quasar | ff62c26c8faf00f841ddeae1e095b8a65a9cb4e0d2a01879aaa8d767c4550cf8

Analysis

max time kernel
145s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2025 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

79069701295f944d67c5f2e0213b3b9c
SHA1

589e8b6227ec6ef923f7eb8e4dc96797593f9535
SHA256

ff62c26c8faf00f841ddeae1e095b8a65a9cb4e0d2a01879aaa8d767c4550cf8
SHA512

472570fbf5ee21c05d9e40aaef32686b5f3f63eba93c7f3efdc23493e74017cea8b2a91a1ac7d8cdbc67fedb18f4dcae20c08fa3b6486807fa38d03dd2114f67
SSDEEP

49152:mvjI22SsaNYfdPBldt698dBcjHtqRJ6sbR3LoGdnTHHB72eh2NT:mvc22SsaNYfdPBldt6+dBcjHtqRJ62

Score

10^/10

quasar test-rat discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

test-rat

46.125.249.50:4782:4782

Mutex

e2bb43be-2392-4c93-9a3c-dcea173d5afd

Attributes

encryption_key
AE2F816185F134AF4E7D747D3E55802DE0F16A45
install_name
Virus-Rat.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender Update
subdirectory
Rat-Test-cx

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/3284-1-0x0000000000520000-0x0000000000844000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023c82-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe

Executes dropped EXE 15 IoCs

pid	Process
3864	Virus-Rat.exe
2504	Virus-Rat.exe
1012	Virus-Rat.exe
1016	Virus-Rat.exe
3832	Virus-Rat.exe
3784	Virus-Rat.exe
1556	Virus-Rat.exe
364	Virus-Rat.exe
3768	Virus-Rat.exe
3832	Virus-Rat.exe
4452	Virus-Rat.exe
3388	Virus-Rat.exe
436	Virus-Rat.exe
4492	Virus-Rat.exe
1368	Virus-Rat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4268	PING.EXE
4988	PING.EXE
1228	PING.EXE
2136	PING.EXE
2820	PING.EXE
4332	PING.EXE
2456	PING.EXE
2856	PING.EXE
2012	PING.EXE
5084	PING.EXE
2040	PING.EXE
3796	PING.EXE
2056	PING.EXE
1372	PING.EXE
3284	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
5084	PING.EXE
2856	PING.EXE
2136	PING.EXE
2820	PING.EXE
4332	PING.EXE
1228	PING.EXE
2012	PING.EXE
4988	PING.EXE
2056	PING.EXE
1372	PING.EXE
3284	PING.EXE
4268	PING.EXE
2040	PING.EXE
2456	PING.EXE
3796	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2140	schtasks.exe
4568	schtasks.exe
4372	schtasks.exe
3084	schtasks.exe
4712	schtasks.exe
896	schtasks.exe
3668	schtasks.exe
4076	schtasks.exe
4988	schtasks.exe
1564	schtasks.exe
1652	schtasks.exe
1204	schtasks.exe
1592	schtasks.exe
3732	schtasks.exe
4176	schtasks.exe
1768	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3284	Client-built.exe
Token: SeDebugPrivilege	3864	Virus-Rat.exe
Token: SeDebugPrivilege	2504	Virus-Rat.exe
Token: SeDebugPrivilege	1012	Virus-Rat.exe
Token: SeDebugPrivilege	1016	Virus-Rat.exe
Token: SeDebugPrivilege	3832	Virus-Rat.exe
Token: SeDebugPrivilege	3784	Virus-Rat.exe
Token: SeDebugPrivilege	1556	Virus-Rat.exe
Token: SeDebugPrivilege	364	Virus-Rat.exe
Token: SeDebugPrivilege	3768	Virus-Rat.exe
Token: SeDebugPrivilege	3832	Virus-Rat.exe
Token: SeDebugPrivilege	4452	Virus-Rat.exe
Token: SeDebugPrivilege	3388	Virus-Rat.exe
Token: SeDebugPrivilege	436	Virus-Rat.exe
Token: SeDebugPrivilege	4492	Virus-Rat.exe
Token: SeDebugPrivilege	1368	Virus-Rat.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3284 wrote to memory of 4712	3284	Client-built.exe	83
PID 3284 wrote to memory of 4712	3284	Client-built.exe	83
PID 3284 wrote to memory of 3864	3284	Client-built.exe	85
PID 3284 wrote to memory of 3864	3284	Client-built.exe	85
PID 3864 wrote to memory of 3732	3864	Virus-Rat.exe	86
PID 3864 wrote to memory of 3732	3864	Virus-Rat.exe	86
PID 3864 wrote to memory of 4520	3864	Virus-Rat.exe	88
PID 3864 wrote to memory of 4520	3864	Virus-Rat.exe	88
PID 4520 wrote to memory of 3592	4520	cmd.exe	90
PID 4520 wrote to memory of 3592	4520	cmd.exe	90
PID 4520 wrote to memory of 2820	4520	cmd.exe	91
PID 4520 wrote to memory of 2820	4520	cmd.exe	91
PID 4520 wrote to memory of 2504	4520	cmd.exe	93
PID 4520 wrote to memory of 2504	4520	cmd.exe	93
PID 2504 wrote to memory of 896	2504	Virus-Rat.exe	94
PID 2504 wrote to memory of 896	2504	Virus-Rat.exe	94
PID 2504 wrote to memory of 1752	2504	Virus-Rat.exe	96
PID 2504 wrote to memory of 1752	2504	Virus-Rat.exe	96
PID 1752 wrote to memory of 4176	1752	cmd.exe	99
PID 1752 wrote to memory of 4176	1752	cmd.exe	99
PID 1752 wrote to memory of 4268	1752	cmd.exe	100
PID 1752 wrote to memory of 4268	1752	cmd.exe	100
PID 1752 wrote to memory of 1012	1752	cmd.exe	102
PID 1752 wrote to memory of 1012	1752	cmd.exe	102
PID 1012 wrote to memory of 3668	1012	Virus-Rat.exe	103
PID 1012 wrote to memory of 3668	1012	Virus-Rat.exe	103
PID 1012 wrote to memory of 4508	1012	Virus-Rat.exe	105
PID 1012 wrote to memory of 4508	1012	Virus-Rat.exe	105
PID 4508 wrote to memory of 1180	4508	cmd.exe	108
PID 4508 wrote to memory of 1180	4508	cmd.exe	108
PID 4508 wrote to memory of 4332	4508	cmd.exe	109
PID 4508 wrote to memory of 4332	4508	cmd.exe	109
PID 4508 wrote to memory of 1016	4508	cmd.exe	114
PID 4508 wrote to memory of 1016	4508	cmd.exe	114
PID 1016 wrote to memory of 1564	1016	Virus-Rat.exe	115
PID 1016 wrote to memory of 1564	1016	Virus-Rat.exe	115
PID 1016 wrote to memory of 4056	1016	Virus-Rat.exe	117
PID 1016 wrote to memory of 4056	1016	Virus-Rat.exe	117
PID 4056 wrote to memory of 3492	4056	cmd.exe	120
PID 4056 wrote to memory of 3492	4056	cmd.exe	120
PID 4056 wrote to memory of 5084	4056	cmd.exe	121
PID 4056 wrote to memory of 5084	4056	cmd.exe	121
PID 4056 wrote to memory of 3832	4056	cmd.exe	130
PID 4056 wrote to memory of 3832	4056	cmd.exe	130
PID 3832 wrote to memory of 2140	3832	Virus-Rat.exe	131
PID 3832 wrote to memory of 2140	3832	Virus-Rat.exe	131
PID 3832 wrote to memory of 1472	3832	Virus-Rat.exe	134
PID 3832 wrote to memory of 1472	3832	Virus-Rat.exe	134
PID 1472 wrote to memory of 3716	1472	cmd.exe	138
PID 1472 wrote to memory of 3716	1472	cmd.exe	138
PID 1472 wrote to memory of 2040	1472	cmd.exe	139
PID 1472 wrote to memory of 2040	1472	cmd.exe	139
PID 1472 wrote to memory of 3784	1472	cmd.exe	140
PID 1472 wrote to memory of 3784	1472	cmd.exe	140
PID 3784 wrote to memory of 1652	3784	Virus-Rat.exe	141
PID 3784 wrote to memory of 1652	3784	Virus-Rat.exe	141
PID 3784 wrote to memory of 440	3784	Virus-Rat.exe	144
PID 3784 wrote to memory of 440	3784	Virus-Rat.exe	144
PID 440 wrote to memory of 3720	440	cmd.exe	146
PID 440 wrote to memory of 3720	440	cmd.exe	146
PID 440 wrote to memory of 2456	440	cmd.exe	147
PID 440 wrote to memory of 2456	440	cmd.exe	147
PID 440 wrote to memory of 1556	440	cmd.exe	150
PID 440 wrote to memory of 1556	440	cmd.exe	150

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3284
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4712
- C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
  "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3864
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CCrL9BUGO12j.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3592
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2820
  - - C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
      "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:896
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\85exvaE3gooj.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1752
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4176
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4268
      - C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nI2JArH8z7pX.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1180
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4332
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EHVQ3nYm7dOD.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3492
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5084
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6gokqIAc1k11.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3716
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2040
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xsseP59iZwBl.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3720
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2456
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\S2lX9Ghr73J9.bat" "
        15⤵
        
        PID:2188
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:516
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4988
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:364
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fjD0p9nGga5L.bat" "
        17⤵
        
        PID:1548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4200
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3796
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3768
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mnbbdNvYb0Bc.bat" "
        19⤵
        
        PID:1972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4000
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2056
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3832
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G2ba8Bk28Y5G.bat" "
        21⤵
        
        PID:3288
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:896
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1372
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4452
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b3Us7lIui0Wh.bat" "
        23⤵
        
        PID:4120
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1228
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3388
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xzcJ6zraqKWD.bat" "
        25⤵
        
        PID:3472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4088
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2856
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:436
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\25WWCJa0rWBB.bat" "
        27⤵
        
        PID:1124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4732
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2012
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4492
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zoqaXMHr6fBN.bat" "
        29⤵
        
        PID:4940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2708
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3284
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vScjvzH8NosU.bat" "
        31⤵
        
        PID:896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4748
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Virus-Rat.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\25WWCJa0rWBB.bat

Filesize
215B

MD5
10ccb41c25aa1585ae789c4494040c19

SHA1
97df8a2639182a909af567de9f492724ae96019d

SHA256
9548b877022e228e8ead46a83a3edcd3f56fd4ad390411a3eee730960cfcac59

SHA512
1391886b04baac119cb26be8255c0f99f62f12e2941c28df718ddc6ead80434e17636e806f6ae39183fb4dd7a700201cbe5877ccb1202a0ae62143b8a04b5c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\6gokqIAc1k11.bat

Filesize
215B

MD5
b459a724a127cbf2c3e2e36c1137ab42

SHA1
58a9ac27768d796681cdf54cc82aefa74b92e42a

SHA256
9ba998cd1fadb882f9e90e1d0a855e842b3b43636f61869c3a54c31f9f59ce30

SHA512
7a4daa99096a10f24768410ec9f51c1b2920bf7a9ea3371b3e8f6ebd5097c6fd61b3e22813fa12bdc283e17e2f35e6ced3195bbd8b8e727b39ef3a6090d7de8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\85exvaE3gooj.bat

Filesize
215B

MD5
f874fa958e5bafdb7490850304607469

SHA1
257230243b41c75311fd66c7afb81b94040dddc4

SHA256
9dfc98245ac6d9bd1a9124065c2af44a9f9fbe5a166120c6bd91c11b27e8d2f9

SHA512
eac31a360128ed2c93cc0a5c6d4341bdf132d82ec5f680cb5d3e6cf3ed1d7ac00e0255cb5503ccbbd960e16f23b2dcdc9b9a8830ed5c81d8a1baf2412498c8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCrL9BUGO12j.bat

Filesize
215B

MD5
0da9afddd6a3cc76a1500dc85cf8bf13

SHA1
cc658fddb38e411227d78d02af12bb9544dd6c35

SHA256
68f5072f8a31fd7daee8fb98e0ae5e1d2385b166d792019f1615d01c2c0c9127

SHA512
997c62ffd11e44a3fc1d6421d978137f0d812d0c9f3c2c8c7ba90a521ece606fb53a1029edd929203eca65cc45fb6e17ad512d5f44bea77d323f29b311271ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EHVQ3nYm7dOD.bat

Filesize
215B

MD5
e8d586d665fae4ef7d7804af51e208f4

SHA1
63e02228ba3c911568c479a84a88ef7a8b2d7b6d

SHA256
292e3b4f244ef82629677c785c8690274a13f78e31efdf1f7923f156013a4f89

SHA512
7a53577f0a89c21869bb2b6ec23f60235dc91cfcc8b1e20e847775911640dcbc1f999f4e3f4aa0c22ad1f4347c8eebe3245cbd0a023108a09a651a82f968f634

Download Submit
C:\Users\Admin\AppData\Local\Temp\G2ba8Bk28Y5G.bat

Filesize
215B

MD5
f8838859b0eff1528352bc87abd67f1e

SHA1
d623cf6046873ee22ae001b4bd659bfae5e2cdfa

SHA256
4b0e6fb8345b7f7b3258aaad4cf31535d48843afc3fe441dd7f51688cd323017

SHA512
a217d551de2e847e37d10cb80c2c07088e86893507d3233796d16fed4c10619ab949363b0872ad031345170358ca99b95bbdc028fb25bbf5e1b57d640602c558

Download Submit
C:\Users\Admin\AppData\Local\Temp\S2lX9Ghr73J9.bat

Filesize
215B

MD5
a47808f5daeab92a05d2ef0ef18e1b04

SHA1
1ece3764b20136a451eaa3478f73faa881bc4d73

SHA256
e21094eee8763bbeead07c40418a891d2a93cffbeb3564ac418e351872732e34

SHA512
6d9974167ecd7766e747444f42e8769f741fa7ba6ebccd0610f2e64d76cb521397919129097da9c66d41810d943c3cc35e76f1ee4f0f268b583b280f81b60458

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3Us7lIui0Wh.bat

Filesize
215B

MD5
473bdd352a1b58213af15891b9049627

SHA1
890a7fb1cd015be15de04fd82892973af1ed0711

SHA256
467858068b3496e646408534d2e5bf20c85e167ebebcc4f40acdfcd671d63a01

SHA512
be8edb16ca56ea3fc52b5e4e5c46a54b4c459b6cd6917f4d89c272a3f6dcea1ebec0e2f8dd50927b6aa7e2f1b7509da370766317d6f7ac3a3e0c5ac4953ef1d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjD0p9nGga5L.bat

Filesize
215B

MD5
1966ca68c3796285d1daac1af0e12ca0

SHA1
4e90f9226f687ac27fecba50254c8999bf0be734

SHA256
ba7c44781e7377d1a159c57a2a6d70c6794b0c3a64671850527b78813148bcd1

SHA512
b4dc33a041a13a844debdbb5b73c96ea22b543272888495d50f5de4e2e3c8880a70814217ff0bb92eaf405f2038dc1292807b0387181d1767a979e6b710a09e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mnbbdNvYb0Bc.bat

Filesize
215B

MD5
b840b884cf3ca611116a8dde4c319ee3

SHA1
2f1d186fdca33231a6e5ac22f96272fa7cabe9eb

SHA256
4f0bdb5eba148b45ce4b4e5b9db0220e80b6efca7eb7f3766161dfa66b506b09

SHA512
1507a4243ff5293d935b14b862d73c8410a1f8133575eecc27938ad47a4fbe4c95f5560e98eaac3ee48d83de35cbc04114f5a8a10f198518b5839061ac0db56d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nI2JArH8z7pX.bat

Filesize
215B

MD5
292a1a58aa568dfc6cbca95a2286feb4

SHA1
2a9c54ab4c5069078d5c470626873e7151dde9f3

SHA256
b7703d5ff51fbcdb563108a334d544f0f27fbf54ed1ac837cefba5aef0351c0b

SHA512
ee67a9c12afc6a8805a99df0e9ba7d8c0adb65a6e0785d1888180faa29ec1272ea8703e0a444d630334394c16a43360e4526a62898b5eef265ef15ea56d75430

Download Submit
C:\Users\Admin\AppData\Local\Temp\vScjvzH8NosU.bat

Filesize
215B

MD5
0eecedcb0c2f7f4e37b1bcd812074ba0

SHA1
a1014b13b491119854f1db4a2772bc7b84b9e9a6

SHA256
0dfb70fc17e69966398d9c10185064131148f7810199a5a0d323c88ded371cfa

SHA512
6a6e920bb1bd2eb17f6cd9f818fe587ea9ee16d1f4d3716b37ae3c80b5b74d8e6fc503e4ce2352a01ea12396418f8b6832944f546494f6667cf8e2e43db1cf39

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsseP59iZwBl.bat

Filesize
215B

MD5
4bed50407a08ba97e247574fc2c6a88d

SHA1
8e8a9adc174c4d80e996795fab9e982f7e3eae22

SHA256
4774ce946ccf554aadeadfd69c405cc22542e9fca97a9c503b80fdcb34a94816

SHA512
7600f4e26024ccc866ddb22261d8ea9763107af44142ccd14693f8cbb4ebc9fc16520ec879b793de4ccd228ac188fede7150e69fcf26f24bd0a1b56061ff9bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzcJ6zraqKWD.bat

Filesize
215B

MD5
fd0df1e4cfefc2f8aed9d8e98d85e538

SHA1
5cd89618cf328644a1e3db565827d2d3f2043277

SHA256
14895b8f170176c480e1267d44b099f9c40f8da24b78d3f68bb4ab3d01062e5d

SHA512
4fdbfeffd6825ee56650141cd6c599843226a1455d0a5adb82f18cba1af5590642c1f4bad4e949f2ffb0fb0a80a651690d5538b698c274d9805c5cb2de4db308

Download Submit
C:\Users\Admin\AppData\Local\Temp\zoqaXMHr6fBN.bat

Filesize
215B

MD5
a3d001b2bddda8a1bf78e5751b2f9e4e

SHA1
239204ee804953401f9d3545d14564b740be847a

SHA256
e8ce67f5ad806a86dc775fd0e53cbbc99bddacef20b30339298c3686e808c150

SHA512
5adf6dc26232397f4ea0b48da0f67d8b75cb1ff09fc0745fc89533f419f453ec69b2f5f0ab9eea83a48c0bcc9d929c8f83cf6adc18f6e5da48f90136ed842595

Download Submit
C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe

Filesize
3.1MB

MD5
79069701295f944d67c5f2e0213b3b9c

SHA1
589e8b6227ec6ef923f7eb8e4dc96797593f9535

SHA256
ff62c26c8faf00f841ddeae1e095b8a65a9cb4e0d2a01879aaa8d767c4550cf8

SHA512
472570fbf5ee21c05d9e40aaef32686b5f3f63eba93c7f3efdc23493e74017cea8b2a91a1ac7d8cdbc67fedb18f4dcae20c08fa3b6486807fa38d03dd2114f67

Download Submit
memory/3284-0-0x00007FFF45A13000-0x00007FFF45A15000-memory.dmp

Filesize
8KB

Download
memory/3284-9-0x00007FFF45A10000-0x00007FFF464D1000-memory.dmp

Filesize
10.8MB

Download
memory/3284-2-0x00007FFF45A10000-0x00007FFF464D1000-memory.dmp

Filesize
10.8MB

Download
memory/3284-1-0x0000000000520000-0x0000000000844000-memory.dmp

Filesize
3.1MB

Download
memory/3864-18-0x00007FFF45A10000-0x00007FFF464D1000-memory.dmp

Filesize
10.8MB

Download
memory/3864-8-0x00007FFF45A10000-0x00007FFF464D1000-memory.dmp

Filesize
10.8MB

Download
memory/3864-10-0x00007FFF45A10000-0x00007FFF464D1000-memory.dmp

Filesize
10.8MB

Download
memory/3864-11-0x00000000025E0000-0x0000000002630000-memory.dmp

Filesize
320KB

Download
memory/3864-12-0x000000001BAE0000-0x000000001BB92000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads