quasar | ff62c26c8faf00f841ddeae1e095b8a65a9cb4e0d2a01879aaa8d767c4550cf8

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-01-2025 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

79069701295f944d67c5f2e0213b3b9c
SHA1

589e8b6227ec6ef923f7eb8e4dc96797593f9535
SHA256

ff62c26c8faf00f841ddeae1e095b8a65a9cb4e0d2a01879aaa8d767c4550cf8
SHA512

472570fbf5ee21c05d9e40aaef32686b5f3f63eba93c7f3efdc23493e74017cea8b2a91a1ac7d8cdbc67fedb18f4dcae20c08fa3b6486807fa38d03dd2114f67
SSDEEP

49152:mvjI22SsaNYfdPBldt698dBcjHtqRJ6sbR3LoGdnTHHB72eh2NT:mvc22SsaNYfdPBldt6+dBcjHtqRJ62

Score

10^/10

quasar test-rat discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

test-rat

46.125.249.50:4782:4782

Mutex

e2bb43be-2392-4c93-9a3c-dcea173d5afd

Attributes

encryption_key
AE2F816185F134AF4E7D747D3E55802DE0F16A45
install_name
Virus-Rat.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender Update
subdirectory
Rat-Test-cx

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 15 IoCs

resource	yara_rule
behavioral1/memory/1732-1-0x0000000001050000-0x0000000001374000-memory.dmp	family_quasar
behavioral1/files/0x00060000000191fd-5.dat	family_quasar
behavioral1/memory/3056-8-0x0000000000970000-0x0000000000C94000-memory.dmp	family_quasar
behavioral1/memory/2540-22-0x0000000000A10000-0x0000000000D34000-memory.dmp	family_quasar
behavioral1/memory/1680-33-0x0000000001390000-0x00000000016B4000-memory.dmp	family_quasar
behavioral1/memory/2196-44-0x0000000000200000-0x0000000000524000-memory.dmp	family_quasar
behavioral1/memory/2868-55-0x0000000000170000-0x0000000000494000-memory.dmp	family_quasar
behavioral1/memory/2220-66-0x0000000000C30000-0x0000000000F54000-memory.dmp	family_quasar
behavioral1/memory/876-77-0x0000000000E70000-0x0000000001194000-memory.dmp	family_quasar
behavioral1/memory/2972-99-0x0000000001370000-0x0000000001694000-memory.dmp	family_quasar
behavioral1/memory/2364-110-0x0000000000280000-0x00000000005A4000-memory.dmp	family_quasar
behavioral1/memory/2236-121-0x0000000000950000-0x0000000000C74000-memory.dmp	family_quasar
behavioral1/memory/1820-132-0x0000000000F40000-0x0000000001264000-memory.dmp	family_quasar
behavioral1/memory/2376-143-0x0000000001310000-0x0000000001634000-memory.dmp	family_quasar
behavioral1/memory/1356-175-0x0000000000FD0000-0x00000000012F4000-memory.dmp	family_quasar

Executes dropped EXE 16 IoCs

pid	Process
3056	Virus-Rat.exe
2540	Virus-Rat.exe
1680	Virus-Rat.exe
2196	Virus-Rat.exe
2868	Virus-Rat.exe
2220	Virus-Rat.exe
876	Virus-Rat.exe
2852	Virus-Rat.exe
2972	Virus-Rat.exe
2364	Virus-Rat.exe
2236	Virus-Rat.exe
1820	Virus-Rat.exe
2376	Virus-Rat.exe
708	Virus-Rat.exe
3024	Virus-Rat.exe
1356	Virus-Rat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 16 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1552	PING.EXE
2788	PING.EXE
1160	PING.EXE
2948	PING.EXE
2828	PING.EXE
1824	PING.EXE
2520	PING.EXE
1676	PING.EXE
2732	PING.EXE
324	PING.EXE
2400	PING.EXE
856	PING.EXE
2156	PING.EXE
1548	PING.EXE
2740	PING.EXE
2792	PING.EXE

Runs ping.exe 1 TTPs 16 IoCs

Remote System Discovery

T1018

pid	Process
2828	PING.EXE
1548	PING.EXE
2520	PING.EXE
2740	PING.EXE
1552	PING.EXE
2788	PING.EXE
1676	PING.EXE
2732	PING.EXE
324	PING.EXE
2156	PING.EXE
1160	PING.EXE
2792	PING.EXE
2948	PING.EXE
1824	PING.EXE
2400	PING.EXE
856	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2212	schtasks.exe
1908	schtasks.exe
2964	schtasks.exe
2112	schtasks.exe
1152	schtasks.exe
2584	schtasks.exe
1680	schtasks.exe
2016	schtasks.exe
1912	schtasks.exe
2288	schtasks.exe
2392	schtasks.exe
624	schtasks.exe
1048	schtasks.exe
2832	schtasks.exe
2516	schtasks.exe
2796	schtasks.exe
2604	schtasks.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	Client-built.exe
Token: SeDebugPrivilege	3056	Virus-Rat.exe
Token: SeDebugPrivilege	2540	Virus-Rat.exe
Token: SeDebugPrivilege	1680	Virus-Rat.exe
Token: SeDebugPrivilege	2196	Virus-Rat.exe
Token: SeDebugPrivilege	2868	Virus-Rat.exe
Token: SeDebugPrivilege	2220	Virus-Rat.exe
Token: SeDebugPrivilege	876	Virus-Rat.exe
Token: SeDebugPrivilege	2852	Virus-Rat.exe
Token: SeDebugPrivilege	2972	Virus-Rat.exe
Token: SeDebugPrivilege	2364	Virus-Rat.exe
Token: SeDebugPrivilege	2236	Virus-Rat.exe
Token: SeDebugPrivilege	1820	Virus-Rat.exe
Token: SeDebugPrivilege	2376	Virus-Rat.exe
Token: SeDebugPrivilege	708	Virus-Rat.exe
Token: SeDebugPrivilege	3024	Virus-Rat.exe
Token: SeDebugPrivilege	1356	Virus-Rat.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2516	1732	Client-built.exe	31
PID 1732 wrote to memory of 2516	1732	Client-built.exe	31
PID 1732 wrote to memory of 2516	1732	Client-built.exe	31
PID 1732 wrote to memory of 3056	1732	Client-built.exe	33
PID 1732 wrote to memory of 3056	1732	Client-built.exe	33
PID 1732 wrote to memory of 3056	1732	Client-built.exe	33
PID 3056 wrote to memory of 2796	3056	Virus-Rat.exe	34
PID 3056 wrote to memory of 2796	3056	Virus-Rat.exe	34
PID 3056 wrote to memory of 2796	3056	Virus-Rat.exe	34
PID 3056 wrote to memory of 2812	3056	Virus-Rat.exe	36
PID 3056 wrote to memory of 2812	3056	Virus-Rat.exe	36
PID 3056 wrote to memory of 2812	3056	Virus-Rat.exe	36
PID 2812 wrote to memory of 2632	2812	cmd.exe	38
PID 2812 wrote to memory of 2632	2812	cmd.exe	38
PID 2812 wrote to memory of 2632	2812	cmd.exe	38
PID 2812 wrote to memory of 2740	2812	cmd.exe	39
PID 2812 wrote to memory of 2740	2812	cmd.exe	39
PID 2812 wrote to memory of 2740	2812	cmd.exe	39
PID 2812 wrote to memory of 2540	2812	cmd.exe	40
PID 2812 wrote to memory of 2540	2812	cmd.exe	40
PID 2812 wrote to memory of 2540	2812	cmd.exe	40
PID 2540 wrote to memory of 2604	2540	Virus-Rat.exe	41
PID 2540 wrote to memory of 2604	2540	Virus-Rat.exe	41
PID 2540 wrote to memory of 2604	2540	Virus-Rat.exe	41
PID 2540 wrote to memory of 1008	2540	Virus-Rat.exe	43
PID 2540 wrote to memory of 1008	2540	Virus-Rat.exe	43
PID 2540 wrote to memory of 1008	2540	Virus-Rat.exe	43
PID 1008 wrote to memory of 916	1008	cmd.exe	45
PID 1008 wrote to memory of 916	1008	cmd.exe	45
PID 1008 wrote to memory of 916	1008	cmd.exe	45
PID 1008 wrote to memory of 2732	1008	cmd.exe	46
PID 1008 wrote to memory of 2732	1008	cmd.exe	46
PID 1008 wrote to memory of 2732	1008	cmd.exe	46
PID 1008 wrote to memory of 1680	1008	cmd.exe	47
PID 1008 wrote to memory of 1680	1008	cmd.exe	47
PID 1008 wrote to memory of 1680	1008	cmd.exe	47
PID 1680 wrote to memory of 2016	1680	Virus-Rat.exe	48
PID 1680 wrote to memory of 2016	1680	Virus-Rat.exe	48
PID 1680 wrote to memory of 2016	1680	Virus-Rat.exe	48
PID 1680 wrote to memory of 2760	1680	Virus-Rat.exe	50
PID 1680 wrote to memory of 2760	1680	Virus-Rat.exe	50
PID 1680 wrote to memory of 2760	1680	Virus-Rat.exe	50
PID 2760 wrote to memory of 2000	2760	cmd.exe	52
PID 2760 wrote to memory of 2000	2760	cmd.exe	52
PID 2760 wrote to memory of 2000	2760	cmd.exe	52
PID 2760 wrote to memory of 324	2760	cmd.exe	53
PID 2760 wrote to memory of 324	2760	cmd.exe	53
PID 2760 wrote to memory of 324	2760	cmd.exe	53
PID 2760 wrote to memory of 2196	2760	cmd.exe	54
PID 2760 wrote to memory of 2196	2760	cmd.exe	54
PID 2760 wrote to memory of 2196	2760	cmd.exe	54
PID 2196 wrote to memory of 2392	2196	Virus-Rat.exe	55
PID 2196 wrote to memory of 2392	2196	Virus-Rat.exe	55
PID 2196 wrote to memory of 2392	2196	Virus-Rat.exe	55
PID 2196 wrote to memory of 972	2196	Virus-Rat.exe	57
PID 2196 wrote to memory of 972	2196	Virus-Rat.exe	57
PID 2196 wrote to memory of 972	2196	Virus-Rat.exe	57
PID 972 wrote to memory of 2208	972	cmd.exe	59
PID 972 wrote to memory of 2208	972	cmd.exe	59
PID 972 wrote to memory of 2208	972	cmd.exe	59
PID 972 wrote to memory of 2156	972	cmd.exe	60
PID 972 wrote to memory of 2156	972	cmd.exe	60
PID 972 wrote to memory of 2156	972	cmd.exe	60
PID 972 wrote to memory of 2868	972	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2516
- C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
  "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2796
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\c3QmfcPWtopt.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2632
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2740
  - - C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
      "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2604
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ip7bMMFCad9r.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1008
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:916
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2732
      - C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2016
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VMPzfao25519.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2000
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:324
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2392
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HoBr0SFc9grD.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2208
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2156
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1048
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rpncGmhrgFLh.bat" "
        11⤵
        
        PID:1672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:684
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1160
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:624
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vKfpWE7h944L.bat" "
        13⤵
        
        PID:708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:296
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2948
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1152
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\J8haW9n8i2Gs.bat" "
        15⤵
        
        PID:2200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2128
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2828
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2832
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GkgamvN47wEI.bat" "
        17⤵
        
        PID:2780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1824
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2584
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ctnZMwGp0vRm.bat" "
        19⤵
        
        PID:2272
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1008
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1548
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1680
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rfTkh6PlGirG.bat" "
        21⤵
        
        PID:376
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2400
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2212
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\4Kxlwcr9Uk7k.bat" "
        23⤵
        
        PID:448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1808
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2520
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1912
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WqoBz9fMuL1c.bat" "
        25⤵
        
        PID:1148
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1552
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1908
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gAoznYpMOp6g.bat" "
        27⤵
        
        PID:912
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:856
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:708
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2964
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pEKAi9k9Ys0J.bat" "
        29⤵
        
        PID:2312
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1424
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2792
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2112
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\J6HRxW7ZtGSB.bat" "
        31⤵
        
        PID:2752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2788
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        33⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2288
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yJvZU4dFijGG.bat" "
        33⤵
        
        PID:344
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:2544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4Kxlwcr9Uk7k.bat

Filesize
215B

MD5
df7656a2518c9dd1fc951c4eabc3aa13

SHA1
b00b929877b0e01ec9cc94cd481ca9b1a7112515

SHA256
e9214d0ceead13aefcccf0210e2c48577aaba9cb89fa3244f97d3ae895a4a20a

SHA512
ca54097081174418f36ceb114a49a24d1bee345defad54518d1ecbf3d7833205a5f01f564c2a8be9ae43939e6b6e3acf61f4089b6776ab33189f1aabfbb8f8ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkgamvN47wEI.bat

Filesize
215B

MD5
e01a8ecdae778c096c23d0a317c98123

SHA1
c4a74725b76aeb3789a05d32d518c54fcf35bbc7

SHA256
052d6b73196c814daa8102aebb548cfd4139de2968ee4252a30e296deb9055b9

SHA512
1991cb1c18f39a8121698798c14bdc8747207d2bea443331844007620e3a759d9f7996cd9d7a9c7f6335a863ea1f09b85a5de0e7b1b12f1c44437bd76ab5e989

Download Submit
C:\Users\Admin\AppData\Local\Temp\HoBr0SFc9grD.bat

Filesize
215B

MD5
250d5e81cb3c27a024d54bb9d55cf804

SHA1
8bd66b2d91c82db127c61b583be57af288a1fa04

SHA256
b72e6276437cfbc0f9b8d5f21a5991457c8bea4f264900e73364ae7b41695fff

SHA512
6bd45165469d93a93a11c5cff69aa8deae10876c962da6f330c08f3b2c4de83d76c549bca3c7b96284e74a8a51789ac9694c2ff7680f75ae1034129caa5181d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\J6HRxW7ZtGSB.bat

Filesize
215B

MD5
c525d86511d9654ad1722282314ca6c1

SHA1
cdc5fdced85501b61e4a8533534b08d973861cd9

SHA256
cd7995fff1eaeabbafc5f552736eb454db487a7185c5737d77f302ab9295b685

SHA512
c16a033fa65604bf7e8d3ab507d3a3d8cd407e42bf80d0e5023604fcd39cf27ef958b476d45ded895248add954d07d133cbfbaaff8fd64caefd4137f26d38f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\J8haW9n8i2Gs.bat

Filesize
215B

MD5
324da4f41036fb36b8c1c5d482656dee

SHA1
5a7b1e986b68890e26df90ef732d13f88a119314

SHA256
72631d5c8af8ab6f1001dc8d822558edf9c4f6333a81e583e0d2f024aad292f9

SHA512
bf78e86d68f57dd06afda542822b0d8a2419f0d8c762d1a1d6b4e9c0bc2d9eb522e0e1b4ece54b3592cf72e273521b5efc4e8ac7a318bbb806265272aafca014

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMPzfao25519.bat

Filesize
215B

MD5
1374199705d49b3dfb307f46fcc93a19

SHA1
242ca38144f99333933f51574662b2cf8194e591

SHA256
37b7bd6bfd3894783f51fd2d8a537a198b72e306fd3328011a0daafc2c99f049

SHA512
2c876e13d3200a106b0a98c8ff292d8dbfb97322fbe19ee8519f34f730ac788e0a792a95de922a9a52a8b91ec7d2b1acfea3ef0aee013cc2b67a215f39c6f481

Download Submit
C:\Users\Admin\AppData\Local\Temp\WqoBz9fMuL1c.bat

Filesize
215B

MD5
bbaab5a2c6112ed043d15b9ace01f6f3

SHA1
02ef7b86ca29b4d72a36cb38fbedbc0a50ddd420

SHA256
cd187a94e0b8886a28df0b9f4ecea3a8209b456819e10a30e00bbdb022d5aefa

SHA512
e7fb5b84549fdc52b024249e068d0bd88f87c4f100eaeed1533405430d00199120f84eb259907bcbe4dd2cd2ca3d15261b7f34178cd8813d7d2b969fabe57092

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3QmfcPWtopt.bat

Filesize
215B

MD5
8782838106afae8cd501baf79e611d1d

SHA1
b20d3b97ec7afc57308bba2263b203ea031fce86

SHA256
e555e7e40192ae7fee7abc7b661050c7fa82f3705f20e33bf8d58b2384715a4e

SHA512
2d1f7a081a1148dd109fde9b59b75b32824a16387865c36926663481c9833e58928c43d4ebfc5d1aad6864a99b163159251f27c8290a3b869c315ad89c6c2b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctnZMwGp0vRm.bat

Filesize
215B

MD5
f259a69e6d49b02b50f8a0bae80f2a6c

SHA1
6defab05df4c9a1bd9cd5d320597a250d4f6835f

SHA256
3c2e76ef679176c55eb6ed94ab769e955c14d11bbdd8a6e01a96fd41437f9165

SHA512
ec71b04cbd443a7ed7ae71e9e790d84888e1544005388cf1782b87a222bdc4d271e5e99a6aefe1f2dca5d833522c01ee951a46928b8db247f894d50bd382aded

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAoznYpMOp6g.bat

Filesize
215B

MD5
030f33aac1c21f6f1e56021a9abf9a6b

SHA1
7e69c4ebfdd45b230c68689d1a91862ba08c1f4f

SHA256
ae534ed246a152362176615f719e8d38ff18e71999b64365565f5273124a2d03

SHA512
560af88a235d5b7fef35d42868d071e5fcd69e0bb999aa93a2a1df4f8a859f1daed9afc9c7de06a09bf8f444cb0082a89459f59a3b2fc62154aaab8beccb1cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ip7bMMFCad9r.bat

Filesize
215B

MD5
9359ba92d74cadcf5b2d2469d93c170c

SHA1
db9a26c09db40f566ae23d8182e48c790d8a6c7c

SHA256
6c7305bd99240b9af42d3ae7f31973caaad67d3015995eaee645a05e818aaec2

SHA512
5cd4c7cee9b1c697789bab4d74f4f5ab7b27d1d11d33100065d0d4762d3a0e6ab7f588657223519897fa7546bb355d3347f84a35d90200c250febd1173cb2c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\pEKAi9k9Ys0J.bat

Filesize
215B

MD5
afb2b1d00f05e1395e939311fd14928e

SHA1
a1b60542c64266a6bba47e0ccc7e4114cabc21fd

SHA256
bbdab4291f9a01a10e2b2fe7059c2f62778bb31e5513425241c6c6a387744a5c

SHA512
3b02c0918972789de9a148b781257dc8c5b0c37153b62c94d952100f87e5fbb8e2301c264d54c5dead12a2f01538755a1b0c44c889d9230f4cd72040d0fcf2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfTkh6PlGirG.bat

Filesize
215B

MD5
66c8beca75ebdf523ddfaeb03907b275

SHA1
4cf5818db0b4e11df959bf896e0bf8d0266c6bbf

SHA256
5cedc7be2bc766500437ccaf5491bc775a139fbdcc077b804f084b9357b070a0

SHA512
5ac381066337d1b80c0ee3997003a2781db4416f459dc72e7b0cef90469c70eccaa5c26a09c422eb323030badcd30859a483fc67b86b76aa9406780e369bc0b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\rpncGmhrgFLh.bat

Filesize
215B

MD5
e2b3315e96ecc881838375e56f8f2a2e

SHA1
6a84279a804cdd906e6ce8bb983837c81b043a3b

SHA256
56e8c7c4084b495683c07ee897d572714c87433614f61d052b7973f6a71a34e0

SHA512
5bd29fbb9751f87c99a185fd643615afafe4c94198f9955d9b27e0240f1c62cc72d4d9332c82b5207c532dc9b1b9760ed61ff5b33687c51cf37ed359c3036a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\vKfpWE7h944L.bat

Filesize
215B

MD5
7eb7119f8f97f99022841262d538e714

SHA1
6b34c57b4c68564fbf731b8c3fc6468eb563d7a0

SHA256
0bca83fe3e816278f921c78e4e4bc6398a7204cfdce413ef172a870438cc452f

SHA512
fd11b6e4af94b908f3b34f3ba01802e4809c72933d8b85d30d8264bc89b630374c5a962be8dcd7ba83fbe46807814de26b1ae16c4349e379178c7e925ab3383e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yJvZU4dFijGG.bat

Filesize
215B

MD5
b3c6816a872e17b94f9984e99f19627f

SHA1
ffc80e17d24f3235a803a12c40d15f2a73508341

SHA256
fbac69cbb4ea6aecba0261194753831b7c2c3675867c19ad00631a957a4c31ff

SHA512
81a9b23c8ebf5949575e2bf2734f60e3f3e22f46ea4728a4cac8da7e8f9fff3dfd6fb5945e1b3031959491dffb54de2a9831fe447409a01b8219f9feb4b0f815

Download Submit
C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe

Filesize
3.1MB

MD5
79069701295f944d67c5f2e0213b3b9c

SHA1
589e8b6227ec6ef923f7eb8e4dc96797593f9535

SHA256
ff62c26c8faf00f841ddeae1e095b8a65a9cb4e0d2a01879aaa8d767c4550cf8

SHA512
472570fbf5ee21c05d9e40aaef32686b5f3f63eba93c7f3efdc23493e74017cea8b2a91a1ac7d8cdbc67fedb18f4dcae20c08fa3b6486807fa38d03dd2114f67

Download Submit
memory/876-77-0x0000000000E70000-0x0000000001194000-memory.dmp

Filesize
3.1MB

Download
memory/1356-175-0x0000000000FD0000-0x00000000012F4000-memory.dmp

Filesize
3.1MB

Download
memory/1680-33-0x0000000001390000-0x00000000016B4000-memory.dmp

Filesize
3.1MB

Download
memory/1732-0-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

Filesize
4KB

Download
memory/1732-7-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1732-2-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1732-1-0x0000000001050000-0x0000000001374000-memory.dmp

Filesize
3.1MB

Download
memory/1820-132-0x0000000000F40000-0x0000000001264000-memory.dmp

Filesize
3.1MB

Download
memory/2196-44-0x0000000000200000-0x0000000000524000-memory.dmp

Filesize
3.1MB

Download
memory/2220-66-0x0000000000C30000-0x0000000000F54000-memory.dmp

Filesize
3.1MB

Download
memory/2236-121-0x0000000000950000-0x0000000000C74000-memory.dmp

Filesize
3.1MB

Download
memory/2364-110-0x0000000000280000-0x00000000005A4000-memory.dmp

Filesize
3.1MB

Download
memory/2376-143-0x0000000001310000-0x0000000001634000-memory.dmp

Filesize
3.1MB

Download
memory/2540-22-0x0000000000A10000-0x0000000000D34000-memory.dmp

Filesize
3.1MB

Download
memory/2868-55-0x0000000000170000-0x0000000000494000-memory.dmp

Filesize
3.1MB

Download
memory/2972-99-0x0000000001370000-0x0000000001694000-memory.dmp

Filesize
3.1MB

Download
memory/3056-19-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/3056-8-0x0000000000970000-0x0000000000C94000-memory.dmp

Filesize
3.1MB

Download
memory/3056-9-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/3056-10-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads