quasar | b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574

Analysis

max time kernel
149s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/03/2025, 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574.exe
Size

3.4MB
MD5

61a23a5c02f19dda41b5f63b48784a96
SHA1

def21ab5c10bf3b4e5a5d2b2abb5d00b8e2dea18
SHA256

b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574
SHA512

2e210707c58c71aa20a6ddffd95b83fd5c61e039a4201a807409ad1570c4650bb6549e85bb161631ccae26e310799379864e1b3c090145d103f1a6bdc9573cf4
SSDEEP

49152:XvulL26AaNeWgPhlmVqvMQ7XSKeK8FEzUkk/bZLoGd5YTHHB72eh2NT:XveL26AaNeWgPhlmVqkQ7XSKH8tp

Score

10^/10

quasar kaspersky discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Kaspersky

mmdrza.ddns.net:25565

Mutex

fba445f3-0d80-4a93-bed3-c92c762015fc

Attributes

encryption_key
953F5906F7FC4FE5000EA40834065AE361109E51
install_name
kaspsersky32.exe
log_directory
Failture logs
reconnect_delay
3000
startup_key
Kaspersky auto update
subdirectory
Kaspersky

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 13 IoCs

resource	yara_rule
behavioral1/memory/2644-1-0x0000000001090000-0x00000000013F6000-memory.dmp	family_quasar
behavioral1/files/0x00070000000191f3-6.dat	family_quasar
behavioral1/memory/916-9-0x0000000000D80000-0x00000000010E6000-memory.dmp	family_quasar
behavioral1/memory/2560-23-0x0000000001320000-0x0000000001686000-memory.dmp	family_quasar
behavioral1/memory/1296-34-0x00000000000D0000-0x0000000000436000-memory.dmp	family_quasar
behavioral1/memory/2900-46-0x00000000012B0000-0x0000000001616000-memory.dmp	family_quasar
behavioral1/memory/1188-68-0x00000000002C0000-0x0000000000626000-memory.dmp	family_quasar
behavioral1/memory/2964-79-0x0000000000DD0000-0x0000000001136000-memory.dmp	family_quasar
behavioral1/memory/316-91-0x0000000001270000-0x00000000015D6000-memory.dmp	family_quasar
behavioral1/memory/2060-113-0x00000000000B0000-0x0000000000416000-memory.dmp	family_quasar
behavioral1/memory/2000-124-0x00000000012E0000-0x0000000001646000-memory.dmp	family_quasar
behavioral1/memory/552-135-0x0000000000080000-0x00000000003E6000-memory.dmp	family_quasar
behavioral1/memory/2780-147-0x0000000000200000-0x0000000000566000-memory.dmp	family_quasar

Executes dropped EXE 13 IoCs

pid	Process
916	kaspsersky32.exe
2560	kaspsersky32.exe
1296	kaspsersky32.exe
2900	kaspsersky32.exe
2444	kaspsersky32.exe
1188	kaspsersky32.exe
2964	kaspsersky32.exe
316	kaspsersky32.exe
2120	kaspsersky32.exe
2060	kaspsersky32.exe
2000	kaspsersky32.exe
552	kaspsersky32.exe
2780	kaspsersky32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1328	PING.EXE
2116	PING.EXE
3040	PING.EXE
2796	PING.EXE
1356	PING.EXE
1744	PING.EXE
2864	PING.EXE
2432	PING.EXE
1308	PING.EXE
2952	PING.EXE
1272	PING.EXE
2420	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
3040	PING.EXE
2796	PING.EXE
1356	PING.EXE
2420	PING.EXE
1744	PING.EXE
2864	PING.EXE
2432	PING.EXE
1328	PING.EXE
1272	PING.EXE
1308	PING.EXE
2116	PING.EXE
2952	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2460	schtasks.exe
2764	schtasks.exe
1968	schtasks.exe
2256	schtasks.exe
1408	schtasks.exe
2184	schtasks.exe
2216	schtasks.exe
2624	schtasks.exe
2260	schtasks.exe
1584	schtasks.exe
2768	schtasks.exe
2784	schtasks.exe
2816	schtasks.exe
2396	schtasks.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574.exe
Token: SeDebugPrivilege	916	kaspsersky32.exe
Token: SeDebugPrivilege	2560	kaspsersky32.exe
Token: SeDebugPrivilege	1296	kaspsersky32.exe
Token: SeDebugPrivilege	2900	kaspsersky32.exe
Token: SeDebugPrivilege	2444	kaspsersky32.exe
Token: SeDebugPrivilege	1188	kaspsersky32.exe
Token: SeDebugPrivilege	2964	kaspsersky32.exe
Token: SeDebugPrivilege	316	kaspsersky32.exe
Token: SeDebugPrivilege	2120	kaspsersky32.exe
Token: SeDebugPrivilege	2060	kaspsersky32.exe
Token: SeDebugPrivilege	2000	kaspsersky32.exe
Token: SeDebugPrivilege	552	kaspsersky32.exe
Token: SeDebugPrivilege	2780	kaspsersky32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2460	2644	b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574.exe	31
PID 2644 wrote to memory of 2460	2644	b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574.exe	31
PID 2644 wrote to memory of 2460	2644	b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574.exe	31
PID 2644 wrote to memory of 916	2644	b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574.exe	33
PID 2644 wrote to memory of 916	2644	b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574.exe	33
PID 2644 wrote to memory of 916	2644	b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574.exe	33
PID 916 wrote to memory of 2764	916	kaspsersky32.exe	34
PID 916 wrote to memory of 2764	916	kaspsersky32.exe	34
PID 916 wrote to memory of 2764	916	kaspsersky32.exe	34
PID 916 wrote to memory of 2860	916	kaspsersky32.exe	36
PID 916 wrote to memory of 2860	916	kaspsersky32.exe	36
PID 916 wrote to memory of 2860	916	kaspsersky32.exe	36
PID 2860 wrote to memory of 2588	2860	cmd.exe	38
PID 2860 wrote to memory of 2588	2860	cmd.exe	38
PID 2860 wrote to memory of 2588	2860	cmd.exe	38
PID 2860 wrote to memory of 3040	2860	cmd.exe	39
PID 2860 wrote to memory of 3040	2860	cmd.exe	39
PID 2860 wrote to memory of 3040	2860	cmd.exe	39
PID 2860 wrote to memory of 2560	2860	cmd.exe	40
PID 2860 wrote to memory of 2560	2860	cmd.exe	40
PID 2860 wrote to memory of 2560	2860	cmd.exe	40
PID 2560 wrote to memory of 2624	2560	kaspsersky32.exe	41
PID 2560 wrote to memory of 2624	2560	kaspsersky32.exe	41
PID 2560 wrote to memory of 2624	2560	kaspsersky32.exe	41
PID 2560 wrote to memory of 1304	2560	kaspsersky32.exe	43
PID 2560 wrote to memory of 1304	2560	kaspsersky32.exe	43
PID 2560 wrote to memory of 1304	2560	kaspsersky32.exe	43
PID 1304 wrote to memory of 320	1304	cmd.exe	45
PID 1304 wrote to memory of 320	1304	cmd.exe	45
PID 1304 wrote to memory of 320	1304	cmd.exe	45
PID 1304 wrote to memory of 2796	1304	cmd.exe	46
PID 1304 wrote to memory of 2796	1304	cmd.exe	46
PID 1304 wrote to memory of 2796	1304	cmd.exe	46
PID 1304 wrote to memory of 1296	1304	cmd.exe	47
PID 1304 wrote to memory of 1296	1304	cmd.exe	47
PID 1304 wrote to memory of 1296	1304	cmd.exe	47
PID 1296 wrote to memory of 1968	1296	kaspsersky32.exe	48
PID 1296 wrote to memory of 1968	1296	kaspsersky32.exe	48
PID 1296 wrote to memory of 1968	1296	kaspsersky32.exe	48
PID 1296 wrote to memory of 1516	1296	kaspsersky32.exe	50
PID 1296 wrote to memory of 1516	1296	kaspsersky32.exe	50
PID 1296 wrote to memory of 1516	1296	kaspsersky32.exe	50
PID 1516 wrote to memory of 1544	1516	cmd.exe	52
PID 1516 wrote to memory of 1544	1516	cmd.exe	52
PID 1516 wrote to memory of 1544	1516	cmd.exe	52
PID 1516 wrote to memory of 1272	1516	cmd.exe	53
PID 1516 wrote to memory of 1272	1516	cmd.exe	53
PID 1516 wrote to memory of 1272	1516	cmd.exe	53
PID 1516 wrote to memory of 2900	1516	cmd.exe	54
PID 1516 wrote to memory of 2900	1516	cmd.exe	54
PID 1516 wrote to memory of 2900	1516	cmd.exe	54
PID 2900 wrote to memory of 2256	2900	kaspsersky32.exe	55
PID 2900 wrote to memory of 2256	2900	kaspsersky32.exe	55
PID 2900 wrote to memory of 2256	2900	kaspsersky32.exe	55
PID 2900 wrote to memory of 2040	2900	kaspsersky32.exe	57
PID 2900 wrote to memory of 2040	2900	kaspsersky32.exe	57
PID 2900 wrote to memory of 2040	2900	kaspsersky32.exe	57
PID 2040 wrote to memory of 1856	2040	cmd.exe	59
PID 2040 wrote to memory of 1856	2040	cmd.exe	59
PID 2040 wrote to memory of 1856	2040	cmd.exe	59
PID 2040 wrote to memory of 1356	2040	cmd.exe	60
PID 2040 wrote to memory of 1356	2040	cmd.exe	60
PID 2040 wrote to memory of 1356	2040	cmd.exe	60
PID 2040 wrote to memory of 2444	2040	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574.exe
"C:\Users\Admin\AppData\Local\Temp\b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2460
- C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe
  "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2764
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\muP5QlcThn5o.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2588
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3040
  - - C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe
      "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2624
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qbOpyXGI7rAe.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1304
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:320
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2796
      - C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe
        
        "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1968
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\E7GncAgFi6pJ.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1272
        
        C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe
        
        "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2256
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1o4w9l75BACA.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1856
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1356
        
        C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe
        
        "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1408
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZJNw1vJNCw46.bat" "
        11⤵
        
        PID:1936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2364
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2420
        
        C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe
        
        "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2260
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\N0quFsWD8bmT.bat" "
        13⤵
        
        PID:984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1744
        
        C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe
        
        "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1584
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nGn3xjYgNeX1.bat" "
        15⤵
        
        PID:2128
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2868
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2864
        
        C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe
        
        "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2768
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\brjkgrt2SJKq.bat" "
        17⤵
        
        PID:2524
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2584
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2432
        
        C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe
        
        "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2784
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\M7FNbtnh17hX.bat" "
        19⤵
        
        PID:2628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1328
        
        C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe
        
        "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2816
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gFjdH3R7De9j.bat" "
        21⤵
        
        PID:2936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2256
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1308
        
        C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe
        
        "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2184
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\u6GZrw9xJI6y.bat" "
        23⤵
        
        PID:844
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1472
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2116
        
        C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe
        
        "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2396
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dTwcfubIgcFW.bat" "
        25⤵
        
        PID:928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:652
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2952
        
        C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe
        
        "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1o4w9l75BACA.bat

Filesize
216B

MD5
84528c7d9026bb1e363510eb4350767a

SHA1
23f8720dd9c3a9ca226fd3027c82ba36d9eb3ab5

SHA256
9c83e811e17eb40ef66e6b7f82ff05b8cf67a6f929c16843efae6a2e23fbd320

SHA512
1cdef99c18935d1bac18e7a81f5f8665c275d2096c6ccb33af3cb100c2f748440234df1331af0f7dccff1d7a6d50ae908e87aa75fcbce7c4d1a35be36b25eb8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E7GncAgFi6pJ.bat

Filesize
216B

MD5
bbb41e038f580910f241a9a5bac072f8

SHA1
07c1dab2b79da0d1e1d23a17ea188dbdbdf93b23

SHA256
5b3bffc07310677e8312ffc48a2d5cdb973ec4d4eee8c94b02a90fb2e1bd96db

SHA512
659d755c6cda0957c6065cbbabbd016af33e24b2789068ac9b731d87e80ad7955afd1f71eb57919fbdc90e191cb3586911685629e10e5b91b0ec3b0335d79e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\M7FNbtnh17hX.bat

Filesize
216B

MD5
0585f09eaa51cfe43a6ea24228793d82

SHA1
c53bb8c8accfc6886c519beab4df7c466a62e3a6

SHA256
44eb7656899c75691e68e34a638f30ae70cb85d9f7d6fe3ed01e4a92c8eb0f56

SHA512
dec310f9cd0fdd562c833b22c92b9cf0ff70e387e26aa59c1a5037a61d92d38ddeb31744bbee8a3ecbd0cebd65bd87b35e73bf9777b216a00953c3310f212627

Download Submit
C:\Users\Admin\AppData\Local\Temp\N0quFsWD8bmT.bat

Filesize
216B

MD5
ff563d39611382032af460029b049b63

SHA1
86f94b0fa8fdb9508de37ff86b119418e5b81b68

SHA256
58943338f1eef0b49b6167d467c9934021248ce66a5c968be6db460efd7aad19

SHA512
ff500d7b5355655908e2f400a898f8abb29624d357b45c4e535796de0cd8462b5980e28fb3b1268b3ce5e9e00f8633c4f4e8cb83ea34b534d2c7f905c1fe3306

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZJNw1vJNCw46.bat

Filesize
216B

MD5
47c17f7404dae1a592c3f66dc621b8f4

SHA1
823466656396f6a37d5cd705b749009d00489f1d

SHA256
7c5216b4ff96158e200291ea3fcca6c6f0d28f19c47f543e57a217a7b9ac4253

SHA512
2320f72f4112dcd76240942b6a41b9daaf2d57240621f041907de32dcff572cb8e821f4926a4581b151200e81111cb8ee3a33172c4eb1ec5dfee14e85debb33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\brjkgrt2SJKq.bat

Filesize
216B

MD5
b643fd6e6db05ce148ff470c3566ee8b

SHA1
937461f94f901077f76bc70e5c37960a7d78c81b

SHA256
990ef1dd414da05c23deffd91b268a967bd964d0b9fa4fa847263ea3d8fedb7f

SHA512
b777a691a92f107ee9c0bbe3fccf62867d56ddfa92d51f44d77c9e3d1578563f81c52296164e4abbde8b075ef6558c91b96f4a0a669bf0c47e96f4bcfd06ec0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dTwcfubIgcFW.bat

Filesize
216B

MD5
5b7ed4e0a663c19bbe57da3baafcf18f

SHA1
9fb257f782f00564fd76eabb13d42810990a4a08

SHA256
1e880b5516e2f440410b0e426963e9d6f251021e79a4acf5f20e31c982341489

SHA512
63f6da5fc5ecb381fbd32d7b1703165febfe8b387063111be7857ceb434bbcfb13df6d1295eab0e93239f7814c7bb7dd6cc20a68ad4873121f7896e6c26fd193

Download Submit
C:\Users\Admin\AppData\Local\Temp\gFjdH3R7De9j.bat

Filesize
216B

MD5
ee9e73be90192606009e27968f9f8a80

SHA1
7abe3bc6c9cb102d7cfbfe3c8cff91fae4a9c8cb

SHA256
6af7727ca693df6a39d3ea0608031a5a3318caeb5ef7b25a8a2af3b4e30622e3

SHA512
6ee5f489efd24c9d1170f3a9b35208a2830b2cad2cae09dfbfaca97f4950b42c9d72d4961bb6183075836ef556dc6738f94b68d81a755f6f5dd1f15e1130be18

Download Submit
C:\Users\Admin\AppData\Local\Temp\muP5QlcThn5o.bat

Filesize
216B

MD5
28f41d08d3fa01fdb2e6e3aa37a370cf

SHA1
49b9fc395873b3259818426e656f69a132a8231a

SHA256
026634f2b8a6f15c60200001ee548bed8daa1f946c4be55c2bd36ef149d830de

SHA512
06b24dda12cd4cb455c5b44587d03c16c1319d506f4c066792e698c9e2a5a682befb9f43d48154c2d2c2b2fc348c6b1594ceba2b8f1b02c5c8607c0f3b911d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGn3xjYgNeX1.bat

Filesize
216B

MD5
86b4238d0863a1618184cb1606e490c6

SHA1
30ad5520088814debbd413c539449f0977b4754e

SHA256
aa53c5c71532b717454123390dc91532482b8920553230ee3afe32ca8a790923

SHA512
1d85007e23b4bc3dd85195224a725b4ab2502b5dff4dffe07b800d0753d3a531f9974f50574f4721c6158f29536717719d57874a9c442d33ef80da06dde4c42f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbOpyXGI7rAe.bat

Filesize
216B

MD5
d5dabd2a705751f5982079fece271eab

SHA1
45b2e2fbb35f7d065a03bf76ccc58c418b3eeceb

SHA256
c0ea33c6fd73da8d0cc9675d8dc0a5812809a9445cd01e6cbbc3200df5ba4bda

SHA512
d83e4b47e9dbf4f42511d9416ddc02eb47a3f56c051937cd6b4efd9225861b35dc1b7671fcbfd95917e4d1a074566155a54cf8ee569c1ff815dc30ba74605de6

Download Submit
C:\Users\Admin\AppData\Local\Temp\u6GZrw9xJI6y.bat

Filesize
216B

MD5
f16ca880934f2aba449f09966cd3ec36

SHA1
141727aee81cbc86bfa14888461ef2fda4afc402

SHA256
ee326760ca55957e80967846852194d68cd37113c9fe583327368477aba1342a

SHA512
dd70d26e20b4211f7a140359879fa5d411b13c096c736c6dbb45ee3786025b815427da5c5fe629e319ac172118596bde191e3b9853373f0916e4128236c5aeab

Download Submit
C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe

Filesize
3.4MB

MD5
61a23a5c02f19dda41b5f63b48784a96

SHA1
def21ab5c10bf3b4e5a5d2b2abb5d00b8e2dea18

SHA256
b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574

SHA512
2e210707c58c71aa20a6ddffd95b83fd5c61e039a4201a807409ad1570c4650bb6549e85bb161631ccae26e310799379864e1b3c090145d103f1a6bdc9573cf4

Download Submit
memory/316-91-0x0000000001270000-0x00000000015D6000-memory.dmp

Filesize
3.4MB

Download
memory/552-135-0x0000000000080000-0x00000000003E6000-memory.dmp

Filesize
3.4MB

Download
memory/916-20-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/916-11-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/916-9-0x0000000000D80000-0x00000000010E6000-memory.dmp

Filesize
3.4MB

Download
memory/916-8-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/1188-68-0x00000000002C0000-0x0000000000626000-memory.dmp

Filesize
3.4MB

Download
memory/1296-34-0x00000000000D0000-0x0000000000436000-memory.dmp

Filesize
3.4MB

Download
memory/2000-124-0x00000000012E0000-0x0000000001646000-memory.dmp

Filesize
3.4MB

Download
memory/2060-113-0x00000000000B0000-0x0000000000416000-memory.dmp

Filesize
3.4MB

Download
memory/2560-23-0x0000000001320000-0x0000000001686000-memory.dmp

Filesize
3.4MB

Download
memory/2644-0-0x000007FEF5B03000-0x000007FEF5B04000-memory.dmp

Filesize
4KB

Download
memory/2644-1-0x0000000001090000-0x00000000013F6000-memory.dmp

Filesize
3.4MB

Download
memory/2644-2-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2644-10-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2780-147-0x0000000000200000-0x0000000000566000-memory.dmp

Filesize
3.4MB

Download
memory/2900-46-0x00000000012B0000-0x0000000001616000-memory.dmp

Filesize
3.4MB

Download
memory/2964-79-0x0000000000DD0000-0x0000000001136000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads