quasar | dad97f307f734fde769cdd8c471193bb2c7e3c8101e8c6af95e6635cc58d3868

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2025 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5cc235bca992542d2a9f412e32cdd196.exe
Size

1.2MB
MD5

5cc235bca992542d2a9f412e32cdd196
SHA1

554595bcc147b930f072508c99bad03d56f596d1
SHA256

dad97f307f734fde769cdd8c471193bb2c7e3c8101e8c6af95e6635cc58d3868
SHA512

8dee4b1fe1c2af90c3fb7b3a2f6944a156b51c36679843ad959b5227b8582c852f57304f6bf2a06c70ea1243a4fc6245ede126b070001b347ba46b703dc9ff57
SSDEEP

12288:QZ47sidAz4J1l+1Ax7olDAvE6wN7pug/6nA99vM6Pphf0y/yrsaMJcR/V0:Q2LdG4J14qx0lPrYA9tM6PphfF4sId0

Score

10^/10

quasar word discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Word

live.nodenet.ml:8863

Mutex

754ce6d6-f75b-4c6f-964c-3996e749369e

Attributes

encryption_key
8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
install_name
Word.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System
subdirectory
WordW

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c87-16.dat	family_quasar
behavioral2/memory/4892-36-0x0000000000670000-0x00000000006F4000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Word.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Word.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Word.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_5cc235bca992542d2a9f412e32cdd196.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Word.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Word.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Word.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Word.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Word.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Word.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Word.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Word.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Word.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Word.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Word.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Word.exe

Executes dropped EXE 17 IoCs

pid	Process
4892	Word.exe
4000	S^X.exe
1180	Word.exe
2912	Word.exe
4756	Word.exe
3032	Word.exe
3636	Word.exe
216	Word.exe
4456	Word.exe
1268	Word.exe
1740	Word.exe
3032	Word.exe
3636	Word.exe
4980	Word.exe
2448	Word.exe
1184	Word.exe
3036	Word.exe

Loads dropped DLL 1 IoCs

pid	Process
4624	JaffaCakes118_5cc235bca992542d2a9f412e32cdd196.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3188	4000	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5cc235bca992542d2a9f412e32cdd196.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S^X.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4708	PING.EXE
220	PING.EXE
3712	PING.EXE
3504	PING.EXE
2564	PING.EXE
2524	PING.EXE
4264	PING.EXE
2648	PING.EXE
4608	PING.EXE
932	PING.EXE
1636	PING.EXE
1724	PING.EXE
4744	PING.EXE
2864	PING.EXE
1948	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
3712	PING.EXE
4264	PING.EXE
932	PING.EXE
4744	PING.EXE
2524	PING.EXE
2648	PING.EXE
3504	PING.EXE
1724	PING.EXE
4608	PING.EXE
1636	PING.EXE
2864	PING.EXE
220	PING.EXE
1948	PING.EXE
4708	PING.EXE
2564	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3244	schtasks.exe
3064	schtasks.exe
1396	schtasks.exe
5088	schtasks.exe
1508	schtasks.exe
1608	schtasks.exe
2700	schtasks.exe
1496	schtasks.exe
2480	schtasks.exe
3616	schtasks.exe
2824	schtasks.exe
3784	schtasks.exe
3924	schtasks.exe
2612	schtasks.exe
1096	schtasks.exe
4404	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	4892	Word.exe
Token: SeDebugPrivilege	1180	Word.exe
Token: SeDebugPrivilege	2912	Word.exe
Token: SeDebugPrivilege	4756	Word.exe
Token: SeDebugPrivilege	3032	Word.exe
Token: SeDebugPrivilege	3636	Word.exe
Token: SeDebugPrivilege	216	Word.exe
Token: SeDebugPrivilege	4456	Word.exe
Token: SeDebugPrivilege	1268	Word.exe
Token: SeDebugPrivilege	1740	Word.exe
Token: SeDebugPrivilege	3032	Word.exe
Token: SeDebugPrivilege	3636	Word.exe
Token: SeDebugPrivilege	4980	Word.exe
Token: SeDebugPrivilege	2448	Word.exe
Token: SeDebugPrivilege	1184	Word.exe
Token: SeDebugPrivilege	3036	Word.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1180	Word.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 4892	4624	JaffaCakes118_5cc235bca992542d2a9f412e32cdd196.exe	82
PID 4624 wrote to memory of 4892	4624	JaffaCakes118_5cc235bca992542d2a9f412e32cdd196.exe	82
PID 4624 wrote to memory of 4000	4624	JaffaCakes118_5cc235bca992542d2a9f412e32cdd196.exe	83
PID 4624 wrote to memory of 4000	4624	JaffaCakes118_5cc235bca992542d2a9f412e32cdd196.exe	83
PID 4624 wrote to memory of 4000	4624	JaffaCakes118_5cc235bca992542d2a9f412e32cdd196.exe	83
PID 4892 wrote to memory of 2700	4892	Word.exe	84
PID 4892 wrote to memory of 2700	4892	Word.exe	84
PID 4892 wrote to memory of 1180	4892	Word.exe	86
PID 4892 wrote to memory of 1180	4892	Word.exe	86
PID 1180 wrote to memory of 1496	1180	Word.exe	87
PID 1180 wrote to memory of 1496	1180	Word.exe	87
PID 1180 wrote to memory of 2524	1180	Word.exe	89
PID 1180 wrote to memory of 2524	1180	Word.exe	89
PID 2524 wrote to memory of 720	2524	cmd.exe	91
PID 2524 wrote to memory of 720	2524	cmd.exe	91
PID 2524 wrote to memory of 3712	2524	cmd.exe	92
PID 2524 wrote to memory of 3712	2524	cmd.exe	92
PID 2524 wrote to memory of 2912	2524	cmd.exe	98
PID 2524 wrote to memory of 2912	2524	cmd.exe	98
PID 2912 wrote to memory of 3064	2912	Word.exe	101
PID 2912 wrote to memory of 3064	2912	Word.exe	101
PID 2912 wrote to memory of 1856	2912	Word.exe	103
PID 2912 wrote to memory of 1856	2912	Word.exe	103
PID 1856 wrote to memory of 3812	1856	cmd.exe	105
PID 1856 wrote to memory of 3812	1856	cmd.exe	105
PID 1856 wrote to memory of 2648	1856	cmd.exe	106
PID 1856 wrote to memory of 2648	1856	cmd.exe	106
PID 1856 wrote to memory of 4756	1856	cmd.exe	110
PID 1856 wrote to memory of 4756	1856	cmd.exe	110
PID 4756 wrote to memory of 1096	4756	Word.exe	111
PID 4756 wrote to memory of 1096	4756	Word.exe	111
PID 4756 wrote to memory of 4856	4756	Word.exe	113
PID 4756 wrote to memory of 4856	4756	Word.exe	113
PID 4856 wrote to memory of 3244	4856	cmd.exe	115
PID 4856 wrote to memory of 3244	4856	cmd.exe	115
PID 4856 wrote to memory of 1636	4856	cmd.exe	116
PID 4856 wrote to memory of 1636	4856	cmd.exe	116
PID 4856 wrote to memory of 3032	4856	cmd.exe	119
PID 4856 wrote to memory of 3032	4856	cmd.exe	119
PID 3032 wrote to memory of 2480	3032	Word.exe	120
PID 3032 wrote to memory of 2480	3032	Word.exe	120
PID 3032 wrote to memory of 3360	3032	Word.exe	122
PID 3032 wrote to memory of 3360	3032	Word.exe	122
PID 3360 wrote to memory of 2184	3360	cmd.exe	124
PID 3360 wrote to memory of 2184	3360	cmd.exe	124
PID 3360 wrote to memory of 3504	3360	cmd.exe	125
PID 3360 wrote to memory of 3504	3360	cmd.exe	125
PID 3360 wrote to memory of 3636	3360	cmd.exe	126
PID 3360 wrote to memory of 3636	3360	cmd.exe	126
PID 3636 wrote to memory of 3784	3636	Word.exe	127
PID 3636 wrote to memory of 3784	3636	Word.exe	127
PID 3636 wrote to memory of 2840	3636	Word.exe	129
PID 3636 wrote to memory of 2840	3636	Word.exe	129
PID 2840 wrote to memory of 4004	2840	cmd.exe	131
PID 2840 wrote to memory of 4004	2840	cmd.exe	131
PID 2840 wrote to memory of 2864	2840	cmd.exe	132
PID 2840 wrote to memory of 2864	2840	cmd.exe	132
PID 2840 wrote to memory of 216	2840	cmd.exe	133
PID 2840 wrote to memory of 216	2840	cmd.exe	133
PID 216 wrote to memory of 1508	216	Word.exe	134
PID 216 wrote to memory of 1508	216	Word.exe	134
PID 216 wrote to memory of 1672	216	Word.exe	136
PID 216 wrote to memory of 1672	216	Word.exe	136
PID 1672 wrote to memory of 3712	1672	cmd.exe	138

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5cc235bca992542d2a9f412e32cdd196.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5cc235bca992542d2a9f412e32cdd196.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Users\Admin\AppData\Roaming\Word.exe
  "C:\Users\Admin\AppData\Roaming\Word.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Word.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2700
- - C:\Users\Admin\AppData\Roaming\WordW\Word.exe
    "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1180
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ov2nKVWbE5cz.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:720
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3712
    - - C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3064
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GoheCacctmmD.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3812
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2648
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oTBhiKFRxRrS.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3244
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1636
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gALXE039FHQY.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2184
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3504
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWcG5MZawQLg.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4004
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2864
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7j4U9Hr7s7AE.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:3712
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4456
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F3RusiB9klez.bat" "
        16⤵
        
        PID:2820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1600
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4608
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z38jt8G2C1bG.bat" "
        18⤵
        
        PID:4732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1948
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pr1GENMptRN0.bat" "
        20⤵
        
        PID:4856
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:4200
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4708
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iOHQ9EMQlcWM.bat" "
        22⤵
        
        PID:4676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:3784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:220
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3636
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pO31S9USKf4m.bat" "
        24⤵
        
        PID:1496
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1528
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2564
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\URZy6uqCOmnH.bat" "
        26⤵
        
        PID:3992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:3332
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2524
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RpusGdoun4Ei.bat" "
        28⤵
        
        PID:2648
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4264
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VYqM9LUJ87IN.bat" "
        30⤵
        
        PID:4580
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:1948
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:932
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        32⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ikui2Y0IrBSF.bat" "
        32⤵
        
        PID:4668
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:4376
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4744
- C:\Users\Admin\AppData\Local\Temp\bin\S^X.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\S^X.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 1020
    3⤵
    - Program crash
    PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4000 -ip 4000
1⤵
PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Word.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Temp\6eb884fd-4bd2-46b3-ae3c-af2d61b19de9\AgileDotNetRT.dll

Filesize
140KB

MD5
edd74be9723cdc6a5692954f0e51c9f3

SHA1
e9fb66ceee1ba4ce7e5b8271b3e1ed7cb9acf686

SHA256
55ff1e0a4e5866d565ceeb9baafac73fdcb4464160fc6c78104d935009935cd7

SHA512
80abecdd07f364283f216d8f4d90a4da3efd4561900631fce05c2916afeb1b5bbce23ae92d57430b7b2b06c172b2ad701b2ab75b6dfd2a861abcf7edc38462f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7j4U9Hr7s7AE.bat

Filesize
204B

MD5
19931125a1a188bb54fa1754b9a5f757

SHA1
abb17dc283bccde24e70308475fdf2e54efb3ead

SHA256
b074684ac7d547441831a96ab0b82b995c77e16aba4768344e7c2e0984ea8e38

SHA512
9d8988e423877911286f507c0fc260b57c45ecddad2337bbb9b6dbecde01dc3652bb4101e5f6dd786e2dcb5e3f0dda674308ff62429e740c89bddd75b29d4108

Download Submit
C:\Users\Admin\AppData\Local\Temp\F3RusiB9klez.bat

Filesize
204B

MD5
e01bbbed275a422e57e09a7060f6351b

SHA1
b818a7e0d452dbbd087734e1c9a323bdd5720280

SHA256
2f42d933fa556e9f296dff324de8c8fbfcbe00b6bedac90d0f20623b4beef278

SHA512
c8d029000a8972f9799f465e3ce2b84812c1c50a6c2910a2ee665eff87c24cc21437bf50ac6f7a94777ce30d21c274a75e4465605ab9df0cbf1357320ca63938

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoheCacctmmD.bat

Filesize
204B

MD5
135f173cd7046ee200d9dbbd58ad8750

SHA1
86f67360dd58c9aa190c46f89b0b760a071a9309

SHA256
91ff00f14818f806906e95db4d8068ea9b32d449a1aedd2d23253e468c47bb44

SHA512
8ab5f09ab018a31ca05d31d5aa8816f93a24161a11d4ae952507ec22df71b38fce791a1cb6a3973309762541455bd40021780cd5b7f45503ba8218679adacca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RpusGdoun4Ei.bat

Filesize
204B

MD5
d59ceb8ba13ff20caec22cf637e4ddf8

SHA1
6bc80afda460b32d067cfd9f574e33e7d1ffc243

SHA256
39d47748f35e0bbc207a7e28ea470d47ea8292e72d231a2539f8377f9b33e81d

SHA512
65b32afc93ea8474ea12cc18dd17e7080812499e15ff7e27ebb35e6c9cb5459170302e84caa74b8f8154e267c90d3da010d61f7be0809fc15c065bcd01299f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\URZy6uqCOmnH.bat

Filesize
204B

MD5
e32a4b9c1d86104458e5208fc923095b

SHA1
1dfd63325d7fcdb3a280d0150b80ba08dda0c07b

SHA256
437d5e0bcc9d9dfe2da74f64b925b683e3463cc2a760cc1fd2c22c774c53dcff

SHA512
9e30c0189dc29482b46cc9607b6f18f111bad442439649412fca1d95873fe75c8f9906916086f3616ec3bea2f5c251483fc2de76b3ba7a530a1e81a2124ef30c

Download Submit
C:\Users\Admin\AppData\Local\Temp\VYqM9LUJ87IN.bat

Filesize
204B

MD5
3083d36bc5f705d562264680a2d94e5b

SHA1
7afb05f019e971171a58e98305d02a6746b3168c

SHA256
88c968b77e0d73986fb1fd2277b787dcf2a86492cbc8bcf803583bf089830af8

SHA512
d0a8330025cea4ceab5a3f246bd94ec3c9296bbfed040c7cdaedf561a808a3cfa7616a0f68010a0323ae774c6c4c4c35b4a276f7acf1f2f8a8d7ac7b4abae546

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z38jt8G2C1bG.bat

Filesize
204B

MD5
38093fcfb74cad3e75b4df1117816694

SHA1
790437f7fe2ff99b407cb4b13883ed770dca9b9f

SHA256
9ce5a5ab81542a771c5cb0e18d3e813c86eb84b7e7ed26a9f410d109cce18365

SHA512
9fab82e49f33277c746f6a83b437ca2411e08fe50ee924a6c79f15dfbf28e35eb6ddc94b9a83a19121a1a7091ada4b1ed39a2379ec7a06c9fbb3a1836ae7f07d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\S^X.exe

Filesize
789KB

MD5
e2437ac017506bbde9a81fb1f618457b

SHA1
adef2615312b31e041ccf700b3982dd50b686c7f

SHA256
94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12

SHA512
9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

Download Submit
C:\Users\Admin\AppData\Local\Temp\gALXE039FHQY.bat

Filesize
204B

MD5
fe3719017d6521a04c88288489f78a50

SHA1
1a592d0ebeb691a92934f6ee219db9b075c60c4a

SHA256
9c77429dff8c72b362a96f604d792b58d9f7f82d0870ad58956caa3946ddc1a8

SHA512
37d60b78c1e8e2407cf3633ccb4d3ed3cba92e46bb7bd43ee9d23e492d6476c401c1cb2261ce8e104c825067127a54f5db1307b2d34302cf6bf2d80fd3b92f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iOHQ9EMQlcWM.bat

Filesize
204B

MD5
49f8f4802c55fa044691916aea7dad01

SHA1
55efeebab65e9c6d5ce716d7d573059fb1c4404a

SHA256
c2573e9bef8b8a6267951394dbdabeb2db935683556ddebea278ed5e32e2bb22

SHA512
a0846d44672a9b6828031f42e67261da42df572f21ac580c43317c83d5ff4965827118486711505003517555a3f6c0ee711a0db8c3a5efc42982d3eb3c273d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikui2Y0IrBSF.bat

Filesize
204B

MD5
774df2c16879c66ea184690825d30a22

SHA1
ef5c94ecf5613f61b6b640d29690511d09882378

SHA256
958b5de4c44f4b56d190de010b35d4082b5d6927b08154d3f207a82eedd6ae78

SHA512
771b903646dc4e05c1c24018dd3a3e2aa2fc0876de8b4c1a281a68b538411f9c7b743f1a54f7bcade6ae8464fd8325b3ee1769eea16d39f1e73e426188dea0b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\oTBhiKFRxRrS.bat

Filesize
204B

MD5
dc63a0c145075b525b2aa13aa7d32644

SHA1
ccc32265b80fc5fd383cce1591a7c115dafb5f6d

SHA256
c7d129283a53120d5c53fa31fe3a1f84b0086ca5491bc76e28d4e5f65b6918f5

SHA512
fedffc7eb20ed27dd50d4aaf487466397f65ce447a78f4d6a79338f40f4133082d1037bc67da498970360a7121beb1d14d5c392ccb64c712e24144814b6e4096

Download Submit
C:\Users\Admin\AppData\Local\Temp\ov2nKVWbE5cz.bat

Filesize
204B

MD5
64382d281cb38da1668f1f25261eb5be

SHA1
beec22f3e08a71c7441bc41b188909281b526552

SHA256
d616f282054acfae83490495f8ff16f948cdbb0c264483c6b508712321662170

SHA512
06e57809b0e46f7600f61944213b2ac5448091113c8a1af794a60a03369a76b8a3ed6f2b49e3f6851614c5a710e6e5d6cb0978afd915391bef6347eab2c8f53a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pO31S9USKf4m.bat

Filesize
204B

MD5
8e4a1f9d77640bd2eb5b990c2ff63b37

SHA1
f4a882c589a7402f65e1747934ba1114e8337f04

SHA256
f80c55de7ed55db902f91557e74eabc04f444dd557961a6f93b51a7609fae204

SHA512
9d50f7948d59f68ee84ea58376fad2a98a34dec8ce9a63ffb22423fc0620af67c54f19ad2f77c899f788ed3b3975df54d2792cfaa1f44b3f09349eeceefc97bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\pr1GENMptRN0.bat

Filesize
204B

MD5
6189314bb14cad536bc6125c22101926

SHA1
7bb72311964719b0a15e6418d65d1c6b974ca149

SHA256
9425620b919824c1fe9a5c11a4f82f60cd85817e981606120c1139afe423d8bb

SHA512
e2c01dfb4962334f299f1e9fbc97b8ab7892b245c778fe94fcae2cf1ff1abb0dc56592f3c05fdf73992a08fee906ddd55b6137a8332178071c210b75b63c0b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\tWcG5MZawQLg.bat

Filesize
204B

MD5
faa18cc8a5ad0e01b6d080a4d552025e

SHA1
b20d000317e58c96a93de0ec0e8fbfebea2ee166

SHA256
0cea65431902625f4a92e2ff8ca3a50b396b5ce9621af04abd0f9b3025b21dad

SHA512
d05c071a15ec57148652118eddeee7e2aacb047373e08009562f8fe891a7449a460d48cd058145109734e3cae91cfe7949b3dfd791fe056dc7da8b5507c12f38

Download Submit
C:\Users\Admin\AppData\Roaming\Word.exe

Filesize
502KB

MD5
6be4bd44032a94198e8809edcc647f58

SHA1
7a46c39d01ae48e619cbebc9d9a8951db71f09f0

SHA256
12f9c355a6280b8c51f233ecda941dfb5d59a8830547690606fdafd755852772

SHA512
6fbcf0a05dcb0d27be4812caa339c377a1ca0d1def29263f6b9e4e1c572076285eae682d22203410953a0f48c23f229aa8868657120f77486dad713b8df38df4

Download Submit
memory/1180-50-0x000000001D410000-0x000000001D4C2000-memory.dmp

Filesize
712KB

Download
memory/1180-49-0x000000001B540000-0x000000001B590000-memory.dmp

Filesize
320KB

Download
memory/4000-41-0x0000000000730000-0x00000000007FC000-memory.dmp

Filesize
816KB

Download
memory/4000-39-0x000000007204E000-0x000000007204F000-memory.dmp

Filesize
4KB

Download
memory/4000-42-0x0000000005680000-0x0000000005C24000-memory.dmp

Filesize
5.6MB

Download
memory/4000-43-0x0000000005170000-0x0000000005202000-memory.dmp

Filesize
584KB

Download
memory/4624-10-0x0000000073690000-0x00000000736B8000-memory.dmp

Filesize
160KB

Download
memory/4624-37-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/4624-38-0x0000000073690000-0x00000000736B8000-memory.dmp

Filesize
160KB

Download
memory/4624-0-0x0000000075182000-0x0000000075183000-memory.dmp

Filesize
4KB

Download
memory/4624-11-0x0000000073EA0000-0x0000000073EFB000-memory.dmp

Filesize
364KB

Download
memory/4624-2-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/4624-1-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/4892-40-0x000000001B550000-0x000000001B560000-memory.dmp

Filesize
64KB

Download
memory/4892-24-0x00007FFEBCFA3000-0x00007FFEBCFA5000-memory.dmp

Filesize
8KB

Download
memory/4892-36-0x0000000000670000-0x00000000006F4000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads