latentbot | a0afd97f96d8f8eae7f077296301e102a8e85a06daf09920c92e7b203c5e3236

Analysis

max time kernel
146s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28-01-2025 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CACert/CACert.exe
Size

3.1MB
MD5

66c0c400c027e476edc8452c4355150c
SHA1

2212e14ea0ec4393046217f837b107d20274c618
SHA256

d4422da00365e99fb49c83f31d2ea50f1a041d7fdda218c6823ee26491221924
SHA512

10908a0bf8f29a5690e6d6626421516af61070bb5b12568f255318c066956dd9f36f98802a91e9ef03466f045873711c7d6e368221b7d67e36b7827559652a53
SSDEEP

49152:KvyI22SsaNYfdPBldt698dBcjHpND6kCWZLoGUqnTHHB72eh2NT:Kvf22SsaNYfdPBldt6+dBcjHpNDTp

Score

10^/10

latentbot quasar noah discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Noah

creditagricole.zapto.org:4444

Mutex

35b7f2fc-d3c2-4c55-949a-438b2c403cbf

Attributes

encryption_key
482EAF21E4E65641294432E5F419F7A5A916811B
install_name
CACert.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Credit Agricole Cert
subdirectory
SubDir

Extracted

Family

latentbot

creditagricole.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Latentbot family
latentbot
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 9 IoCs

resource	yara_rule
behavioral1/memory/1628-1-0x0000000000810000-0x0000000000B34000-memory.dmp	family_quasar
behavioral1/files/0x000b000000016cab-5.dat	family_quasar
behavioral1/memory/1984-9-0x0000000001330000-0x0000000001654000-memory.dmp	family_quasar
behavioral1/memory/1304-44-0x0000000000060000-0x0000000000384000-memory.dmp	family_quasar
behavioral1/memory/856-55-0x0000000001290000-0x00000000015B4000-memory.dmp	family_quasar
behavioral1/memory/1204-67-0x00000000003C0000-0x00000000006E4000-memory.dmp	family_quasar
behavioral1/memory/2212-78-0x00000000009A0000-0x0000000000CC4000-memory.dmp	family_quasar
behavioral1/memory/2920-89-0x0000000001190000-0x00000000014B4000-memory.dmp	family_quasar
behavioral1/memory/1324-111-0x0000000001280000-0x00000000015A4000-memory.dmp	family_quasar

Executes dropped EXE 13 IoCs

pid	Process
1984	CACert.exe
2928	CACert.exe
2276	CACert.exe
1304	CACert.exe
856	CACert.exe
1204	CACert.exe
2212	CACert.exe
2920	CACert.exe
1552	CACert.exe
1324	CACert.exe
1304	CACert.exe
2544	CACert.exe
1524	CACert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 13 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2808	PING.EXE
2600	PING.EXE
2284	PING.EXE
2120	PING.EXE
1600	PING.EXE
2848	PING.EXE
1084	PING.EXE
2404	PING.EXE
2752	PING.EXE
2944	PING.EXE
2904	PING.EXE
2576	PING.EXE
892	PING.EXE

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

pid	Process
2808	PING.EXE
2944	PING.EXE
2904	PING.EXE
2600	PING.EXE
892	PING.EXE
1084	PING.EXE
2120	PING.EXE
2284	PING.EXE
2576	PING.EXE
2848	PING.EXE
2404	PING.EXE
1600	PING.EXE
2752	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2540	schtasks.exe
2908	schtasks.exe
2352	schtasks.exe
1840	schtasks.exe
2892	schtasks.exe
2880	schtasks.exe
1992	schtasks.exe
2424	schtasks.exe
2960	schtasks.exe
1500	schtasks.exe
2508	schtasks.exe
2732	schtasks.exe
2936	schtasks.exe
2096	schtasks.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	CACert.exe
Token: SeDebugPrivilege	1984	CACert.exe
Token: SeDebugPrivilege	2928	CACert.exe
Token: SeDebugPrivilege	2276	CACert.exe
Token: SeDebugPrivilege	1304	CACert.exe
Token: SeDebugPrivilege	856	CACert.exe
Token: SeDebugPrivilege	1204	CACert.exe
Token: SeDebugPrivilege	2212	CACert.exe
Token: SeDebugPrivilege	2920	CACert.exe
Token: SeDebugPrivilege	1552	CACert.exe
Token: SeDebugPrivilege	1324	CACert.exe
Token: SeDebugPrivilege	1304	CACert.exe
Token: SeDebugPrivilege	2544	CACert.exe
Token: SeDebugPrivilege	1524	CACert.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2424	1628	CACert.exe	30
PID 1628 wrote to memory of 2424	1628	CACert.exe	30
PID 1628 wrote to memory of 2424	1628	CACert.exe	30
PID 1628 wrote to memory of 1984	1628	CACert.exe	32
PID 1628 wrote to memory of 1984	1628	CACert.exe	32
PID 1628 wrote to memory of 1984	1628	CACert.exe	32
PID 1984 wrote to memory of 2960	1984	CACert.exe	33
PID 1984 wrote to memory of 2960	1984	CACert.exe	33
PID 1984 wrote to memory of 2960	1984	CACert.exe	33
PID 1984 wrote to memory of 3040	1984	CACert.exe	35
PID 1984 wrote to memory of 3040	1984	CACert.exe	35
PID 1984 wrote to memory of 3040	1984	CACert.exe	35
PID 3040 wrote to memory of 2848	3040	cmd.exe	37
PID 3040 wrote to memory of 2848	3040	cmd.exe	37
PID 3040 wrote to memory of 2848	3040	cmd.exe	37
PID 3040 wrote to memory of 2944	3040	cmd.exe	38
PID 3040 wrote to memory of 2944	3040	cmd.exe	38
PID 3040 wrote to memory of 2944	3040	cmd.exe	38
PID 3040 wrote to memory of 2928	3040	cmd.exe	39
PID 3040 wrote to memory of 2928	3040	cmd.exe	39
PID 3040 wrote to memory of 2928	3040	cmd.exe	39
PID 2928 wrote to memory of 2540	2928	CACert.exe	40
PID 2928 wrote to memory of 2540	2928	CACert.exe	40
PID 2928 wrote to memory of 2540	2928	CACert.exe	40
PID 2928 wrote to memory of 944	2928	CACert.exe	42
PID 2928 wrote to memory of 944	2928	CACert.exe	42
PID 2928 wrote to memory of 944	2928	CACert.exe	42
PID 944 wrote to memory of 2332	944	cmd.exe	44
PID 944 wrote to memory of 2332	944	cmd.exe	44
PID 944 wrote to memory of 2332	944	cmd.exe	44
PID 944 wrote to memory of 2904	944	cmd.exe	45
PID 944 wrote to memory of 2904	944	cmd.exe	45
PID 944 wrote to memory of 2904	944	cmd.exe	45
PID 944 wrote to memory of 2276	944	cmd.exe	46
PID 944 wrote to memory of 2276	944	cmd.exe	46
PID 944 wrote to memory of 2276	944	cmd.exe	46
PID 2276 wrote to memory of 1500	2276	CACert.exe	47
PID 2276 wrote to memory of 1500	2276	CACert.exe	47
PID 2276 wrote to memory of 1500	2276	CACert.exe	47
PID 2276 wrote to memory of 1408	2276	CACert.exe	49
PID 2276 wrote to memory of 1408	2276	CACert.exe	49
PID 2276 wrote to memory of 1408	2276	CACert.exe	49
PID 1408 wrote to memory of 1632	1408	cmd.exe	51
PID 1408 wrote to memory of 1632	1408	cmd.exe	51
PID 1408 wrote to memory of 1632	1408	cmd.exe	51
PID 1408 wrote to memory of 2600	1408	cmd.exe	52
PID 1408 wrote to memory of 2600	1408	cmd.exe	52
PID 1408 wrote to memory of 2600	1408	cmd.exe	52
PID 1408 wrote to memory of 1304	1408	cmd.exe	53
PID 1408 wrote to memory of 1304	1408	cmd.exe	53
PID 1408 wrote to memory of 1304	1408	cmd.exe	53
PID 1304 wrote to memory of 2508	1304	CACert.exe	54
PID 1304 wrote to memory of 2508	1304	CACert.exe	54
PID 1304 wrote to memory of 2508	1304	CACert.exe	54
PID 1304 wrote to memory of 2412	1304	CACert.exe	56
PID 1304 wrote to memory of 2412	1304	CACert.exe	56
PID 1304 wrote to memory of 2412	1304	CACert.exe	56
PID 2412 wrote to memory of 1260	2412	cmd.exe	58
PID 2412 wrote to memory of 1260	2412	cmd.exe	58
PID 2412 wrote to memory of 1260	2412	cmd.exe	58
PID 2412 wrote to memory of 2284	2412	cmd.exe	59
PID 2412 wrote to memory of 2284	2412	cmd.exe	59
PID 2412 wrote to memory of 2284	2412	cmd.exe	59
PID 2412 wrote to memory of 856	2412	cmd.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CACert\CACert.exe
"C:\Users\Admin\AppData\Local\Temp\CACert\CACert.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2424
- C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2960
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\i6qvDcFnxFw0.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2848
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2944
  - - C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2540
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ku6XPizuAXMz.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:944
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2332
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2904
      - C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1500
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XVpk7kEsFChz.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2600
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2508
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\4Ym4cCouZoAV.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1260
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2284
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2732
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\e2zZVbjiSJam.bat" "
        11⤵
        
        PID:1972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2576
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2096
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ksCMQB1uMApu.bat" "
        13⤵
        
        PID:1820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1928
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:892
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2936
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cvF3REoLtzJq.bat" "
        15⤵
        
        PID:2844
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2848
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2880
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HMVKRyXSvoBw.bat" "
        17⤵
        
        PID:1968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1084
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2908
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ahPNWTjMEmRq.bat" "
        19⤵
        
        PID:2344
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1352
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2120
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2352
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oc1CsZCAL7Sp.bat" "
        21⤵
        
        PID:2060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1964
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2404
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1992
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lgY3pFkydsZP.bat" "
        23⤵
        
        PID:1812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1700
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1600
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1840
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IhY9lNCTUnIy.bat" "
        25⤵
        
        PID:2300
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1708
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2808
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2892
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vaiV9aXSPAul.bat" "
        27⤵
        
        PID:1512
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1528
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4Ym4cCouZoAV.bat

Filesize
207B

MD5
9bcd4dc3e46a96f2aa4256a15b344927

SHA1
b4d89f25371015685d623fb5a44979277f71ca91

SHA256
4e240789a5f5e03d1d971c5b8f8469325a5e80aded3a4ce4c48617b9aef45071

SHA512
16238826099be6622cd1882fbc380fb25f47e58015235eb00433b71fb2a2e2c41bc7cfdb5789ba51a80c464ba12af4c5917dc8483519ea71b0bd02f938025d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMVKRyXSvoBw.bat

Filesize
207B

MD5
e73b833e62d93c65cfb3aa1db2be13c6

SHA1
80971a0c4366528600d90ab062401433b474a258

SHA256
02acc4e9b1350ae7d8338a414ac1db9acf5ce0c791fd2727f24577e46f6a062f

SHA512
ccb72f4c7a9b8ef80ccf6e3a41f276f6e269733681aea5013d545ecfb36a33a3b18325f2c13d6744d5633be174f500b4c16c458d8d3049f362fb0853467a9477

Download Submit
C:\Users\Admin\AppData\Local\Temp\IhY9lNCTUnIy.bat

Filesize
207B

MD5
2520acb8d91eb22842c0eda4e85d2a9f

SHA1
37a704039db0ac090b8b2c4c39bb2f6932f23dbd

SHA256
f3fb6c79893d4843100af05914dbe32cf4eac63de3d6562ecb3f8c054b66dbdd

SHA512
209cf15ac7461299a012a0575f3fbd44e2870a6d35ce8ce04e2361f40747638af4252943aa8dc434737e4fac17cf275e2ab19a8bb74b5486ccadf27b82413945

Download Submit
C:\Users\Admin\AppData\Local\Temp\XVpk7kEsFChz.bat

Filesize
207B

MD5
69c2ffe992befaa856236cabee2110e0

SHA1
26125fbb50cb8d4754b1a88e427d0e839d14d485

SHA256
c115d00fe972f26e1e33f030cc08bd9c9c2b893a07c78eeb0d3cdbe5480786ae

SHA512
9f0fed25c3aad9e97efe0e8336b04ab7ade5f65ccf1d4ed159a76cfe21d6e7f4f7988dd19d170b1d213f95271a4dcc74965cef6257aae4f119d3997e0e92f6c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ahPNWTjMEmRq.bat

Filesize
207B

MD5
03c68950b732459db5c2f9b02e08ead7

SHA1
bd78b1ff59d16559a62d45760e951155a1b1433c

SHA256
bb439361dfeca6acf18fde97807eff54f64a804961b2178673d2ca1577a0a094

SHA512
3dffa8c43eddbdd645116c6d59cc2a14a0da15cc9442b51b3a130b38ad0868f3f03b1ce0fd010ed2f8e6d499673f08ea08bc6227768f279ad84fc46921e1e0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvF3REoLtzJq.bat

Filesize
207B

MD5
7a36b63dccf84423e445260623bf87a0

SHA1
4bc8784d0acfe03d889a033c875ef837d465f915

SHA256
74e485df60f7d9b4ab03e8766f1ee0ce28ded5adebbbff15a4acb79e4f6f8b0f

SHA512
f90603e5902365a222c19627aa4fd22a5069a82d7bacc15f207b99290212d8c3166210b493dcb5e86fba791a6a3c3acd72121b14d05d29b97b5e93e1199cf8c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2zZVbjiSJam.bat

Filesize
207B

MD5
f560a784762bcbef19c3c5d96ad01f23

SHA1
e8a54e096794c6f68aea3b2a1defcc8ee2712a3f

SHA256
94951b09fb98fe8e16677026e05118c3a0744109fb1d1018b5df306d7fd32663

SHA512
21e00ab6c4d6535991aa8923175156dfa4dae39226f7a2d3ba969d9d3b554d11aeb103525c74a80f2ef2b9b5d9a46f5e65e5d0aa11b7a9401af60eda6f373806

Download Submit
C:\Users\Admin\AppData\Local\Temp\i6qvDcFnxFw0.bat

Filesize
207B

MD5
e6dd4b9f1c4158d816771a5403badd20

SHA1
8b88d314b231e2dc6e7a4c56686729af874f519b

SHA256
50671ac647f9338c704b231ec8aa84805cfff7d17a2410a6627c77af4431a2d7

SHA512
fd80814dc67e3b0611980c62b9d11ea0d77a16b7a7205a5a2b0e98c625984f2e9601777f8976bbb4b32afae753fbc446c876f5c684cdde81ee17f06f3e5e868c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksCMQB1uMApu.bat

Filesize
207B

MD5
51e7e07a392243097aed2843874d7446

SHA1
3285b8f271674b176c168dadd2a61800c8a5a42c

SHA256
14df31a4c02f5fda5e1ea11525798104323b5d9c69637093acf1ced211607ed3

SHA512
10d1b7ca43a2f93e4ff4ea189d15ef885f67518f045603fe3d2fb4f234e785085f02efe19ca5f77370d31736cec439920d65687e2b200d5b55c8a2b8071908f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ku6XPizuAXMz.bat

Filesize
207B

MD5
102156766149c8561705cf744535d657

SHA1
029e3fc273035ea9577c6457caf689cd837c3a19

SHA256
99e90c73d614dfad67080f425e1e611cf7d75933a4f64972fd617543ca77e330

SHA512
caa05ac3622bdc2693ef1633547c5cabe7222a39329b95e4895206e9ffda67e99819d8bcc4f0cde0164cbca4918c2937a272015eae1d6206761538583259d0f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgY3pFkydsZP.bat

Filesize
207B

MD5
7a2870e7a73391a9a933872e6f8ae58f

SHA1
9a35a7fda4ed2eeb5c9d069ff09f14bafad46b8e

SHA256
f79a7935d1c59ee97c6123dc97da929e98a4cb8bcf8ce904c1a21680feef03c1

SHA512
3f9530c4884d8f10097bc508a8eba5a7e7e1cdd9c6106ff48ddbc0e0670bdaf3830c836e5f981db9bfc46021ecec3ec75defb0fb23b06de36482ce58d900c64c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oc1CsZCAL7Sp.bat

Filesize
207B

MD5
eed1451cc8d3a2865a08a3375da9b2f8

SHA1
ca6d42bfa957d77f08c3f6f60921cfcf6c2b7375

SHA256
08273636d8b156bd7a4ab3203ab84725a1ec12b01a9156bb1d7190a8e396280a

SHA512
0fbcb0a21e52d085cbc8146ada120442a97ceeb9df51b9a8ca05a4ea6850421eb5c242e011b8bce7f5d8dd7b0822b3d7120d25a3a81d331efd328006d90f1e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\vaiV9aXSPAul.bat

Filesize
207B

MD5
5036bddc21c504c706a9926b8abfacea

SHA1
416388122b0701f7c1fe4e439e0542019184b2b7

SHA256
81db4f00e6ae9d448f0358517f4113824a2a9b6aa4ea660deda1d5926ff3d214

SHA512
51414052aaac1d4905ba3b62c06b064bbea78a89ab24bdbf6c0941a28fe2512094ba88934bde62244e56413334a95303ef0482882a908fc8ed6dd633d22d33b6

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe

Filesize
3.1MB

MD5
66c0c400c027e476edc8452c4355150c

SHA1
2212e14ea0ec4393046217f837b107d20274c618

SHA256
d4422da00365e99fb49c83f31d2ea50f1a041d7fdda218c6823ee26491221924

SHA512
10908a0bf8f29a5690e6d6626421516af61070bb5b12568f255318c066956dd9f36f98802a91e9ef03466f045873711c7d6e368221b7d67e36b7827559652a53

Download Submit
memory/856-55-0x0000000001290000-0x00000000015B4000-memory.dmp

Filesize
3.1MB

Download
memory/1204-67-0x00000000003C0000-0x00000000006E4000-memory.dmp

Filesize
3.1MB

Download
memory/1304-44-0x0000000000060000-0x0000000000384000-memory.dmp

Filesize
3.1MB

Download
memory/1324-111-0x0000000001280000-0x00000000015A4000-memory.dmp

Filesize
3.1MB

Download
memory/1628-10-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/1628-0-0x000007FEF5A63000-0x000007FEF5A64000-memory.dmp

Filesize
4KB

Download
memory/1628-2-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/1628-1-0x0000000000810000-0x0000000000B34000-memory.dmp

Filesize
3.1MB

Download
memory/1984-11-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/1984-21-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/1984-9-0x0000000001330000-0x0000000001654000-memory.dmp

Filesize
3.1MB

Download
memory/1984-8-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/2212-78-0x00000000009A0000-0x0000000000CC4000-memory.dmp

Filesize
3.1MB

Download
memory/2920-89-0x0000000001190000-0x00000000014B4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads