quasar | 2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/01/2025, 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.exe
Size

3.1MB
MD5

aad11067aa90b9d96958aae378c45747
SHA1

13dc757a06a092ab0ef34482c307604a67fd74b9
SHA256

2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b
SHA512

8a2fc9cfc72b7f9fb0ff54292022d738013813f222ebe3d7e54f1d916a6307d7652a5f4276d38550e6c515e637358b039a3f784e70a187e2d754b60eaff26813
SSDEEP

49152:gvXhBYjCOuDt2d5aKCuVPzlEmVQL0wvwkaE8sV4mzFEoGdCTHHB72eh2NT:gvdt2d5aKCuVPzlEmVQ0wvwfJsVo

Score

10^/10

quasar vm-ku discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

VM-KU

adidya354-21806.portmap.host:21806

Mutex

cf7c4d30-a326-47cc-a5f0-5a19aa014204

Attributes

encryption_key
E50BC33BC56B70B1A2963DE6EA1855A0E0D0FBCE
install_name
Windows Shell Interactive.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Shell Interactive

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/3484-1-0x00000000001C0000-0x00000000004E4000-memory.dmp	family_quasar
behavioral2/files/0x000b000000023b8a-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe

Executes dropped EXE 15 IoCs

pid	Process
2472	Windows Shell Interactive.exe
1952	Windows Shell Interactive.exe
4484	Windows Shell Interactive.exe
4392	Windows Shell Interactive.exe
2128	Windows Shell Interactive.exe
4016	Windows Shell Interactive.exe
608	Windows Shell Interactive.exe
3020	Windows Shell Interactive.exe
3572	Windows Shell Interactive.exe
2804	Windows Shell Interactive.exe
1048	Windows Shell Interactive.exe
2528	Windows Shell Interactive.exe
2592	Windows Shell Interactive.exe
1380	Windows Shell Interactive.exe
4056	Windows Shell Interactive.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File created	C:\Windows\system32\Windows Shell Interactive.exe	Client.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Client.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3880	PING.EXE
3180	PING.EXE
4420	PING.EXE
4476	PING.EXE
3504	PING.EXE
2684	PING.EXE
5096	PING.EXE
996	PING.EXE
3136	PING.EXE
1252	PING.EXE
5104	PING.EXE
4760	PING.EXE
4460	PING.EXE
4880	PING.EXE
3868	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
3880	PING.EXE
2684	PING.EXE
4476	PING.EXE
996	PING.EXE
1252	PING.EXE
5104	PING.EXE
3136	PING.EXE
4760	PING.EXE
5096	PING.EXE
3180	PING.EXE
3504	PING.EXE
4420	PING.EXE
4880	PING.EXE
4460	PING.EXE
3868	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4084	schtasks.exe
2616	schtasks.exe
2684	schtasks.exe
2184	schtasks.exe
4860	schtasks.exe
4004	schtasks.exe
2116	schtasks.exe
1080	schtasks.exe
3460	schtasks.exe
1164	schtasks.exe
3588	schtasks.exe
4480	schtasks.exe
736	schtasks.exe
4328	schtasks.exe
1708	schtasks.exe
2544	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3484	Client.exe
Token: SeDebugPrivilege	2472	Windows Shell Interactive.exe
Token: SeDebugPrivilege	1952	Windows Shell Interactive.exe
Token: SeDebugPrivilege	4484	Windows Shell Interactive.exe
Token: SeDebugPrivilege	4392	Windows Shell Interactive.exe
Token: SeDebugPrivilege	2128	Windows Shell Interactive.exe
Token: SeDebugPrivilege	4016	Windows Shell Interactive.exe
Token: SeDebugPrivilege	608	Windows Shell Interactive.exe
Token: SeDebugPrivilege	3020	Windows Shell Interactive.exe
Token: SeDebugPrivilege	3572	Windows Shell Interactive.exe
Token: SeDebugPrivilege	2804	Windows Shell Interactive.exe
Token: SeDebugPrivilege	1048	Windows Shell Interactive.exe
Token: SeDebugPrivilege	2528	Windows Shell Interactive.exe
Token: SeDebugPrivilege	2592	Windows Shell Interactive.exe
Token: SeDebugPrivilege	1380	Windows Shell Interactive.exe
Token: SeDebugPrivilege	4056	Windows Shell Interactive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 4480	3484	Client.exe	82
PID 3484 wrote to memory of 4480	3484	Client.exe	82
PID 3484 wrote to memory of 2472	3484	Client.exe	84
PID 3484 wrote to memory of 2472	3484	Client.exe	84
PID 2472 wrote to memory of 736	2472	Windows Shell Interactive.exe	85
PID 2472 wrote to memory of 736	2472	Windows Shell Interactive.exe	85
PID 2472 wrote to memory of 5116	2472	Windows Shell Interactive.exe	87
PID 2472 wrote to memory of 5116	2472	Windows Shell Interactive.exe	87
PID 5116 wrote to memory of 3036	5116	cmd.exe	89
PID 5116 wrote to memory of 3036	5116	cmd.exe	89
PID 5116 wrote to memory of 2684	5116	cmd.exe	90
PID 5116 wrote to memory of 2684	5116	cmd.exe	90
PID 5116 wrote to memory of 1952	5116	cmd.exe	95
PID 5116 wrote to memory of 1952	5116	cmd.exe	95
PID 1952 wrote to memory of 1080	1952	Windows Shell Interactive.exe	97
PID 1952 wrote to memory of 1080	1952	Windows Shell Interactive.exe	97
PID 1952 wrote to memory of 1056	1952	Windows Shell Interactive.exe	99
PID 1952 wrote to memory of 1056	1952	Windows Shell Interactive.exe	99
PID 1056 wrote to memory of 832	1056	cmd.exe	101
PID 1056 wrote to memory of 832	1056	cmd.exe	101
PID 1056 wrote to memory of 5096	1056	cmd.exe	102
PID 1056 wrote to memory of 5096	1056	cmd.exe	102
PID 1056 wrote to memory of 4484	1056	cmd.exe	105
PID 1056 wrote to memory of 4484	1056	cmd.exe	105
PID 4484 wrote to memory of 4084	4484	Windows Shell Interactive.exe	106
PID 4484 wrote to memory of 4084	4484	Windows Shell Interactive.exe	106
PID 4484 wrote to memory of 2244	4484	Windows Shell Interactive.exe	108
PID 4484 wrote to memory of 2244	4484	Windows Shell Interactive.exe	108
PID 2244 wrote to memory of 4820	2244	cmd.exe	110
PID 2244 wrote to memory of 4820	2244	cmd.exe	110
PID 2244 wrote to memory of 3180	2244	cmd.exe	111
PID 2244 wrote to memory of 3180	2244	cmd.exe	111
PID 2244 wrote to memory of 4392	2244	cmd.exe	114
PID 2244 wrote to memory of 4392	2244	cmd.exe	114
PID 4392 wrote to memory of 4860	4392	Windows Shell Interactive.exe	115
PID 4392 wrote to memory of 4860	4392	Windows Shell Interactive.exe	115
PID 4392 wrote to memory of 3788	4392	Windows Shell Interactive.exe	117
PID 4392 wrote to memory of 3788	4392	Windows Shell Interactive.exe	117
PID 3788 wrote to memory of 4864	3788	cmd.exe	119
PID 3788 wrote to memory of 4864	3788	cmd.exe	119
PID 3788 wrote to memory of 996	3788	cmd.exe	120
PID 3788 wrote to memory of 996	3788	cmd.exe	120
PID 3788 wrote to memory of 2128	3788	cmd.exe	121
PID 3788 wrote to memory of 2128	3788	cmd.exe	121
PID 2128 wrote to memory of 4328	2128	Windows Shell Interactive.exe	122
PID 2128 wrote to memory of 4328	2128	Windows Shell Interactive.exe	122
PID 2128 wrote to memory of 3452	2128	Windows Shell Interactive.exe	124
PID 2128 wrote to memory of 3452	2128	Windows Shell Interactive.exe	124
PID 3452 wrote to memory of 4480	3452	cmd.exe	126
PID 3452 wrote to memory of 4480	3452	cmd.exe	126
PID 3452 wrote to memory of 4420	3452	cmd.exe	127
PID 3452 wrote to memory of 4420	3452	cmd.exe	127
PID 3452 wrote to memory of 4016	3452	cmd.exe	128
PID 3452 wrote to memory of 4016	3452	cmd.exe	128
PID 4016 wrote to memory of 2616	4016	Windows Shell Interactive.exe	129
PID 4016 wrote to memory of 2616	4016	Windows Shell Interactive.exe	129
PID 4016 wrote to memory of 4908	4016	Windows Shell Interactive.exe	131
PID 4016 wrote to memory of 4908	4016	Windows Shell Interactive.exe	131
PID 4908 wrote to memory of 4924	4908	cmd.exe	133
PID 4908 wrote to memory of 4924	4908	cmd.exe	133
PID 4908 wrote to memory of 1252	4908	cmd.exe	134
PID 4908 wrote to memory of 1252	4908	cmd.exe	134
PID 4908 wrote to memory of 608	4908	cmd.exe	135
PID 4908 wrote to memory of 608	4908	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4480
- C:\Windows\system32\Windows Shell Interactive.exe
  "C:\Windows\system32\Windows Shell Interactive.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOWbDUYm7Mrg.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3036
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2684
  - - C:\Windows\system32\Windows Shell Interactive.exe
      "C:\Windows\system32\Windows Shell Interactive.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1952
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1080
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qFqV0oDTHwMO.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1056
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:832
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5096
      - C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sRmA0qDsZVGi.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4820
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3180
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HgSBlBxGbf1x.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:996
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwVQv3dkh4fZ.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4420
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iRY4xXMuMnUV.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1252
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:608
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYnurDYbNDSb.bat" "
        15⤵
        
        PID:1016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3184
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5104
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5ICzbv5FGuok.bat" "
        17⤵
        
        PID:620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1056
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3136
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3572
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nMFCm8T1wK6T.bat" "
        19⤵
        
        PID:356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4476
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\u9xo72QLTljR.bat" "
        21⤵
        
        PID:1412
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2644
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4880
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ERM4H8hvwqAh.bat" "
        23⤵
        
        PID:3404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3504
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1164
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LjhSvTOkK8rm.bat" "
        25⤵
        
        PID:2304
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4760
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rEjiHHaxBihL.bat" "
        27⤵
        
        PID:1408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:380
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4460
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9ZYizZzG9GWw.bat" "
        29⤵
        
        PID:1784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1868
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3868
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4056
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XSvwbcRbNS1g.bat" "
        31⤵
        
        PID:1536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2180
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Windows Shell Interactive.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ICzbv5FGuok.bat

Filesize
208B

MD5
45d272b831d49d0b9415f68ce0e0e25f

SHA1
6911b990cd4ca76b3d882b8851ae24fe8253d68c

SHA256
41e7886a19934231015425719d780b0bf890537809cdb02b90b7a47f0d47ee07

SHA512
223b8f1f5f174fd7b37e1d2f03ceb9f34862254b0dcfa1db05458625a437e1973789da1d37a0d9532c6d645ace159ccb3462c0c3289fa498f178b7031ee617f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ZYizZzG9GWw.bat

Filesize
208B

MD5
330c16115b435586afb6e64b55462655

SHA1
f885037714b1632ea755d55665862e04fba9491b

SHA256
aaf8a199b910cebdceef96adfca5bb02544823a91a8656b3984e31a57c028e7b

SHA512
ad0adaafd53022d9db2db6d6d5ce8bb7ba2f42d5effbca2bc0e464b08626c2f13f6208a6a4466839a588188cac55ca635acc5aa86d9e142d2a69da3c64922a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ERM4H8hvwqAh.bat

Filesize
208B

MD5
a7ca524a38c34bd445ea26837f126a2e

SHA1
1cafba8f9396ff648ccbbfda9958390adb93a90b

SHA256
9dd64ebf4333da000be3b2b1e5b2609e6d373f6a10938c7b54f2293479f3ceee

SHA512
7f7b0cbe0e7722e4932e80e24deabd06d0da87cfdf2b811a750f8d6ac4377ed1124c91ecadc9bd9a59950c6a1e06d4973788b95f6d0bf65fcc92531b290409ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\HgSBlBxGbf1x.bat

Filesize
208B

MD5
b2c4de009099205fcd7e3e4efd56e84a

SHA1
f6ed149b1a4fefc6eb309eef972070b048b64e02

SHA256
c28f20aac52ad9252135f33391e1b6f64bbd9fa6daf1d9eea39729d6519cfb18

SHA512
ed5de49abcbdcb34d4c664edfa823da87fa779064c4b028f57022f7f00102166dfc87448030d8a95b7a34a85e6eab07ec7fbf1872251f84201af022153f7d558

Download Submit
C:\Users\Admin\AppData\Local\Temp\LjhSvTOkK8rm.bat

Filesize
208B

MD5
b5b3ecc6d6b81e6090c762095522334f

SHA1
7aa4b9b7e8169564191145c05bdbf725f9aaed86

SHA256
1373b2a7d109aa9a5e88fbefeb97edc618a223d0f8a04bbd4166bf58b625d8fe

SHA512
26e03fc2a28fef1997a848fe1440ddbc082637177b10b83fa39d6cb79551c0459d466eb83d6c07d009f26df7418ab33b7ab214b446fd19b6fac072ed495b268e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XSvwbcRbNS1g.bat

Filesize
208B

MD5
b10b87344bf8b95b6825f95834608f3e

SHA1
179145daa2fe753db0aef2392a18f9fec3764bbb

SHA256
ae5ea311e1ec1f0311f3a92d22ad52c95f30ed6a01d1fd234fce1ef3c3b9a199

SHA512
5146afbfba71451f2d150629f5bb43491da10a00fb6d2c1ae215188b07bafcf99461170baebb963b8d2a16a9e04790fde17f7466957d17633c7fb2fed2ccf513

Download Submit
C:\Users\Admin\AppData\Local\Temp\iRY4xXMuMnUV.bat

Filesize
208B

MD5
69c9f9545e1f371227ad4a899718c773

SHA1
830c56b99fcd0e0ef2d5f4e2c40b431013ff3f43

SHA256
7e63c1ef4a5cb7ebdfbffba7d5af79effd2acbe8ada3e968f1d5f01398c778c9

SHA512
e17f3f251eb0bded6684e9e78177e8fd16fcd082502a9d2e710db28ed0f7b57ec479577c99c30ce4d74671547c2fb009f805cc6e77171314842df866bd191124

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYnurDYbNDSb.bat

Filesize
208B

MD5
b7bcfb0821e2f61b3606156a23c4cfd3

SHA1
49d53d43e7c124789b0daf761594b16c163bb2b4

SHA256
bffa63a9f00ed7581bf7c06cbed21f1f865ba1ef461fc49c18cb23d81d6c9277

SHA512
707810eaa00dd0ec8cc2b875631709d92af2cb3fee2910fcf39526e13d28c1c69294ca8f397a0f446a14c30b5c6dc3c57e37959370b54f2a4d1a6f824b9d92c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwVQv3dkh4fZ.bat

Filesize
208B

MD5
999fd22274451d483a0f6f04b220de6a

SHA1
061de044e9cd053fe5524e193de6caa4a23e7d9f

SHA256
3bff8bfc224f9d557586689096232004e290d3b0606e10012e8a9cae324e19e9

SHA512
9e5d57baff521ba8b74ef2472744fb6f8eebfbb0f60d4756c837e5d5d68c709c14d5a50b8854f1e3a085634943c7f5ba10db72a68c9b3da19e2b4b144b864bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\lOWbDUYm7Mrg.bat

Filesize
208B

MD5
1a9ea0c9101723d0e5100e35344b406c

SHA1
5ea4a1b6090d9f3437c4920d7b3d85ede44687d7

SHA256
ad077b685dfc2093b4389c30918bf557724dda2f2ad4341949bc99be35ab816d

SHA512
7495fc650d50c99df8d2cfceaa9767aedf2bde18dced63ad288ed4ba11323c05e65f2b9aa6618f47989840d4c48330d70e21eeb39e38332c4087a7a387310fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMFCm8T1wK6T.bat

Filesize
208B

MD5
f4404d799c4b5ebfd71f7e7d560eb5fb

SHA1
1557d881316f5a0089221a4fd88eb7cc745b14f4

SHA256
8c87636f8cbf76ee4df42ddce50816c33e43932222c29e76a80c985eaa2a05f0

SHA512
85554cfcf48bcf1d6f34d5588e4b87da48a5c14b95e7df9e19c708b94fdef27c80c21b163bcf9fbd92a2019cd2d39cf47dd8a493a2c92a97fc70d173ab370cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qFqV0oDTHwMO.bat

Filesize
208B

MD5
6c8138870afc2f4d43e24ab14dfef660

SHA1
16e4bc6cb69b3e6d97d374b79fe2d2bccb4a9b7b

SHA256
120fac3a7878885389991bc4327be7f84161f8bc05c6edde8999db438a0eca3e

SHA512
75749e19a07f86f7fc302956d25053e5532e7e31bac11dd94820eae39957f4d1d8f32cf7612e29fe0136cf73836d5e2f90b3873ba94c4b4c064e43c25a8b46f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\rEjiHHaxBihL.bat

Filesize
208B

MD5
8ec277c6ce5711779a356a35449cfb66

SHA1
fad1900db80ddf8efdf874b73ab93d2221f1d06d

SHA256
33d070a0c164dbedf494856003ca90ead176733335051577e1ae8850674c1f05

SHA512
73b4372eed068be698b615bb81f9c1f904fc0218428934e8b015ff27d08bba3f1d503d98d9bfba134aff70d80670933e4b5bfc1f5ba21101e0d3c8aea10c7fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\sRmA0qDsZVGi.bat

Filesize
208B

MD5
e835a0f57ba25aa77e96a171aa167d53

SHA1
37a0c25946328402be9c36b9b644c1c3ea917e77

SHA256
65f7e4f3c713552b7654addb1c7bb7fc279878ac8902b8cf1755f11badc37572

SHA512
21a8dd6bc1a14a38f60cd55bf679855f002524360338e91c7be5ae68c054a74690cdd02df59d1f34c3a509428e85a88e2cdd30f30980741a59f319474a8216fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\u9xo72QLTljR.bat

Filesize
208B

MD5
b97565ff81415dda20f483ab6e00cbce

SHA1
b7837f3ab3798929ad6bba89231f364eb50c56b8

SHA256
cfc296326c49ff45d5f24d8dfaa6c69e5ec84a38f37834e5471f8ed498b7b125

SHA512
f3bceb286ee518bead0b7eb1f0dbe26d4ad5f475d4f97d774aadfc00ab16345154b770469d9421c459fa76c4fe430445ddce5aba69058b9da9ef4bd7a17ba97e

Download Submit
C:\Windows\System32\Windows Shell Interactive.exe

Filesize
3.1MB

MD5
aad11067aa90b9d96958aae378c45747

SHA1
13dc757a06a092ab0ef34482c307604a67fd74b9

SHA256
2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b

SHA512
8a2fc9cfc72b7f9fb0ff54292022d738013813f222ebe3d7e54f1d916a6307d7652a5f4276d38550e6c515e637358b039a3f784e70a187e2d754b60eaff26813

Download Submit
memory/2472-13-0x000000001D410000-0x000000001D4C2000-memory.dmp

Filesize
712KB

Download
memory/2472-11-0x00007FF9024F0000-0x00007FF902FB1000-memory.dmp

Filesize
10.8MB

Download
memory/2472-10-0x00007FF9024F0000-0x00007FF902FB1000-memory.dmp

Filesize
10.8MB

Download
memory/2472-12-0x000000001D300000-0x000000001D350000-memory.dmp

Filesize
320KB

Download
memory/2472-18-0x00007FF9024F0000-0x00007FF902FB1000-memory.dmp

Filesize
10.8MB

Download
memory/3484-9-0x00007FF9024F0000-0x00007FF902FB1000-memory.dmp

Filesize
10.8MB

Download
memory/3484-0-0x00007FF9024F3000-0x00007FF9024F5000-memory.dmp

Filesize
8KB

Download
memory/3484-2-0x00007FF9024F0000-0x00007FF902FB1000-memory.dmp

Filesize
10.8MB

Download
memory/3484-1-0x00000000001C0000-0x00000000004E4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads