quasar | 2602948e0301d266cd808c4b9d8bbe75dee0025686b603b2c321d6e97c5f2cc5

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10/01/2025, 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e82e07a2f06226989c2864557311d904.exe
Size

6.3MB
MD5

e82e07a2f06226989c2864557311d904
SHA1

1b5efe272bcc5fd95f4cae034995fc3b795d3416
SHA256

2602948e0301d266cd808c4b9d8bbe75dee0025686b603b2c321d6e97c5f2cc5
SHA512

f43124a0f4cff06fb31450dece6d21394a1817b56d50b2988338b1295ea963b9bc9405d4691a926c7179ddb785d67e01f4bfb74044e8fcf2db0f361bbde3f62d
SSDEEP

98304:P3c+RXz2LmThcHp5ooEAnHRVN07KgHDpS18DqBRe7qxKfT1J+tNY3LU4rI2qoP:rRfg53HRVu7vHDpS1IqBRU7kCs2q

Score

10^/10

quasar word discovery evasion spyware themida trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Word

live.nodenet.ml:8863

Mutex

754ce6d6-f75b-4c6f-964c-3996e749369e

Attributes

encryption_key
8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
install_name
Word.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System
subdirectory
WordW

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 12 IoCs

resource	yara_rule
behavioral1/files/0x0009000000018b28-16.dat	family_quasar
behavioral1/memory/3012-30-0x0000000000B50000-0x0000000000BD4000-memory.dmp	family_quasar
behavioral1/memory/2836-36-0x0000000000E80000-0x0000000000F04000-memory.dmp	family_quasar
behavioral1/memory/1956-52-0x00000000011F0000-0x0000000001274000-memory.dmp	family_quasar
behavioral1/memory/2428-63-0x00000000000C0000-0x0000000000144000-memory.dmp	family_quasar
behavioral1/memory/1208-74-0x0000000000AB0000-0x0000000000B34000-memory.dmp	family_quasar
behavioral1/memory/2972-96-0x0000000000180000-0x0000000000204000-memory.dmp	family_quasar
behavioral1/memory/1996-108-0x0000000000390000-0x0000000000414000-memory.dmp	family_quasar
behavioral1/memory/1656-119-0x00000000003D0000-0x0000000000454000-memory.dmp	family_quasar
behavioral1/memory/2164-130-0x0000000000100000-0x0000000000184000-memory.dmp	family_quasar
behavioral1/memory/2004-141-0x0000000000120000-0x00000000001A4000-memory.dmp	family_quasar
behavioral1/memory/1924-152-0x0000000000980000-0x0000000000A04000-memory.dmp	family_quasar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	JaffaCakes118_e82e07a2f06226989c2864557311d904.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	JaffaCakes118_e82e07a2f06226989c2864557311d904.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	JaffaCakes118_e82e07a2f06226989c2864557311d904.exe

Executes dropped EXE 13 IoCs

pid	Process
3012	Word.exe
2032	S^X.exe
2836	Word.exe
1956	Word.exe
2428	Word.exe
1208	Word.exe
940	Word.exe
2972	Word.exe
1996	Word.exe
1656	Word.exe
2164	Word.exe
2004	Word.exe
1924	Word.exe

Loads dropped DLL 8 IoCs

pid	Process
804	JaffaCakes118_e82e07a2f06226989c2864557311d904.exe
804	JaffaCakes118_e82e07a2f06226989c2864557311d904.exe
804	JaffaCakes118_e82e07a2f06226989c2864557311d904.exe
1652	WerFault.exe
1652	WerFault.exe
1652	WerFault.exe
1652	WerFault.exe
1652	WerFault.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x00280000000186b7-6.dat	themida
behavioral1/memory/804-9-0x0000000072DF0000-0x00000000733F8000-memory.dmp	themida
behavioral1/memory/804-10-0x0000000072DF0000-0x00000000733F8000-memory.dmp	themida
behavioral1/memory/804-12-0x0000000072DF0000-0x00000000733F8000-memory.dmp	themida
behavioral1/memory/804-28-0x0000000072DF0000-0x00000000733F8000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JaffaCakes118_e82e07a2f06226989c2864557311d904.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
804	JaffaCakes118_e82e07a2f06226989c2864557311d904.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1652	2032	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S^X.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e82e07a2f06226989c2864557311d904.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 11 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
840	PING.EXE
2776	PING.EXE
968	PING.EXE
1352	PING.EXE
2640	PING.EXE
2340	PING.EXE
2304	PING.EXE
1880	PING.EXE
1060	PING.EXE
1824	PING.EXE
2176	PING.EXE

Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery

T1018

pid	Process
2304	PING.EXE
968	PING.EXE
1352	PING.EXE
2176	PING.EXE
1880	PING.EXE
840	PING.EXE
1060	PING.EXE
1824	PING.EXE
2776	PING.EXE
2640	PING.EXE
2340	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2760	schtasks.exe
2364	schtasks.exe
1048	schtasks.exe
2304	schtasks.exe
2188	schtasks.exe
1880	schtasks.exe
1544	schtasks.exe
2212	schtasks.exe
1204	schtasks.exe
1868	schtasks.exe
1688	schtasks.exe
1992	schtasks.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	Word.exe
Token: SeDebugPrivilege	2836	Word.exe
Token: SeDebugPrivilege	1956	Word.exe
Token: SeDebugPrivilege	2428	Word.exe
Token: SeDebugPrivilege	1208	Word.exe
Token: SeDebugPrivilege	940	Word.exe
Token: SeDebugPrivilege	2972	Word.exe
Token: SeDebugPrivilege	1996	Word.exe
Token: SeDebugPrivilege	1656	Word.exe
Token: SeDebugPrivilege	2164	Word.exe
Token: SeDebugPrivilege	2004	Word.exe
Token: SeDebugPrivilege	1924	Word.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2836	Word.exe
1956	Word.exe
2428	Word.exe
1208	Word.exe
940	Word.exe
2972	Word.exe
1996	Word.exe
1656	Word.exe
2164	Word.exe
2004	Word.exe
1924	Word.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 3012	804	JaffaCakes118_e82e07a2f06226989c2864557311d904.exe	30
PID 804 wrote to memory of 3012	804	JaffaCakes118_e82e07a2f06226989c2864557311d904.exe	30
PID 804 wrote to memory of 3012	804	JaffaCakes118_e82e07a2f06226989c2864557311d904.exe	30
PID 804 wrote to memory of 3012	804	JaffaCakes118_e82e07a2f06226989c2864557311d904.exe	30
PID 804 wrote to memory of 2032	804	JaffaCakes118_e82e07a2f06226989c2864557311d904.exe	31
PID 804 wrote to memory of 2032	804	JaffaCakes118_e82e07a2f06226989c2864557311d904.exe	31
PID 804 wrote to memory of 2032	804	JaffaCakes118_e82e07a2f06226989c2864557311d904.exe	31
PID 804 wrote to memory of 2032	804	JaffaCakes118_e82e07a2f06226989c2864557311d904.exe	31
PID 3012 wrote to memory of 2760	3012	Word.exe	32
PID 3012 wrote to memory of 2760	3012	Word.exe	32
PID 3012 wrote to memory of 2760	3012	Word.exe	32
PID 3012 wrote to memory of 2836	3012	Word.exe	34
PID 3012 wrote to memory of 2836	3012	Word.exe	34
PID 3012 wrote to memory of 2836	3012	Word.exe	34
PID 2836 wrote to memory of 2364	2836	Word.exe	35
PID 2836 wrote to memory of 2364	2836	Word.exe	35
PID 2836 wrote to memory of 2364	2836	Word.exe	35
PID 2032 wrote to memory of 1652	2032	S^X.exe	37
PID 2032 wrote to memory of 1652	2032	S^X.exe	37
PID 2032 wrote to memory of 1652	2032	S^X.exe	37
PID 2032 wrote to memory of 1652	2032	S^X.exe	37
PID 2836 wrote to memory of 2280	2836	Word.exe	38
PID 2836 wrote to memory of 2280	2836	Word.exe	38
PID 2836 wrote to memory of 2280	2836	Word.exe	38
PID 2280 wrote to memory of 1948	2280	cmd.exe	40
PID 2280 wrote to memory of 1948	2280	cmd.exe	40
PID 2280 wrote to memory of 1948	2280	cmd.exe	40
PID 2280 wrote to memory of 2304	2280	cmd.exe	41
PID 2280 wrote to memory of 2304	2280	cmd.exe	41
PID 2280 wrote to memory of 2304	2280	cmd.exe	41
PID 2280 wrote to memory of 1956	2280	cmd.exe	42
PID 2280 wrote to memory of 1956	2280	cmd.exe	42
PID 2280 wrote to memory of 1956	2280	cmd.exe	42
PID 1956 wrote to memory of 2212	1956	Word.exe	43
PID 1956 wrote to memory of 2212	1956	Word.exe	43
PID 1956 wrote to memory of 2212	1956	Word.exe	43
PID 1956 wrote to memory of 272	1956	Word.exe	45
PID 1956 wrote to memory of 272	1956	Word.exe	45
PID 1956 wrote to memory of 272	1956	Word.exe	45
PID 272 wrote to memory of 2080	272	cmd.exe	47
PID 272 wrote to memory of 2080	272	cmd.exe	47
PID 272 wrote to memory of 2080	272	cmd.exe	47
PID 272 wrote to memory of 1880	272	cmd.exe	48
PID 272 wrote to memory of 1880	272	cmd.exe	48
PID 272 wrote to memory of 1880	272	cmd.exe	48
PID 272 wrote to memory of 2428	272	cmd.exe	49
PID 272 wrote to memory of 2428	272	cmd.exe	49
PID 272 wrote to memory of 2428	272	cmd.exe	49
PID 2428 wrote to memory of 1204	2428	Word.exe	50
PID 2428 wrote to memory of 1204	2428	Word.exe	50
PID 2428 wrote to memory of 1204	2428	Word.exe	50
PID 2428 wrote to memory of 2492	2428	Word.exe	52
PID 2428 wrote to memory of 2492	2428	Word.exe	52
PID 2428 wrote to memory of 2492	2428	Word.exe	52
PID 2492 wrote to memory of 1716	2492	cmd.exe	54
PID 2492 wrote to memory of 1716	2492	cmd.exe	54
PID 2492 wrote to memory of 1716	2492	cmd.exe	54
PID 2492 wrote to memory of 840	2492	cmd.exe	55
PID 2492 wrote to memory of 840	2492	cmd.exe	55
PID 2492 wrote to memory of 840	2492	cmd.exe	55
PID 2492 wrote to memory of 1208	2492	cmd.exe	56
PID 2492 wrote to memory of 1208	2492	cmd.exe	56
PID 2492 wrote to memory of 1208	2492	cmd.exe	56
PID 1208 wrote to memory of 1868	1208	Word.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e82e07a2f06226989c2864557311d904.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e82e07a2f06226989c2864557311d904.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:804
- C:\Users\Admin\AppData\Roaming\Word.exe
  "C:\Users\Admin\AppData\Roaming\Word.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Word.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2760
- - C:\Users\Admin\AppData\Roaming\WordW\Word.exe
    "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2364
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\Z2QXl0JESAUR.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2280
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1948
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2304
    - - C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1956
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2212
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oPlRzl6okbgI.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:272
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2080
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1880
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1204
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aUWGBWt9NyQS.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1716
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:840
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1868
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0r0NqPIKHmpe.bat" "
        10⤵
        
        PID:1936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1060
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:940
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1688
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PMmP4X0NfNEo.bat" "
        12⤵
        
        PID:1576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:3048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1824
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2972
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1048
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ub7qWBzk7krI.bat" "
        14⤵
        
        PID:2756
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2788
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2776
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1992
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GYRtcfDZi5G0.bat" "
        16⤵
        
        PID:2276
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1980
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:968
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2304
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\acaedJuM2L93.bat" "
        18⤵
        
        PID:1712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1352
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2164
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1880
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\H3FoxJlJoA0Z.bat" "
        20⤵
        
        PID:2168
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2400
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2176
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2188
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8jNxCTaNisb1.bat" "
        22⤵
        
        PID:2572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2704
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2640
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1924
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1544
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\l7rcUxYvAnPt.bat" "
        24⤵
        
        PID:2956
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1752
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2340
- C:\Users\Admin\AppData\Local\Temp\bin\S^X.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\S^X.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 608
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0r0NqPIKHmpe.bat

Filesize
204B

MD5
23dba4869c0de8af73abd72380615b7d

SHA1
803f450509e28a7f31272592018c9fe68bf00fa7

SHA256
e7bba6725e5f8724fb62c20946c89e9a77bd05af89ea6f3dbec4d5400dceef1e

SHA512
fa53060e2e2910d42ae193494db2799c749c3ebefbe907eb010668a3189cedfb73be7b36fe7db99f4d301ead36982576e1f6968fecd4c14ed329a80b799b7825

Download Submit
C:\Users\Admin\AppData\Local\Temp\8jNxCTaNisb1.bat

Filesize
204B

MD5
67149869158afc882fb146222ce88d63

SHA1
c4b3f58f9be2f2a7ce4df708e0d964823875ddb0

SHA256
6086e89a39126efdd06e7543cc96dd7788e1f11511aca9a7d13ca601abc87fb9

SHA512
5d00aef781fb20e1ad6fc53a7ee5f46dd48652a34691d177418f812485976a33035520de3dff4b1f8187cd8c777d7572a761c9d3f0c7399348060a8cc154dba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYRtcfDZi5G0.bat

Filesize
204B

MD5
6e8831346328b88e108b58504bcb4030

SHA1
c8377ac4442782c2d2d6398306b09de3350ba60c

SHA256
89014ae81b7a0538986d7dbde31ba9f633569054b1ed2e5b6cd29ce83422907b

SHA512
9081ee77ab9dba929fc3fd9c10440b56dcd8276068330f6fa4288dcf73e5c79d1babc62d26ab131feca1b87a078a266ee8089d082977c14e67e8221d8cd992d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\H3FoxJlJoA0Z.bat

Filesize
204B

MD5
3e3d5b0dad34236cfdce5e9ef984230a

SHA1
8aedc940d6fe1eeb9540cc87225d1cca94ce3d50

SHA256
731ec87a50359ddcde674f223dd9ac392a8b67c0260389adfbeb443895bfba3e

SHA512
a039ac9838a481ba34667b939a48054a938739f7aa829db7ad17deebe1efe91234be9cbfd807f603190ee353c07d556c26f26ef14a0a1fd3430f35a8c53f720a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PMmP4X0NfNEo.bat

Filesize
204B

MD5
a5f713b7d22f7ee4519558ff9fdda55d

SHA1
10ec9a54956411ef69f3194c6b3689082129b92a

SHA256
2a76dd41e291be2ccb16467bbe51aaba80f89cc23737d2dd3e31bd415664c1f5

SHA512
a47be8a359f9d6fa29d49dbabac1d0a371dd145d4a49f3b5c235a716cb5e97c3e44103040620bcd696c353bcd4981244ae15594513365421b9e5321ca3488fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z2QXl0JESAUR.bat

Filesize
204B

MD5
7269094ecf57963277d5164a00f20041

SHA1
64e8a7ffd45439c44c0eedf224dc98230b08b553

SHA256
2a628eb72e676227fd4f50e7f03d37536add2359a100cf6c4d636180851c625f

SHA512
92c9f218b901e9a72c624cbfb1be5f6d1f65ea07b062f97d23ad76e82f5da8bd1773cecf3d1cff4e6587d9da5771ca9c07e69f2e58056ce2599d9bd5cd5aec9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUWGBWt9NyQS.bat

Filesize
204B

MD5
a90ae60ab542fe51a65d3359a3616b51

SHA1
d281280fc273ff87b696f9e08abe77930f5be1b2

SHA256
3d8d600cc55893412721d0ca442ffc8f280411102df757e3cf6c848ec5df2be2

SHA512
4881bd72fe0c3533d80b5e409f33e101cedff9842d027972d6eba0878f614c913434c440c81640c98dcd074645d0ac89c62848d3fd3892814fa3888868b82398

Download Submit
C:\Users\Admin\AppData\Local\Temp\acaedJuM2L93.bat

Filesize
204B

MD5
bc75e19f9cb89710d93ba605f9e89a82

SHA1
2c0423ea0d9c6d2bf3d59196c1036cca4f1c9995

SHA256
1f6ac87d8212d7234945bc90bf9fae7f779269452d10f43233d4aee8ff98349b

SHA512
141c140433a11bfa0fd716921fa9822b6bdb7634f127235ac93be8680d468b72c82bdd31dd94d0c1c595a0de3b7fd2f5581c4d9bb368f9f73ba2f8e2cc896b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\l7rcUxYvAnPt.bat

Filesize
204B

MD5
275fc7bea3eb9d1e2745ed822b3e281c

SHA1
c952949ec9c8b281c27ae7fe0be0421343c860a0

SHA256
2a57acc420c7b0b26c9ed9fa0092d6661d8ad935432162fdbeb5e13880f8b325

SHA512
eba6e1e6566029651a6385044adaf65e383f77d913eac4aa59083839c1d8ee94c6f11fdb1cff4feff4d6fda1ab3eddc0bf9198e8b3274383f069f64f7bb9a5fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\oPlRzl6okbgI.bat

Filesize
204B

MD5
17a7fabe15abd7943c8532fe5d6096b1

SHA1
7adc189dfc929f9b27c64c84dd7995919f7da3b2

SHA256
67c1d94dbc2af460e0adc30a75bf0c74de94ead8fc59f80dd148a5e487ca164b

SHA512
dd236c22acf79436ac07ab8b2843a6454871746ba2baf568d85be35d284dfc05c2f98d258737e0c5877899286d561f3df7d27971e0bdcaa8f7621effef53fdeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ub7qWBzk7krI.bat

Filesize
204B

MD5
fb3174bde7d7cbd8593f46fcc002c122

SHA1
d1da175df6ec01ab0a27a0056fac1d957684d1eb

SHA256
c4cfbc211458e08f4f1af84ac40c153f4d0339fe2294119e47841d58ddf8fcbe

SHA512
99b97ad645bca54b5fb74763c82a533fcdc60c81e330ac162f14a738070b07b42ede2b6914c20328ec3d442c02d0950e03122b6d723ac332c858c3e42935c1f8

Download Submit
\Users\Admin\AppData\Local\Temp\308f8bd5-a5f6-4b35-8cf3-1d4e4b92a924\AgileDotNetRT.dll

Filesize
2.2MB

MD5
2d86c4ad18524003d56c1cb27c549ba8

SHA1
123007f9337364e044b87deacf6793c2027c8f47

SHA256
091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280

SHA512
0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

Download Submit
\Users\Admin\AppData\Local\Temp\bin\S^X.exe

Filesize
789KB

MD5
e2437ac017506bbde9a81fb1f618457b

SHA1
adef2615312b31e041ccf700b3982dd50b686c7f

SHA256
94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12

SHA512
9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

Download Submit
\Users\Admin\AppData\Roaming\Word.exe

Filesize
502KB

MD5
6be4bd44032a94198e8809edcc647f58

SHA1
7a46c39d01ae48e619cbebc9d9a8951db71f09f0

SHA256
12f9c355a6280b8c51f233ecda941dfb5d59a8830547690606fdafd755852772

SHA512
6fbcf0a05dcb0d27be4812caa339c377a1ca0d1def29263f6b9e4e1c572076285eae682d22203410953a0f48c23f229aa8868657120f77486dad713b8df38df4

Download Submit
memory/804-11-0x0000000074C50000-0x00000000751FB000-memory.dmp

Filesize
5.7MB

Download
memory/804-1-0x0000000074C50000-0x00000000751FB000-memory.dmp

Filesize
5.7MB

Download
memory/804-2-0x0000000074C50000-0x00000000751FB000-memory.dmp

Filesize
5.7MB

Download
memory/804-9-0x0000000072DF0000-0x00000000733F8000-memory.dmp

Filesize
6.0MB

Download
memory/804-29-0x0000000074C50000-0x00000000751FB000-memory.dmp

Filesize
5.7MB

Download
memory/804-10-0x0000000072DF0000-0x00000000733F8000-memory.dmp

Filesize
6.0MB

Download
memory/804-28-0x0000000072DF0000-0x00000000733F8000-memory.dmp

Filesize
6.0MB

Download
memory/804-12-0x0000000072DF0000-0x00000000733F8000-memory.dmp

Filesize
6.0MB

Download
memory/804-0-0x0000000074C51000-0x0000000074C52000-memory.dmp

Filesize
4KB

Download
memory/804-13-0x0000000074AD0000-0x0000000074B2B000-memory.dmp

Filesize
364KB

Download
memory/1208-74-0x0000000000AB0000-0x0000000000B34000-memory.dmp

Filesize
528KB

Download
memory/1656-119-0x00000000003D0000-0x0000000000454000-memory.dmp

Filesize
528KB

Download
memory/1924-152-0x0000000000980000-0x0000000000A04000-memory.dmp

Filesize
528KB

Download
memory/1956-52-0x00000000011F0000-0x0000000001274000-memory.dmp

Filesize
528KB

Download
memory/1996-108-0x0000000000390000-0x0000000000414000-memory.dmp

Filesize
528KB

Download
memory/2004-141-0x0000000000120000-0x00000000001A4000-memory.dmp

Filesize
528KB

Download
memory/2032-31-0x0000000000DA0000-0x0000000000E6C000-memory.dmp

Filesize
816KB

Download
memory/2164-130-0x0000000000100000-0x0000000000184000-memory.dmp

Filesize
528KB

Download
memory/2428-63-0x00000000000C0000-0x0000000000144000-memory.dmp

Filesize
528KB

Download
memory/2836-36-0x0000000000E80000-0x0000000000F04000-memory.dmp

Filesize
528KB

Download
memory/2972-96-0x0000000000180000-0x0000000000204000-memory.dmp

Filesize
528KB

Download
memory/3012-21-0x000007FEF6133000-0x000007FEF6134000-memory.dmp

Filesize
4KB

Download
memory/3012-30-0x0000000000B50000-0x0000000000BD4000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads