quasar | 2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-01-2025 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b.exe
Size

3.1MB
MD5

aad11067aa90b9d96958aae378c45747
SHA1

13dc757a06a092ab0ef34482c307604a67fd74b9
SHA256

2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b
SHA512

8a2fc9cfc72b7f9fb0ff54292022d738013813f222ebe3d7e54f1d916a6307d7652a5f4276d38550e6c515e637358b039a3f784e70a187e2d754b60eaff26813
SSDEEP

49152:gvXhBYjCOuDt2d5aKCuVPzlEmVQL0wvwkaE8sV4mzFEoGdCTHHB72eh2NT:gvdt2d5aKCuVPzlEmVQ0wvwfJsVo

Score

10^/10

quasar vm-ku discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

VM-KU

adidya354-21806.portmap.host:21806

Mutex

cf7c4d30-a326-47cc-a5f0-5a19aa014204

Attributes

encryption_key
E50BC33BC56B70B1A2963DE6EA1855A0E0D0FBCE
install_name
Windows Shell Interactive.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Shell Interactive

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 13 IoCs

resource	yara_rule
behavioral1/memory/2380-1-0x0000000000F60000-0x0000000001284000-memory.dmp	family_quasar
behavioral1/files/0x00080000000120ff-7.dat	family_quasar
behavioral1/memory/2996-10-0x0000000001160000-0x0000000001484000-memory.dmp	family_quasar
behavioral1/memory/560-53-0x0000000000200000-0x0000000000524000-memory.dmp	family_quasar
behavioral1/memory/924-64-0x00000000001E0000-0x0000000000504000-memory.dmp	family_quasar
behavioral1/memory/1508-75-0x0000000000C40000-0x0000000000F64000-memory.dmp	family_quasar
behavioral1/memory/2836-86-0x00000000000A0000-0x00000000003C4000-memory.dmp	family_quasar
behavioral1/memory/1252-98-0x0000000000EE0000-0x0000000001204000-memory.dmp	family_quasar
behavioral1/memory/1208-109-0x0000000001250000-0x0000000001574000-memory.dmp	family_quasar
behavioral1/memory/2232-120-0x00000000000D0000-0x00000000003F4000-memory.dmp	family_quasar
behavioral1/memory/988-131-0x00000000003A0000-0x00000000006C4000-memory.dmp	family_quasar
behavioral1/memory/2312-142-0x0000000000B60000-0x0000000000E84000-memory.dmp	family_quasar
behavioral1/memory/1608-153-0x0000000001050000-0x0000000001374000-memory.dmp	family_quasar

Executes dropped EXE 16 IoCs

pid	Process
2996	Windows Shell Interactive.exe
2916	Windows Shell Interactive.exe
868	Windows Shell Interactive.exe
1312	Windows Shell Interactive.exe
560	Windows Shell Interactive.exe
924	Windows Shell Interactive.exe
1508	Windows Shell Interactive.exe
2836	Windows Shell Interactive.exe
1252	Windows Shell Interactive.exe
1208	Windows Shell Interactive.exe
2232	Windows Shell Interactive.exe
988	Windows Shell Interactive.exe
2312	Windows Shell Interactive.exe
1608	Windows Shell Interactive.exe
2156	Windows Shell Interactive.exe
2948	Windows Shell Interactive.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File created	C:\Windows\system32\Windows Shell Interactive.exe	2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 16 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2584	PING.EXE
1196	PING.EXE
764	PING.EXE
1220	PING.EXE
1196	PING.EXE
1584	PING.EXE
1624	PING.EXE
3040	PING.EXE
2644	PING.EXE
2828	PING.EXE
2832	PING.EXE
2316	PING.EXE
2224	PING.EXE
1916	PING.EXE
2676	PING.EXE
948	PING.EXE

Runs ping.exe 1 TTPs 16 IoCs

Remote System Discovery

T1018

pid	Process
1916	PING.EXE
1624	PING.EXE
2584	PING.EXE
2316	PING.EXE
764	PING.EXE
2644	PING.EXE
1220	PING.EXE
1584	PING.EXE
3040	PING.EXE
948	PING.EXE
2828	PING.EXE
2676	PING.EXE
1196	PING.EXE
1196	PING.EXE
2832	PING.EXE
2224	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2936	schtasks.exe
2724	schtasks.exe
2872	schtasks.exe
956	schtasks.exe
2560	schtasks.exe
1516	schtasks.exe
2652	schtasks.exe
2468	schtasks.exe
2328	schtasks.exe
2744	schtasks.exe
884	schtasks.exe
1744	schtasks.exe
2232	schtasks.exe
2804	schtasks.exe
1776	schtasks.exe
2844	schtasks.exe
2664	schtasks.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b.exe
Token: SeDebugPrivilege	2996	Windows Shell Interactive.exe
Token: SeDebugPrivilege	2916	Windows Shell Interactive.exe
Token: SeDebugPrivilege	868	Windows Shell Interactive.exe
Token: SeDebugPrivilege	1312	Windows Shell Interactive.exe
Token: SeDebugPrivilege	560	Windows Shell Interactive.exe
Token: SeDebugPrivilege	924	Windows Shell Interactive.exe
Token: SeDebugPrivilege	1508	Windows Shell Interactive.exe
Token: SeDebugPrivilege	2836	Windows Shell Interactive.exe
Token: SeDebugPrivilege	1252	Windows Shell Interactive.exe
Token: SeDebugPrivilege	1208	Windows Shell Interactive.exe
Token: SeDebugPrivilege	2232	Windows Shell Interactive.exe
Token: SeDebugPrivilege	988	Windows Shell Interactive.exe
Token: SeDebugPrivilege	2312	Windows Shell Interactive.exe
Token: SeDebugPrivilege	1608	Windows Shell Interactive.exe
Token: SeDebugPrivilege	2156	Windows Shell Interactive.exe
Token: SeDebugPrivilege	2948	Windows Shell Interactive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2328	2380	2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b.exe	30
PID 2380 wrote to memory of 2328	2380	2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b.exe	30
PID 2380 wrote to memory of 2328	2380	2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b.exe	30
PID 2380 wrote to memory of 2996	2380	2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b.exe	32
PID 2380 wrote to memory of 2996	2380	2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b.exe	32
PID 2380 wrote to memory of 2996	2380	2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b.exe	32
PID 2996 wrote to memory of 2936	2996	Windows Shell Interactive.exe	33
PID 2996 wrote to memory of 2936	2996	Windows Shell Interactive.exe	33
PID 2996 wrote to memory of 2936	2996	Windows Shell Interactive.exe	33
PID 2996 wrote to memory of 2716	2996	Windows Shell Interactive.exe	36
PID 2996 wrote to memory of 2716	2996	Windows Shell Interactive.exe	36
PID 2996 wrote to memory of 2716	2996	Windows Shell Interactive.exe	36
PID 2716 wrote to memory of 2704	2716	cmd.exe	38
PID 2716 wrote to memory of 2704	2716	cmd.exe	38
PID 2716 wrote to memory of 2704	2716	cmd.exe	38
PID 2716 wrote to memory of 2584	2716	cmd.exe	39
PID 2716 wrote to memory of 2584	2716	cmd.exe	39
PID 2716 wrote to memory of 2584	2716	cmd.exe	39
PID 2716 wrote to memory of 2916	2716	cmd.exe	40
PID 2716 wrote to memory of 2916	2716	cmd.exe	40
PID 2716 wrote to memory of 2916	2716	cmd.exe	40
PID 2916 wrote to memory of 2744	2916	Windows Shell Interactive.exe	41
PID 2916 wrote to memory of 2744	2916	Windows Shell Interactive.exe	41
PID 2916 wrote to memory of 2744	2916	Windows Shell Interactive.exe	41
PID 2916 wrote to memory of 1716	2916	Windows Shell Interactive.exe	43
PID 2916 wrote to memory of 1716	2916	Windows Shell Interactive.exe	43
PID 2916 wrote to memory of 1716	2916	Windows Shell Interactive.exe	43
PID 1716 wrote to memory of 580	1716	cmd.exe	45
PID 1716 wrote to memory of 580	1716	cmd.exe	45
PID 1716 wrote to memory of 580	1716	cmd.exe	45
PID 1716 wrote to memory of 3040	1716	cmd.exe	46
PID 1716 wrote to memory of 3040	1716	cmd.exe	46
PID 1716 wrote to memory of 3040	1716	cmd.exe	46
PID 1716 wrote to memory of 868	1716	cmd.exe	47
PID 1716 wrote to memory of 868	1716	cmd.exe	47
PID 1716 wrote to memory of 868	1716	cmd.exe	47
PID 868 wrote to memory of 1744	868	Windows Shell Interactive.exe	48
PID 868 wrote to memory of 1744	868	Windows Shell Interactive.exe	48
PID 868 wrote to memory of 1744	868	Windows Shell Interactive.exe	48
PID 868 wrote to memory of 2388	868	Windows Shell Interactive.exe	50
PID 868 wrote to memory of 2388	868	Windows Shell Interactive.exe	50
PID 868 wrote to memory of 2388	868	Windows Shell Interactive.exe	50
PID 2388 wrote to memory of 2888	2388	cmd.exe	52
PID 2388 wrote to memory of 2888	2388	cmd.exe	52
PID 2388 wrote to memory of 2888	2388	cmd.exe	52
PID 2388 wrote to memory of 2316	2388	cmd.exe	53
PID 2388 wrote to memory of 2316	2388	cmd.exe	53
PID 2388 wrote to memory of 2316	2388	cmd.exe	53
PID 2388 wrote to memory of 1312	2388	cmd.exe	54
PID 2388 wrote to memory of 1312	2388	cmd.exe	54
PID 2388 wrote to memory of 1312	2388	cmd.exe	54
PID 1312 wrote to memory of 2232	1312	Windows Shell Interactive.exe	55
PID 1312 wrote to memory of 2232	1312	Windows Shell Interactive.exe	55
PID 1312 wrote to memory of 2232	1312	Windows Shell Interactive.exe	55
PID 1312 wrote to memory of 2392	1312	Windows Shell Interactive.exe	57
PID 1312 wrote to memory of 2392	1312	Windows Shell Interactive.exe	57
PID 1312 wrote to memory of 2392	1312	Windows Shell Interactive.exe	57
PID 2392 wrote to memory of 2088	2392	cmd.exe	59
PID 2392 wrote to memory of 2088	2392	cmd.exe	59
PID 2392 wrote to memory of 2088	2392	cmd.exe	59
PID 2392 wrote to memory of 2224	2392	cmd.exe	60
PID 2392 wrote to memory of 2224	2392	cmd.exe	60
PID 2392 wrote to memory of 2224	2392	cmd.exe	60
PID 2392 wrote to memory of 560	2392	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b.exe
"C:\Users\Admin\AppData\Local\Temp\2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2328
- C:\Windows\system32\Windows Shell Interactive.exe
  "C:\Windows\system32\Windows Shell Interactive.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2936
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\HySy8JGBrgDF.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2704
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2584
  - - C:\Windows\system32\Windows Shell Interactive.exe
      "C:\Windows\system32\Windows Shell Interactive.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2744
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uWbqR0c6BbXi.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1716
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:580
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3040
      - C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1744
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IakkcADJ3YYK.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2888
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2316
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2232
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xT2OLpJUkhCJ.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2088
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2224
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2560
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\y0p0NVBFMZ2Z.bat" "
        11⤵
        
        PID:1340
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1124
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1196
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:924
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1516
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sI9zWsaEnZU8.bat" "
        13⤵
        
        PID:2412
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1488
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:764
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:884
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dAv3IZ2pbwKK.bat" "
        15⤵
        
        PID:2504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1916
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2724
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ro77aHn4OKU9.bat" "
        17⤵
        
        PID:2732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2584
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2676
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2652
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GwgO2GbdpDiV.bat" "
        19⤵
        
        PID:2908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2644
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2872
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\O2IdQikaqoKk.bat" "
        21⤵
        
        PID:1388
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1168
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1220
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2804
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oBKn3UV9e063.bat" "
        23⤵
        
        PID:1760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1584
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:956
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZFr5IM6XuicF.bat" "
        25⤵
        
        PID:2300
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2428
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1196
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1776
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7gdSoUn2yKoW.bat" "
        27⤵
        
        PID:2168
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2140
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1624
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2468
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SVMJPL897cOW.bat" "
        29⤵
        
        PID:372
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2936
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:948
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2844
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\q0coGT8hZ7sT.bat" "
        31⤵
        
        PID:2612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2832
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        33⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2664
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fA5BpgiaYBAA.bat" "
        33⤵
        
        PID:876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:2572
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7gdSoUn2yKoW.bat

Filesize
208B

MD5
7900d1d296de04fba2a1281f28f9f0a6

SHA1
6d1f0168b0db389e145e3d968966f7874a877eda

SHA256
cda1c6f81f707c36bca6ce6c2d2b40f2e7fefa7058290212c9a4713dc469ed78

SHA512
204f81844fea51a9f5dc1ded2cf5eca6980b419e48b7d9dd231d26e7cf8a7dae738748cc0df0465f339b6c3ba99eb66120e6ff468eb7d43fd8c0def17e56444f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwgO2GbdpDiV.bat

Filesize
208B

MD5
f6f30effbd0fcc534f1255d6b6532132

SHA1
7b9598ab78e6c184a567b4d189f4dd21a22923b5

SHA256
09694d537d77f22aee4cb389b3813c973c55aaea35c35c71ef2460a8072f639d

SHA512
5776bd9a55966376e026a3f9233e6b7c342560464d12ca58ac2ebd53b202b0955f09f77d0e407a7c1ed9a7a7c3c31e4bd20c04da92109accb9a231b67d1c04bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\HySy8JGBrgDF.bat

Filesize
208B

MD5
414798bfb1ec537626e801364e40824d

SHA1
c89c400e53067beca0722dcf78cf8a55cd832a96

SHA256
59770827a7c7e1b6dbf1231095a5e55e0e09b8bb5a6b807d8651658f60d20757

SHA512
8ea48d587b15666a9418eb7cfc041817d223f348b0486e0f0a8da869418b5af29c60e8e8543106b3ff3e350530cb54a689888ca83b07b7baad5aa90905e4368d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IakkcADJ3YYK.bat

Filesize
208B

MD5
2d31ce223e67ff999f2f9ceae1159d4e

SHA1
3ca745390cfbae3d21ceb76d89c86c2a8d823a0f

SHA256
468f5f844c106de637da49dd7d8e4040bf823e01ae3e8364a86eca2dd9c2c298

SHA512
f62c6c9d3276ee31b331bd9c454d713cd7744fd00f424f612b4fae55608807d8ca4810683d731d48b6654cfca2758a4328e30a62b5103eb2c454e338f75d64bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\O2IdQikaqoKk.bat

Filesize
208B

MD5
3790297743f11fc5138bdc0ffd96fb23

SHA1
03d76a3c7187672acee721be85d73fd7af028e60

SHA256
2fdc936385e9168632dd991f059284479e6989493afddd497a0fa343007d1dec

SHA512
f8dcff253528d4abd47218bba97b75338e3588a96b6db87507624963d6e11af4581d25f5a2903c2d19061bb2edb7cf8f334044ba5c976532336a9ea603d8916e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVMJPL897cOW.bat

Filesize
208B

MD5
799e5527fef30f5453dd79be4858dd9c

SHA1
fc970d2014642d67b4a11fee32d9c60d6f973eb0

SHA256
8817efb7517ecd390268bf3a50c72f721664328519d9fb391952047f2ca774a2

SHA512
709b80d411d647ae5acc15289699c1327697b487d6ab6810ac52a5dc337bbd857d7a9a1214d583f2d83e4924578ad10bd80a0b85b0d5145c5410c4bac0e41850

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZFr5IM6XuicF.bat

Filesize
208B

MD5
b0376a5aef15a348f2cf66e905454d02

SHA1
660b20d1b650fe4078929ff2aaa7148f4f1a436a

SHA256
14e0fff10cbd0e8080f214e593198d6b4069e69087c956ccb84556fd77ffba2b

SHA512
18297056129146ca082910d40fff47570f66abbdb7d9cf37007c05e9822cbce200994a64c73def7b30546c69a0e80942a3f6a664862710e6a63827855a3de6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\dAv3IZ2pbwKK.bat

Filesize
208B

MD5
5887c19701150f52bd39f7f01fb5b316

SHA1
8ca6c92a47a25a8616ec259574dba615bf9b81bd

SHA256
2a14761d3308dfcd91a208fe812ed01b2d9ac786e3281493b43674dad19c4d70

SHA512
db1555e86ad17db0bf442d1113fc33e2c479584c45e90c6077cd5b7de6932d33487a9b4a82f80de9e42c2f042fbc1ef39046eb509acdc748b3571b54603cc41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fA5BpgiaYBAA.bat

Filesize
208B

MD5
5de26ca6df9845c76c1fe27e30e6dbf8

SHA1
95041d67078efedfdc5a1480e3bad57ca67771b0

SHA256
3d16cfc3e4a76fe5b1b706c2fb6e4b9164d0a3d54c107c483a1fb17c67ec7455

SHA512
6da3b2e7fc0f4d4bccd08ef15ecb1700b049c01876d6efa00afee43f62300647ece326cbfe0511820bb703b74c6e391f7ac06198bf6ee0df73d385aa45c8e4ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\oBKn3UV9e063.bat

Filesize
208B

MD5
f7f76f62f7ca9c85b3806869870b3276

SHA1
8ad0c4ad93f3fcd27a4c15789d77344c8aa28ada

SHA256
1018cdc35d31cc75e28c953c6c1984325feb9968af0dccefd536b5ba250e9035

SHA512
2d415ac09ca9dda9a92c380784b0ac515d1bb3665df2e2622efe8103f80859f4e7090440bda234f802f99ed22dd4e5534c1890cd4e6ca265e89dd75f301dad91

Download Submit
C:\Users\Admin\AppData\Local\Temp\q0coGT8hZ7sT.bat

Filesize
208B

MD5
4e07c4a7a286f187080de34f9d7220bb

SHA1
aa9dd951453316b3ac96f17991e8ed4116e62b62

SHA256
631a3d1842fbe42a95a00346be4a1d10a9ea239a78a84cd986e98c82831b6563

SHA512
a58b940d44e50bd95b59489c2525305be683629ce0f592a125bb9dafbc6b3c0e26b3101675fbd4e5db627e913443f422ce84df760c09ce95d9d170e086ba8537

Download Submit
C:\Users\Admin\AppData\Local\Temp\ro77aHn4OKU9.bat

Filesize
208B

MD5
a38139bf0d42bf0bd4f493adddbb9675

SHA1
243a4e3c582877a587bb1a8f5a3f33f183293837

SHA256
a4f00a021f944f4cd75e748f46d6c459d3f0869b8ac668f860c5743cb3a11241

SHA512
ec8a7c5ebd4f794da29471723b4801476b0451c5674abfd7129af1ee920feb6d897d7b43aef772369fe85bd2b3715e882057d56580c04beaf4b20fdc484dcd85

Download Submit
C:\Users\Admin\AppData\Local\Temp\sI9zWsaEnZU8.bat

Filesize
208B

MD5
b52c89232c58340d8d8be17a506a019d

SHA1
b4974b6bf07aa29df2797d49b44cf9e1e54cbb4b

SHA256
084c30d8e5f870ccd841d800f6742481b4656067bbcd52403b043a47fcba99e5

SHA512
ed3f8b24845acf3ef08d90b01b79e5aff268fd6ea17d463bf74385b1eb55362acc981b9fbd4d72655d58aaa071213815e9ff53793ebbc910df081c0a9ed6ff15

Download Submit
C:\Users\Admin\AppData\Local\Temp\uWbqR0c6BbXi.bat

Filesize
208B

MD5
253c1c08ebf2ecfc93822212a8082562

SHA1
2def8a740a9b8263fd0aba0940c934e642d0abc1

SHA256
ca168b0746d822b1de094c34e1d519d15ad61198d46bd1aa0151ae58290aaead

SHA512
a0979ff58943b44f5f8828f2cb88be7fe56b4ce814cf1e3574d6df12c94a22d10a4ba26ce07c6dba36b44a166fee13acf1b4aee8efecbbeba45bc03ae50e0cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xT2OLpJUkhCJ.bat

Filesize
208B

MD5
1c4f066b5055192aad7e7e465809e0f7

SHA1
08a90550b9c9ecf24c26eec2be235bd7f2d449be

SHA256
5647221e9ee18fa520b5fd56abee1a382a141e98107d08071c67f955945e2b8f

SHA512
6bbc9e08dcefd5064d98a41d5b8959f7d4d7c5aab8cbf38807c6670ad9c269d2390a55460eac0ca10bd5773e033b51f726c29e8a461ccad16b133f8962ad7c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\y0p0NVBFMZ2Z.bat

Filesize
208B

MD5
a268ea94441291bafe29fc20057f5dee

SHA1
a00b6990ab593211239b39d55d15c3921d64b3a4

SHA256
0d6efda875a8b2b1840bd5c79b963956d7afabda94becb88c56426d0020c05be

SHA512
cd56ac40a0b36c380999debf6a3a9c007fa397371f515f20374642cfa1ba0b1ef7249fe09955b9eeec821a695dd460ef2c1a7202a3f7d02f9ffa1c9cb1a9baa2

Download Submit
C:\Windows\system32\Windows Shell Interactive.exe

Filesize
3.1MB

MD5
aad11067aa90b9d96958aae378c45747

SHA1
13dc757a06a092ab0ef34482c307604a67fd74b9

SHA256
2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b

SHA512
8a2fc9cfc72b7f9fb0ff54292022d738013813f222ebe3d7e54f1d916a6307d7652a5f4276d38550e6c515e637358b039a3f784e70a187e2d754b60eaff26813

Download Submit
memory/560-53-0x0000000000200000-0x0000000000524000-memory.dmp

Filesize
3.1MB

Download
memory/924-64-0x00000000001E0000-0x0000000000504000-memory.dmp

Filesize
3.1MB

Download
memory/988-131-0x00000000003A0000-0x00000000006C4000-memory.dmp

Filesize
3.1MB

Download
memory/1208-109-0x0000000001250000-0x0000000001574000-memory.dmp

Filesize
3.1MB

Download
memory/1252-98-0x0000000000EE0000-0x0000000001204000-memory.dmp

Filesize
3.1MB

Download
memory/1508-75-0x0000000000C40000-0x0000000000F64000-memory.dmp

Filesize
3.1MB

Download
memory/1608-153-0x0000000001050000-0x0000000001374000-memory.dmp

Filesize
3.1MB

Download
memory/2232-120-0x00000000000D0000-0x00000000003F4000-memory.dmp

Filesize
3.1MB

Download
memory/2312-142-0x0000000000B60000-0x0000000000E84000-memory.dmp

Filesize
3.1MB

Download
memory/2380-0-0x000007FEF5983000-0x000007FEF5984000-memory.dmp

Filesize
4KB

Download
memory/2380-8-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-2-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-1-0x0000000000F60000-0x0000000001284000-memory.dmp

Filesize
3.1MB

Download
memory/2836-86-0x00000000000A0000-0x00000000003C4000-memory.dmp

Filesize
3.1MB

Download
memory/2996-11-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-9-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-10-0x0000000001160000-0x0000000001484000-memory.dmp

Filesize
3.1MB

Download
memory/2996-21-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads