quasar | 2b556da7af4e05fdc5c0a47bbdcc999bc9f3f708f7aa88f07ed3083f88d45432

Analysis

max time kernel
148s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b556da7af4e05fdc5c0a47bbdcc999bc9f3f708f7aa88f07ed3083f88d45432.exe
Size

3.1MB
MD5

7c1fd7240072a6a6f53d93f191d769f0
SHA1

c0f3004513ea69aca854da4a740b176d04be8a35
SHA256

2b556da7af4e05fdc5c0a47bbdcc999bc9f3f708f7aa88f07ed3083f88d45432
SHA512

513f39e50c98b9bc22e7e97291df9577dd22c7a75405c86a0c49df8101b84ec67f96372d974c27dfd421bec3e8dc2b77984609136cda6e9ab39e0081ec84e493
SSDEEP

49152:/v4uf2NUaNmwzPWlvdaKM7ZxTwkCC1JdLoGdeTHHB72eh2NT:/v3f2NUaNmwzPWlvdaB7ZxTwkCI

Score

10^/10

quasar stinky discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Stinky

ef3243fsert34.ddns.net:47820

oj42315j346ng2134.myvnc.com:47820

Mutex

448b82a7-900f-48ac-b52b-73d8b9b1a9fa

Attributes

encryption_key
7A23123B6E1E0CCDB27477C6C7654C7BE2FEDE54
install_name
sru.exe
log_directory
Logs
reconnect_delay
3000
startup_key
xml
subdirectory
sru

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/3204-1-0x0000000000F80000-0x00000000012A4000-memory.dmp	family_quasar
behavioral2/files/0x0008000000023cbe-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sru.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sru.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sru.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sru.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sru.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sru.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sru.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sru.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sru.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sru.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sru.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sru.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sru.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sru.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sru.exe

Executes dropped EXE 15 IoCs

pid	Process
4412	sru.exe
996	sru.exe
3680	sru.exe
3860	sru.exe
1396	sru.exe
3056	sru.exe
1692	sru.exe
404	sru.exe
2456	sru.exe
2692	sru.exe
2680	sru.exe
1980	sru.exe
4264	sru.exe
3132	sru.exe
4520	sru.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	2b556da7af4e05fdc5c0a47bbdcc999bc9f3f708f7aa88f07ed3083f88d45432.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru	2b556da7af4e05fdc5c0a47bbdcc999bc9f3f708f7aa88f07ed3083f88d45432.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File created	C:\Windows\system32\sru\sru.exe	2b556da7af4e05fdc5c0a47bbdcc999bc9f3f708f7aa88f07ed3083f88d45432.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5108	PING.EXE
2092	PING.EXE
3848	PING.EXE
2352	PING.EXE
432	PING.EXE
904	PING.EXE
3668	PING.EXE
2304	PING.EXE
4896	PING.EXE
2464	PING.EXE
1932	PING.EXE
3600	PING.EXE
2644	PING.EXE
1812	PING.EXE
2908	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1812	PING.EXE
4896	PING.EXE
2464	PING.EXE
3600	PING.EXE
904	PING.EXE
2908	PING.EXE
2092	PING.EXE
2644	PING.EXE
5108	PING.EXE
1932	PING.EXE
2304	PING.EXE
3848	PING.EXE
3668	PING.EXE
2352	PING.EXE
432	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
852	schtasks.exe
4824	schtasks.exe
1628	schtasks.exe
4372	schtasks.exe
4484	schtasks.exe
3324	schtasks.exe
5056	schtasks.exe
3612	schtasks.exe
436	schtasks.exe
3328	schtasks.exe
4936	schtasks.exe
1648	schtasks.exe
8	schtasks.exe
3904	schtasks.exe
4348	schtasks.exe
4264	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3204	2b556da7af4e05fdc5c0a47bbdcc999bc9f3f708f7aa88f07ed3083f88d45432.exe
Token: SeDebugPrivilege	4412	sru.exe
Token: SeDebugPrivilege	996	sru.exe
Token: SeDebugPrivilege	3680	sru.exe
Token: SeDebugPrivilege	3860	sru.exe
Token: SeDebugPrivilege	1396	sru.exe
Token: SeDebugPrivilege	3056	sru.exe
Token: SeDebugPrivilege	1692	sru.exe
Token: SeDebugPrivilege	404	sru.exe
Token: SeDebugPrivilege	2456	sru.exe
Token: SeDebugPrivilege	2692	sru.exe
Token: SeDebugPrivilege	2680	sru.exe
Token: SeDebugPrivilege	1980	sru.exe
Token: SeDebugPrivilege	4264	sru.exe
Token: SeDebugPrivilege	3132	sru.exe
Token: SeDebugPrivilege	4520	sru.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 3324	3204	2b556da7af4e05fdc5c0a47bbdcc999bc9f3f708f7aa88f07ed3083f88d45432.exe	82
PID 3204 wrote to memory of 3324	3204	2b556da7af4e05fdc5c0a47bbdcc999bc9f3f708f7aa88f07ed3083f88d45432.exe	82
PID 3204 wrote to memory of 4412	3204	2b556da7af4e05fdc5c0a47bbdcc999bc9f3f708f7aa88f07ed3083f88d45432.exe	84
PID 3204 wrote to memory of 4412	3204	2b556da7af4e05fdc5c0a47bbdcc999bc9f3f708f7aa88f07ed3083f88d45432.exe	84
PID 4412 wrote to memory of 5056	4412	sru.exe	85
PID 4412 wrote to memory of 5056	4412	sru.exe	85
PID 4412 wrote to memory of 2028	4412	sru.exe	87
PID 4412 wrote to memory of 2028	4412	sru.exe	87
PID 2028 wrote to memory of 1624	2028	cmd.exe	89
PID 2028 wrote to memory of 1624	2028	cmd.exe	89
PID 2028 wrote to memory of 2304	2028	cmd.exe	90
PID 2028 wrote to memory of 2304	2028	cmd.exe	90
PID 2028 wrote to memory of 996	2028	cmd.exe	91
PID 2028 wrote to memory of 996	2028	cmd.exe	91
PID 996 wrote to memory of 4936	996	sru.exe	92
PID 996 wrote to memory of 4936	996	sru.exe	92
PID 996 wrote to memory of 2560	996	sru.exe	94
PID 996 wrote to memory of 2560	996	sru.exe	94
PID 2560 wrote to memory of 1928	2560	cmd.exe	96
PID 2560 wrote to memory of 1928	2560	cmd.exe	96
PID 2560 wrote to memory of 4896	2560	cmd.exe	97
PID 2560 wrote to memory of 4896	2560	cmd.exe	97
PID 2560 wrote to memory of 3680	2560	cmd.exe	103
PID 2560 wrote to memory of 3680	2560	cmd.exe	103
PID 3680 wrote to memory of 1648	3680	sru.exe	106
PID 3680 wrote to memory of 1648	3680	sru.exe	106
PID 3680 wrote to memory of 112	3680	sru.exe	108
PID 3680 wrote to memory of 112	3680	sru.exe	108
PID 112 wrote to memory of 2020	112	cmd.exe	110
PID 112 wrote to memory of 2020	112	cmd.exe	110
PID 112 wrote to memory of 3848	112	cmd.exe	111
PID 112 wrote to memory of 3848	112	cmd.exe	111
PID 112 wrote to memory of 3860	112	cmd.exe	114
PID 112 wrote to memory of 3860	112	cmd.exe	114
PID 3860 wrote to memory of 3612	3860	sru.exe	115
PID 3860 wrote to memory of 3612	3860	sru.exe	115
PID 3860 wrote to memory of 3968	3860	sru.exe	117
PID 3860 wrote to memory of 3968	3860	sru.exe	117
PID 3968 wrote to memory of 1776	3968	cmd.exe	119
PID 3968 wrote to memory of 1776	3968	cmd.exe	119
PID 3968 wrote to memory of 2352	3968	cmd.exe	120
PID 3968 wrote to memory of 2352	3968	cmd.exe	120
PID 3968 wrote to memory of 1396	3968	cmd.exe	121
PID 3968 wrote to memory of 1396	3968	cmd.exe	121
PID 1396 wrote to memory of 4348	1396	sru.exe	122
PID 1396 wrote to memory of 4348	1396	sru.exe	122
PID 1396 wrote to memory of 4900	1396	sru.exe	124
PID 1396 wrote to memory of 4900	1396	sru.exe	124
PID 4900 wrote to memory of 1512	4900	cmd.exe	126
PID 4900 wrote to memory of 1512	4900	cmd.exe	126
PID 4900 wrote to memory of 432	4900	cmd.exe	127
PID 4900 wrote to memory of 432	4900	cmd.exe	127
PID 4900 wrote to memory of 3056	4900	cmd.exe	128
PID 4900 wrote to memory of 3056	4900	cmd.exe	128
PID 3056 wrote to memory of 436	3056	sru.exe	129
PID 3056 wrote to memory of 436	3056	sru.exe	129
PID 3056 wrote to memory of 328	3056	sru.exe	131
PID 3056 wrote to memory of 328	3056	sru.exe	131
PID 328 wrote to memory of 4004	328	cmd.exe	133
PID 328 wrote to memory of 4004	328	cmd.exe	133
PID 328 wrote to memory of 2464	328	cmd.exe	134
PID 328 wrote to memory of 2464	328	cmd.exe	134
PID 328 wrote to memory of 1692	328	cmd.exe	135
PID 328 wrote to memory of 1692	328	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2b556da7af4e05fdc5c0a47bbdcc999bc9f3f708f7aa88f07ed3083f88d45432.exe
"C:\Users\Admin\AppData\Local\Temp\2b556da7af4e05fdc5c0a47bbdcc999bc9f3f708f7aa88f07ed3083f88d45432.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3324
- C:\Windows\system32\sru\sru.exe
  "C:\Windows\system32\sru\sru.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\65K9VfIaiPjc.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1624
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2304
  - - C:\Windows\system32\sru\sru.exe
      "C:\Windows\system32\sru\sru.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:996
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4936
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\f0bwL5Bel4bS.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2560
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1928
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4896
      - C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\u8wA2fv86ExE.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2020
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3848
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuqzYnceYAvP.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1776
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2352
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4bFnj9a0H5kP.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1512
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:432
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8cNDe1w8Zs2X.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:328
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4004
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2464
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XZhX1JDrasQG.bat" "
        15⤵
        
        PID:484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4940
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2644
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:404
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hOut1Xofv3eI.bat" "
        17⤵
        
        PID:2208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4948
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5108
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P3NqyPMaTzYf.bat" "
        19⤵
        
        PID:2880
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1212
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1812
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0aJon5mbXKk8.bat" "
        21⤵
        
        PID:2756
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1948
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3668
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2iQCnB26xBmZ.bat" "
        23⤵
        
        PID:2976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3464
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2908
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HnoCeDCE9yOJ.bat" "
        25⤵
        
        PID:4320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4412
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2092
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4264
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmKvNKrmSfrf.bat" "
        27⤵
        
        PID:4376
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1248
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1932
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3132
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Plcjyfcrbs4W.bat" "
        29⤵
        
        PID:2820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:400
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3600
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4520
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ok48o3U3IhSi.bat" "
        31⤵
        
        PID:3580
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:3540
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sru.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0aJon5mbXKk8.bat

Filesize
190B

MD5
2360af26f66b9dc1084dad56f5756543

SHA1
2c13dc8dcfddb516099e29a5f9fedc41c8888b4b

SHA256
5a713e41dd8a47a9f21bdf858d154ccba275f6ea92bc0f415d88dc0cb4d1be3a

SHA512
76ca5fe96ca345e56eb05d0820bb0f9132b22f5d7a34c4420eeebb8cd6199e45d2abb04f5902f377976d08c9f215bbcdfd31ff453d105e72b6414d4545058f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2iQCnB26xBmZ.bat

Filesize
190B

MD5
15d1266c3f8ebe08c91a8e66a4bf21dc

SHA1
7d144b8a2cb4289907a7486e7489b1f0244f8fd9

SHA256
e48956c4fd9e226f050932afd3aef51f903d67a2241954488fb42e300fadabed

SHA512
4c4ea79192b382686124a35a440fc4ec7e99ca94e8bd7f251811bc879b4caeb23ea68b05f0b2bfaf1d1cff34622ac154057fbb1004be703ef16216b00b172f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4bFnj9a0H5kP.bat

Filesize
190B

MD5
97cdcc3bd1054ba363ad054bc2eaaf79

SHA1
f7a48898cf0bcae55d73feb9721fc4f1531ac498

SHA256
19d7a71338b74e22577542f923ff902a856a414bbb55a5346b1959ac2fb9346e

SHA512
5bc45357b6c1d3624d8dffa6249c99a0e8472994ed2bc933b35aed5ccc68543bad3194bb8acd6f52fe3a8a42e2db27df5e8c65b3805d9f201da062d955ce0986

Download Submit
C:\Users\Admin\AppData\Local\Temp\65K9VfIaiPjc.bat

Filesize
190B

MD5
0ea39104cd588040462f37a87accf07c

SHA1
5904becfc2e75db0865005d0c804efea175341a3

SHA256
41eac002fc9f7fb53a3f5b8c3e5b9200041f84542c48efe9cd91339478165cdc

SHA512
8f97e05a9996e2a2e8cac5b262435d43b2f9fde2cab9446799d70e28f21809b7c4a6232dc445cf9fec51f2ef8bf33a0a3d0614d35a02e46c2c19715a2c7dc0e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8cNDe1w8Zs2X.bat

Filesize
190B

MD5
2e80056cec350f3bd62f856f04ad40a0

SHA1
1ce27a39139fb86a6c706057e1fa7a4b19c66b35

SHA256
c400b191bebb83f8d3ea41f7827f5cfa8ed753b4e7f6c15f9a9cce2f97722280

SHA512
b5f8ca9dd73585760f514dea9d7f37504fdc627d89b3e7a9fbe9c79d477330809144181a25b9439c86d959c5ebef082540c59277c8bdf5a2550a343c3269e914

Download Submit
C:\Users\Admin\AppData\Local\Temp\HnoCeDCE9yOJ.bat

Filesize
190B

MD5
bf771a2ff12c404e70ebc1693ca48eb5

SHA1
d8015df4be388cceabdf96f62e23da2e8abd9676

SHA256
a9fd8b0d2428fe19b4b054a11117a73e9d42e9ec15a7a1fe9e8e1b70b12e1f7f

SHA512
4e4c86d3a6485e74956301fc8c1c3e2eb88d2f61d833cec86e1f615f0be7b35be86cc2ec849753b1752a707f68c32f078729e58c7e1bd278192d979b6671ba18

Download Submit
C:\Users\Admin\AppData\Local\Temp\JmKvNKrmSfrf.bat

Filesize
190B

MD5
0183e7bdb50e44da4cb18b9059e2b850

SHA1
0c3522981e76853906baf4a95ddb929343b16e4b

SHA256
61de92f9b9734f0ee04b05b4af6fac970ccf0a6ff40e1436ed6c3a42d1416d3d

SHA512
ef55dd0a99034c70657755481f25c399323140e475c29f081cc53f3390eda7b0e34f9a8a3a36105470c5df485355888ffdc29ac26e538e6ee6290266d2b9178f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ok48o3U3IhSi.bat

Filesize
190B

MD5
6b39d6be42d430d65f490cad1ed78be0

SHA1
382bacc7697a9be6b700673c8ae31298c88ae66d

SHA256
a4d9bfc39f1f64f974a9e2a9744b6120a9737f1c5f63ea4683c36b33abd6b1e6

SHA512
558d4cf12a2ad9f44fc6fa68a612703bdbbc5e57a718369b9ade0992fbfd18f2d4813444fe7774b69d41bfba5c688be244a7507e7fa6f706f73daada22084ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\P3NqyPMaTzYf.bat

Filesize
190B

MD5
20a4c87a2f66d7176908d833d9722649

SHA1
282c6ce16c383a24ac203ab4b20f7278f72d3d01

SHA256
e1ab9eacca7e3fb5169cbe380f87f1e1cbde87b64bb1c1d4417dd5bd47369a6d

SHA512
12f6338874c094ca35055ad22ab54ec7629a867853da74c00d231989ecb05d84b7ca04ff6f643ff2937c557ec7bd8d2d7d8a6c96ca709ad7fc15399dc8f7152f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plcjyfcrbs4W.bat

Filesize
190B

MD5
213e8e68a7fea542cda3d163a3ed3f16

SHA1
d363e676e9d68da191438563b91b22ce81853123

SHA256
c804432234c3d268cb4f79f25b1c6065b757596ee912201cf8bb4252cce4ae78

SHA512
fdb0257893572baa4cc09aab1941fe8ee31888b9bd0f70bc285d24664c2447a61420b0e548254a0c16c3f64fbc63d418cbd982674a6fa1fef44c59de802a8892

Download Submit
C:\Users\Admin\AppData\Local\Temp\XZhX1JDrasQG.bat

Filesize
190B

MD5
5ed2ed4c4db4f0b3184138d78274efc1

SHA1
b9463a233c1dd88a72de32618c82adc27d239fcc

SHA256
c15b0b25b18e54424c79c262f81999b107079fd21ed7c7c2dce634a3b44b9168

SHA512
915788b449090ee931515951105b5d3c32ac0f829aa104df34e7fc6b36f685287fd80d4d98c5b6a7c261967f5095f46864b79c715796b0ce57844faad7c119ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0bwL5Bel4bS.bat

Filesize
190B

MD5
51819db97160ccbbfc1041a7330356f3

SHA1
1fe8b00a94acb68c9c05440c6de7230e9f75673c

SHA256
b4863a0ac25f8433d058a1be646f73e66c17535a73ae179adb19a5d30ea841bd

SHA512
ac6b94caedfb36889912473331c338ee751b047604ecf04ce19a69e57d6fb133c977eeef1db80d4749090d5ed94827700e9d1ad34043d2eba0de2677e77457bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\hOut1Xofv3eI.bat

Filesize
190B

MD5
bca53fc1430c7d0ad98003534ca3683b

SHA1
5947bf8a8bc2ce90ab4412be0a82697938628c1e

SHA256
c5119e317481d90a3036f22cda17b77dba432842fb8519dba8c97c5238f35093

SHA512
ae1babd40f942d40f1eebfd6941ad68864a19c7e6be3b2514a9f1a27f81f2b8941f29c965c030ab53e76fd851e0c9f356ee94da2a298bdc62329e403a1f8f664

Download Submit
C:\Users\Admin\AppData\Local\Temp\nuqzYnceYAvP.bat

Filesize
190B

MD5
2ee189fab75aa6392e8909b6163c3451

SHA1
ad120b26bdc69f037165080c6c4e6c9b5fdc18ac

SHA256
54a4d6b5e3cd4ef875e665b081eeb716fbef4c4c09f53e6550012a47ae66ce89

SHA512
bbd2a9b8104e5f33697241816713751ab48756e37892d2d957a364219d38b912cac41bd03f87eb09349d5092e4459fd7ef94296e207e4e4524c58c9d90148540

Download Submit
C:\Users\Admin\AppData\Local\Temp\u8wA2fv86ExE.bat

Filesize
190B

MD5
0bdfc1ac781e81b6deeec1cab1e7d2d5

SHA1
a2558aab789487e6a80cb9b9d6cdc320432b6727

SHA256
687a3793a0a1aff321983d0cd810b4b14d5d565aa05352a1616a353b9ea6cc11

SHA512
f742aa256ffab92746dd19fcf459630126422ec647171c5aea32483f5f4c595b1fc915f363ff6fb38eed398379444f1c17aa1f20162bbd61f5dad2250605fbc1

Download Submit
C:\Windows\System32\sru\sru.exe

Filesize
3.1MB

MD5
7c1fd7240072a6a6f53d93f191d769f0

SHA1
c0f3004513ea69aca854da4a740b176d04be8a35

SHA256
2b556da7af4e05fdc5c0a47bbdcc999bc9f3f708f7aa88f07ed3083f88d45432

SHA512
513f39e50c98b9bc22e7e97291df9577dd22c7a75405c86a0c49df8101b84ec67f96372d974c27dfd421bec3e8dc2b77984609136cda6e9ab39e0081ec84e493

Download Submit
memory/3204-0-0x00007FFA5E943000-0x00007FFA5E945000-memory.dmp

Filesize
8KB

Download
memory/3204-9-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp

Filesize
10.8MB

Download
memory/3204-2-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp

Filesize
10.8MB

Download
memory/3204-1-0x0000000000F80000-0x00000000012A4000-memory.dmp

Filesize
3.1MB

Download
memory/4412-18-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp

Filesize
10.8MB

Download
memory/4412-13-0x000000001D810000-0x000000001D8C2000-memory.dmp

Filesize
712KB

Download
memory/4412-12-0x0000000002D50000-0x0000000002DA0000-memory.dmp

Filesize
320KB

Download
memory/4412-11-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp

Filesize
10.8MB

Download
memory/4412-10-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads