quasar | ccd4b2ba4cea6ac4ea648e58cbe9ca9cd48f512a1df7414cad6c9ff602c6c688

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe
Size

6.0MB
MD5

5c843791f7a693c418b162ccd993b997
SHA1

8d6770ecadac15c9665dcabe2e69b63d62e30a18
SHA256

ccd4b2ba4cea6ac4ea648e58cbe9ca9cd48f512a1df7414cad6c9ff602c6c688
SHA512

6c773e7c57c9d73fc26b88af8b7a4f5491a28eb3211fbc55b3597f660cc424790b44f054ef131b535509aea079a255e3af58240d65d6e29390be7b7b95ac468e
SSDEEP

196608:6vzeNVog53HRVu7vHDpS1IqBRU7kCs2q:8a53xVu7vHhqBa4Cs

Score

10^/10

quasar chrome discovery evasion spyware themida trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Chrome

live.nodenet.ml:8863

Mutex

754ce6d6-f75b-4c6f-964c-3996e749369e

Attributes

encryption_key
8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
install_name
chrome.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System
subdirectory
chrome

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 8 IoCs

resource	yara_rule
behavioral1/files/0x003200000001930d-16.dat	family_quasar
behavioral1/memory/2852-29-0x0000000000250000-0x00000000002D4000-memory.dmp	family_quasar
behavioral1/memory/2856-36-0x00000000010E0000-0x0000000001164000-memory.dmp	family_quasar
behavioral1/memory/2584-47-0x0000000001380000-0x0000000001404000-memory.dmp	family_quasar
behavioral1/memory/2284-78-0x0000000000350000-0x00000000003D4000-memory.dmp	family_quasar
behavioral1/memory/2464-89-0x0000000001280000-0x0000000001304000-memory.dmp	family_quasar
behavioral1/memory/1044-121-0x0000000000360000-0x00000000003E4000-memory.dmp	family_quasar
behavioral1/memory/1868-142-0x0000000000FD0000-0x0000000001054000-memory.dmp	family_quasar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe

Executes dropped EXE 15 IoCs

pid	Process
2852	chrome.exe
2108	S^X.exe
2856	chrome.exe
2584	chrome.exe
1780	chrome.exe
1920	chrome.exe
2284	chrome.exe
2464	chrome.exe
2740	chrome.exe
320	chrome.exe
1044	chrome.exe
2164	chrome.exe
1868	chrome.exe
1788	chrome.exe
1596	chrome.exe

Loads dropped DLL 3 IoCs

pid	Process
1488	JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe
1488	JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe
1488	JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000700000001939b-6.dat	themida
behavioral1/memory/1488-9-0x0000000073770000-0x0000000073D78000-memory.dmp	themida
behavioral1/memory/1488-10-0x0000000073770000-0x0000000073D78000-memory.dmp	themida
behavioral1/memory/1488-12-0x0000000073770000-0x0000000073D78000-memory.dmp	themida
behavioral1/memory/1488-28-0x0000000073770000-0x0000000073D78000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1488	JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S^X.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2256	PING.EXE
1860	PING.EXE
1756	PING.EXE
2656	PING.EXE
2376	PING.EXE
1256	PING.EXE
1388	PING.EXE
2372	PING.EXE
992	PING.EXE
2444	PING.EXE
2388	PING.EXE
2396	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
2256	PING.EXE
2656	PING.EXE
2388	PING.EXE
2376	PING.EXE
1256	PING.EXE
1388	PING.EXE
2372	PING.EXE
992	PING.EXE
1860	PING.EXE
1756	PING.EXE
2444	PING.EXE
2396	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2704	schtasks.exe
544	schtasks.exe
1588	schtasks.exe
2832	schtasks.exe
1780	schtasks.exe
1700	schtasks.exe
2724	schtasks.exe
1656	schtasks.exe
2584	schtasks.exe
1548	schtasks.exe
2504	schtasks.exe
2632	schtasks.exe
2796	schtasks.exe
2632	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	chrome.exe
Token: SeDebugPrivilege	2856	chrome.exe
Token: SeDebugPrivilege	2108	S^X.exe
Token: SeDebugPrivilege	2584	chrome.exe
Token: SeDebugPrivilege	1780	chrome.exe
Token: SeDebugPrivilege	1920	chrome.exe
Token: SeDebugPrivilege	2284	chrome.exe
Token: SeDebugPrivilege	2464	chrome.exe
Token: SeDebugPrivilege	2740	chrome.exe
Token: SeDebugPrivilege	320	chrome.exe
Token: SeDebugPrivilege	1044	chrome.exe
Token: SeDebugPrivilege	2164	chrome.exe
Token: SeDebugPrivilege	1868	chrome.exe
Token: SeDebugPrivilege	1788	chrome.exe
Token: SeDebugPrivilege	1596	chrome.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2856	chrome.exe
2584	chrome.exe
1780	chrome.exe
1920	chrome.exe
2284	chrome.exe
2464	chrome.exe
2740	chrome.exe
320	chrome.exe
1044	chrome.exe
2164	chrome.exe
1868	chrome.exe
1788	chrome.exe
1596	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2852	1488	JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe	29
PID 1488 wrote to memory of 2852	1488	JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe	29
PID 1488 wrote to memory of 2852	1488	JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe	29
PID 1488 wrote to memory of 2852	1488	JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe	29
PID 1488 wrote to memory of 2108	1488	JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe	30
PID 1488 wrote to memory of 2108	1488	JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe	30
PID 1488 wrote to memory of 2108	1488	JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe	30
PID 1488 wrote to memory of 2108	1488	JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe	30
PID 2852 wrote to memory of 2632	2852	chrome.exe	31
PID 2852 wrote to memory of 2632	2852	chrome.exe	31
PID 2852 wrote to memory of 2632	2852	chrome.exe	31
PID 2852 wrote to memory of 2856	2852	chrome.exe	33
PID 2852 wrote to memory of 2856	2852	chrome.exe	33
PID 2852 wrote to memory of 2856	2852	chrome.exe	33
PID 2856 wrote to memory of 2724	2856	chrome.exe	34
PID 2856 wrote to memory of 2724	2856	chrome.exe	34
PID 2856 wrote to memory of 2724	2856	chrome.exe	34
PID 2856 wrote to memory of 2260	2856	chrome.exe	36
PID 2856 wrote to memory of 2260	2856	chrome.exe	36
PID 2856 wrote to memory of 2260	2856	chrome.exe	36
PID 2260 wrote to memory of 268	2260	cmd.exe	38
PID 2260 wrote to memory of 268	2260	cmd.exe	38
PID 2260 wrote to memory of 268	2260	cmd.exe	38
PID 2260 wrote to memory of 2372	2260	cmd.exe	39
PID 2260 wrote to memory of 2372	2260	cmd.exe	39
PID 2260 wrote to memory of 2372	2260	cmd.exe	39
PID 2260 wrote to memory of 2584	2260	cmd.exe	40
PID 2260 wrote to memory of 2584	2260	cmd.exe	40
PID 2260 wrote to memory of 2584	2260	cmd.exe	40
PID 2584 wrote to memory of 2704	2584	chrome.exe	41
PID 2584 wrote to memory of 2704	2584	chrome.exe	41
PID 2584 wrote to memory of 2704	2584	chrome.exe	41
PID 2584 wrote to memory of 3004	2584	chrome.exe	43
PID 2584 wrote to memory of 3004	2584	chrome.exe	43
PID 2584 wrote to memory of 3004	2584	chrome.exe	43
PID 3004 wrote to memory of 1364	3004	cmd.exe	45
PID 3004 wrote to memory of 1364	3004	cmd.exe	45
PID 3004 wrote to memory of 1364	3004	cmd.exe	45
PID 3004 wrote to memory of 2256	3004	cmd.exe	46
PID 3004 wrote to memory of 2256	3004	cmd.exe	46
PID 3004 wrote to memory of 2256	3004	cmd.exe	46
PID 3004 wrote to memory of 1780	3004	cmd.exe	47
PID 3004 wrote to memory of 1780	3004	cmd.exe	47
PID 3004 wrote to memory of 1780	3004	cmd.exe	47
PID 1780 wrote to memory of 544	1780	chrome.exe	48
PID 1780 wrote to memory of 544	1780	chrome.exe	48
PID 1780 wrote to memory of 544	1780	chrome.exe	48
PID 1780 wrote to memory of 2428	1780	chrome.exe	50
PID 1780 wrote to memory of 2428	1780	chrome.exe	50
PID 1780 wrote to memory of 2428	1780	chrome.exe	50
PID 2428 wrote to memory of 2436	2428	cmd.exe	52
PID 2428 wrote to memory of 2436	2428	cmd.exe	52
PID 2428 wrote to memory of 2436	2428	cmd.exe	52
PID 2428 wrote to memory of 992	2428	cmd.exe	53
PID 2428 wrote to memory of 992	2428	cmd.exe	53
PID 2428 wrote to memory of 992	2428	cmd.exe	53
PID 2428 wrote to memory of 1920	2428	cmd.exe	54
PID 2428 wrote to memory of 1920	2428	cmd.exe	54
PID 2428 wrote to memory of 1920	2428	cmd.exe	54
PID 1920 wrote to memory of 2504	1920	chrome.exe	55
PID 1920 wrote to memory of 2504	1920	chrome.exe	55
PID 1920 wrote to memory of 2504	1920	chrome.exe	55
PID 1920 wrote to memory of 1436	1920	chrome.exe	57
PID 1920 wrote to memory of 1436	1920	chrome.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Roaming\chrome.exe
  "C:\Users\Admin\AppData\Roaming\chrome.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2632
- - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2724
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\glKumUjPlQUD.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2260
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:268
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2372
    - - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2704
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tY5UylCYwUGS.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1364
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2256
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:544
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\acFCw5t7Itxx.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2436
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:992
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2504
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\4fvriZ0Mq4zL.bat" "
        10⤵
        
        PID:1436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1536
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1860
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2284
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1656
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xD4NYtCggnKv.bat" "
        12⤵
        
        PID:2148
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1756
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2464
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1588
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tnQDVa4ZNK6Q.bat" "
        14⤵
        
        PID:2748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2444
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2740
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2632
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TXinqeqcH5k8.bat" "
        16⤵
        
        PID:2840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2656
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:320
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2832
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sk1Y9ptmip77.bat" "
        18⤵
        
        PID:2416
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2592
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2388
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1044
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2584
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8bms7rtlJFre.bat" "
        20⤵
        
        PID:2184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2392
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2396
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2164
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1780
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tWm3OYg552Ws.bat" "
        22⤵
        
        PID:308
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2940
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2376
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1868
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1548
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mNdzL61c0ng0.bat" "
        24⤵
        
        PID:1988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:3068
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1256
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1788
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1700
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\I1GcD0SaqX4c.bat" "
        26⤵
        
        PID:1572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:1588
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1388
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2796
- C:\Users\Admin\AppData\Local\Temp\S^X.exe
  "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4fvriZ0Mq4zL.bat

Filesize
207B

MD5
5df57e9274be5d43e07837fad6ef1d6b

SHA1
678e1a49db68b5a18994a4ea163c20e80aaecd53

SHA256
b69f27cccc26cfa917e86672abf9a4ac97fc6f59b6064f246e2df88bab8395db

SHA512
e40155cb2601599c5a1405c379dddf129fff9b83f392cc7c89fa9f007cf16c1d4c765e251c056677df44b5f0e245405df72abbbc3e63042cbef3f6738a6a2fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8bms7rtlJFre.bat

Filesize
207B

MD5
4aa62c4a978afe39d151767e51728c71

SHA1
6c2288fdd5c96b45fb8e2b68a3bb8c70bd61c021

SHA256
a548a2e7a2f0aab90f6ce7ba91ec3b366a40b5557ed6fd56bb3d9785c5fbc854

SHA512
fe2d73fa26f7325c226fdf53fc7ccc1361447acb9e693c035e10a878f0d21e68d23f80260f716046ddda952432e5285843803c52084239b7d8aac91e77885aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1GcD0SaqX4c.bat

Filesize
207B

MD5
cf796248976d5d61530d9e481121335f

SHA1
d2807c6fc417fbfeca322f178fec400a32763585

SHA256
768433382a74a49a15b6ba5e04db43fa5a4eca7b07701f0c526a478f749f65d1

SHA512
ef8c890e0d342a6b43b00a16b8b8cc2a5b6991ba152c70e651152b2e6306299721c484a1ccc21eb6ca08569ab366acb48808f954f713a5590cbab7099494375f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TXinqeqcH5k8.bat

Filesize
207B

MD5
63462fb0d792a017e20abb78edf025b6

SHA1
f9a0e71283ce7f9ed6ac4b687ecb430d9b80d4f8

SHA256
0e43d78d510b119d144db6c143dde396a010d90f217e114492e213cf424385db

SHA512
7db5a7131f4a805168d57760109e7a3479ca0460640b076d1f44fd75cadac9c3e9f170b1a093d894ec94d2b9780af13f0a945be95eb6baa63513ad441fa499ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\acFCw5t7Itxx.bat

Filesize
207B

MD5
9aeda91a14bc5548079e503979416a27

SHA1
bd71fa9abde10766e4058134ec4406d1f9b3cadf

SHA256
2b4283038742078d951505d6bd6f16a22ba78bf349d3b1a16f0e62179d1b3092

SHA512
6b5c0225fe9b5cce687dac7c1e5f5dfb68fbbb63ec3b18f132c4ecda55d4d3b3c73bc3dc423277f321b65f1c35b49cedb79cd92ac84b7f33e9603483657d1113

Download Submit
C:\Users\Admin\AppData\Local\Temp\glKumUjPlQUD.bat

Filesize
207B

MD5
a76053c8c824499e5906dffd259bde3a

SHA1
bd8bc63256f71abfe870ea8c5da4734ea1ee3e36

SHA256
3abd3a8ec98bffb9a616b542936de2c3069b683ebc42442e2def2b2261a02e9b

SHA512
1e55fa6769ae3d26dec77e13b0df53e33ee77b14d4b55bc3ec4d0248c5e06777b3354b9473d2b0e35abd027440f1470d7a9fe856cf2c73813800b9d7dcaabbc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mNdzL61c0ng0.bat

Filesize
207B

MD5
71672aee61918594725366974e1616cf

SHA1
b85599790928dadc805bac77be52021793e5d3de

SHA256
7c87ee1023d4083a8cfa5cfd59cb03fa337284ab00c37296db4be034adec6839

SHA512
c9d9c01fac34baf7fee195da1d6f8cc4cac823c1fff2b9a71a352b98147ca54c73be22cce277eaa7c98223cdff968cba550e88e8efbe269d826bfa38b84cc95e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sk1Y9ptmip77.bat

Filesize
207B

MD5
694407d80508ba61c128e4ff5e5e5d2e

SHA1
0fc2ac16bb50a1ae41836b68367920de5888a75d

SHA256
99116b4c4a3e36d62b0526e6d7e1843e58a7f5fe0d8f88de4028964d9d3e1ea6

SHA512
a4b57ede53b57fdbac80b7cd5c70b737ad709395ac662540e0ab55ea81e62804800bf9dd6b8007d8d3fb842886c4c4a9c6d3d6b70cc9526d7daaf751693c925e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tWm3OYg552Ws.bat

Filesize
207B

MD5
35ae3db4ddd9a49872833db2a3a86163

SHA1
d8f28196063f627fff1b1e8831636e6a66ad4457

SHA256
39cc3edb22bc21890324944592634c316e4399dcec8939aacbadbd5e505def90

SHA512
8bc2fbbad8ff6898e1fa258f6aef239a1dc052e05db5380b5be873d54a07e5268bed1cd8e38726d58bc8c519c92f74c99fd825f209642d812fc192ee8140b434

Download Submit
C:\Users\Admin\AppData\Local\Temp\tY5UylCYwUGS.bat

Filesize
207B

MD5
de8b88ff242b3fc3cc7a354a757aaa2e

SHA1
658984a5086d73edef49bd9b8c69d19dc6719046

SHA256
e9d3cacb62f567e70cb45695096d694359efc1e8e2f7fad7df02a727971d5744

SHA512
77d5a3a6529222fbab7329c3d0c2de7fc2b1ea67e36c572eed7f07b07308b2c6fdfa03239ea976212685884d4d43f1098c3800aa2ad937a41747fa8eefbbcd4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tnQDVa4ZNK6Q.bat

Filesize
207B

MD5
a101d85e0e0c6ded476a6496f2797f59

SHA1
c1d6bd936e0617244b4a16dd268257b1527c6a1d

SHA256
5d44a1b10a9da6f89b13dc00b5b9a460fe11e1a53049e268b605210b5b6a4166

SHA512
8a33a35dacec96e5ae8aacdd45601e5dec9a8621eb8ddc2f7a068473bd81847bea14fad1a9d8214b7a11c499d089e9ccb927d1a49798fec24ed2b0f32b58b771

Download Submit
C:\Users\Admin\AppData\Local\Temp\xD4NYtCggnKv.bat

Filesize
207B

MD5
9833ec68991c5cab50973e7d36a93c5d

SHA1
abb8de4e826abc51ddc18b8befd5ad93c925bf96

SHA256
29f585c104118451bab3f22b76d9da92b8a327f6e53c0fd0e35ccd43243d27e6

SHA512
8b3175d88ab609671b3cc84bcf34532356c7c392adfdce62efb0898d2abc59568bb3625b1e8b61f343843d80d06eeb53001248aaa22aa82c2c98c2b5af21e5f2

Download Submit
\Users\Admin\AppData\Local\Temp\665450f8-512a-405d-aca7-73e91bdaa644\AgileDotNetRT.dll

Filesize
2.2MB

MD5
2d86c4ad18524003d56c1cb27c549ba8

SHA1
123007f9337364e044b87deacf6793c2027c8f47

SHA256
091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280

SHA512
0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

Download Submit
\Users\Admin\AppData\Local\Temp\S^X.exe

Filesize
789KB

MD5
e2437ac017506bbde9a81fb1f618457b

SHA1
adef2615312b31e041ccf700b3982dd50b686c7f

SHA256
94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12

SHA512
9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

Download Submit
\Users\Admin\AppData\Roaming\chrome.exe

Filesize
502KB

MD5
92479f1615fd4fa1dd3ac7f2e6a1b329

SHA1
0a6063d27c9f991be2053b113fcef25e071c57fd

SHA256
0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569

SHA512
9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c

Download Submit
memory/1044-121-0x0000000000360000-0x00000000003E4000-memory.dmp

Filesize
528KB

Download
memory/1488-9-0x0000000073770000-0x0000000073D78000-memory.dmp

Filesize
6.0MB

Download
memory/1488-12-0x0000000073770000-0x0000000073D78000-memory.dmp

Filesize
6.0MB

Download
memory/1488-2-0x0000000073D80000-0x000000007432B000-memory.dmp

Filesize
5.7MB

Download
memory/1488-11-0x0000000073D80000-0x000000007432B000-memory.dmp

Filesize
5.7MB

Download
memory/1488-0-0x0000000073D81000-0x0000000073D82000-memory.dmp

Filesize
4KB

Download
memory/1488-30-0x0000000073D80000-0x000000007432B000-memory.dmp

Filesize
5.7MB

Download
memory/1488-28-0x0000000073770000-0x0000000073D78000-memory.dmp

Filesize
6.0MB

Download
memory/1488-1-0x0000000073D80000-0x000000007432B000-memory.dmp

Filesize
5.7MB

Download
memory/1488-10-0x0000000073770000-0x0000000073D78000-memory.dmp

Filesize
6.0MB

Download
memory/1488-13-0x0000000074650000-0x00000000746AB000-memory.dmp

Filesize
364KB

Download
memory/1868-142-0x0000000000FD0000-0x0000000001054000-memory.dmp

Filesize
528KB

Download
memory/2108-31-0x0000000000B30000-0x0000000000BFC000-memory.dmp

Filesize
816KB

Download
memory/2284-78-0x0000000000350000-0x00000000003D4000-memory.dmp

Filesize
528KB

Download
memory/2464-89-0x0000000001280000-0x0000000001304000-memory.dmp

Filesize
528KB

Download
memory/2584-47-0x0000000001380000-0x0000000001404000-memory.dmp

Filesize
528KB

Download
memory/2852-29-0x0000000000250000-0x00000000002D4000-memory.dmp

Filesize
528KB

Download
memory/2852-22-0x000007FEF5643000-0x000007FEF5644000-memory.dmp

Filesize
4KB

Download
memory/2856-36-0x00000000010E0000-0x0000000001164000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads