quasar | 2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b.exe
Size

3.1MB
MD5

aad11067aa90b9d96958aae378c45747
SHA1

13dc757a06a092ab0ef34482c307604a67fd74b9
SHA256

2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b
SHA512

8a2fc9cfc72b7f9fb0ff54292022d738013813f222ebe3d7e54f1d916a6307d7652a5f4276d38550e6c515e637358b039a3f784e70a187e2d754b60eaff26813
SSDEEP

49152:gvXhBYjCOuDt2d5aKCuVPzlEmVQL0wvwkaE8sV4mzFEoGdCTHHB72eh2NT:gvdt2d5aKCuVPzlEmVQ0wvwfJsVo

Score

10^/10

quasar vm-ku discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

VM-KU

adidya354-21806.portmap.host:21806

Mutex

cf7c4d30-a326-47cc-a5f0-5a19aa014204

Attributes

encryption_key
E50BC33BC56B70B1A2963DE6EA1855A0E0D0FBCE
install_name
Windows Shell Interactive.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Shell Interactive

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2596-1-0x00000000009C0000-0x0000000000CE4000-memory.dmp	family_quasar
behavioral2/files/0x000c000000023bb4-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe

Executes dropped EXE 15 IoCs

pid	Process
4468	Windows Shell Interactive.exe
2696	Windows Shell Interactive.exe
5016	Windows Shell Interactive.exe
896	Windows Shell Interactive.exe
372	Windows Shell Interactive.exe
3308	Windows Shell Interactive.exe
320	Windows Shell Interactive.exe
4328	Windows Shell Interactive.exe
2144	Windows Shell Interactive.exe
1368	Windows Shell Interactive.exe
2752	Windows Shell Interactive.exe
2836	Windows Shell Interactive.exe
3512	Windows Shell Interactive.exe
1668	Windows Shell Interactive.exe
4788	Windows Shell Interactive.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File created	C:\Windows\system32\Windows Shell Interactive.exe	2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2696	PING.EXE
1540	PING.EXE
544	PING.EXE
2776	PING.EXE
3820	PING.EXE
3112	PING.EXE
4000	PING.EXE
2500	PING.EXE
3164	PING.EXE
2752	PING.EXE
372	PING.EXE
4432	PING.EXE
1660	PING.EXE
4420	PING.EXE
1404	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
3820	PING.EXE
4000	PING.EXE
372	PING.EXE
3112	PING.EXE
1540	PING.EXE
1404	PING.EXE
2752	PING.EXE
544	PING.EXE
2696	PING.EXE
1660	PING.EXE
2500	PING.EXE
3164	PING.EXE
4420	PING.EXE
2776	PING.EXE
4432	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1840	schtasks.exe
3536	schtasks.exe
4384	schtasks.exe
4804	schtasks.exe
4808	schtasks.exe
1664	schtasks.exe
4548	schtasks.exe
1984	schtasks.exe
5100	schtasks.exe
5060	schtasks.exe
1152	schtasks.exe
3628	schtasks.exe
4292	schtasks.exe
3816	schtasks.exe
4268	schtasks.exe
4636	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b.exe
Token: SeDebugPrivilege	4468	Windows Shell Interactive.exe
Token: SeDebugPrivilege	2696	Windows Shell Interactive.exe
Token: SeDebugPrivilege	5016	Windows Shell Interactive.exe
Token: SeDebugPrivilege	896	Windows Shell Interactive.exe
Token: SeDebugPrivilege	372	Windows Shell Interactive.exe
Token: SeDebugPrivilege	3308	Windows Shell Interactive.exe
Token: SeDebugPrivilege	320	Windows Shell Interactive.exe
Token: SeDebugPrivilege	4328	Windows Shell Interactive.exe
Token: SeDebugPrivilege	2144	Windows Shell Interactive.exe
Token: SeDebugPrivilege	1368	Windows Shell Interactive.exe
Token: SeDebugPrivilege	2752	Windows Shell Interactive.exe
Token: SeDebugPrivilege	2836	Windows Shell Interactive.exe
Token: SeDebugPrivilege	3512	Windows Shell Interactive.exe
Token: SeDebugPrivilege	1668	Windows Shell Interactive.exe
Token: SeDebugPrivilege	4788	Windows Shell Interactive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 4268	2596	2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b.exe	82
PID 2596 wrote to memory of 4268	2596	2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b.exe	82
PID 2596 wrote to memory of 4468	2596	2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b.exe	84
PID 2596 wrote to memory of 4468	2596	2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b.exe	84
PID 4468 wrote to memory of 4636	4468	Windows Shell Interactive.exe	85
PID 4468 wrote to memory of 4636	4468	Windows Shell Interactive.exe	85
PID 4468 wrote to memory of 3700	4468	Windows Shell Interactive.exe	87
PID 4468 wrote to memory of 3700	4468	Windows Shell Interactive.exe	87
PID 3700 wrote to memory of 2408	3700	cmd.exe	89
PID 3700 wrote to memory of 2408	3700	cmd.exe	89
PID 3700 wrote to memory of 3164	3700	cmd.exe	90
PID 3700 wrote to memory of 3164	3700	cmd.exe	90
PID 3700 wrote to memory of 2696	3700	cmd.exe	91
PID 3700 wrote to memory of 2696	3700	cmd.exe	91
PID 2696 wrote to memory of 5060	2696	Windows Shell Interactive.exe	92
PID 2696 wrote to memory of 5060	2696	Windows Shell Interactive.exe	92
PID 2696 wrote to memory of 1472	2696	Windows Shell Interactive.exe	94
PID 2696 wrote to memory of 1472	2696	Windows Shell Interactive.exe	94
PID 1472 wrote to memory of 1828	1472	cmd.exe	96
PID 1472 wrote to memory of 1828	1472	cmd.exe	96
PID 1472 wrote to memory of 4420	1472	cmd.exe	97
PID 1472 wrote to memory of 4420	1472	cmd.exe	97
PID 1472 wrote to memory of 5016	1472	cmd.exe	105
PID 1472 wrote to memory of 5016	1472	cmd.exe	105
PID 5016 wrote to memory of 1152	5016	Windows Shell Interactive.exe	106
PID 5016 wrote to memory of 1152	5016	Windows Shell Interactive.exe	106
PID 5016 wrote to memory of 3232	5016	Windows Shell Interactive.exe	108
PID 5016 wrote to memory of 3232	5016	Windows Shell Interactive.exe	108
PID 3232 wrote to memory of 1540	3232	cmd.exe	110
PID 3232 wrote to memory of 1540	3232	cmd.exe	110
PID 3232 wrote to memory of 1404	3232	cmd.exe	111
PID 3232 wrote to memory of 1404	3232	cmd.exe	111
PID 3232 wrote to memory of 896	3232	cmd.exe	114
PID 3232 wrote to memory of 896	3232	cmd.exe	114
PID 896 wrote to memory of 1984	896	Windows Shell Interactive.exe	115
PID 896 wrote to memory of 1984	896	Windows Shell Interactive.exe	115
PID 896 wrote to memory of 3612	896	Windows Shell Interactive.exe	117
PID 896 wrote to memory of 3612	896	Windows Shell Interactive.exe	117
PID 3612 wrote to memory of 4000	3612	cmd.exe	119
PID 3612 wrote to memory of 4000	3612	cmd.exe	119
PID 3612 wrote to memory of 2752	3612	cmd.exe	120
PID 3612 wrote to memory of 2752	3612	cmd.exe	120
PID 3612 wrote to memory of 372	3612	cmd.exe	121
PID 3612 wrote to memory of 372	3612	cmd.exe	121
PID 372 wrote to memory of 4384	372	Windows Shell Interactive.exe	122
PID 372 wrote to memory of 4384	372	Windows Shell Interactive.exe	122
PID 372 wrote to memory of 4332	372	Windows Shell Interactive.exe	124
PID 372 wrote to memory of 4332	372	Windows Shell Interactive.exe	124
PID 4332 wrote to memory of 1468	4332	cmd.exe	126
PID 4332 wrote to memory of 1468	4332	cmd.exe	126
PID 4332 wrote to memory of 3820	4332	cmd.exe	127
PID 4332 wrote to memory of 3820	4332	cmd.exe	127
PID 4332 wrote to memory of 3308	4332	cmd.exe	128
PID 4332 wrote to memory of 3308	4332	cmd.exe	128
PID 3308 wrote to memory of 4804	3308	Windows Shell Interactive.exe	129
PID 3308 wrote to memory of 4804	3308	Windows Shell Interactive.exe	129
PID 3308 wrote to memory of 2548	3308	Windows Shell Interactive.exe	131
PID 3308 wrote to memory of 2548	3308	Windows Shell Interactive.exe	131
PID 2548 wrote to memory of 4272	2548	cmd.exe	133
PID 2548 wrote to memory of 4272	2548	cmd.exe	133
PID 2548 wrote to memory of 544	2548	cmd.exe	134
PID 2548 wrote to memory of 544	2548	cmd.exe	134
PID 2548 wrote to memory of 320	2548	cmd.exe	135
PID 2548 wrote to memory of 320	2548	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b.exe
"C:\Users\Admin\AppData\Local\Temp\2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4268
- C:\Windows\system32\Windows Shell Interactive.exe
  "C:\Windows\system32\Windows Shell Interactive.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\08X68xFGxkZB.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3700
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2408
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3164
  - - C:\Windows\system32\Windows Shell Interactive.exe
      "C:\Windows\system32\Windows Shell Interactive.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5060
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hTuBTljuzB0m.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1472
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1828
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4420
      - C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q1H9w4WBFCNz.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1540
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1404
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\viuezd07A5ur.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4000
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2752
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYKnxB4YvQ9B.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1468
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3820
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xkNnORbdgvh9.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4272
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:544
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6iE7KXkaDc7V.bat" "
        15⤵
        
        PID:224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:212
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2696
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4328
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqCvLakjm78w.bat" "
        17⤵
        
        PID:3028
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3360
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2776
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWzCg2ryZv8C.bat" "
        19⤵
        
        PID:1996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3548
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3112
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PFNkMq9iCqBj.bat" "
        21⤵
        
        PID:972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4000
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4292
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aJxURL545TLE.bat" "
        23⤵
        
        PID:4456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4360
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:372
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ekrUanhaTP8C.bat" "
        25⤵
        
        PID:2228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4432
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3512
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xPd52PwABiaz.bat" "
        27⤵
        
        PID:404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1660
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1664
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MtLc4vSlrxl6.bat" "
        29⤵
        
        PID:1988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:3352
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2500
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4788
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sAbn8Y3vbtbN.bat" "
        31⤵
        
        PID:2008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2332
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Windows Shell Interactive.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\08X68xFGxkZB.bat

Filesize
208B

MD5
88e1b2cdf60a9db2002d5b0c969a8e13

SHA1
d9f1b12695c32dcc25826048b68bf78345046a34

SHA256
9aca03436a7dbdb52d459bb442ac04ac40fef96042c94bd5377580462930837c

SHA512
f561cfea98c2a75996cd6594c18ff23d3754923f1a6d7a90f807834cfc1a909850f4f56d5583f1374a644f55ce8b425af73263820bef3cf9c5709c3eaae4eed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6iE7KXkaDc7V.bat

Filesize
208B

MD5
28dc5804b0b919bd5da8bb90db6b7959

SHA1
6bd706aee73d48360fb2e233be73354c0efd5904

SHA256
fd22d4f5d4e781ca5d61908328170e058706ca69d9f86e5a675dadb9e1ed23b3

SHA512
771e2532dc957ef85ccc253766467300898e77108fec20c136a5db3daaf360f86dca933c5f53dab711f383354cf5e796580160b906f227e3ef28093cae72f853

Download Submit
C:\Users\Admin\AppData\Local\Temp\JWzCg2ryZv8C.bat

Filesize
208B

MD5
d048bb57483699968a9729fba85a625e

SHA1
c7d84aeddcf49be6000b9944f0da0ae0aab0eaad

SHA256
8b0d3bad5fdcd2eac36f4b64179bd9e3ad3bcba7e4db50520934896028288b83

SHA512
3e6e9a3bc1b7a10e582f68aa3bc26d93dc4d2c12fc64986b4465620189d48c2509d69468bba57c5cb39d3b577ec99e8232d32f7c4a603d12973016a42ac57dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MtLc4vSlrxl6.bat

Filesize
208B

MD5
f094af13c550f1775b73d6026751ae0b

SHA1
c2d41110e88a0dbee8dded7e47a5906bb0991e3d

SHA256
a9cf9939079d0121fbc5a50619adfb2d9e96184f6f14973e72fe132ddf66d1e3

SHA512
6ab8d3ce1788fc5481dfb298a018f185acf3d71a9f6e04fe34e029667916c39fb5f8bd22095afb952633314994a89022c59b83fb9be4b305b11a0fcbd88b58f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\PFNkMq9iCqBj.bat

Filesize
208B

MD5
718da5326e0c5016c6dca0595b3568b6

SHA1
e15d6f15e42b7f224d2244ac10b22de9730a7e01

SHA256
209e389e1b49f08424149a064d32a7225a6460f149f8183db958f7600979f80a

SHA512
7b645b8dffc8324c5b6c3e32518037c17fc01723256d6bd76b87d84969cae63f7279b74a62f788b675bb603e18e187c726042c73b3e862f2a440950b251b3dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q1H9w4WBFCNz.bat

Filesize
208B

MD5
1f53ef2cbb6bd28399b7970936227eac

SHA1
7c347956fec9449245a380b47649452884e7f307

SHA256
c4cd59162f0c0fa0ccf50a0f15bebde27c04a6f979dea6f6c924f5aa20b90d60

SHA512
dc98944329c3f9208187093fe2f3a6d7505b5a26f71eae2be5428ee8edd7f9d5fce7f61ad6d51ab3e2deff0930314f0beb8754315517089ba39478a753c52af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\QqCvLakjm78w.bat

Filesize
208B

MD5
cbd3ec1f3c9685fb20ef0bf0fe5e7154

SHA1
d8ad4a2ba050417ba0faa9f8adef1895b54c6590

SHA256
8a67d9224f087bf3f5d170c374452b5729609496cda3110e33d157b75f8c2d98

SHA512
71ea53086a0131d3cdb1117b889f179fb48b52350f567d78fa5561145384725a94a3707f1922f3e5dec785edea11e49426d8d3ed2dccf5f63bd83bb2c4f4c7b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\aJxURL545TLE.bat

Filesize
208B

MD5
321e64e8c71e5fc4672b3ebe48348fe6

SHA1
0d653b167fa45290a5e556b5e23b903a5e29808f

SHA256
689b6ef47d5de2c24824f5ed49087446eb32bc1f572a6dba11c8fb3ef6396ac0

SHA512
07f632731d707768bf6cee76041c1a1f00d572bdf9e46c21e36a98e21dca1cf10f3d779da74194411b024917343665193702ad328ed351be8d3a2ff82e4af3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dYKnxB4YvQ9B.bat

Filesize
208B

MD5
eb8f263112e2464c6d8a3eb27b344471

SHA1
92c94e082c74b48f55670782958d01128c41c720

SHA256
9c897079ce9c7e216aa05ba916b3a9faa9247c439477b2873d3a45857ff88070

SHA512
18f72eb5d15cf30d52f4d08f8f760494e9dddb47792f090f2aa6061ad684a571058396e9893574839e82c84825e78c4af7558fbcf996d8b99f44f9510b5094c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekrUanhaTP8C.bat

Filesize
208B

MD5
6528153ab183d97f7ad001c5707a5fa4

SHA1
102eede6cf2bba65ba06470476037af932de123d

SHA256
6cffb31ff1f13b55a70c27f461f0b5e869ef97c52f5d4600025995a18452812d

SHA512
742537279258caa40d903f154229d5b515889cc2093a5aeb11bad0db5a4b50903a5b5202a6471a96618189b898229c3c058f4a72df5d280da76d0471df9e1585

Download Submit
C:\Users\Admin\AppData\Local\Temp\hTuBTljuzB0m.bat

Filesize
208B

MD5
af7526e8404ffef1ca6984fec7d55794

SHA1
879fdd81098fe41d173c22143d338a3a033806ca

SHA256
1275d4d7170f71d6ff797cda81bf337cfb4d1cf9735a35d76995522f1a0e4f3d

SHA512
9d189d40882e41e917ada47dc3fbaea65056e00f3a0a8b73861d061e99de00e0dce77a3fa11e0cb3908b3072e4bade9c124348b384d324983c0baa0c26425392

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAbn8Y3vbtbN.bat

Filesize
208B

MD5
d58aeaaac49aaa57f541346ceeda6cb7

SHA1
6cfa1ea5588a507c7327c47b86b0c639ae4379c9

SHA256
76ce53b1feeeaaed8ce060124aefba2a41ef698ab67a49740dd201afac796bd8

SHA512
e4a184f306c714bcb758a44d2e82318a8506c1ec7ea532756ed782aec3f61c528ac734174b7e2be81e5d74c6508f464ee67231d18dd97b29bec3d27cca996bee

Download Submit
C:\Users\Admin\AppData\Local\Temp\viuezd07A5ur.bat

Filesize
208B

MD5
11a68b0fd06ee9d7a86fd21cde8e1c25

SHA1
7ade9f76b6edb63eff3d14d02a3aed39ede5574d

SHA256
52e66a6682eee3a5cc67936e9c00decd84013f179a496f8666e2a4596678aa9e

SHA512
1e56d43da952ee68a669d9c3801371de1f96191bd9fe2811654913afa2e7ea3099fb50f01d533b8ea8218a75fbe885b6e591d1ef03cb994cfed43787c445d631

Download Submit
C:\Users\Admin\AppData\Local\Temp\xPd52PwABiaz.bat

Filesize
208B

MD5
b41353f30b0c389c7e342cbe795bc614

SHA1
8d1a4bc6524be709cc93a24d93cb65228bd43547

SHA256
e6801faaefa630815e4c815e7cf8ff680e27560cf1e4f1cb00d194fc2692177b

SHA512
e1438162faf602dd666a9e1e6fe038e27bc5f6a911e8ec507515f02d5065fd40e2c825f1852f36a3064928f9f074a798d1ebda9939c463b8ae234f3478f6eb30

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkNnORbdgvh9.bat

Filesize
208B

MD5
158e167cfc5076046a876e31aca4ac99

SHA1
5d6faf6ec3aa93214a1ad7154e03ee75758a282b

SHA256
b4321721262f6a8824f19a6d5b3bf86c810d73606afd26bafdd2149523db5b0f

SHA512
d4a88109760e5e407ae2c14862c259811bc59bf9e29ed71c1afdcab423a5637f1a2167bbf5a7c0376df013467ae5d595cd1b8101e30ec08ed7ef3d0f83f80294

Download Submit
C:\Windows\System32\Windows Shell Interactive.exe

Filesize
3.1MB

MD5
aad11067aa90b9d96958aae378c45747

SHA1
13dc757a06a092ab0ef34482c307604a67fd74b9

SHA256
2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b

SHA512
8a2fc9cfc72b7f9fb0ff54292022d738013813f222ebe3d7e54f1d916a6307d7652a5f4276d38550e6c515e637358b039a3f784e70a187e2d754b60eaff26813

Download Submit
memory/2596-0-0x00007FFEF6F03000-0x00007FFEF6F05000-memory.dmp

Filesize
8KB

Download
memory/2596-1-0x00000000009C0000-0x0000000000CE4000-memory.dmp

Filesize
3.1MB

Download
memory/2596-10-0x00007FFEF6F00000-0x00007FFEF79C1000-memory.dmp

Filesize
10.8MB

Download
memory/2596-2-0x00007FFEF6F00000-0x00007FFEF79C1000-memory.dmp

Filesize
10.8MB

Download
memory/4468-13-0x000000001CA60000-0x000000001CB12000-memory.dmp

Filesize
712KB

Download
memory/4468-9-0x00007FFEF6F00000-0x00007FFEF79C1000-memory.dmp

Filesize
10.8MB

Download
memory/4468-11-0x00007FFEF6F00000-0x00007FFEF79C1000-memory.dmp

Filesize
10.8MB

Download
memory/4468-12-0x000000001BE00000-0x000000001BE50000-memory.dmp

Filesize
320KB

Download
memory/4468-18-0x00007FFEF6F00000-0x00007FFEF79C1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads