quasar | 3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4

Analysis

max time kernel
147s
max time network
151s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

intro.avi.exe
Size

348KB
MD5

d219d94cabaa00e5abffc599bdeef75d
SHA1

123e511de20beab7bfa2bea5c2206422bc5e8241
SHA256

3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4
SHA512

82dbb2484e3e42fcd6c3914da4ebfc540e135b8b57bf240a28a3e9fceb6409d8a9b1f9ca9b4bf545d05a10fd9b1672a2a6a05d963aaa33f4905e74cc1c068734
SSDEEP

6144:0I6bPXhLApfpMMoDMWZVGZV+RzbLirAeMB2Wku:FmhApypOrAeMB2/u

Score

10^/10

quasar user discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.1.0.0

Botnet

User

erbaevbann3.ddns.net:4444

Mutex

xTSR_MUTEX_tDOmSpZY0vhNMbdmkR

Attributes

encryption_key
Uz3u2uI4Ld2N91oq93Eb
install_name
systemware.exe
log_directory
logs
reconnect_delay
3000
startup_key
System Ware
subdirectory
system

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
	10	ip-api.com	Process not Found
	18	api.ipify.org	Process not Found
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intro.avi.exe
	2	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 10 IoCs

resource	yara_rule
behavioral1/memory/1228-1-0x0000000000BC0000-0x0000000000C1E000-memory.dmp	family_quasar
behavioral1/files/0x002f000000018bd7-5.dat	family_quasar
behavioral1/memory/2016-10-0x00000000003F0000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/2524-31-0x00000000009C0000-0x0000000000A1E000-memory.dmp	family_quasar
behavioral1/memory/1928-49-0x0000000000A40000-0x0000000000A9E000-memory.dmp	family_quasar
behavioral1/memory/1580-67-0x00000000013A0000-0x00000000013FE000-memory.dmp	family_quasar
behavioral1/memory/1440-85-0x00000000013A0000-0x00000000013FE000-memory.dmp	family_quasar
behavioral1/memory/1424-137-0x00000000013A0000-0x00000000013FE000-memory.dmp	family_quasar
behavioral1/memory/1512-153-0x00000000000F0000-0x000000000014E000-memory.dmp	family_quasar
behavioral1/memory/1452-163-0x0000000000860000-0x00000000008BE000-memory.dmp	family_quasar

Executes dropped EXE 10 IoCs

pid	Process
2016	systemware.exe
2524	systemware.exe
1928	systemware.exe
1580	systemware.exe
1440	systemware.exe
1828	systemware.exe
2504	systemware.exe
1424	systemware.exe
1512	systemware.exe
1452	systemware.exe

Loads dropped DLL 51 IoCs

pid	Process
1228	intro.avi.exe
1732	WerFault.exe
1732	WerFault.exe
1732	WerFault.exe
1732	WerFault.exe
1732	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
1020	WerFault.exe
1020	WerFault.exe
1020	WerFault.exe
1020	WerFault.exe
1020	WerFault.exe
1760	WerFault.exe
1760	WerFault.exe
1760	WerFault.exe
1760	WerFault.exe
1760	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe
320	WerFault.exe
320	WerFault.exe
320	WerFault.exe
320	WerFault.exe
320	WerFault.exe
2256	WerFault.exe
2256	WerFault.exe
2256	WerFault.exe
2256	WerFault.exe
2256	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
2924	WerFault.exe
2924	WerFault.exe
2924	WerFault.exe
2924	WerFault.exe
2924	WerFault.exe
3068	WerFault.exe
3068	WerFault.exe
3068	WerFault.exe
3068	WerFault.exe
3068	WerFault.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com
18	api.ipify.org
2	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

pid	pid_target	Process	procid_target
1732	2016	WerFault.exe	33
2612	2524	WerFault.exe	41
1020	1928	WerFault.exe	49
1760	1580	WerFault.exe	57
3036	1440	WerFault.exe	65
320	1828	WerFault.exe	73
2256	2504	WerFault.exe	82
1304	1424	WerFault.exe	90
2924	1512	WerFault.exe	98
3068	1452	WerFault.exe	106

System Location Discovery: System Language Discovery 1 TTPs 52 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intro.avi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1660	PING.EXE
2440	PING.EXE
2892	PING.EXE
1128	PING.EXE
808	PING.EXE
2064	PING.EXE
2864	PING.EXE
2272	PING.EXE
2912	PING.EXE
1212	PING.EXE

Runs ping.exe 1 TTPs 10 IoCs

Remote System Discovery

T1018

pid	Process
2892	PING.EXE
1660	PING.EXE
2864	PING.EXE
2272	PING.EXE
2912	PING.EXE
2440	PING.EXE
1212	PING.EXE
808	PING.EXE
1128	PING.EXE
2064	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1664	schtasks.exe
2844	schtasks.exe
2056	schtasks.exe
2168	schtasks.exe
1656	schtasks.exe
3044	schtasks.exe
436	schtasks.exe
2596	schtasks.exe
2356	schtasks.exe
2820	schtasks.exe
2216	schtasks.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1228	intro.avi.exe
Token: SeDebugPrivilege	2016	systemware.exe
Token: SeDebugPrivilege	2524	systemware.exe
Token: SeDebugPrivilege	1928	systemware.exe
Token: SeDebugPrivilege	1580	systemware.exe
Token: SeDebugPrivilege	1440	systemware.exe
Token: SeDebugPrivilege	1828	systemware.exe
Token: SeDebugPrivilege	2504	systemware.exe
Token: SeDebugPrivilege	1424	systemware.exe
Token: SeDebugPrivilege	1512	systemware.exe
Token: SeDebugPrivilege	1452	systemware.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2016	systemware.exe
2524	systemware.exe
1928	systemware.exe
1580	systemware.exe
1440	systemware.exe
1828	systemware.exe
2504	systemware.exe
1424	systemware.exe
1512	systemware.exe
1452	systemware.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 2596	1228	intro.avi.exe	31
PID 1228 wrote to memory of 2596	1228	intro.avi.exe	31
PID 1228 wrote to memory of 2596	1228	intro.avi.exe	31
PID 1228 wrote to memory of 2596	1228	intro.avi.exe	31
PID 1228 wrote to memory of 2016	1228	intro.avi.exe	33
PID 1228 wrote to memory of 2016	1228	intro.avi.exe	33
PID 1228 wrote to memory of 2016	1228	intro.avi.exe	33
PID 1228 wrote to memory of 2016	1228	intro.avi.exe	33
PID 2016 wrote to memory of 2844	2016	systemware.exe	34
PID 2016 wrote to memory of 2844	2016	systemware.exe	34
PID 2016 wrote to memory of 2844	2016	systemware.exe	34
PID 2016 wrote to memory of 2844	2016	systemware.exe	34
PID 2016 wrote to memory of 2752	2016	systemware.exe	36
PID 2016 wrote to memory of 2752	2016	systemware.exe	36
PID 2016 wrote to memory of 2752	2016	systemware.exe	36
PID 2016 wrote to memory of 2752	2016	systemware.exe	36
PID 2016 wrote to memory of 1732	2016	systemware.exe	38
PID 2016 wrote to memory of 1732	2016	systemware.exe	38
PID 2016 wrote to memory of 1732	2016	systemware.exe	38
PID 2016 wrote to memory of 1732	2016	systemware.exe	38
PID 2752 wrote to memory of 2564	2752	cmd.exe	39
PID 2752 wrote to memory of 2564	2752	cmd.exe	39
PID 2752 wrote to memory of 2564	2752	cmd.exe	39
PID 2752 wrote to memory of 2564	2752	cmd.exe	39
PID 2752 wrote to memory of 1212	2752	cmd.exe	40
PID 2752 wrote to memory of 1212	2752	cmd.exe	40
PID 2752 wrote to memory of 1212	2752	cmd.exe	40
PID 2752 wrote to memory of 1212	2752	cmd.exe	40
PID 2752 wrote to memory of 2524	2752	cmd.exe	41
PID 2752 wrote to memory of 2524	2752	cmd.exe	41
PID 2752 wrote to memory of 2524	2752	cmd.exe	41
PID 2752 wrote to memory of 2524	2752	cmd.exe	41
PID 2524 wrote to memory of 2056	2524	systemware.exe	42
PID 2524 wrote to memory of 2056	2524	systemware.exe	42
PID 2524 wrote to memory of 2056	2524	systemware.exe	42
PID 2524 wrote to memory of 2056	2524	systemware.exe	42
PID 2524 wrote to memory of 940	2524	systemware.exe	44
PID 2524 wrote to memory of 940	2524	systemware.exe	44
PID 2524 wrote to memory of 940	2524	systemware.exe	44
PID 2524 wrote to memory of 940	2524	systemware.exe	44
PID 2524 wrote to memory of 2612	2524	systemware.exe	45
PID 2524 wrote to memory of 2612	2524	systemware.exe	45
PID 2524 wrote to memory of 2612	2524	systemware.exe	45
PID 2524 wrote to memory of 2612	2524	systemware.exe	45
PID 940 wrote to memory of 1000	940	cmd.exe	47
PID 940 wrote to memory of 1000	940	cmd.exe	47
PID 940 wrote to memory of 1000	940	cmd.exe	47
PID 940 wrote to memory of 1000	940	cmd.exe	47
PID 940 wrote to memory of 808	940	cmd.exe	48
PID 940 wrote to memory of 808	940	cmd.exe	48
PID 940 wrote to memory of 808	940	cmd.exe	48
PID 940 wrote to memory of 808	940	cmd.exe	48
PID 940 wrote to memory of 1928	940	cmd.exe	49
PID 940 wrote to memory of 1928	940	cmd.exe	49
PID 940 wrote to memory of 1928	940	cmd.exe	49
PID 940 wrote to memory of 1928	940	cmd.exe	49
PID 1928 wrote to memory of 2168	1928	systemware.exe	50
PID 1928 wrote to memory of 2168	1928	systemware.exe	50
PID 1928 wrote to memory of 2168	1928	systemware.exe	50
PID 1928 wrote to memory of 2168	1928	systemware.exe	50
PID 1928 wrote to memory of 900	1928	systemware.exe	52
PID 1928 wrote to memory of 900	1928	systemware.exe	52
PID 1928 wrote to memory of 900	1928	systemware.exe	52
PID 1928 wrote to memory of 900	1928	systemware.exe	52

C:\Users\Admin\AppData\Local\Temp\intro.avi.exe
"C:\Users\Admin\AppData\Local\Temp\intro.avi.exe"
1⤵
- Quasar RAT
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\intro.avi.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2596
- C:\Users\Admin\AppData\Roaming\system\systemware.exe
  "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\RgZyY3xwSyyU.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2564
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1212
  - - C:\Users\Admin\AppData\Roaming\system\systemware.exe
      "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2056
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZZFu9oAmb8Ck.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:940
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1000
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:808
      - C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hSvpkaNcjHPz.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:900
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1128
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPxDHv1CYjdW.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1660
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1440
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IYitl4MumdCk.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2064
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1828
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8Lq04DFeA6KJ.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2864
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2504
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        15⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XwZQtP55TGFs.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1256
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2440
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1424
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\6fe7r4cvaEQB.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2272
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1512
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        19⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\E6PdKUdHKQU1.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2912
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1452
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        21⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ebCklCoa2fjJ.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 1516
        21⤵
        Loads dropped DLL
        Program crash
        
        PID:3068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1444
        19⤵
        Loads dropped DLL
        Program crash
        
        PID:2924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 1464
        17⤵
        Loads dropped DLL
        Program crash
        
        PID:1304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1452
        15⤵
        Loads dropped DLL
        Program crash
        
        PID:2256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 1484
        13⤵
        Loads dropped DLL
        Program crash
        
        PID:320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 1468
        11⤵
        Loads dropped DLL
        Program crash
        
        PID:3036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 1436
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:1760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 1440
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:1020
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1472
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1476
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6fe7r4cvaEQB.bat

Filesize
211B

MD5
8d9a119b1193b200e238da54398f253c

SHA1
96bb2f816ce0bed04393ed15783c5e928205e17d

SHA256
dc4341a0a3a68a8db97010cc9f73fa10e1edcdd38741593f25b35051ce38d606

SHA512
a4e1a1c8dd51810d792ba8b9e5402c6534c21ab5129fa8da4f3a1e4cd1f22611c9d6bf21871f671b9ec801681afe288f8a18f91a3d6cb9e13198afa94f86fd56

Download Submit
C:\Users\Admin\AppData\Local\Temp\8Lq04DFeA6KJ.bat

Filesize
211B

MD5
a776c9fd4f395029c8ac1bf6d2948a04

SHA1
ddee0210ce165e589b0c2655fa43d958a7f6fcc3

SHA256
b128616d52cc1a47032068931d2a78f326ed466c7a655dccff538de9ad1b427f

SHA512
767af2a32b3a9e5f630bc2ac360dfea8771c12ee0bf9c6faadf0e621b1b683694848eadb887ed9f52bd49193c29ed2303e3a0e210496c6b755edbfdba28959f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\E6PdKUdHKQU1.bat

Filesize
211B

MD5
d7ab7a8702f88022287b20bc232fa70a

SHA1
ed94505e7b8f0605fed43cfa6eadd20d61dd3937

SHA256
ae5094e17ed1dfccb2293302b6bb0743b496135d763853f6b7d28b25369bb13b

SHA512
11a1f78d98faa9b0fd85aeb030d42a7ae3c4eb7c51702f0c4c3cbed2c6f4f0dd78bde17bfd4ce8b00282cdb6a1e8b1ebc227b189c74f1dc8fc4d9958d82d0844

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYitl4MumdCk.bat

Filesize
211B

MD5
13f19cd3ca55108fb471cb0046ad9e77

SHA1
800a2fefef0c99344fe57b4684ec12278de5a2f5

SHA256
1c02dc617e492c6af07338e1db77eeb0356f1ad9d8ad03fe8a7d441fab76c8bd

SHA512
7e7838c3657b50b2548b056a122ede8818cc922baf7fbdc6427e813397e87397fe2251b706df7b080b8b3c5a3e8ba8a98569d809ebbdc91bad8d9e98c7d6005d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RgZyY3xwSyyU.bat

Filesize
211B

MD5
5ba3cee432676629d4d2983b4eceba71

SHA1
0e410bc5faca150cac371bed2ba006e75207f10b

SHA256
0b54a34d3f7d09d9158213be56e44eb9a84fb0dd43cabb9226bce8ce9431f2f9

SHA512
e3f08c56b9ab88958cf2da4515c14643c327479aa9cd41c5f5fc1f6f9439c8b1b0ebcf7c739985a3f39e3c6f674354327ed529955418235b6fc281aa70cfac14

Download Submit
C:\Users\Admin\AppData\Local\Temp\XwZQtP55TGFs.bat

Filesize
211B

MD5
877d57740579418a6ccd7e3a05294788

SHA1
83aca7bf5c7f2821e5a57d192655147718f82c05

SHA256
b6afe713541e15a05aa9430b0651484562ce3bf477a2271ee7b9134658b9e1f8

SHA512
ced384d27f096fbf5c77fd88abdda5405664e76fb7bf289bc91fd65b7c0560d857d5b093f69e6d474d356a2a92140af87aa790c01f1d087d7f1abb31ab2a2d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZFu9oAmb8Ck.bat

Filesize
211B

MD5
eafb641cead76cecfb25910ad73ee019

SHA1
d6a45124a6d4efb3ce3ad9fd97e3b4fa03ea09c9

SHA256
e8ea1cd23fa78c720d8a0716dfe6090d91954c825508fe2a9354450920c1e06a

SHA512
79fce9cebd7498541f109fa24d649618d29b1a8333c61988a89e6f943bbe94b4c444bc289d0b0cb337d6f4b96b1b549dd3d7c2dd0e63a9a7929ccf771c97311e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebCklCoa2fjJ.bat

Filesize
211B

MD5
d138d74b4c5e47a9e3e3fb5d8be4340b

SHA1
b9be98a5cf4c3dae959d6c98137b6d88eead1cb3

SHA256
c1b4f0aa15591f27ca96bfd49188b25e16b7987bcf8e349ade54ce99b8b43ad0

SHA512
ed4242cb4147c79c3b5d13fb09f223b6a813da932e6d6c648a98bb19748212cb54c88f31280c49a3b5c9b4d8aa962f9a40b118a88f1063c3fd0cdf29429cb40b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hSvpkaNcjHPz.bat

Filesize
211B

MD5
5055b6bd30980fac1a3f10a13f039417

SHA1
9f641aff0f3caf0a5c910560baba91eab0530e45

SHA256
aa80cace4d619b31ab152bfda285ceadf306a8eb7657dcc7486ea903f54c26fe

SHA512
fa76eefab698d16f3cc382880e86c45414dd242c290cc8ab0890f832a6cd9af2e7ac0e6013c5542223527c66662e5a8237bd8c568107c5bb5f619164af040b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lPxDHv1CYjdW.bat

Filesize
211B

MD5
efba6028c4858b3eae774119cc18a8f4

SHA1
32eadfe5746be7c7340a4798aeb9d28fc87f9b05

SHA256
a76b93d84f6bf999b48699956f259656f5b8b9e3f5ce45a51655ca4cf798a5d1

SHA512
ad06ae056a26d09aed6f64b5b37dad00c8d5a31aa3b9a0ba8f3f8c59b7fe57f0f8c14a357b9df12fa83fe4c292dd9c68917b7c554de9203764fd537d7e032534

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
e7f83316ed3d677c199e5ffa6b0eb7a1

SHA1
5e5b1b9c0dd56d8ac83303d1947d308e5f371e58

SHA256
3b2ef4a72743f5a43393e2a3bc3f49fd9e4eabe35dfe980e83235853ab46d8b3

SHA512
eb5bfec2eb13246d532bc184c83e92e19052c6a6af3f7f3fc0c59d515fa775c7a86b189ead7895fcd92dd0535f67b254691c4aec05bbc67ebc7df433e4cb5e05

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
10243687eb8240980314521dc69175f6

SHA1
39e0986144d1098fbe01df79e0c6f87d8fd24f08

SHA256
a9096babd0d025516ce82ecc3598d262a7c0e2f1e35a1b5bcbb0458ca3765115

SHA512
b17e829ae87454d6debcf9f91288fa0b1ebddeb0654cc562617f282cd6713e0813e2d647a1e910e5128aa754a4241cc213a9478705b114e9d606368d2216eaae

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
6ef5a51dd86f0915806a79ade04d9b0f

SHA1
c7390c441b70b490119e85024ea4c1b777086dda

SHA256
974fb05cc7415593028387c3bec40a58262365b87cca07f1f0b9b9f943d351d2

SHA512
a674b509f7f9e515f1b687c567b1199192ce7d06d4eaf945ee6ac361f06a28d31b84614e872a01a358dd1dfbb96ff22b5928c9d275002d7c12f3fc807888014e

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
ef709973615d272b683033d160fb84c4

SHA1
c36610e51ad341c5161cffa3dd2b11b402396995

SHA256
69109752fd53b1f499f8e6b58cc010b6a48d561041dab70a4128226ee1bfd713

SHA512
382ee8f89a33c5e98974a29ba8f00898551e21232a99b0966f467bf238dd7241689e962c64f82f9373c54c8df74abbcc71a5dfb9ed958366af599adc285bfd99

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
94644589938ca3e05c3992f7d0254c25

SHA1
f17cd08d3582a06e56c5e649279f71273db2d626

SHA256
a7a1397cc8fa8840ac30f43ab5727835d728d582c9278b9613e515040d477c9a

SHA512
5fe913462fd2afd1b0a950c7fe88e0de7aeed2131aba3c86e91c0d42f0fbd7043d35dce4f35595ed07c4fff0978a707eb8b83188d3c0097a24a844e9427c8b15

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
243589710e1ee294687e6eab14ed95e1

SHA1
8c25fafb59efb2050d468a68471a9ef5796a45f3

SHA256
9ad48d5cf9f4cf0428064128b531612110668e409dfed46ff80c4a847dd36712

SHA512
14fbb177f26631af985d2e2833c75b47becf488b1707adab8045bdc3a9ed59ba0318276b4dde0b7ef5a60bc632ee8487245dafa517b9497d5e49a8e2d2904105

Download Submit
C:\Users\Admin\AppData\Roaming\logs\01-02-2025

Filesize
224B

MD5
eab209d368426700ba6dfde5c6e95e82

SHA1
e171c8390438d6883998bc0a0375d38fb794eb51

SHA256
a1a0b8121c905bb5bd882805e140b4a40d9298a2d95377405b569a1cbd469c86

SHA512
c278348ba6569395bf3e711373990361eae131619072d5a1bc2d59c8d8ee9c83e7f2bf42c07e46274394974d9ce137cd4dab02cabdc13fb1160c7942a23dcf4e

Download Submit
\Users\Admin\AppData\Roaming\system\systemware.exe

Filesize
348KB

MD5
d219d94cabaa00e5abffc599bdeef75d

SHA1
123e511de20beab7bfa2bea5c2206422bc5e8241

SHA256
3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4

SHA512
82dbb2484e3e42fcd6c3914da4ebfc540e135b8b57bf240a28a3e9fceb6409d8a9b1f9ca9b4bf545d05a10fd9b1672a2a6a05d963aaa33f4905e74cc1c068734

Download Submit
memory/1228-1-0x0000000000BC0000-0x0000000000C1E000-memory.dmp

Filesize
376KB

Download
memory/1228-0-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

Filesize
4KB

Download
memory/1228-2-0x0000000074DE0000-0x00000000754CE000-memory.dmp

Filesize
6.9MB

Download
memory/1228-13-0x0000000074DE0000-0x00000000754CE000-memory.dmp

Filesize
6.9MB

Download
memory/1424-137-0x00000000013A0000-0x00000000013FE000-memory.dmp

Filesize
376KB

Download
memory/1440-85-0x00000000013A0000-0x00000000013FE000-memory.dmp

Filesize
376KB

Download
memory/1452-163-0x0000000000860000-0x00000000008BE000-memory.dmp

Filesize
376KB

Download
memory/1512-153-0x00000000000F0000-0x000000000014E000-memory.dmp

Filesize
376KB

Download
memory/1580-67-0x00000000013A0000-0x00000000013FE000-memory.dmp

Filesize
376KB

Download
memory/1928-49-0x0000000000A40000-0x0000000000A9E000-memory.dmp

Filesize
376KB

Download
memory/2016-10-0x00000000003F0000-0x000000000044E000-memory.dmp

Filesize
376KB

Download
memory/2016-11-0x0000000074DE0000-0x00000000754CE000-memory.dmp

Filesize
6.9MB

Download
memory/2016-29-0x0000000074DE0000-0x00000000754CE000-memory.dmp

Filesize
6.9MB

Download
memory/2016-12-0x0000000074DE0000-0x00000000754CE000-memory.dmp

Filesize
6.9MB

Download
memory/2524-31-0x00000000009C0000-0x0000000000A1E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads