.exe
2380	schtasks.exe
2364	schtasks.exe
768	schtasks.exe
2536	schtasks.exe
1652	schtasks.exe
2928	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	chrome.exe
Token: SeDebugPrivilege	2380	S^X.exe
Token: SeDebugPrivilege	2940	chrome.exe
Token: SeDebugPrivilege	2796	chrome.exe
Token: SeDebugPrivilege	2164	chrome.exe
Token: SeDebugPrivilege	2168	chrome.exe
Token: SeDebugPrivilege	2280	chrome.exe
Token: SeDebugPrivilege	2884	chrome.exe
Token: SeDebugPrivilege	2684	chrome.exe
Token: SeDebugPrivilege	1708	chrome.exe
Token: SeDebugPrivilege	1572	chrome.exe
Token: SeDebugPrivilege	2992	chrome.exe
Token: SeDebugPrivilege	1528	chrome.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2940	chrome.exe
2796	chrome.exe
2164	chrome.exe
2168	chrome.exe
2280	chrome.exe
2884	chrome.exe
2684	chrome.exe
1708	chrome.exe
1572	chrome.exe
2992	chrome.exe
1528	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2860	2092	JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe	30
PID 2092 wrote to memory of 2860	2092	JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe	30
PID 2092 wrote to memory of 2860	2092	JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe	30
PID 2092 wrote to memory of 2860	2092	JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe	30
PID 2092 wrote to memory of 2380	2092	JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe	31
PID 2092 wrote to memory of 2380	2092	JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe	31
PID 2092 wrote to memory of 2380	2092	JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe	31
PID 2092 wrote to memory of 2380	2092	JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe	31
PID 2860 wrote to memory of 2324	2860	chrome.exe	32
PID 2860 wrote to memory of 2324	2860	chrome.exe	32
PID 2860 wrote to memory of 2324	2860	chrome.exe	32
PID 2860 wrote to memory of 2940	2860	chrome.exe	34
PID 2860 wrote to memory of 2940	2860	chrome.exe	34
PID 2860 wrote to memory of 2940	2860	chrome.exe	34
PID 2940 wrote to memory of 1800	2940	chrome.exe	35
PID 2940 wrote to memory of 1800	2940	chrome.exe	35
PID 2940 wrote to memory of 1800	2940	chrome.exe	35
PID 2940 wrote to memory of 2608	2940	chrome.exe	37
PID 2940 wrote to memory of 2608	2940	chrome.exe	37
PID 2940 wrote to memory of 2608	2940	chrome.exe	37
PID 2608 wrote to memory of 520	2608	cmd.exe	39
PID 2608 wrote to memory of 520	2608	cmd.exe	39
PID 2608 wrote to memory of 520	2608	cmd.exe	39
PID 2608 wrote to memory of 2680	2608	cmd.exe	40
PID 2608 wrote to memory of 2680	2608	cmd.exe	40
PID 2608 wrote to memory of 2680	2608	cmd.exe	40
PID 2608 wrote to memory of 2796	2608	cmd.exe	41
PID 2608 wrote to memory of 2796	2608	cmd.exe	41
PID 2608 wrote to memory of 2796	2608	cmd.exe	41
PID 2796 wrote to memory of 664	2796	chrome.exe	42
PID 2796 wrote to memory of 664	2796	chrome.exe	42
PID 2796 wrote to memory of 664	2796	chrome.exe	42
PID 2796 wrote to memory of 1600	2796	chrome.exe	44
PID 2796 wrote to memory of 1600	2796	chrome.exe	44
PID 2796 wrote to memory of 1600	2796	chrome.exe	44
PID 1600 wrote to memory of 1488	1600	cmd.exe	46
PID 1600 wrote to memory of 1488	1600	cmd.exe	46
PID 1600 wrote to memory of 1488	1600	cmd.exe	46
PID 1600 wrote to memory of 876	1600	cmd.exe	47
PID 1600 wrote to memory of 876	1600	cmd.exe	47
PID 1600 wrote to memory of 876	1600	cmd.exe	47
PID 1600 wrote to memory of 2164	1600	cmd.exe	48
PID 1600 wrote to memory of 2164	1600	cmd.exe	48
PID 1600 wrote to memory of 2164	1600	cmd.exe	48
PID 2164 wrote to memory of 2128	2164	chrome.exe	49
PID 2164 wrote to memory of 2128	2164	chrome.exe	49
PID 2164 wrote to memory of 2128	2164	chrome.exe	49
PID 2164 wrote to memory of 768	2164	chrome.exe	51
PID 2164 wrote to memory of 768	2164	chrome.exe	51
PID 2164 wrote to memory of 768	2164	chrome.exe	51
PID 768 wrote to memory of 1676	768	cmd.exe	53
PID 768 wrote to memory of 1676	768	cmd.exe	53
PID 768 wrote to memory of 1676	768	cmd.exe	53
PID 768 wrote to memory of 1864	768	cmd.exe	54
PID 768 wrote to memory of 1864	768	cmd.exe	54
PID 768 wrote to memory of 1864	768	cmd.exe	54
PID 768 wrote to memory of 2168	768	cmd.exe	55
PID 768 wrote to memory of 2168	768	cmd.exe	55
PID 768 wrote to memory of 2168	768	cmd.exe	55
PID 2168 wrote to memory of 1652	2168	chrome.exe	56
PID 2168 wrote to memory of 1652	2168	chrome.exe	56
PID 2168 wrote to memory of 1652	2168	chrome.exe	56
PID 2168 wrote to memory of 2028	2168	chrome.exe	58
PID 2168 wrote to memory of 2028	2168	chrome.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Roaming\chrome.exe
  "C:\Users\Admin\AppData\Roaming\chrome.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2324
- - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1800
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\YqKxdQQrZ1ag.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:520
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2680
    - - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2796
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:664
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wfEyAFTu24DT.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1488
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:876
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2128
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0JDIeF5gUWEo.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1864
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1652
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TqLewx3FvPtS.bat" "
        10⤵
        
        PID:2028
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2212
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2280
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1020
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8NaDGV3Wqdrb.bat" "
        12⤵
        
        PID:1732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2252
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2384
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2884
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2916
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uknGZSjsrI1M.bat" "
        14⤵
        
        PID:1648
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1252
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2380
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2qyyJQHKzsDl.bat" "
        16⤵
        
        PID:1104
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:3060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2720
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1708
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2928
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WL9mqhpJcdlw.bat" "
        18⤵
        
        PID:2100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1488
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2096
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1572
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2364
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mFc1lLRsgzGX.bat" "
        20⤵
        
        PID:2112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1580
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1676
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2992
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:768
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2V0mitmJ4IrQ.bat" "
        22⤵
        
        PID:1728
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1756
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1528
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2536
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NtTUfJ8OiOWA.bat" "
        24⤵
        
        PID:2376
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1724
- C:\Users\Admin\AppData\Local\Temp\S^X.exe
  "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0JDIeF5gUWEo.bat

Filesize
207B

MD5
c425b1cdf73f99a5074406bb3e253ffb

SHA1
7d46b4153cba287afd465cfd9e6a1840b6a27e08

SHA256
1cd24e6ba9027fa30493ac914ec3dbf87e3dfda5c7fff95aa57167531cd6728e

SHA512
6ce5d72a87b794fa22826da8a94fd2d74aef6be37a81c95c231c61d2aea46734ffb2102250583062648e560f5024f98d073b928899b7c1e483cafbde71209371

Download Submit
C:\Users\Admin\AppData\Local\Temp\2V0mitmJ4IrQ.bat

Filesize
207B

MD5
b356e9b2891f4439bfd8d1436d5d4d25

SHA1
b9477ad20b40c3cd03060fa9505f26704962aa53

SHA256
c7a461134f187686144339a4ece7dead12aea7fcd724773fd2bc1da6fb631c9e

SHA512
3ee3f416f08e5704eea0eff196b06b8b66c5f5957e5b751922beed28ee31b1fbaa05c7309fc98b434a39513ae83a12cd71a3e0dbbbcf5c5fc67bdcf4f80af8f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2qyyJQHKzsDl.bat

Filesize
207B

MD5
4f9961d6405c7e0bfd0f2d7edf14fb76

SHA1
963aba719d010ac58bb04d05a52e02e5183208ba

SHA256
a8b0b21c6949335440ef42a3fbdfe972332102c9c4b946120e0e76f02814d9c5

SHA512
1357e8a5bea61e5ec6c0b61623e5f418a8fe656047a86e6adaa1ab5649886d960ffa5dff654deeacc85982b65fce61b0ac0af5dbbc43b5d0d20e02dc1fc7a47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8NaDGV3Wqdrb.bat

Filesize
207B

MD5
32e5d29a21f8d0e7b13750aa643f9713

SHA1
1343b113988ec0b121e6830930cca8fb54fa1e82

SHA256
ed151706bc8265717d11d8b6fd322b01e1495f9993a2a2222d1a3f8599276e82

SHA512
1ed85243ace4bec7624a97c2c99b75140cdf7ba14306887c21835f12495e1848dfe87b39279823c2c030fa1602cf7f8df7107bdcad8e772aec5577a00123e588

Download Submit
C:\Users\Admin\AppData\Local\Temp\NtTUfJ8OiOWA.bat

Filesize
207B

MD5
fc89fd66856a60b4c53090fc7d871ca3

SHA1
8c512e0ed1b391c3f35837e3e24b6294ac70b32d

SHA256
d943f7210a2e693f38e1a55e86cad73104e50bb78908a16241d6e9bb54c0ceda

SHA512
c466dd9d3fb9b0a912d14a861c2cdea904adb701f224398dccb7a7f10e0b995792a51ce31b7364f0940278ffb268e6558c29ff2a72c09d08305a81e61cf90a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\TqLewx3FvPtS.bat

Filesize
207B

MD5
47b1856f475d5ba676a0afcb3f3dc351

SHA1
beec4704d83a84ffa6ef3ee298ffa6121e7cd4b3

SHA256
0ce473f7dab92f3740f1d40e26833251084170e2828276632f1a53735efd3ecd

SHA512
3aca32e63b28343117db9cf84e84f02c54c9b65c5c8b3533f81ffb8f3be4815bf717b31538849685976718e699bbed31d43524d8227b8b27370388c7d4275336

Download Submit
C:\Users\Admin\AppData\Local\Temp\WL9mqhpJcdlw.bat

Filesize
207B

MD5
8fa61f81aa79b3b25d7466f2f05ac582

SHA1
e7a770995a0f27f5d6a30d911d8c98262747ec65

SHA256
3968a38c2ae995d385e0a86ccd6b5058fadfa1d18eab687992825ed25ff464a0

SHA512
5331e815f72d9cc0bc3c318c5dff02d0457be8d2daed7f6cdebb578a7de041ea9f69e16fa2ae91b6b5062940d84fb4b77ca28cd9be60ed4a139c8c35acc94bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\YqKxdQQrZ1ag.bat

Filesize
207B

MD5
6958d4bc08f005e118500c1a64090cec

SHA1
303e3734ceca20272c8c77955f0c83a6d9bdd9c4

SHA256
5d1a76fc1adae07df12f17f92d979dcb61380147109f3ed24adcc52d1433bceb

SHA512
4df12fb1a1596b9f88d0f6b32793e5019c7df497d3a3a68d3e10082e9b312472de6fa1c7b641cdf4ba09689c7d4d920a8bff2dba96f54088219d833f62ba8ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mFc1lLRsgzGX.bat

Filesize
207B

MD5
ae4a3d54b942f68dd5edf605fa7b6b51

SHA1
fd2d972179ce69e129aadfcb8b471c3edc69f021

SHA256
11520a0265edd4d5f8f96a1034186bbeb21979afcced95522b66fd902f397446

SHA512
2efe0704ba8c94ffb6ca884b32d87ad764000d8d393bef211b9051a775decfc5ecac412c5ffd024066c25706d87f1cc0822db4346d4a44859cbea1da7be7bdfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\uknGZSjsrI1M.bat

Filesize
207B

MD5
97445d2e3b18138232ffc0bce9b0efbc

SHA1
cf95ad08e09e413a30a0b7f2fd2d9a7986a515d5

SHA256
9f30fc4f944191a2c0e1a2077281b65f57c27818e645bd1ee38bde987093a7de

SHA512
a64e9ee51eaa4074d7e44263df6f9d57e63321c712212bce2e5636a75e08f8830b8e35caf29fabcfa54bc5b252b784688b579b88d6972e04509b5f3a710cd2dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\wfEyAFTu24DT.bat

Filesize
207B

MD5
2f393d1a1ba3fb60bb4322d98f3a2a26

SHA1
30e41e2b1ec246317a249c507f00af7e89cfa5cf

SHA256
ffa04d08e60edec28858316fd5e6c602cef3f0404747c325be6d9d6ce7214450

SHA512
adbb8adc663082f534a825d649e15a6d9cf2fc2caa9685a08bd4c05c9d7e101a74716662d767477990072bdbf8b93f1129d2450a41b3ff96708d20e93d3583ac

Download Submit
\Users\Admin\AppData\Local\Temp\287fa8eb-5597-4a6a-a5c4-42bac29e84c5\AgileDotNetRT.dll

Filesize
2.2MB

MD5
2d86c4ad18524003d56c1cb27c549ba8

SHA1
123007f9337364e044b87deacf6793c2027c8f47

SHA256
091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280

SHA512
0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

Download Submit
\Users\Admin\AppData\Local\Temp\S^X.exe

Filesize
789KB

MD5
e2437ac017506bbde9a81fb1f618457b

SHA1
adef2615312b31e041ccf700b3982dd50b686c7f

SHA256
94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12

SHA512
9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

Download Submit
\Users\Admin\AppData\Roaming\chrome.exe

Filesize
502KB

MD5
92479f1615fd4fa1dd3ac7f2e6a1b329

SHA1
0a6063d27c9f991be2053b113fcef25e071c57fd

SHA256
0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569

SHA512
9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c

Download Submit
memory/2092-11-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/2092-2-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/2092-13-0x0000000074F50000-0x0000000074FAB000-memory.dmp

Filesize
364KB

Download
memory/2092-12-0x0000000074090000-0x0000000074698000-memory.dmp

Filesize
6.0MB

Download
memory/2092-1-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/2092-9-0x0000000074090000-0x0000000074698000-memory.dmp

Filesize
6.0MB

Download
memory/2092-29-0x0000000074090000-0x0000000074698000-memory.dmp

Filesize
6.0MB

Download
memory/2092-0-0x00000000746A1000-0x00000000746A2000-memory.dmp

Filesize
4KB

Download
memory/2092-28-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/2092-10-0x0000000074090000-0x0000000074698000-memory.dmp

Filesize
6.0MB

Download
memory/2280-77-0x00000000001E0000-0x0000000000264000-memory.dmp

Filesize
528KB

Download
memory/2380-31-0x0000000000F10000-0x0000000000FDC000-memory.dmp

Filesize
816KB

Download
memory/2684-100-0x0000000001060000-0x00000000010E4000-memory.dmp

Filesize
528KB

Download
memory/2860-30-0x00000000013E0000-0x0000000001464000-memory.dmp

Filesize
528KB

Download
memory/2884-89-0x0000000000020000-0x00000000000A4000-memory.dmp

Filesize
528KB

Download
memory/2940-36-0x00000000012E0000-0x0000000001364000-memory.dmp

Filesize
528KB

Download
memory/2992-132-0x00000000012D0000-0x0000000001354000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads