latentbot | a0afd97f96d8f8eae7f077296301e102a8e85a06daf09920c92e7b203c5e3236

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2025, 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CACert/CACert.exe
Size

3.1MB
MD5

66c0c400c027e476edc8452c4355150c
SHA1

2212e14ea0ec4393046217f837b107d20274c618
SHA256

d4422da00365e99fb49c83f31d2ea50f1a041d7fdda218c6823ee26491221924
SHA512

10908a0bf8f29a5690e6d6626421516af61070bb5b12568f255318c066956dd9f36f98802a91e9ef03466f045873711c7d6e368221b7d67e36b7827559652a53
SSDEEP

49152:KvyI22SsaNYfdPBldt698dBcjHpND6kCWZLoGUqnTHHB72eh2NT:Kvf22SsaNYfdPBldt6+dBcjHpNDTp

Score

10^/10

latentbot quasar noah discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Noah

creditagricole.zapto.org:4444

Mutex

35b7f2fc-d3c2-4c55-949a-438b2c403cbf

Attributes

encryption_key
482EAF21E4E65641294432E5F419F7A5A916811B
install_name
CACert.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Credit Agricole Cert
subdirectory
SubDir

Extracted

Family

latentbot

creditagricole.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Latentbot family
latentbot
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/3644-1-0x0000000000650000-0x0000000000974000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023ca4-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	CACert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	CACert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	CACert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	CACert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	CACert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	CACert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	CACert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	CACert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	CACert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	CACert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	CACert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	CACert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	CACert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	CACert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	CACert.exe

Executes dropped EXE 15 IoCs

pid	Process
4916	CACert.exe
3316	CACert.exe
1700	CACert.exe
2632	CACert.exe
4524	CACert.exe
4228	CACert.exe
4988	CACert.exe
2320	CACert.exe
3744	CACert.exe
2508	CACert.exe
3836	CACert.exe
3724	CACert.exe
3288	CACert.exe
2864	CACert.exe
2844	CACert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4448	PING.EXE
3884	PING.EXE
1248	PING.EXE
1504	PING.EXE
3008	PING.EXE
4456	PING.EXE
1576	PING.EXE
4760	PING.EXE
1552	PING.EXE
4244	PING.EXE
4300	PING.EXE
2660	PING.EXE
5044	PING.EXE
2688	PING.EXE
536	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2688	PING.EXE
2660	PING.EXE
1504	PING.EXE
4244	PING.EXE
4448	PING.EXE
5044	PING.EXE
3884	PING.EXE
4456	PING.EXE
1552	PING.EXE
3008	PING.EXE
1248	PING.EXE
1576	PING.EXE
536	PING.EXE
4760	PING.EXE
4300	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1344	schtasks.exe
1452	schtasks.exe
184	schtasks.exe
3368	schtasks.exe
3432	schtasks.exe
2516	schtasks.exe
4428	schtasks.exe
4780	schtasks.exe
3172	schtasks.exe
3884	schtasks.exe
2540	schtasks.exe
1000	schtasks.exe
3604	schtasks.exe
4228	schtasks.exe
4896	schtasks.exe
4520	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3644	CACert.exe
Token: SeDebugPrivilege	4916	CACert.exe
Token: SeDebugPrivilege	3316	CACert.exe
Token: SeDebugPrivilege	1700	CACert.exe
Token: SeDebugPrivilege	2632	CACert.exe
Token: SeDebugPrivilege	4524	CACert.exe
Token: SeDebugPrivilege	4228	CACert.exe
Token: SeDebugPrivilege	4988	CACert.exe
Token: SeDebugPrivilege	2320	CACert.exe
Token: SeDebugPrivilege	3744	CACert.exe
Token: SeDebugPrivilege	2508	CACert.exe
Token: SeDebugPrivilege	3836	CACert.exe
Token: SeDebugPrivilege	3724	CACert.exe
Token: SeDebugPrivilege	3288	CACert.exe
Token: SeDebugPrivilege	2864	CACert.exe
Token: SeDebugPrivilege	2844	CACert.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 4228	3644	CACert.exe	82
PID 3644 wrote to memory of 4228	3644	CACert.exe	82
PID 3644 wrote to memory of 4916	3644	CACert.exe	84
PID 3644 wrote to memory of 4916	3644	CACert.exe	84
PID 4916 wrote to memory of 4896	4916	CACert.exe	85
PID 4916 wrote to memory of 4896	4916	CACert.exe	85
PID 4916 wrote to memory of 4744	4916	CACert.exe	87
PID 4916 wrote to memory of 4744	4916	CACert.exe	87
PID 4744 wrote to memory of 1712	4744	cmd.exe	89
PID 4744 wrote to memory of 1712	4744	cmd.exe	89
PID 4744 wrote to memory of 1552	4744	cmd.exe	90
PID 4744 wrote to memory of 1552	4744	cmd.exe	90
PID 4744 wrote to memory of 3316	4744	cmd.exe	96
PID 4744 wrote to memory of 3316	4744	cmd.exe	96
PID 3316 wrote to memory of 4520	3316	CACert.exe	97
PID 3316 wrote to memory of 4520	3316	CACert.exe	97
PID 3316 wrote to memory of 640	3316	CACert.exe	99
PID 3316 wrote to memory of 640	3316	CACert.exe	99
PID 640 wrote to memory of 776	640	cmd.exe	101
PID 640 wrote to memory of 776	640	cmd.exe	101
PID 640 wrote to memory of 5044	640	cmd.exe	102
PID 640 wrote to memory of 5044	640	cmd.exe	102
PID 640 wrote to memory of 1700	640	cmd.exe	105
PID 640 wrote to memory of 1700	640	cmd.exe	105
PID 1700 wrote to memory of 3432	1700	CACert.exe	106
PID 1700 wrote to memory of 3432	1700	CACert.exe	106
PID 1700 wrote to memory of 936	1700	CACert.exe	108
PID 1700 wrote to memory of 936	1700	CACert.exe	108
PID 936 wrote to memory of 2660	936	cmd.exe	110
PID 936 wrote to memory of 2660	936	cmd.exe	110
PID 936 wrote to memory of 4448	936	cmd.exe	111
PID 936 wrote to memory of 4448	936	cmd.exe	111
PID 936 wrote to memory of 2632	936	cmd.exe	113
PID 936 wrote to memory of 2632	936	cmd.exe	113
PID 2632 wrote to memory of 4780	2632	CACert.exe	114
PID 2632 wrote to memory of 4780	2632	CACert.exe	114
PID 2632 wrote to memory of 3392	2632	CACert.exe	116
PID 2632 wrote to memory of 3392	2632	CACert.exe	116
PID 3392 wrote to memory of 4280	3392	cmd.exe	118
PID 3392 wrote to memory of 4280	3392	cmd.exe	118
PID 3392 wrote to memory of 4244	3392	cmd.exe	119
PID 3392 wrote to memory of 4244	3392	cmd.exe	119
PID 3392 wrote to memory of 4524	3392	cmd.exe	121
PID 3392 wrote to memory of 4524	3392	cmd.exe	121
PID 4524 wrote to memory of 2540	4524	CACert.exe	122
PID 4524 wrote to memory of 2540	4524	CACert.exe	122
PID 4524 wrote to memory of 2080	4524	CACert.exe	124
PID 4524 wrote to memory of 2080	4524	CACert.exe	124
PID 2080 wrote to memory of 2028	2080	cmd.exe	126
PID 2080 wrote to memory of 2028	2080	cmd.exe	126
PID 2080 wrote to memory of 1504	2080	cmd.exe	127
PID 2080 wrote to memory of 1504	2080	cmd.exe	127
PID 2080 wrote to memory of 4228	2080	cmd.exe	128
PID 2080 wrote to memory of 4228	2080	cmd.exe	128
PID 4228 wrote to memory of 2516	4228	CACert.exe	129
PID 4228 wrote to memory of 2516	4228	CACert.exe	129
PID 4228 wrote to memory of 4848	4228	CACert.exe	131
PID 4228 wrote to memory of 4848	4228	CACert.exe	131
PID 4848 wrote to memory of 4700	4848	cmd.exe	133
PID 4848 wrote to memory of 4700	4848	cmd.exe	133
PID 4848 wrote to memory of 4300	4848	cmd.exe	134
PID 4848 wrote to memory of 4300	4848	cmd.exe	134
PID 4848 wrote to memory of 4988	4848	cmd.exe	135
PID 4848 wrote to memory of 4988	4848	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CACert\CACert.exe
"C:\Users\Admin\AppData\Local\Temp\CACert\CACert.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4228
- C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cndoHwRem7zj.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1712
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1552
  - - C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3316
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4520
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nARRNJUzRfbN.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:640
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:776
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5044
      - C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RjdFateXzJky.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2660
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4448
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\q4l6PsdamkuF.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4280
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4244
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FuepTMiAzvep.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1504
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jyYBL9PopRJb.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4700
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4300
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4988
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ELnEVcJkAQzS.bat" "
        15⤵
        
        PID:1348
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2476
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3008
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mVCz4kMEXJed.bat" "
        17⤵
        
        PID:3388
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2176
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3884
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3744
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TD4lq8apYZ6k.bat" "
        19⤵
        
        PID:4784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1248
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KoG5JcqCAbSu.bat" "
        21⤵
        
        PID:1120
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4484
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4456
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3836
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmTKd0281S8E.bat" "
        23⤵
        
        PID:964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1576
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3724
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9ILRXx3OuPPm.bat" "
        25⤵
        
        PID:4632
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2688
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3288
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mRPYWBNAPfrQ.bat" "
        27⤵
        
        PID:3412
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4352
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:536
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yiVM4zG05aSK.bat" "
        29⤵
        
        PID:3156
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:3044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4760
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Yb27IQjBOKFW.bat" "
        31⤵
        
        PID:2900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CACert.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ILRXx3OuPPm.bat

Filesize
207B

MD5
a58e44d5f2e7cf9c26278521ada7346a

SHA1
313ec6f72a4432d7713730e16e65c3dd7dd2b966

SHA256
4b64a51e53bbff078a5cb46ad7734f8837c7c1526a31b9c9828d0f86bafc98ec

SHA512
914c5920facfa445f83152c8b589419761824c76ea0eb008bd417b57cb06a7e7a0ac43249def445034df790542d921254e045175fde00555962a087beaee56c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ELnEVcJkAQzS.bat

Filesize
207B

MD5
32d1b7d36cc33d49d318ee85aaf86720

SHA1
7e03f0179785f65291418dc9f522f4c11ee57eed

SHA256
9ba10d93e3ca7e40d221945100b34b5aa0f96738839b8506658e31d7c8eea49d

SHA512
72eca76de22309b18c185d48a4fcfb3319f29d8644f1c2a6d5acf93d29d6a94dcdc3580ef6d00f3b3b5f3e30763daf0d9f13da643d3c9a763a1eb1abc454f378

Download Submit
C:\Users\Admin\AppData\Local\Temp\EmTKd0281S8E.bat

Filesize
207B

MD5
c9f56503dcfa07e546d307ab4da62695

SHA1
dcb3223e70a42c1936d8b2168c12cdba41bf9dbf

SHA256
938663e557aa848455ff3398c11d5d68d1cfcd8100a019a364e7a59a6df4277b

SHA512
3c24e0045fb4be775df78c7662b34cc30a4f848da779273adf6c4037b36f1038e03cae09a4badeb8736a715cef7eda178399b300f97c6c6ee5b174b9b7bbc9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\FuepTMiAzvep.bat

Filesize
207B

MD5
b8fb5f880a06d355183c8aacd06f47fc

SHA1
1843441dbb8c868c680319feea3f72ff06873ad7

SHA256
292f19c278159299d2b8970f905258b52e8207d0e73a6d3bccf433f3f0c4cbc1

SHA512
a2fcf29ed3d0c5e08f1082bc33ba62ce71b3194c8c49f6a9b7c09061ea78e28eb3b3af01e335682280c1a7e5959a2deff31d709740516c2a2cbc5a04a76f0f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoG5JcqCAbSu.bat

Filesize
207B

MD5
fd555de9e7b56712bac11c6ad17721f3

SHA1
a83faa2c3071c3ddd8b72c2d2bb8db69ef334a6b

SHA256
7724bead77aecdb67120f2ccebf0759d2bb287faca02741f1a8c0acfde135d61

SHA512
9cced1d42ef99bd26cfbaad700fd178f27add7d9813bbc451dda89a3efaa1432eba0ae6e0d5a12f5956258115850299f6476508bbfc08b4206c9d66998a1ed5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RjdFateXzJky.bat

Filesize
207B

MD5
b5a69ec8765b07646c7c6ba90bc489cd

SHA1
2e5594e88cb04e15fa4437d861724d07f06aaf44

SHA256
781a2724c321273cce12101033c6beb3409befb0aba787b323d2e269daa848b2

SHA512
00fb6330534020a8cc8cbc4d9810b22bb23538e718861f13a3f84f2326a4a69647166f8f16e6cfd1cefdceaa367925055c071bce6bc231d27acf8a42b8dba517

Download Submit
C:\Users\Admin\AppData\Local\Temp\TD4lq8apYZ6k.bat

Filesize
207B

MD5
ff28f032ad2b33e321dad2f50ee7a6b4

SHA1
3f8e42d27ccbded50e28c24a4e57376d48b2c2f1

SHA256
46503b2d2ec0d29a55a7ed61f8d40c30c216638731bfd9780692591360f540d2

SHA512
3d4f5168d698312fcbd5f4d1b08f1ceda6d95e834bb980a400ae62aedfba410ff09b84d39af5924cb8a71d895abc0c3626f587b3e50527f7ed1b7ec064f1dcce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yb27IQjBOKFW.bat

Filesize
207B

MD5
00c7cf1d33d51d235a9e28a9c1646751

SHA1
4801aaf7f1b4ad3418f464bf00571f863ae71949

SHA256
5081f62685d5a69c1c05777ed26e65b498ae9c3fdd3cc4191ebca9bbeba16c0e

SHA512
9b5c93a086099fdaf33ddeb18362fde87bad6f3fb6bb43d9864a5ec04810d44754cce59b2819ede8bf71ac6da79e12f75a08943b2089580e447dfb365563de0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cndoHwRem7zj.bat

Filesize
207B

MD5
91fe7e6de45b563a8d3bc37f0d9cd19c

SHA1
b26569948c8b9654a3b253f05cec0c60c46caee7

SHA256
01f91b88189fe88966e6949aff5af25ad91e57f1cd5247b87b02cc4a60ae2095

SHA512
d439d184a6c402bb699d8480aa804f3a5e3ff5bc36d55ce55b7863b4e0898cfaf2396911bed46e6e0be5beb4b0f7ef709048b23a80b161d281e79adb144ed544

Download Submit
C:\Users\Admin\AppData\Local\Temp\jyYBL9PopRJb.bat

Filesize
207B

MD5
bbfe2de7de36a745fff6c6bfbf3fc310

SHA1
611ffaf9a91c3a5732457f7ff8af6dac982a70b0

SHA256
0a80f6f37af635815ccbe2a58544c50a560cffbf1c226de8ca4afc8bcfba695b

SHA512
6e5fd2f5fc908ee206c72e4fb5eccfe4e0e785dd2f6d778960681f7a1921ad44c11f02ae276c4d1f5015892804223c28de4428bde0bb18c6b5430a26e0041ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mRPYWBNAPfrQ.bat

Filesize
207B

MD5
cddafcde7b5e6cd47b48581c25250bea

SHA1
8570160142d0d358bd1b7564ff2ccc2904297369

SHA256
5b4313bb21530ff8b786170e6dd96826fea2f5131acc4e420c6ed8f4b141eab6

SHA512
a5b6396e46a6ce62f1b1d04f2a65f95bd5c4eba6a12af5b968c2b1a572bf0345c60318b00b2e698d4dbf4e15bdafc0a0040407190e31aa43c9b699d9956e93f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mVCz4kMEXJed.bat

Filesize
207B

MD5
39625779f78e8e6df9bdac251d56fdcf

SHA1
30a56533b357e9123a87f4903176f1cf81df6b21

SHA256
7a83dd3055f1db0e49710e0446d35f44e4169ea97aabd01ccf3cd632eddba64e

SHA512
f79a5b64735cf63389ae04984296355b09604ab31709b30c89763afbb583699b07f862312a1829f8b0343f0c6cedf6b85bd166f72b1705b9b72fa58cd751e7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nARRNJUzRfbN.bat

Filesize
207B

MD5
03cc96843764f6de72ec447adfb72873

SHA1
b0a078b65894d6d3a246edcd0ec260528b83d939

SHA256
ce4c463cee1c3da23281a2d151a46077725c9ab9707d10ccc67cbb89c077f1c1

SHA512
3ef1deb425edb2016eb2c32831d1521f4d8d7a89680f6ea87c9fdff06276e5de15db7100e584e6c73f826069dd7bc4fcb26603f86766c7975c4de5be152d9caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\q4l6PsdamkuF.bat

Filesize
207B

MD5
4c239f20ca826f40ffd5ad6c1b8306d6

SHA1
1acb10ff99a94f741923f64467815f4e64987e53

SHA256
e2a2e5f851d8e0651f424a95e0de06aed679594a6b8b99064c764b614d11369a

SHA512
3e2e22695a1806da5882b7343ccea5b0eaa205b0b86f0cb8e4dffd3ba072d37b52b9ffdd05b866d4fb83bedd17b517788402d0d62cde75d3dc2e9f51ba7fa344

Download Submit
C:\Users\Admin\AppData\Local\Temp\yiVM4zG05aSK.bat

Filesize
207B

MD5
a4f7fd79281bc530284e0d7728ba0cdb

SHA1
7dd1f9569f3a9707259d4cb3442fa75aabd4fa10

SHA256
9e856b4a18ec4822c8ba117a5dd8016dad1cba161e2f4a1ee8e104565ba074cc

SHA512
bb64bdeab463c95f486e5b78dc872e5be606d4c9402ac6d116df62133095121f2dba8b2994d7834ee723fa4f03ba0e5dd601a4bb58602c0e0406183edb80d0a9

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe

Filesize
3.1MB

MD5
66c0c400c027e476edc8452c4355150c

SHA1
2212e14ea0ec4393046217f837b107d20274c618

SHA256
d4422da00365e99fb49c83f31d2ea50f1a041d7fdda218c6823ee26491221924

SHA512
10908a0bf8f29a5690e6d6626421516af61070bb5b12568f255318c066956dd9f36f98802a91e9ef03466f045873711c7d6e368221b7d67e36b7827559652a53

Download Submit
memory/3644-0-0x00007FFCE9D23000-0x00007FFCE9D25000-memory.dmp

Filesize
8KB

Download
memory/3644-10-0x00007FFCE9D20000-0x00007FFCEA7E1000-memory.dmp

Filesize
10.8MB

Download
memory/3644-2-0x00007FFCE9D20000-0x00007FFCEA7E1000-memory.dmp

Filesize
10.8MB

Download
memory/3644-1-0x0000000000650000-0x0000000000974000-memory.dmp

Filesize
3.1MB

Download
memory/4916-18-0x00007FFCE9D20000-0x00007FFCEA7E1000-memory.dmp

Filesize
10.8MB

Download
memory/4916-13-0x000000001D940000-0x000000001D9F2000-memory.dmp

Filesize
712KB

Download
memory/4916-12-0x000000001B870000-0x000000001B8C0000-memory.dmp

Filesize
320KB

Download
memory/4916-11-0x00007FFCE9D20000-0x00007FFCEA7E1000-memory.dmp

Filesize
10.8MB

Download
memory/4916-9-0x00007FFCE9D20000-0x00007FFCEA7E1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads