quasar | 40f9ef6921839b83373e8d981655b24f2b9c6d9b5b342d2bf621c8d6ea5528f8

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe

Executes dropped EXE 17 IoCs

pid	Process
2448	chrome.exe
1208	S^X.exe
332	chrome.exe
2076	chrome.exe
3948	chrome.exe
4164	chrome.exe
1920	chrome.exe
4700	chrome.exe
3204	chrome.exe
4024	chrome.exe
1072	chrome.exe
2876	chrome.exe
3660	chrome.exe
1472	chrome.exe
4184	chrome.exe
3852	chrome.exe
4920	chrome.exe

Loads dropped DLL 1 IoCs

pid	Process
4760	JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000b000000023b69-6.dat	themida
behavioral2/memory/4760-10-0x0000000072DB0000-0x00000000733B8000-memory.dmp	themida
behavioral2/memory/4760-12-0x0000000072DB0000-0x00000000733B8000-memory.dmp	themida
behavioral2/memory/4760-13-0x0000000072DB0000-0x00000000733B8000-memory.dmp	themida
behavioral2/memory/4760-39-0x0000000072DB0000-0x00000000733B8000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4760	JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S^X.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4604	PING.EXE
4584	PING.EXE
2592	PING.EXE
1512	PING.EXE
2908	PING.EXE
2708	PING.EXE
1984	PING.EXE
4952	PING.EXE
2280	PING.EXE
880	PING.EXE
3252	PING.EXE
1524	PING.EXE
2332	PING.EXE
2160	PING.EXE
1056	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
4584	PING.EXE
2908	PING.EXE
4952	PING.EXE
1524	PING.EXE
2160	PING.EXE
880	PING.EXE
1512	PING.EXE
2332	PING.EXE
2708	PING.EXE
1056	PING.EXE
4604	PING.EXE
3252	PING.EXE
1984	PING.EXE
2280	PING.EXE
2592	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3640	schtasks.exe
1412	schtasks.exe
4324	schtasks.exe
3828	schtasks.exe
4212	schtasks.exe
4996	schtasks.exe
4180	schtasks.exe
856	schtasks.exe
640	schtasks.exe
4248	schtasks.exe
3428	schtasks.exe
3900	schtasks.exe
3536	schtasks.exe
860	schtasks.exe
4256	schtasks.exe
4516	schtasks.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2448	chrome.exe
Token: SeDebugPrivilege	332	chrome.exe
Token: SeDebugPrivilege	1208	S^X.exe
Token: SeDebugPrivilege	2076	chrome.exe
Token: SeDebugPrivilege	3948	chrome.exe
Token: SeDebugPrivilege	4164	chrome.exe
Token: SeDebugPrivilege	1920	chrome.exe
Token: SeDebugPrivilege	4700	chrome.exe
Token: SeDebugPrivilege	3204	chrome.exe
Token: SeDebugPrivilege	4024	chrome.exe
Token: SeDebugPrivilege	1072	chrome.exe
Token: SeDebugPrivilege	2876	chrome.exe
Token: SeDebugPrivilege	3660	chrome.exe
Token: SeDebugPrivilege	1472	chrome.exe
Token: SeDebugPrivilege	4184	chrome.exe
Token: SeDebugPrivilege	3852	chrome.exe
Token: SeDebugPrivilege	4920	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 2448	4760	JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe	82
PID 4760 wrote to memory of 2448	4760	JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe	82
PID 4760 wrote to memory of 1208	4760	JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe	83
PID 4760 wrote to memory of 1208	4760	JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe	83
PID 4760 wrote to memory of 1208	4760	JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe	83
PID 2448 wrote to memory of 3640	2448	chrome.exe	84
PID 2448 wrote to memory of 3640	2448	chrome.exe	84
PID 2448 wrote to memory of 332	2448	chrome.exe	86
PID 2448 wrote to memory of 332	2448	chrome.exe	86
PID 332 wrote to memory of 4180	332	chrome.exe	87
PID 332 wrote to memory of 4180	332	chrome.exe	87
PID 332 wrote to memory of 3192	332	chrome.exe	89
PID 332 wrote to memory of 3192	332	chrome.exe	89
PID 3192 wrote to memory of 1472	3192	cmd.exe	91
PID 3192 wrote to memory of 1472	3192	cmd.exe	91
PID 3192 wrote to memory of 4604	3192	cmd.exe	92
PID 3192 wrote to memory of 4604	3192	cmd.exe	92
PID 3192 wrote to memory of 2076	3192	cmd.exe	98
PID 3192 wrote to memory of 2076	3192	cmd.exe	98
PID 2076 wrote to memory of 640	2076	chrome.exe	99
PID 2076 wrote to memory of 640	2076	chrome.exe	99
PID 2076 wrote to memory of 872	2076	chrome.exe	101
PID 2076 wrote to memory of 872	2076	chrome.exe	101
PID 872 wrote to memory of 4304	872	cmd.exe	103
PID 872 wrote to memory of 4304	872	cmd.exe	103
PID 872 wrote to memory of 3252	872	cmd.exe	104
PID 872 wrote to memory of 3252	872	cmd.exe	104
PID 872 wrote to memory of 3948	872	cmd.exe	107
PID 872 wrote to memory of 3948	872	cmd.exe	107
PID 3948 wrote to memory of 4248	3948	chrome.exe	108
PID 3948 wrote to memory of 4248	3948	chrome.exe	108
PID 3948 wrote to memory of 1380	3948	chrome.exe	110
PID 3948 wrote to memory of 1380	3948	chrome.exe	110
PID 1380 wrote to memory of 4420	1380	cmd.exe	112
PID 1380 wrote to memory of 4420	1380	cmd.exe	112
PID 1380 wrote to memory of 4584	1380	cmd.exe	113
PID 1380 wrote to memory of 4584	1380	cmd.exe	113
PID 1380 wrote to memory of 4164	1380	cmd.exe	115
PID 1380 wrote to memory of 4164	1380	cmd.exe	115
PID 4164 wrote to memory of 3428	4164	chrome.exe	117
PID 4164 wrote to memory of 3428	4164	chrome.exe	117
PID 4164 wrote to memory of 3576	4164	chrome.exe	119
PID 4164 wrote to memory of 3576	4164	chrome.exe	119
PID 3576 wrote to memory of 3652	3576	cmd.exe	121
PID 3576 wrote to memory of 3652	3576	cmd.exe	121
PID 3576 wrote to memory of 1984	3576	cmd.exe	122
PID 3576 wrote to memory of 1984	3576	cmd.exe	122
PID 3576 wrote to memory of 1920	3576	cmd.exe	123
PID 3576 wrote to memory of 1920	3576	cmd.exe	123
PID 1920 wrote to memory of 3900	1920	chrome.exe	124
PID 1920 wrote to memory of 3900	1920	chrome.exe	124
PID 1920 wrote to memory of 332	1920	chrome.exe	126
PID 1920 wrote to memory of 332	1920	chrome.exe	126
PID 332 wrote to memory of 1872	332	cmd.exe	128
PID 332 wrote to memory of 1872	332	cmd.exe	128
PID 332 wrote to memory of 4952	332	cmd.exe	129
PID 332 wrote to memory of 4952	332	cmd.exe	129
PID 332 wrote to memory of 4700	332	cmd.exe	130
PID 332 wrote to memory of 4700	332	cmd.exe	130
PID 4700 wrote to memory of 3536	4700	chrome.exe	131
PID 4700 wrote to memory of 3536	4700	chrome.exe	131
PID 4700 wrote to memory of 3320	4700	chrome.exe	133
PID 4700 wrote to memory of 3320	4700	chrome.exe	133
PID 3320 wrote to memory of 2556	3320	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Users\Admin\AppData\Roaming\chrome.exe
  "C:\Users\Admin\AppData\Roaming\chrome.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3640
- - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:332
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4180
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N6gPUuvUbhQb.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3192
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1472
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4604
    - - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2076
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:640
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ehaiXIBCcCis.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4304
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3252
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E6Rpvz7Gn7fI.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4420
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4584
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\K8npeLxseK4m.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:3652
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1984
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LkJjqHtrzX6a.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4952
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n7JTAzM7A4Zo.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1512
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3204
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3rMQXVyPAjfx.bat" "
        16⤵
        
        PID:2348
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4024
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1412
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQMVA0wCenmL.bat" "
        18⤵
        
        PID:804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:3472
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1524
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BK8mAioLyqHM.bat" "
        20⤵
        
        PID:3012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:4584
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2332
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3828
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5lJLtI7B1x9T.bat" "
        22⤵
        
        PID:5032
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2172
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2160
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3660
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DBTt1A6MNtAV.bat" "
        24⤵
        
        PID:2372
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2280
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5hz5xccPxmiP.bat" "
        26⤵
        
        PID:4112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:4696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2708
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4184
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bkoTd43Ab4B8.bat" "
        28⤵
        
        PID:1000
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:1532
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1056
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3852
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tArOJ6zKy16q.bat" "
        30⤵
        
        PID:3912
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:1412
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2592
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4920
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        32⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kLlJZ6RdlcPI.bat" "
        32⤵
        
        PID:804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:4368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:880
- C:\Users\Admin\AppData\Local\Temp\S^X.exe
  "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

Remote System Discovery

T1018

System Information Discovery