quasar | dad97f307f734fde769cdd8c471193bb2c7e3c8101e8c6af95e6635cc58d3868

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
07-01-2025 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5cc235bca992542d2a9f412e32cdd196.exe
Size

1.2MB
MD5

5cc235bca992542d2a9f412e32cdd196
SHA1

554595bcc147b930f072508c99bad03d56f596d1
SHA256

dad97f307f734fde769cdd8c471193bb2c7e3c8101e8c6af95e6635cc58d3868
SHA512

8dee4b1fe1c2af90c3fb7b3a2f6944a156b51c36679843ad959b5227b8582c852f57304f6bf2a06c70ea1243a4fc6245ede126b070001b347ba46b703dc9ff57
SSDEEP

12288:QZ47sidAz4J1l+1Ax7olDAvE6wN7pug/6nA99vM6Pphf0y/yrsaMJcR/V0:Q2LdG4J14qx0lPrYA9tM6PphfF4sId0

Score

10^/10

quasar word discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Word

live.nodenet.ml:8863

Mutex

754ce6d6-f75b-4c6f-964c-3996e749369e

Attributes

encryption_key
8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
install_name
Word.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System
subdirectory
WordW

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 10 IoCs

resource	yara_rule
behavioral1/files/0x0007000000019cba-15.dat	family_quasar
behavioral1/memory/2840-25-0x0000000000D50000-0x0000000000DD4000-memory.dmp	family_quasar
behavioral1/memory/2804-33-0x0000000000B90000-0x0000000000C14000-memory.dmp	family_quasar
behavioral1/memory/1584-59-0x00000000012A0000-0x0000000001324000-memory.dmp	family_quasar
behavioral1/memory/1872-80-0x0000000000030000-0x00000000000B4000-memory.dmp	family_quasar
behavioral1/memory/1596-91-0x0000000000EF0000-0x0000000000F74000-memory.dmp	family_quasar
behavioral1/memory/2744-102-0x00000000013C0000-0x0000000001444000-memory.dmp	family_quasar
behavioral1/memory/1692-143-0x0000000000020000-0x00000000000A4000-memory.dmp	family_quasar
behavioral1/memory/800-154-0x0000000000CF0000-0x0000000000D74000-memory.dmp	family_quasar
behavioral1/memory/1600-165-0x0000000001120000-0x00000000011A4000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2840	Word.exe
2212	S^X.exe
2804	Word.exe
2988	Word.exe
1584	Word.exe
2484	Word.exe
1872	Word.exe
1596	Word.exe
2744	Word.exe
772	Word.exe
1144	Word.exe
2180	Word.exe
1692	Word.exe
800	Word.exe
1600	Word.exe

Loads dropped DLL 8 IoCs

pid	Process
2652	JaffaCakes118_5cc235bca992542d2a9f412e32cdd196.exe
2652	JaffaCakes118_5cc235bca992542d2a9f412e32cdd196.exe
2652	JaffaCakes118_5cc235bca992542d2a9f412e32cdd196.exe
1520	WerFault.exe
1520	WerFault.exe
1520	WerFault.exe
1520	WerFault.exe
1520	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1520	2212	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5cc235bca992542d2a9f412e32cdd196.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S^X.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2176	PING.EXE
2272	PING.EXE
1528	PING.EXE
2404	PING.EXE
1132	PING.EXE
2268	PING.EXE
2108	PING.EXE
1704	PING.EXE
2804	PING.EXE
1408	PING.EXE
1064	PING.EXE
2456	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
2272	PING.EXE
1528	PING.EXE
1704	PING.EXE
1408	PING.EXE
1064	PING.EXE
1132	PING.EXE
2176	PING.EXE
2268	PING.EXE
2108	PING.EXE
2804	PING.EXE
2404	PING.EXE
2456	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2756	schtasks.exe
1132	schtasks.exe
2168	schtasks.exe
2900	schtasks.exe
1768	schtasks.exe
2912	schtasks.exe
680	schtasks.exe
1084	schtasks.exe
1684	schtasks.exe
2304	schtasks.exe
2124	schtasks.exe
568	schtasks.exe
2340	schtasks.exe
2612	schtasks.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2840	Word.exe
Token: SeDebugPrivilege	2804	Word.exe
Token: SeDebugPrivilege	2988	Word.exe
Token: SeDebugPrivilege	1584	Word.exe
Token: SeDebugPrivilege	2484	Word.exe
Token: SeDebugPrivilege	1872	Word.exe
Token: SeDebugPrivilege	1596	Word.exe
Token: SeDebugPrivilege	2744	Word.exe
Token: SeDebugPrivilege	772	Word.exe
Token: SeDebugPrivilege	1144	Word.exe
Token: SeDebugPrivilege	2180	Word.exe
Token: SeDebugPrivilege	1692	Word.exe
Token: SeDebugPrivilege	800	Word.exe
Token: SeDebugPrivilege	1600	Word.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2804	Word.exe
2988	Word.exe
1584	Word.exe
2484	Word.exe
1872	Word.exe
1596	Word.exe
2744	Word.exe
772	Word.exe
1144	Word.exe
2180	Word.exe
1692	Word.exe
800	Word.exe
1600	Word.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2840	2652	JaffaCakes118_5cc235bca992542d2a9f412e32cdd196.exe	30
PID 2652 wrote to memory of 2840	2652	JaffaCakes118_5cc235bca992542d2a9f412e32cdd196.exe	30
PID 2652 wrote to memory of 2840	2652	JaffaCakes118_5cc235bca992542d2a9f412e32cdd196.exe	30
PID 2652 wrote to memory of 2840	2652	JaffaCakes118_5cc235bca992542d2a9f412e32cdd196.exe	30
PID 2652 wrote to memory of 2212	2652	JaffaCakes118_5cc235bca992542d2a9f412e32cdd196.exe	31
PID 2652 wrote to memory of 2212	2652	JaffaCakes118_5cc235bca992542d2a9f412e32cdd196.exe	31
PID 2652 wrote to memory of 2212	2652	JaffaCakes118_5cc235bca992542d2a9f412e32cdd196.exe	31
PID 2652 wrote to memory of 2212	2652	JaffaCakes118_5cc235bca992542d2a9f412e32cdd196.exe	31
PID 2840 wrote to memory of 2900	2840	Word.exe	32
PID 2840 wrote to memory of 2900	2840	Word.exe	32
PID 2840 wrote to memory of 2900	2840	Word.exe	32
PID 2840 wrote to memory of 2804	2840	Word.exe	34
PID 2840 wrote to memory of 2804	2840	Word.exe	34
PID 2840 wrote to memory of 2804	2840	Word.exe	34
PID 2804 wrote to memory of 2756	2804	Word.exe	35
PID 2804 wrote to memory of 2756	2804	Word.exe	35
PID 2804 wrote to memory of 2756	2804	Word.exe	35
PID 2804 wrote to memory of 1344	2804	Word.exe	37
PID 2804 wrote to memory of 1344	2804	Word.exe	37
PID 2804 wrote to memory of 1344	2804	Word.exe	37
PID 1344 wrote to memory of 2388	1344	cmd.exe	39
PID 1344 wrote to memory of 2388	1344	cmd.exe	39
PID 1344 wrote to memory of 2388	1344	cmd.exe	39
PID 1344 wrote to memory of 2176	1344	cmd.exe	40
PID 1344 wrote to memory of 2176	1344	cmd.exe	40
PID 1344 wrote to memory of 2176	1344	cmd.exe	40
PID 2212 wrote to memory of 1520	2212	S^X.exe	41
PID 2212 wrote to memory of 1520	2212	S^X.exe	41
PID 2212 wrote to memory of 1520	2212	S^X.exe	41
PID 2212 wrote to memory of 1520	2212	S^X.exe	41
PID 1344 wrote to memory of 2988	1344	cmd.exe	42
PID 1344 wrote to memory of 2988	1344	cmd.exe	42
PID 1344 wrote to memory of 2988	1344	cmd.exe	42
PID 2988 wrote to memory of 1084	2988	Word.exe	43
PID 2988 wrote to memory of 1084	2988	Word.exe	43
PID 2988 wrote to memory of 1084	2988	Word.exe	43
PID 2988 wrote to memory of 1724	2988	Word.exe	45
PID 2988 wrote to memory of 1724	2988	Word.exe	45
PID 2988 wrote to memory of 1724	2988	Word.exe	45
PID 1724 wrote to memory of 3040	1724	cmd.exe	47
PID 1724 wrote to memory of 3040	1724	cmd.exe	47
PID 1724 wrote to memory of 3040	1724	cmd.exe	47
PID 1724 wrote to memory of 2268	1724	cmd.exe	48
PID 1724 wrote to memory of 2268	1724	cmd.exe	48
PID 1724 wrote to memory of 2268	1724	cmd.exe	48
PID 1724 wrote to memory of 1584	1724	cmd.exe	49
PID 1724 wrote to memory of 1584	1724	cmd.exe	49
PID 1724 wrote to memory of 1584	1724	cmd.exe	49
PID 1584 wrote to memory of 1768	1584	Word.exe	50
PID 1584 wrote to memory of 1768	1584	Word.exe	50
PID 1584 wrote to memory of 1768	1584	Word.exe	50
PID 1584 wrote to memory of 2164	1584	Word.exe	52
PID 1584 wrote to memory of 2164	1584	Word.exe	52
PID 1584 wrote to memory of 2164	1584	Word.exe	52
PID 2164 wrote to memory of 2232	2164	cmd.exe	54
PID 2164 wrote to memory of 2232	2164	cmd.exe	54
PID 2164 wrote to memory of 2232	2164	cmd.exe	54
PID 2164 wrote to memory of 2108	2164	cmd.exe	55
PID 2164 wrote to memory of 2108	2164	cmd.exe	55
PID 2164 wrote to memory of 2108	2164	cmd.exe	55
PID 2164 wrote to memory of 2484	2164	cmd.exe	56
PID 2164 wrote to memory of 2484	2164	cmd.exe	56
PID 2164 wrote to memory of 2484	2164	cmd.exe	56
PID 2484 wrote to memory of 1684	2484	Word.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5cc235bca992542d2a9f412e32cdd196.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5cc235bca992542d2a9f412e32cdd196.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Roaming\Word.exe
  "C:\Users\Admin\AppData\Roaming\Word.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Word.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2900
- - C:\Users\Admin\AppData\Roaming\WordW\Word.exe
    "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2756
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\dWaV7CYe2ej8.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1344
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2388
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2176
    - - C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2988
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1084
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\C7lvwNyZ9bCr.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3040
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2268
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1768
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Rmx5xTZIErvN.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2232
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2108
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1684
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NtAGfM0K41ei.bat" "
        10⤵
        
        PID:1588
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2300
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2272
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1872
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2304
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\86uDuySGgEir.bat" "
        12⤵
        
        PID:1056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:692
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1528
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1132
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rwftZTrQmyhx.bat" "
        14⤵
        
        PID:2928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1704
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2744
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2912
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5FBAZZq05cOg.bat" "
        16⤵
        
        PID:2848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2812
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2804
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:772
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2340
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\K8w3HKdrcPSV.bat" "
        18⤵
        
        PID:1344
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1408
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1144
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2612
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7aCi06nVUG7g.bat" "
        20⤵
        
        PID:2992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2404
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2180
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2124
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9398kqzF14pM.bat" "
        22⤵
        
        PID:2024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1064
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:680
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xp8701bmdFZE.bat" "
        24⤵
        
        PID:2068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2456
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:800
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:568
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\B1nBmeWHNJ4x.bat" "
        26⤵
        
        PID:1056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1132
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2168
- C:\Users\Admin\AppData\Local\Temp\bin\S^X.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\S^X.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 600
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5FBAZZq05cOg.bat

Filesize
204B

MD5
654b11fa9d5faeda641fede11d143011

SHA1
c1168b41a6ef5bae0c383dca0080fa82f0bc498a

SHA256
8058ad79e568afe6100b93dc1e306d874e5fa4e419ff4084e0f3e14f091cb343

SHA512
b2502d1d2133fe20bda7a5b08a2b35fde33907bbcc3ba22b84191bdab7bec7fb2ea13f4f4d0d4e3d3be7d8c68f7358d6c8aa5d845695c2b46cccba0ad3c0627b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7aCi06nVUG7g.bat

Filesize
204B

MD5
80c945b957945bb017c816791579c90b

SHA1
7afa1917be0b9453eddeae947517d2d39863e6ec

SHA256
71cbf06aa4a084925417817c080ba602eefe613dd24bda8c666628b4c4e1e525

SHA512
2303a90a25cbaf4927e721cb804488416cac1d0dad6b015746fb0a6dc27cdde2ed7497ac2285be3da113c3a701dc74b867351b9ce1b7c051755c0e61adc04575

Download Submit
C:\Users\Admin\AppData\Local\Temp\86uDuySGgEir.bat

Filesize
204B

MD5
dcc29666c2d5ff6ea3c49cdc8aa36b75

SHA1
79175066eed84004f70cebe3ff8741cb14158939

SHA256
fd4132a0d5a68a530e10f0095581797672e61f479c07542059dd16e4006dd27a

SHA512
098d03d9847d38f842e333c78bab9bf9ed73c6705b75ba4c940082fbba528a35bb6d69b1ed8f80799c17a150c2a9e6cdbcdd0c8de7e5c199b7f24a07c60f8b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\9398kqzF14pM.bat

Filesize
204B

MD5
234685b54a49a42068ded3f0c1b1d3da

SHA1
799a8ac6221ab53b4ebc7cd586d458fbaa8ed628

SHA256
32a96bfa3ce2843782e2e686502fd4fb889ed0d2c27797b05bbe872f2436f53a

SHA512
50a02f6b184044ed828c32273bfcc7efc4e3d1c6ca44a9b3a9b8daea197ff1fe0ea630f04d7846adbb8534d9ec21e8f6919894e794c91cdde786b949fc86b920

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1nBmeWHNJ4x.bat

Filesize
204B

MD5
76f906ace49efa319aff0dad368b374e

SHA1
a318f446dd8736a8550e466ba9a75ac2fb36df70

SHA256
6c17a991e8a854d42960652433c0fe2651d12a57cf3ffb1ad7b92a272917bacb

SHA512
38746d88abd7a873ec6a3ae71f5d8725f7027f22e63f6050181dad7879e14c4a5d9f00a69ef81f2e26ba4cf4665e2c777802ac59e8a70f42048d0f7c7068190c

Download Submit
C:\Users\Admin\AppData\Local\Temp\C7lvwNyZ9bCr.bat

Filesize
204B

MD5
3e6807f4e0986da40627624addd84652

SHA1
1a8a7565f4c373de4875966349cbe52e5e4dae06

SHA256
2d4522446c2938ad3c77437bc4f61d6a3d1f34e98cc2af62d4ee2681a529f763

SHA512
7d15fa220e8bd8a3b809e7b0c55978ce565040740e0aaedb6b62a46a465e496a2b9541ab1f6d5349c17a90a1a141c06714fe936b5e9d1a83810c5990dd4a6c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\K8w3HKdrcPSV.bat

Filesize
204B

MD5
5da9b8fd790bac2baad398fcf087fee7

SHA1
b84a6e752c843425db70f9f54659ced25ee772af

SHA256
8e5b7aefe9bc3dd622630b2d1184ba256e319fd999aa6c86d826142097403fc8

SHA512
195623b71dca34f832b928897244e3de913b007618f46ef37d1c1a36a4e3a112655980597e76eff1e5259380be8d57c782a3a817cf6753cb8db607a8eb2918bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NtAGfM0K41ei.bat

Filesize
204B

MD5
68211b91e12b1580ceb9048f7da8cf83

SHA1
ab4289ecb324158940ccccbe5dc7068be9b80f6b

SHA256
bfa781c86f9c21eaeda0755c8c8f892a5e8fd16bd8b35764430a17f942428c2b

SHA512
109b400924062cb2e7525d988152b9db2e1a8ef64bcf42100a42ebdaccf6e5c3b3b5778dcd10fe50a54831e006f4ec25804fda02da1477a97a350f098ea1e879

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rmx5xTZIErvN.bat

Filesize
204B

MD5
a48f6fb46b3da321b5608353382446ba

SHA1
ff36af532ebaf85449170cd846a7b0cb3396b623

SHA256
f500e57927e12edbf76dc0538c013ce9cdbd555477095f636230a4db20a2648f

SHA512
f5ca6d1b11635a5d4b75f5a513008d8bb3860a049fc7a6a0c13dd2e8df35a6898278ee96f7271f89d84eb9b691a96c1b241427e0897c21f5d7b0321173277ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dWaV7CYe2ej8.bat

Filesize
204B

MD5
89a059785af799e5d06e0ebf01030c1e

SHA1
4f458668dc2bde06439e4828c952da12129e8502

SHA256
cd947172916f07cb7619010de686e6fdc446ca7ed9e8961a6290ddd7521fb36d

SHA512
addf4d05614a0ef4fec66365720e74dea920cf4264b46a321ea0951a24b38628b7b9c8aa313ec1539c5dabed7f404fcf0336b3104359e1939364997cfce73dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\rwftZTrQmyhx.bat

Filesize
204B

MD5
8031c93574c1bae0ce549063fce25f39

SHA1
9579b8a850a51fbebd4959dc3a90793befcc1307

SHA256
36e8a7ebc2b2169a1c966cdf89430652762fcc75f796a471018e469d17d2e955

SHA512
35b0d2f2d5a37f3ab676be153cbc6a07864f3ccceb5c6cfc231f91900a334cadebe0445bfdd2cd5f9dcc1466e6734337d117b4a4f9bf35f58eeda936e4ff3bc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\xp8701bmdFZE.bat

Filesize
204B

MD5
2faaa550d37dd1d6923efb294c9dd6f3

SHA1
a9d1b370b8667a95b3c90cfc5af6d7bd1d7c6d40

SHA256
346d463a81e0c29fa0ef64a4a680f6c21fa20050cb6df2b354107a74f1505091

SHA512
b8e08d4bf323907ed07402c6bb41e6eaa31a8df604bbc63bb9ce0bbf06e33a854deb4d88b5800970becd7cd0e533513b81761aac00662262f4795ce0526678d0

Download Submit
C:\Users\Admin\AppData\Roaming\Word.exe

Filesize
502KB

MD5
6be4bd44032a94198e8809edcc647f58

SHA1
7a46c39d01ae48e619cbebc9d9a8951db71f09f0

SHA256
12f9c355a6280b8c51f233ecda941dfb5d59a8830547690606fdafd755852772

SHA512
6fbcf0a05dcb0d27be4812caa339c377a1ca0d1def29263f6b9e4e1c572076285eae682d22203410953a0f48c23f229aa8868657120f77486dad713b8df38df4

Download Submit
\Users\Admin\AppData\Local\Temp\6eb884fd-4bd2-46b3-ae3c-af2d61b19de9\AgileDotNetRT.dll

Filesize
140KB

MD5
edd74be9723cdc6a5692954f0e51c9f3

SHA1
e9fb66ceee1ba4ce7e5b8271b3e1ed7cb9acf686

SHA256
55ff1e0a4e5866d565ceeb9baafac73fdcb4464160fc6c78104d935009935cd7

SHA512
80abecdd07f364283f216d8f4d90a4da3efd4561900631fce05c2916afeb1b5bbce23ae92d57430b7b2b06c172b2ad701b2ab75b6dfd2a861abcf7edc38462f3

Download Submit
\Users\Admin\AppData\Local\Temp\bin\S^X.exe

Filesize
789KB

MD5
e2437ac017506bbde9a81fb1f618457b

SHA1
adef2615312b31e041ccf700b3982dd50b686c7f

SHA256
94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12

SHA512
9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

Download Submit
memory/800-154-0x0000000000CF0000-0x0000000000D74000-memory.dmp

Filesize
528KB

Download
memory/1584-59-0x00000000012A0000-0x0000000001324000-memory.dmp

Filesize
528KB

Download
memory/1596-91-0x0000000000EF0000-0x0000000000F74000-memory.dmp

Filesize
528KB

Download
memory/1600-165-0x0000000001120000-0x00000000011A4000-memory.dmp

Filesize
528KB

Download
memory/1692-143-0x0000000000020000-0x00000000000A4000-memory.dmp

Filesize
528KB

Download
memory/1872-80-0x0000000000030000-0x00000000000B4000-memory.dmp

Filesize
528KB

Download
memory/2212-26-0x00000000010D0000-0x000000000119C000-memory.dmp

Filesize
816KB

Download
memory/2652-0-0x0000000074931000-0x0000000074932000-memory.dmp

Filesize
4KB

Download
memory/2652-10-0x0000000075160000-0x00000000751BB000-memory.dmp

Filesize
364KB

Download
memory/2652-27-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/2652-9-0x0000000074FB0000-0x0000000074FD8000-memory.dmp

Filesize
160KB

Download
memory/2652-28-0x0000000074FB0000-0x0000000074FD8000-memory.dmp

Filesize
160KB

Download
memory/2652-2-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/2652-1-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/2744-102-0x00000000013C0000-0x0000000001444000-memory.dmp

Filesize
528KB

Download
memory/2804-33-0x0000000000B90000-0x0000000000C14000-memory.dmp

Filesize
528KB

Download
memory/2840-25-0x0000000000D50000-0x0000000000DD4000-memory.dmp

Filesize
528KB

Download
memory/2840-19-0x000007FEF5763000-0x000007FEF5764000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads