quasar | b67121c19394013d4e3fec0fcb138471e5ee51ebfafb296cc597afc0d256799f

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-01-2025 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b67121c19394013d4e3fec0fcb138471e5ee51ebfafb296cc597afc0d256799f.exe
Size

3.1MB
MD5

25befffc195ce47401f74afbe942f3ff
SHA1

287aacd0350f05308e08c6b4b8b88baf56f56160
SHA256

b67121c19394013d4e3fec0fcb138471e5ee51ebfafb296cc597afc0d256799f
SHA512

a28796538d64edaf7d4ba4d19e705211c779230a58b462793dab86ed5f51408feab998cf78ffe808819b4dc27cbaa981cd107887e0d5c7b0fb0f2bbca630973e
SSDEEP

49152:rv+I22SsaNYfdPBldt698dBcjH0gR04RoGdNdTHHB72eh2NT:rvz22SsaNYfdPBldt6+dBcjH0gR0k

Score

10^/10

quasar bot discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

bot

wexos47815-61484.portmap.host:61484

Mutex

06e2bb33-968c-4ca7-97dc-f23fbd5c3092

Attributes

encryption_key
8924CB3C9515DA437A37F5AE598376261E5528FC
install_name
msinfo32.exe
log_directory
Update
reconnect_delay
3000
startup_key
Discordupdate
subdirectory
dll32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 10 IoCs

resource	yara_rule
behavioral1/memory/2552-1-0x0000000000F50000-0x0000000001274000-memory.dmp	family_quasar
behavioral1/files/0x0016000000018657-7.dat	family_quasar
behavioral1/memory/2416-10-0x0000000000DE0000-0x0000000001104000-memory.dmp	family_quasar
behavioral1/memory/2852-43-0x0000000001140000-0x0000000001464000-memory.dmp	family_quasar
behavioral1/memory/296-65-0x0000000000010000-0x0000000000334000-memory.dmp	family_quasar
behavioral1/memory/2084-76-0x0000000001280000-0x00000000015A4000-memory.dmp	family_quasar
behavioral1/memory/1200-129-0x00000000013C0000-0x00000000016E4000-memory.dmp	family_quasar
behavioral1/memory/2248-150-0x0000000000050000-0x0000000000374000-memory.dmp	family_quasar
behavioral1/memory/2404-161-0x0000000000830000-0x0000000000B54000-memory.dmp	family_quasar
behavioral1/memory/2752-172-0x0000000000FB0000-0x00000000012D4000-memory.dmp	family_quasar

Executes dropped EXE 16 IoCs

pid	Process
2416	msinfo32.exe
2892	msinfo32.exe
1956	msinfo32.exe
2852	msinfo32.exe
400	msinfo32.exe
296	msinfo32.exe
2084	msinfo32.exe
3000	msinfo32.exe
2684	msinfo32.exe
2276	msinfo32.exe
2932	msinfo32.exe
1200	msinfo32.exe
996	msinfo32.exe
2248	msinfo32.exe
2404	msinfo32.exe
2752	msinfo32.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File created	C:\Windows\system32\dll32\msinfo32.exe	b67121c19394013d4e3fec0fcb138471e5ee51ebfafb296cc597afc0d256799f.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	b67121c19394013d4e3fec0fcb138471e5ee51ebfafb296cc597afc0d256799f.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	b67121c19394013d4e3fec0fcb138471e5ee51ebfafb296cc597afc0d256799f.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3020	PING.EXE
2260	PING.EXE
2896	PING.EXE
3020	PING.EXE
2280	PING.EXE
1576	PING.EXE
2812	PING.EXE
2812	PING.EXE
2184	PING.EXE
1648	PING.EXE
1520	PING.EXE
2144	PING.EXE
776	PING.EXE
3004	PING.EXE
1016	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1576	PING.EXE
2144	PING.EXE
2896	PING.EXE
2812	PING.EXE
776	PING.EXE
3020	PING.EXE
2280	PING.EXE
1648	PING.EXE
3004	PING.EXE
2812	PING.EXE
1016	PING.EXE
3020	PING.EXE
2260	PING.EXE
2184	PING.EXE
1520	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2844	schtasks.exe
1872	schtasks.exe
1944	schtasks.exe
1668	schtasks.exe
352	schtasks.exe
2776	schtasks.exe
2740	schtasks.exe
2132	schtasks.exe
1944	schtasks.exe
2664	schtasks.exe
2132	schtasks.exe
2428	schtasks.exe
2248	schtasks.exe
352	schtasks.exe
1556	schtasks.exe
2376	schtasks.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	b67121c19394013d4e3fec0fcb138471e5ee51ebfafb296cc597afc0d256799f.exe
Token: SeDebugPrivilege	2416	msinfo32.exe
Token: SeDebugPrivilege	2892	msinfo32.exe
Token: SeDebugPrivilege	1956	msinfo32.exe
Token: SeDebugPrivilege	2852	msinfo32.exe
Token: SeDebugPrivilege	400	msinfo32.exe
Token: SeDebugPrivilege	296	msinfo32.exe
Token: SeDebugPrivilege	2084	msinfo32.exe
Token: SeDebugPrivilege	3000	msinfo32.exe
Token: SeDebugPrivilege	2684	msinfo32.exe
Token: SeDebugPrivilege	2276	msinfo32.exe
Token: SeDebugPrivilege	2932	msinfo32.exe
Token: SeDebugPrivilege	1200	msinfo32.exe
Token: SeDebugPrivilege	996	msinfo32.exe
Token: SeDebugPrivilege	2248	msinfo32.exe
Token: SeDebugPrivilege	2404	msinfo32.exe
Token: SeDebugPrivilege	2752	msinfo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 1944	2552	b67121c19394013d4e3fec0fcb138471e5ee51ebfafb296cc597afc0d256799f.exe	30
PID 2552 wrote to memory of 1944	2552	b67121c19394013d4e3fec0fcb138471e5ee51ebfafb296cc597afc0d256799f.exe	30
PID 2552 wrote to memory of 1944	2552	b67121c19394013d4e3fec0fcb138471e5ee51ebfafb296cc597afc0d256799f.exe	30
PID 2552 wrote to memory of 2416	2552	b67121c19394013d4e3fec0fcb138471e5ee51ebfafb296cc597afc0d256799f.exe	32
PID 2552 wrote to memory of 2416	2552	b67121c19394013d4e3fec0fcb138471e5ee51ebfafb296cc597afc0d256799f.exe	32
PID 2552 wrote to memory of 2416	2552	b67121c19394013d4e3fec0fcb138471e5ee51ebfafb296cc597afc0d256799f.exe	32
PID 2416 wrote to memory of 1668	2416	msinfo32.exe	34
PID 2416 wrote to memory of 1668	2416	msinfo32.exe	34
PID 2416 wrote to memory of 1668	2416	msinfo32.exe	34
PID 2416 wrote to memory of 2752	2416	msinfo32.exe	36
PID 2416 wrote to memory of 2752	2416	msinfo32.exe	36
PID 2416 wrote to memory of 2752	2416	msinfo32.exe	36
PID 2752 wrote to memory of 2780	2752	cmd.exe	38
PID 2752 wrote to memory of 2780	2752	cmd.exe	38
PID 2752 wrote to memory of 2780	2752	cmd.exe	38
PID 2752 wrote to memory of 2812	2752	cmd.exe	39
PID 2752 wrote to memory of 2812	2752	cmd.exe	39
PID 2752 wrote to memory of 2812	2752	cmd.exe	39
PID 2752 wrote to memory of 2892	2752	cmd.exe	40
PID 2752 wrote to memory of 2892	2752	cmd.exe	40
PID 2752 wrote to memory of 2892	2752	cmd.exe	40
PID 2892 wrote to memory of 2664	2892	msinfo32.exe	41
PID 2892 wrote to memory of 2664	2892	msinfo32.exe	41
PID 2892 wrote to memory of 2664	2892	msinfo32.exe	41
PID 2892 wrote to memory of 1952	2892	msinfo32.exe	43
PID 2892 wrote to memory of 1952	2892	msinfo32.exe	43
PID 2892 wrote to memory of 1952	2892	msinfo32.exe	43
PID 1952 wrote to memory of 2568	1952	cmd.exe	45
PID 1952 wrote to memory of 2568	1952	cmd.exe	45
PID 1952 wrote to memory of 2568	1952	cmd.exe	45
PID 1952 wrote to memory of 2184	1952	cmd.exe	46
PID 1952 wrote to memory of 2184	1952	cmd.exe	46
PID 1952 wrote to memory of 2184	1952	cmd.exe	46
PID 1952 wrote to memory of 1956	1952	cmd.exe	47
PID 1952 wrote to memory of 1956	1952	cmd.exe	47
PID 1952 wrote to memory of 1956	1952	cmd.exe	47
PID 1956 wrote to memory of 2132	1956	msinfo32.exe	48
PID 1956 wrote to memory of 2132	1956	msinfo32.exe	48
PID 1956 wrote to memory of 2132	1956	msinfo32.exe	48
PID 1956 wrote to memory of 1728	1956	msinfo32.exe	50
PID 1956 wrote to memory of 1728	1956	msinfo32.exe	50
PID 1956 wrote to memory of 1728	1956	msinfo32.exe	50
PID 1728 wrote to memory of 1992	1728	cmd.exe	52
PID 1728 wrote to memory of 1992	1728	cmd.exe	52
PID 1728 wrote to memory of 1992	1728	cmd.exe	52
PID 1728 wrote to memory of 776	1728	cmd.exe	53
PID 1728 wrote to memory of 776	1728	cmd.exe	53
PID 1728 wrote to memory of 776	1728	cmd.exe	53
PID 1728 wrote to memory of 2852	1728	cmd.exe	54
PID 1728 wrote to memory of 2852	1728	cmd.exe	54
PID 1728 wrote to memory of 2852	1728	cmd.exe	54
PID 2852 wrote to memory of 352	2852	msinfo32.exe	55
PID 2852 wrote to memory of 352	2852	msinfo32.exe	55
PID 2852 wrote to memory of 352	2852	msinfo32.exe	55
PID 2852 wrote to memory of 2484	2852	msinfo32.exe	57
PID 2852 wrote to memory of 2484	2852	msinfo32.exe	57
PID 2852 wrote to memory of 2484	2852	msinfo32.exe	57
PID 2484 wrote to memory of 904	2484	cmd.exe	59
PID 2484 wrote to memory of 904	2484	cmd.exe	59
PID 2484 wrote to memory of 904	2484	cmd.exe	59
PID 2484 wrote to memory of 1648	2484	cmd.exe	60
PID 2484 wrote to memory of 1648	2484	cmd.exe	60
PID 2484 wrote to memory of 1648	2484	cmd.exe	60
PID 2484 wrote to memory of 400	2484	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b67121c19394013d4e3fec0fcb138471e5ee51ebfafb296cc597afc0d256799f.exe
"C:\Users\Admin\AppData\Local\Temp\b67121c19394013d4e3fec0fcb138471e5ee51ebfafb296cc597afc0d256799f.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1944
- C:\Windows\system32\dll32\msinfo32.exe
  "C:\Windows\system32\dll32\msinfo32.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1668
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\QC8ej2oFX0Lq.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2780
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2812
  - - C:\Windows\system32\dll32\msinfo32.exe
      "C:\Windows\system32\dll32\msinfo32.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2664
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wux6IPl2MlU8.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1952
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2568
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2184
      - C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2132
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RBCiwRk1u8RB.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:776
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:352
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nwTqUDPpQoyF.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:904
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1648
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2428
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3OMLK2S9GS8z.bat" "
        11⤵
        
        PID:1988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3020
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:296
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1556
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ngrUuWEvslbS.bat" "
        13⤵
        
        PID:1164
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:532
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2280
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2248
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kJy1KKX4cBK6.bat" "
        15⤵
        
        PID:1932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2052
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3004
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2776
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Cp3TJef5j49a.bat" "
        17⤵
        
        PID:2940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2812
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2740
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lwxAhEvxUBnI.bat" "
        19⤵
        
        PID:2712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1576
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2132
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WbvR43rW8Dwy.bat" "
        21⤵
        
        PID:1044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1520
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:352
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZKwE2uwY5nfi.bat" "
        23⤵
        
        PID:2852
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1052
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1016
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2844
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sKiKV5mEf4QR.bat" "
        25⤵
        
        PID:1552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1700
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3020
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1872
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\h6B4RJ8nA3Wi.bat" "
        27⤵
        
        PID:544
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2204
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2260
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2376
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8SH7UcgVdNoS.bat" "
        29⤵
        
        PID:2768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2144
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1944
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NrL9i0rRj959.bat" "
        31⤵
        
        PID:2720
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2896
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3OMLK2S9GS8z.bat

Filesize
197B

MD5
6d0534b5b6e9730d7087b234a91ef8d2

SHA1
678f581184b96ebf1e6b1f55687473c7ae919921

SHA256
f7991e7d99d2e96b4bc062e66ac4397806246b27409565623fbc4b3d35e8c7ef

SHA512
d4b02b3b3b2d7b35f0a8601157cf6439ff494c5131f5e11d60b37668f8fb5c0024c76092647e45556d88dd2e629078e467922db95cb962a5cf21a69449d1d75b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8SH7UcgVdNoS.bat

Filesize
197B

MD5
7ca7dd30db53c5764247271deea2650f

SHA1
6208cfaeea108ec4b3e8af66312760d8eb491238

SHA256
850e59e01230a3002e84c280bdf48d3ae5f2cbd6841731d219d223ab4100b7e6

SHA512
1ff3d5c2dc1d49a15a17eac1f784c07471a3cdc0083af55d1a8e08949d066c12ffd2579ec2fa0f13fed7d2a4550f1528c1fe6a5b59e04d08434d2be7f4020694

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cp3TJef5j49a.bat

Filesize
197B

MD5
40e2a88df51d4c0c959aded3445fdad2

SHA1
4b79f7482b51607c23be36d2bd68359c0e7f5cdf

SHA256
cdb53cc370977d5f6651e65166ef3ac61ddb8cd3aed2db08ba278570724e87cb

SHA512
ce8e627ea40284fbce8fbc355d06bacd0a51124c45972dfd5f7a40a710677dcc67983d5d708aa320384c33440b9a84886c9dccdea12295511e127329dcccc972

Download Submit
C:\Users\Admin\AppData\Local\Temp\NrL9i0rRj959.bat

Filesize
197B

MD5
d4db7bc6d503eb759f2eab635fad1fd1

SHA1
c7be62ee3079a005b7eb3ef923d90c878a57b405

SHA256
34a081ca7549909f5fa5625decf3d0045fbfd03944ec0f113ea5c10d02f40a04

SHA512
18dd7cf276e71ce1fccaf79cf4691066f2df4ed6f6e699b6f88e948ef7ace3f9f0ff4a458de5599f9e2e04cb549ad278de3aeb93e6fcf9017c30f0a66867aa31

Download Submit
C:\Users\Admin\AppData\Local\Temp\QC8ej2oFX0Lq.bat

Filesize
197B

MD5
3a263e5028d019345cc8429686cf2ac6

SHA1
b391708953e3d69b60f90198b9559e0758505077

SHA256
660d2bf35478769949d0c1c3f0983fc5faf8efe5b7bd746ac37fd26ab3b7ab30

SHA512
dc3d656a17aba89b328127bd3157aefbbd50266a746202851d5e8cba068ddefc2c1eaeebfea5c2f508d96c281daaf4b0a999aa21431f57cc6e861e5d1cde26f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBCiwRk1u8RB.bat

Filesize
197B

MD5
1f75c6ca688a18022718755c46c4d1bb

SHA1
623dcd0f28d4a31ffaee5f9abdbf513429ad8881

SHA256
609234e81841e038eda733aa832c45023245e83c425e605a9cb88064d93d7699

SHA512
e111c68d40c45856e95d002b7d7bce6528968d2b8ec34cfb944de86463d7a53acb4a23ef1644a98e41e9e114c09ae6b5c8d49e82267a5dcdc93a47e87e5cd5a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WbvR43rW8Dwy.bat

Filesize
197B

MD5
2ec38afa6e4b3875f6f1c17113f842fd

SHA1
a560db50adae021729ada3fdfec14f310c147236

SHA256
db6e4b42332ac84c646cead4a42ac085f8b1eeab5ea9225846389b7cc8a9d180

SHA512
e82b1f1349b2c80f0a3c28dfdbe80a4aa5f689623494be1131715a90f5fdecbf7a27a06cd688ab75d919b4e375b44f65980b95d82f438f1f1c4c24a9f476236d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZKwE2uwY5nfi.bat

Filesize
197B

MD5
5c839653e736ea185424b6965e75969f

SHA1
2aa08cc8f58a60b9738d101ccaa656eff1b520d4

SHA256
911d736a3311052266c830b25279b222d2da4ffdfb83fa6ee53ce9541ed06e85

SHA512
f164fbfc0349e05d8c1c7b9be3c8d60358af3b7ec05cfe64bb82136bf55a83b8616954c6418015b1a400de4385448c7053d0fd9ca1bafc26a68e2b7658947d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\h6B4RJ8nA3Wi.bat

Filesize
197B

MD5
128d30f7f593dc2fdb7cb14ce7041146

SHA1
e942b17be746a5e87f62fa5cc9c1c2d1b9898040

SHA256
b97cdae12a68346b9594638ef368f51a867c100b93bfeead0216288eec4c48f6

SHA512
b5a70eb4ac46eca5b4c535519bdc0709c098c7a6b96af83ab2f23bf09b22c4f59c6e11224e1efa1cdbfb69398f43ec6863a092abf39dfb87410ef22b2bab7484

Download Submit
C:\Users\Admin\AppData\Local\Temp\kJy1KKX4cBK6.bat

Filesize
197B

MD5
5515986a676ac4b557234ae5a9e85f8a

SHA1
12a12b0438d6130fb0291affb332d6c5ba545e05

SHA256
4b2daba18157af9c2187630f595c956dac6179db0d872fd3d1171b4bc7c2d5e6

SHA512
5bf866879eb1755f925116b73a10dd2333d0450a48ad7982c6abc905db02a17ac8e4a0f06e9976bb349b913ea96ae591385e61d398d9db625dc1e2529c8f0b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwxAhEvxUBnI.bat

Filesize
197B

MD5
cafcfda24dc6198bb53d1aa7ccaa1310

SHA1
522666c8648f296975ebaa94b94bdedf9f7998c8

SHA256
fda39f7bdffbc9624c81147c7734145d2f4de38238848de0c4301b957503adad

SHA512
39cc26f9bffbe5b3fa6ee8d87ea7af25a83e633bda35bdc1843c62e5b2e29653c4cf486932204f1e39e1e80d7cd967532fc5d1ffa553800b1f7ef1147067a3ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngrUuWEvslbS.bat

Filesize
197B

MD5
80d428516bb6253eb84ab83f9bb2f82f

SHA1
6795b0d831e9c2bbb3738a671cf9a14ab00a9991

SHA256
caf4b1601ce897470787d647e1543db8209fb2dacddc186cdad04d6a42d5bee9

SHA512
d1c1bf47d5427f57da688931ba94286524a45e16cc1a0320a488e73304a5014293c273daadaf08b2c344b9ff21248ab64605153ab76405bf1f9eaecbf9976145

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwTqUDPpQoyF.bat

Filesize
197B

MD5
409523ed7ab66597beae8fd49e5eba37

SHA1
e455b3f29977a14d5abd499d26182250128479e3

SHA256
e378a472baf206b2a00cb6254e8e7691825f50024fbbab131af01ae17cf71de3

SHA512
99e7f6d0dfb35e06f70efd6906c2c9b88693468b9848cdfd2d2032b6295d6ef1bb9b9f222354f6799400e8b69c879660f9a79c3d4be9f3699ccb43a66244c64d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sKiKV5mEf4QR.bat

Filesize
197B

MD5
49088186f0b794fb10a140102a027499

SHA1
6dd91f8d55de30a7e78b4afbf21752e0830107cb

SHA256
c4c166dcc2dd684bb04027b657cc0c46f4111f60756472d6577317023a449905

SHA512
f1196609e5d524b698637085a959cf354a74db2c1c4ea7a1f143a129798867257894714f4b07f049362804e2a131012dfe0752c14b8a1d320890bbba411b19b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wux6IPl2MlU8.bat

Filesize
197B

MD5
95479e3c02e6ffcb0f26de9d10cc7ff0

SHA1
2b3dfb2e2bbb88bd94c6d937379b8e8a99c42da8

SHA256
140e92df3dfa871b120bf4e250cd71daea8d0b36d0cd128d56515dc98a699e5d

SHA512
edcce73d647aa62dbe1c44a57583d36568b0490abd297e64d9841f21d875721cccc1261cf61329462f000089b3c52e03a37bb19290ef94f47d55968dc6900470

Download Submit
C:\Windows\system32\dll32\msinfo32.exe

Filesize
3.1MB

MD5
25befffc195ce47401f74afbe942f3ff

SHA1
287aacd0350f05308e08c6b4b8b88baf56f56160

SHA256
b67121c19394013d4e3fec0fcb138471e5ee51ebfafb296cc597afc0d256799f

SHA512
a28796538d64edaf7d4ba4d19e705211c779230a58b462793dab86ed5f51408feab998cf78ffe808819b4dc27cbaa981cd107887e0d5c7b0fb0f2bbca630973e

Download Submit
memory/296-65-0x0000000000010000-0x0000000000334000-memory.dmp

Filesize
3.1MB

Download
memory/1200-129-0x00000000013C0000-0x00000000016E4000-memory.dmp

Filesize
3.1MB

Download
memory/2084-76-0x0000000001280000-0x00000000015A4000-memory.dmp

Filesize
3.1MB

Download
memory/2248-150-0x0000000000050000-0x0000000000374000-memory.dmp

Filesize
3.1MB

Download
memory/2404-161-0x0000000000830000-0x0000000000B54000-memory.dmp

Filesize
3.1MB

Download
memory/2416-21-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/2416-11-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/2416-10-0x0000000000DE0000-0x0000000001104000-memory.dmp

Filesize
3.1MB

Download
memory/2416-9-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/2552-8-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/2552-0-0x000007FEF5903000-0x000007FEF5904000-memory.dmp

Filesize
4KB

Download
memory/2552-2-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/2552-1-0x0000000000F50000-0x0000000001274000-memory.dmp

Filesize
3.1MB

Download
memory/2752-172-0x0000000000FB0000-0x00000000012D4000-memory.dmp

Filesize
3.1MB

Download
memory/2852-43-0x0000000001140000-0x0000000001464000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads