quasar | 2b556da7af4e05fdc5c0a47bbdcc999bc9f3f708f7aa88f07ed3083f88d45432

Analysis

max time kernel
142s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b556da7af4e05fdc5c0a47bbdcc999bc9f3f708f7aa88f07ed3083f88d45432.exe
Size

3.1MB
MD5

7c1fd7240072a6a6f53d93f191d769f0
SHA1

c0f3004513ea69aca854da4a740b176d04be8a35
SHA256

2b556da7af4e05fdc5c0a47bbdcc999bc9f3f708f7aa88f07ed3083f88d45432
SHA512

513f39e50c98b9bc22e7e97291df9577dd22c7a75405c86a0c49df8101b84ec67f96372d974c27dfd421bec3e8dc2b77984609136cda6e9ab39e0081ec84e493
SSDEEP

49152:/v4uf2NUaNmwzPWlvdaKM7ZxTwkCC1JdLoGdeTHHB72eh2NT:/v3f2NUaNmwzPWlvdaB7ZxTwkCI

Score

10^/10

quasar stinky discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Stinky

ef3243fsert34.ddns.net:47820

oj42315j346ng2134.myvnc.com:47820

Mutex

448b82a7-900f-48ac-b52b-73d8b9b1a9fa

Attributes

encryption_key
7A23123B6E1E0CCDB27477C6C7654C7BE2FEDE54
install_name
sru.exe
log_directory
Logs
reconnect_delay
3000
startup_key
xml
subdirectory
sru

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 15 IoCs

resource	yara_rule
behavioral1/memory/2480-1-0x0000000000100000-0x0000000000424000-memory.dmp	family_quasar
behavioral1/files/0x000700000001924c-6.dat	family_quasar
behavioral1/memory/1928-10-0x0000000000D50000-0x0000000001074000-memory.dmp	family_quasar
behavioral1/memory/2868-23-0x0000000000E40000-0x0000000001164000-memory.dmp	family_quasar
behavioral1/memory/2972-35-0x0000000000FE0000-0x0000000001304000-memory.dmp	family_quasar
behavioral1/memory/3048-46-0x00000000010D0000-0x00000000013F4000-memory.dmp	family_quasar
behavioral1/memory/1772-67-0x00000000002A0000-0x00000000005C4000-memory.dmp	family_quasar
behavioral1/memory/908-78-0x0000000001310000-0x0000000001634000-memory.dmp	family_quasar
behavioral1/memory/2820-89-0x00000000001A0000-0x00000000004C4000-memory.dmp	family_quasar
behavioral1/memory/2476-100-0x0000000000270000-0x0000000000594000-memory.dmp	family_quasar
behavioral1/memory/1288-111-0x0000000001010000-0x0000000001334000-memory.dmp	family_quasar
behavioral1/memory/2984-133-0x00000000000F0000-0x0000000000414000-memory.dmp	family_quasar
behavioral1/memory/1048-144-0x0000000000930000-0x0000000000C54000-memory.dmp	family_quasar
behavioral1/memory/2384-155-0x00000000009E0000-0x0000000000D04000-memory.dmp	family_quasar
behavioral1/memory/2908-166-0x0000000000310000-0x0000000000634000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
1928	sru.exe
2868	sru.exe
2972	sru.exe
3048	sru.exe
2584	sru.exe
1772	sru.exe
908	sru.exe
2820	sru.exe
2476	sru.exe
1288	sru.exe
2132	sru.exe
2984	sru.exe
1048	sru.exe
2384	sru.exe
2908	sru.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\sru	2b556da7af4e05fdc5c0a47bbdcc999bc9f3f708f7aa88f07ed3083f88d45432.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File created	C:\Windows\system32\sru\sru.exe	2b556da7af4e05fdc5c0a47bbdcc999bc9f3f708f7aa88f07ed3083f88d45432.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	2b556da7af4e05fdc5c0a47bbdcc999bc9f3f708f7aa88f07ed3083f88d45432.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1504	PING.EXE
776	PING.EXE
2084	PING.EXE
2880	PING.EXE
2164	PING.EXE
1672	PING.EXE
1524	PING.EXE
1728	PING.EXE
2752	PING.EXE
2292	PING.EXE
2156	PING.EXE
1112	PING.EXE
1004	PING.EXE
1736	PING.EXE
2740	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1672	PING.EXE
1112	PING.EXE
1736	PING.EXE
1504	PING.EXE
2084	PING.EXE
2156	PING.EXE
1004	PING.EXE
2164	PING.EXE
2292	PING.EXE
776	PING.EXE
1524	PING.EXE
2740	PING.EXE
2752	PING.EXE
1728	PING.EXE
2880	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2760	schtasks.exe
2700	schtasks.exe
2588	schtasks.exe
2296	schtasks.exe
2144	schtasks.exe
2036	schtasks.exe
3016	schtasks.exe
2196	schtasks.exe
2324	schtasks.exe
2648	schtasks.exe
3036	schtasks.exe
336	schtasks.exe
1088	schtasks.exe
1936	schtasks.exe
2224	schtasks.exe
1824	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	2b556da7af4e05fdc5c0a47bbdcc999bc9f3f708f7aa88f07ed3083f88d45432.exe
Token: SeDebugPrivilege	1928	sru.exe
Token: SeDebugPrivilege	2868	sru.exe
Token: SeDebugPrivilege	2972	sru.exe
Token: SeDebugPrivilege	3048	sru.exe
Token: SeDebugPrivilege	2584	sru.exe
Token: SeDebugPrivilege	1772	sru.exe
Token: SeDebugPrivilege	908	sru.exe
Token: SeDebugPrivilege	2820	sru.exe
Token: SeDebugPrivilege	2476	sru.exe
Token: SeDebugPrivilege	1288	sru.exe
Token: SeDebugPrivilege	2132	sru.exe
Token: SeDebugPrivilege	2984	sru.exe
Token: SeDebugPrivilege	1048	sru.exe
Token: SeDebugPrivilege	2384	sru.exe
Token: SeDebugPrivilege	2908	sru.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2196	2480	2b556da7af4e05fdc5c0a47bbdcc999bc9f3f708f7aa88f07ed3083f88d45432.exe	30
PID 2480 wrote to memory of 2196	2480	2b556da7af4e05fdc5c0a47bbdcc999bc9f3f708f7aa88f07ed3083f88d45432.exe	30
PID 2480 wrote to memory of 2196	2480	2b556da7af4e05fdc5c0a47bbdcc999bc9f3f708f7aa88f07ed3083f88d45432.exe	30
PID 2480 wrote to memory of 1928	2480	2b556da7af4e05fdc5c0a47bbdcc999bc9f3f708f7aa88f07ed3083f88d45432.exe	32
PID 2480 wrote to memory of 1928	2480	2b556da7af4e05fdc5c0a47bbdcc999bc9f3f708f7aa88f07ed3083f88d45432.exe	32
PID 2480 wrote to memory of 1928	2480	2b556da7af4e05fdc5c0a47bbdcc999bc9f3f708f7aa88f07ed3083f88d45432.exe	32
PID 1928 wrote to memory of 2700	1928	sru.exe	33
PID 1928 wrote to memory of 2700	1928	sru.exe	33
PID 1928 wrote to memory of 2700	1928	sru.exe	33
PID 1928 wrote to memory of 2892	1928	sru.exe	35
PID 1928 wrote to memory of 2892	1928	sru.exe	35
PID 1928 wrote to memory of 2892	1928	sru.exe	35
PID 2892 wrote to memory of 588	2892	cmd.exe	37
PID 2892 wrote to memory of 588	2892	cmd.exe	37
PID 2892 wrote to memory of 588	2892	cmd.exe	37
PID 2892 wrote to memory of 2752	2892	cmd.exe	38
PID 2892 wrote to memory of 2752	2892	cmd.exe	38
PID 2892 wrote to memory of 2752	2892	cmd.exe	38
PID 2892 wrote to memory of 2868	2892	cmd.exe	40
PID 2892 wrote to memory of 2868	2892	cmd.exe	40
PID 2892 wrote to memory of 2868	2892	cmd.exe	40
PID 2868 wrote to memory of 2648	2868	sru.exe	41
PID 2868 wrote to memory of 2648	2868	sru.exe	41
PID 2868 wrote to memory of 2648	2868	sru.exe	41
PID 2868 wrote to memory of 340	2868	sru.exe	43
PID 2868 wrote to memory of 340	2868	sru.exe	43
PID 2868 wrote to memory of 340	2868	sru.exe	43
PID 340 wrote to memory of 844	340	cmd.exe	45
PID 340 wrote to memory of 844	340	cmd.exe	45
PID 340 wrote to memory of 844	340	cmd.exe	45
PID 340 wrote to memory of 1504	340	cmd.exe	46
PID 340 wrote to memory of 1504	340	cmd.exe	46
PID 340 wrote to memory of 1504	340	cmd.exe	46
PID 340 wrote to memory of 2972	340	cmd.exe	47
PID 340 wrote to memory of 2972	340	cmd.exe	47
PID 340 wrote to memory of 2972	340	cmd.exe	47
PID 2972 wrote to memory of 2588	2972	sru.exe	48
PID 2972 wrote to memory of 2588	2972	sru.exe	48
PID 2972 wrote to memory of 2588	2972	sru.exe	48
PID 2972 wrote to memory of 1004	2972	sru.exe	50
PID 2972 wrote to memory of 1004	2972	sru.exe	50
PID 2972 wrote to memory of 1004	2972	sru.exe	50
PID 1004 wrote to memory of 2092	1004	cmd.exe	52
PID 1004 wrote to memory of 2092	1004	cmd.exe	52
PID 1004 wrote to memory of 2092	1004	cmd.exe	52
PID 1004 wrote to memory of 776	1004	cmd.exe	53
PID 1004 wrote to memory of 776	1004	cmd.exe	53
PID 1004 wrote to memory of 776	1004	cmd.exe	53
PID 1004 wrote to memory of 3048	1004	cmd.exe	54
PID 1004 wrote to memory of 3048	1004	cmd.exe	54
PID 1004 wrote to memory of 3048	1004	cmd.exe	54
PID 3048 wrote to memory of 3036	3048	sru.exe	55
PID 3048 wrote to memory of 3036	3048	sru.exe	55
PID 3048 wrote to memory of 3036	3048	sru.exe	55
PID 3048 wrote to memory of 1720	3048	sru.exe	57
PID 3048 wrote to memory of 1720	3048	sru.exe	57
PID 3048 wrote to memory of 1720	3048	sru.exe	57
PID 1720 wrote to memory of 2704	1720	cmd.exe	59
PID 1720 wrote to memory of 2704	1720	cmd.exe	59
PID 1720 wrote to memory of 2704	1720	cmd.exe	59
PID 1720 wrote to memory of 2084	1720	cmd.exe	60
PID 1720 wrote to memory of 2084	1720	cmd.exe	60
PID 1720 wrote to memory of 2084	1720	cmd.exe	60
PID 1720 wrote to memory of 2584	1720	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2b556da7af4e05fdc5c0a47bbdcc999bc9f3f708f7aa88f07ed3083f88d45432.exe
"C:\Users\Admin\AppData\Local\Temp\2b556da7af4e05fdc5c0a47bbdcc999bc9f3f708f7aa88f07ed3083f88d45432.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2196
- C:\Windows\system32\sru\sru.exe
  "C:\Windows\system32\sru\sru.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2700
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\augr6d4DoGcy.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:588
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2752
  - - C:\Windows\system32\sru\sru.exe
      "C:\Windows\system32\sru\sru.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2648
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\I5IEg9wHD12m.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:340
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:844
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1504
      - C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2588
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\6yusiwAsvhQv.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2092
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:776
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3036
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\B9OVLSw4L5Kd.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2704
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2084
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:336
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QwBdMCEkzM5g.bat" "
        11⤵
        
        PID:2932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1672
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2296
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fOB86gK7cTc5.bat" "
        13⤵
        
        PID:316
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1752
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1524
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2144
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cOAYtZZJb4Au.bat" "
        15⤵
        
        PID:2284
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2404
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2156
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2224
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MM1BeBIPU386.bat" "
        17⤵
        
        PID:2644
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2896
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2880
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2324
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uiykKl7JEqP2.bat" "
        19⤵
        
        PID:2952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1112
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2036
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HSJCtV80A3wi.bat" "
        21⤵
        
        PID:856
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1984
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1004
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1824
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MNfIm3HeuaUo.bat" "
        23⤵
        
        PID:2320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1720
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2164
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3016
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HZbiW4RcTVS6.bat" "
        25⤵
        
        PID:1664
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1736
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1088
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yzpDUMHVINuM.bat" "
        27⤵
        
        PID:1932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2220
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2292
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1936
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FbaA7QW2l2HR.bat" "
        29⤵
        
        PID:1980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2712
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1728
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2760
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\taskA3DWkoUN.bat" "
        31⤵
        
        PID:1952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2892
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6yusiwAsvhQv.bat

Filesize
190B

MD5
9d788527fdcace757d89d53450af3747

SHA1
a98f0658e694b72aa1664a699f47b238536fff56

SHA256
4f35100945dbaf41e1c6e4b689fa24a18a5b73f1179e90e37b61a9764d38681f

SHA512
d7a53e7c24e47389fc5272004439ca5c7da8c90d706db7b0a01592999a52f4bc54c8acc5b732ca0889ecf63cd0baac40baaafd9a13578220b5e89b2de0582315

Download Submit
C:\Users\Admin\AppData\Local\Temp\B9OVLSw4L5Kd.bat

Filesize
190B

MD5
eaf245e8b13e0128543027ae3077a78e

SHA1
fabf28c4416a65e6da5131efdac94f992266f6f5

SHA256
298f18453135b53152b83b1404f62e176e619916717fe9e04eeb69e3b76341a6

SHA512
411800119c1f6f20116a4479236c72d87dc0f837099b46c37ebcd2c7f96251963841755aaa48f2255209c556cbf1da9ff1fdc9e5b5fd43d11cd4de02929ef4b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\FbaA7QW2l2HR.bat

Filesize
190B

MD5
8a5f4b52c89a929f5a1c9d1c69d24075

SHA1
09f158b106cbed0722b1ee9c4cd6f84c3257a518

SHA256
0368125988fc770d3f3b3de220274d1500ca9616fbf7f3bba12314791f54d0d8

SHA512
4b8797e19964276c5db0fc630d40f4ea2ff49a284d1b601553abf19545efd8c060b3bb178aa09dc857f279417d35b4d16b241621c9869079202eb7140cf21a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HSJCtV80A3wi.bat

Filesize
190B

MD5
68e7a5fc80c0a0eb16b5d91d5529fd72

SHA1
5ef2699247214756321f007e9c615e348be61330

SHA256
cd32390a59e1703fcaa9349bcf67179baa0c773e2b7ad63a16be665c2c6856a2

SHA512
39f9d62d2d41f198017ad638abf145e6296b3bb093285b62696a8d4e51ecd2b972018f67dfbc02261297e3c5415461a07d9a44118b3524f3a798ec8bf7446239

Download Submit
C:\Users\Admin\AppData\Local\Temp\HZbiW4RcTVS6.bat

Filesize
190B

MD5
4e216664a22e5264338b543dd35769bf

SHA1
9f20b24aa84090cfa4c6d1ab63488e6cf699c153

SHA256
ebac14c3fa5485f2a4a4951ca26244b33e280d4b6cb3b6cdf61ed06eb9e403fe

SHA512
85d5041b80cc3bc19da7724d6362c447a8fa33936b1954f395bd0658d70eb9afc58ac3a4a7bb8236eb1f4cfb9e62b8f239dba4d6e5a9d054a5deb9369690a26e

Download Submit
C:\Users\Admin\AppData\Local\Temp\I5IEg9wHD12m.bat

Filesize
190B

MD5
b39421521889f00e5a1a647427091b01

SHA1
43ddbbadbe96ed916711e60d59d53e16fba0b667

SHA256
44aa37da04e0a949bc521b65fceb4391f402e92fc37b3a6d1c8a470f8f9b5028

SHA512
0063d40d2ef520ecb62cdae90e7cf42e6751b0c299570906e6cc9711c4a5d0ee61f1fa5891810ac446037ebe29e34f5b700bab88aba7dbeb9dda09e23d0a7f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MM1BeBIPU386.bat

Filesize
190B

MD5
5eaa505ef0a835510b8c6c5727110e79

SHA1
35f979186719249ecf1ab1abb01b6d2790961589

SHA256
e4bb2f91beec0595e1d9fd26c33e10fa4d637975aee4ce99b068f4760fdeec12

SHA512
b6ecf244955b1f94b9d8617c1af623f248bc836dbf6a017382b88c243434eeec9a5dba65d310a19405389dd4bfc50fb81f1c5be0f202974661b59332cd38b801

Download Submit
C:\Users\Admin\AppData\Local\Temp\MNfIm3HeuaUo.bat

Filesize
190B

MD5
58a0986c5369cacaef101d892d891926

SHA1
457facc54c3684bc8630069cfc616d58fffbee84

SHA256
8425e0df557a5b631c7cd791e57ac8bbff05d6a4c08d99f72968f30547b914a9

SHA512
f97e9ba493329f29fa83d24db59b811e68933096c7ee136f610afce1015d14eeedec09e58c754380ac073d8b2da9854bdaa5595a7274e86236c65d53d0dd878e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwBdMCEkzM5g.bat

Filesize
190B

MD5
99fb53e3deb761511de44fe2c8758f15

SHA1
32429f3539f0ea07e77b4a27395c3387cecae414

SHA256
70fd19865be756db6f327f1ca9ba452913a51bbe9ff4295836dee5d4fa801b18

SHA512
528a5077eaacedef19aaf1a1f8051642ea64afbef21424be46446c81e6a5720226a5258c512c10c1f936d13a2b9ac0f5dbd68083bc0a2893ebc5797a3c80a11f

Download Submit
C:\Users\Admin\AppData\Local\Temp\augr6d4DoGcy.bat

Filesize
190B

MD5
03e1affe5f5ae6ffb821ee3a83cc50e2

SHA1
4e8762352ef0508b2019088d9a0d679edd7c9d8c

SHA256
e67f13fd500f631ac402b03161c19a1b64d21c9ae5f94b0ad11e3da9313d65e8

SHA512
299076618050677aa9e62c0b75c22187b41b16809587c59e4ef675db73fecbd2bb41b86b561102ebf01a4485d59edc7dfc8b1207d111d470582df5c088f14693

Download Submit
C:\Users\Admin\AppData\Local\Temp\cOAYtZZJb4Au.bat

Filesize
190B

MD5
9e88b39ac025aeef29fba118b0701413

SHA1
57c04ab562a0aecab9b9f3b27d0dd8f35c783441

SHA256
80ba025f1b5180b2e6c9fccbb46093e0cecd546cd1b26c5a42c2c3a5eedefff8

SHA512
44d351f9782f4bf906b5a6d6489fdb539a2a91279ca4fc24f8db6063593848c627ff03bb618ee21e61cd9c850e6a3ec2fe5699a4bc83fb161df5b90177a283d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fOB86gK7cTc5.bat

Filesize
190B

MD5
6ad0afefa99368d0dab1fdf255750729

SHA1
084f8801198f907e4f5fd51425e80064a479f913

SHA256
bb0b2d271df2cdf57ec42d6d4a9472f50092b879e21c4d5c88b642268da45c41

SHA512
a3c3ef20959e324c053dee7b75fc886453d13cf1f949bb94ccb34c230a804f6f78cc60f019fbf7fbcf93bc36c7e700121aa4ae8db38d6fb0140d6abcd23f9d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskA3DWkoUN.bat

Filesize
190B

MD5
7561ef2e5c62d18519025c14f6eadad8

SHA1
bdc3f8d556bf3fb3e4ceffdef176723e56a9bcd9

SHA256
9aa079941507773383e665cf9e6b8c99e504fccf9304859aad945b0268bbe86a

SHA512
15bef495c7ec3e937a9b0631426211141597bceef08c1004e2254f644bd3a1abc79040d068b39ac5f758ddadd2cf6b1574025de7436d7e3d863194ae3d884516

Download Submit
C:\Users\Admin\AppData\Local\Temp\uiykKl7JEqP2.bat

Filesize
190B

MD5
045f31dabc60d070d4d3be7bfaa74466

SHA1
20866e19107cd075bae4821f74aaa0d41fc8f30b

SHA256
ae927d485db0473a7cd7260215116185ebfeec36fd4d5460e2e41addda2031c7

SHA512
558b401f2aef55f4f50aa7a3ed798dcd6f3a7db72eb3cd1cecb7e2ab07de21626c65be29468acb465852f17d983a859f1439c2c47a380a8c2bfc241ffb9bd5bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\yzpDUMHVINuM.bat

Filesize
190B

MD5
3339bc860e9b8fac7ccf3b166b656ae4

SHA1
4c77f13f154378954d1e52b9095d34c548ab2c07

SHA256
d18eb304ec76d9c963f420c8e8f1f7171c5fe2797488fadf6198d2787fad1457

SHA512
3a0def6ea3784af539d8531f6da89256715a410777d2101df4ad19c751751ceaddcc188d425a1e914358139a2da2a17446697539d5993ee1bea88c750b945278

Download Submit
C:\Windows\System32\sru\sru.exe

Filesize
3.1MB

MD5
7c1fd7240072a6a6f53d93f191d769f0

SHA1
c0f3004513ea69aca854da4a740b176d04be8a35

SHA256
2b556da7af4e05fdc5c0a47bbdcc999bc9f3f708f7aa88f07ed3083f88d45432

SHA512
513f39e50c98b9bc22e7e97291df9577dd22c7a75405c86a0c49df8101b84ec67f96372d974c27dfd421bec3e8dc2b77984609136cda6e9ab39e0081ec84e493

Download Submit
memory/908-78-0x0000000001310000-0x0000000001634000-memory.dmp

Filesize
3.1MB

Download
memory/1048-144-0x0000000000930000-0x0000000000C54000-memory.dmp

Filesize
3.1MB

Download
memory/1288-111-0x0000000001010000-0x0000000001334000-memory.dmp

Filesize
3.1MB

Download
memory/1772-67-0x00000000002A0000-0x00000000005C4000-memory.dmp

Filesize
3.1MB

Download
memory/1928-10-0x0000000000D50000-0x0000000001074000-memory.dmp

Filesize
3.1MB

Download
memory/1928-20-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

Filesize
9.9MB

Download
memory/1928-11-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

Filesize
9.9MB

Download
memory/1928-9-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

Filesize
9.9MB

Download
memory/2384-155-0x00000000009E0000-0x0000000000D04000-memory.dmp

Filesize
3.1MB

Download
memory/2476-100-0x0000000000270000-0x0000000000594000-memory.dmp

Filesize
3.1MB

Download
memory/2480-1-0x0000000000100000-0x0000000000424000-memory.dmp

Filesize
3.1MB

Download
memory/2480-0-0x000007FEF5263000-0x000007FEF5264000-memory.dmp

Filesize
4KB

Download
memory/2480-2-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

Filesize
9.9MB

Download
memory/2480-7-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

Filesize
9.9MB

Download
memory/2820-89-0x00000000001A0000-0x00000000004C4000-memory.dmp

Filesize
3.1MB

Download
memory/2868-23-0x0000000000E40000-0x0000000001164000-memory.dmp

Filesize
3.1MB

Download
memory/2908-166-0x0000000000310000-0x0000000000634000-memory.dmp

Filesize
3.1MB

Download
memory/2972-35-0x0000000000FE0000-0x0000000001304000-memory.dmp

Filesize
3.1MB

Download
memory/2984-133-0x00000000000F0000-0x0000000000414000-memory.dmp

Filesize
3.1MB

Download
memory/3048-46-0x00000000010D0000-0x00000000013F4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads