quasar | b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2025, 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574.exe
Size

3.4MB
MD5

61a23a5c02f19dda41b5f63b48784a96
SHA1

def21ab5c10bf3b4e5a5d2b2abb5d00b8e2dea18
SHA256

b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574
SHA512

2e210707c58c71aa20a6ddffd95b83fd5c61e039a4201a807409ad1570c4650bb6549e85bb161631ccae26e310799379864e1b3c090145d103f1a6bdc9573cf4
SSDEEP

49152:XvulL26AaNeWgPhlmVqvMQ7XSKeK8FEzUkk/bZLoGd5YTHHB72eh2NT:XveL26AaNeWgPhlmVqkQ7XSKH8tp

Score

10^/10

quasar kaspersky discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Kaspersky

mmdrza.ddns.net:25565

Mutex

fba445f3-0d80-4a93-bed3-c92c762015fc

Attributes

encryption_key
953F5906F7FC4FE5000EA40834065AE361109E51
install_name
kaspsersky32.exe
log_directory
Failture logs
reconnect_delay
3000
startup_key
Kaspersky auto update
subdirectory
Kaspersky

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/3344-1-0x0000000000C30000-0x0000000000F96000-memory.dmp	family_quasar
behavioral2/files/0x00070000000242c2-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kaspsersky32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kaspsersky32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kaspsersky32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kaspsersky32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kaspsersky32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kaspsersky32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kaspsersky32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kaspsersky32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kaspsersky32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kaspsersky32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kaspsersky32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kaspsersky32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kaspsersky32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kaspsersky32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kaspsersky32.exe

Executes dropped EXE 15 IoCs

pid	Process
4784	kaspsersky32.exe
5152	kaspsersky32.exe
3248	kaspsersky32.exe
1976	kaspsersky32.exe
4340	kaspsersky32.exe
1312	kaspsersky32.exe
1876	kaspsersky32.exe
3716	kaspsersky32.exe
4436	kaspsersky32.exe
456	kaspsersky32.exe
5784	kaspsersky32.exe
4508	kaspsersky32.exe
1524	kaspsersky32.exe
1904	kaspsersky32.exe
4784	kaspsersky32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5388	PING.EXE
6084	PING.EXE
5696	PING.EXE
5984	PING.EXE
4844	PING.EXE
1192	PING.EXE
5088	PING.EXE
5988	PING.EXE
1980	PING.EXE
2972	PING.EXE
3768	PING.EXE
6092	PING.EXE
5908	PING.EXE
3960	PING.EXE
4176	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2972	PING.EXE
3768	PING.EXE
6084	PING.EXE
5088	PING.EXE
5988	PING.EXE
5908	PING.EXE
1980	PING.EXE
5388	PING.EXE
4176	PING.EXE
5696	PING.EXE
4844	PING.EXE
3960	PING.EXE
6092	PING.EXE
5984	PING.EXE
1192	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1712	schtasks.exe
5512	schtasks.exe
5616	schtasks.exe
6040	schtasks.exe
2040	schtasks.exe
3016	schtasks.exe
4268	schtasks.exe
4680	schtasks.exe
744	schtasks.exe
5584	schtasks.exe
4832	schtasks.exe
5552	schtasks.exe
4052	schtasks.exe
968	schtasks.exe
1952	schtasks.exe
3740	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3344	b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574.exe
Token: SeDebugPrivilege	4784	kaspsersky32.exe
Token: SeDebugPrivilege	5152	kaspsersky32.exe
Token: SeDebugPrivilege	3248	kaspsersky32.exe
Token: SeDebugPrivilege	1976	kaspsersky32.exe
Token: SeDebugPrivilege	4340	kaspsersky32.exe
Token: SeDebugPrivilege	1312	kaspsersky32.exe
Token: SeDebugPrivilege	1876	kaspsersky32.exe
Token: SeDebugPrivilege	3716	kaspsersky32.exe
Token: SeDebugPrivilege	4436	kaspsersky32.exe
Token: SeDebugPrivilege	456	kaspsersky32.exe
Token: SeDebugPrivilege	5784	kaspsersky32.exe
Token: SeDebugPrivilege	4508	kaspsersky32.exe
Token: SeDebugPrivilege	1524	kaspsersky32.exe
Token: SeDebugPrivilege	1904	kaspsersky32.exe
Token: SeDebugPrivilege	4784	kaspsersky32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 5512	3344	b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574.exe	89
PID 3344 wrote to memory of 5512	3344	b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574.exe	89
PID 3344 wrote to memory of 4784	3344	b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574.exe	91
PID 3344 wrote to memory of 4784	3344	b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574.exe	91
PID 4784 wrote to memory of 4680	4784	kaspsersky32.exe	92
PID 4784 wrote to memory of 4680	4784	kaspsersky32.exe	92
PID 4784 wrote to memory of 4840	4784	kaspsersky32.exe	96
PID 4784 wrote to memory of 4840	4784	kaspsersky32.exe	96
PID 4840 wrote to memory of 4596	4840	cmd.exe	98
PID 4840 wrote to memory of 4596	4840	cmd.exe	98
PID 4840 wrote to memory of 5908	4840	cmd.exe	99
PID 4840 wrote to memory of 5908	4840	cmd.exe	99
PID 4840 wrote to memory of 5152	4840	cmd.exe	104
PID 4840 wrote to memory of 5152	4840	cmd.exe	104
PID 5152 wrote to memory of 5616	5152	kaspsersky32.exe	106
PID 5152 wrote to memory of 5616	5152	kaspsersky32.exe	106
PID 5152 wrote to memory of 1448	5152	kaspsersky32.exe	108
PID 5152 wrote to memory of 1448	5152	kaspsersky32.exe	108
PID 1448 wrote to memory of 744	1448	cmd.exe	110
PID 1448 wrote to memory of 744	1448	cmd.exe	110
PID 1448 wrote to memory of 1192	1448	cmd.exe	111
PID 1448 wrote to memory of 1192	1448	cmd.exe	111
PID 1448 wrote to memory of 3248	1448	cmd.exe	112
PID 1448 wrote to memory of 3248	1448	cmd.exe	112
PID 3248 wrote to memory of 6040	3248	kaspsersky32.exe	113
PID 3248 wrote to memory of 6040	3248	kaspsersky32.exe	113
PID 3248 wrote to memory of 2760	3248	kaspsersky32.exe	115
PID 3248 wrote to memory of 2760	3248	kaspsersky32.exe	115
PID 2760 wrote to memory of 2860	2760	cmd.exe	117
PID 2760 wrote to memory of 2860	2760	cmd.exe	117
PID 2760 wrote to memory of 3960	2760	cmd.exe	118
PID 2760 wrote to memory of 3960	2760	cmd.exe	118
PID 2760 wrote to memory of 1976	2760	cmd.exe	120
PID 2760 wrote to memory of 1976	2760	cmd.exe	120
PID 1976 wrote to memory of 2040	1976	kaspsersky32.exe	121
PID 1976 wrote to memory of 2040	1976	kaspsersky32.exe	121
PID 1976 wrote to memory of 5724	1976	kaspsersky32.exe	123
PID 1976 wrote to memory of 5724	1976	kaspsersky32.exe	123
PID 5724 wrote to memory of 1820	5724	cmd.exe	125
PID 5724 wrote to memory of 1820	5724	cmd.exe	125
PID 5724 wrote to memory of 1980	5724	cmd.exe	126
PID 5724 wrote to memory of 1980	5724	cmd.exe	126
PID 5724 wrote to memory of 4340	5724	cmd.exe	135
PID 5724 wrote to memory of 4340	5724	cmd.exe	135
PID 4340 wrote to memory of 5552	4340	kaspsersky32.exe	136
PID 4340 wrote to memory of 5552	4340	kaspsersky32.exe	136
PID 4340 wrote to memory of 1896	4340	kaspsersky32.exe	138
PID 4340 wrote to memory of 1896	4340	kaspsersky32.exe	138
PID 1896 wrote to memory of 1052	1896	cmd.exe	140
PID 1896 wrote to memory of 1052	1896	cmd.exe	140
PID 1896 wrote to memory of 2972	1896	cmd.exe	141
PID 1896 wrote to memory of 2972	1896	cmd.exe	141
PID 1896 wrote to memory of 1312	1896	cmd.exe	142
PID 1896 wrote to memory of 1312	1896	cmd.exe	142
PID 1312 wrote to memory of 3016	1312	kaspsersky32.exe	143
PID 1312 wrote to memory of 3016	1312	kaspsersky32.exe	143
PID 1312 wrote to memory of 4704	1312	kaspsersky32.exe	145
PID 1312 wrote to memory of 4704	1312	kaspsersky32.exe	145
PID 4704 wrote to memory of 4744	4704	cmd.exe	147
PID 4704 wrote to memory of 4744	4704	cmd.exe	147
PID 4704 wrote to memory of 3768	4704	cmd.exe	148
PID 4704 wrote to memory of 3768	4704	cmd.exe	148
PID 4704 wrote to memory of 1876	4704	cmd.exe	149
PID 4704 wrote to memory of 1876	4704	cmd.exe	149

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574.exe
"C:\Users\Admin\AppData\Local\Temp\b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5512
- C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe
  "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RejGaYZiX0q3.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4596
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5908
  - - C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe
      "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5152
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5616
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BlzGlALCGsKh.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1448
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:744
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1192
      - C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe
        
        "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\thDKlGoMsxcQ.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2860
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3960
        
        C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe
        
        "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JugNUxkhTNCe.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5724
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1820
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1980
        
        C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe
        
        "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yDtT09bqUoIa.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1052
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2972
        
        C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe
        
        "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\izGYdjVBIaqq.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4744
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3768
        
        C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe
        
        "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4268
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bFbhE1dlkNbO.bat" "
        15⤵
        
        PID:4840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4756
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5388
        
        C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe
        
        "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3716
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hsbTykbspjTX.bat" "
        17⤵
        
        PID:4792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:5396
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4176
        
        C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe
        
        "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4436
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vX2rhtwSvcKq.bat" "
        19⤵
        
        PID:2892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1264
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6084
        
        C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe
        
        "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:456
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xVl8zMM0Te1x.bat" "
        21⤵
        
        PID:4356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2416
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5696
        
        C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe
        
        "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5784
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M4IQEQp4hOqN.bat" "
        23⤵
        
        PID:2064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1988
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6092
        
        C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe
        
        "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4508
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3SF1dMiLCD0n.bat" "
        25⤵
        
        PID:4020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1608
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5088
        
        C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe
        
        "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\97qXp8kB1mNs.bat" "
        27⤵
        
        PID:5552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2084
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5988
        
        C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe
        
        "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywprRBbXZLOY.bat" "
        29⤵
        
        PID:1312
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:3972
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5984
        
        C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe
        
        "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4784
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ToPiVsIQ5YkP.bat" "
        31⤵
        
        PID:2916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2352
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\kaspsersky32.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3SF1dMiLCD0n.bat

Filesize
216B

MD5
a540685b1a733f85fc03940e8b848923

SHA1
6e71e6e90488e1ad1408e10a6208e02812c22997

SHA256
deb50e680448ee2a736f060d26a021d63a97bc37a724bda3fcf57b907dd8a5ce

SHA512
515f775201d3e5280ea49b444ed3c82715e6667875fccb210db620207fed99d1b03018a1d079c6cb392d36288a0f2af881f653e0852d5e51882e063fdc5d0b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\97qXp8kB1mNs.bat

Filesize
216B

MD5
4be7a07562de1b76f3ae12dd671e3e28

SHA1
532a88427f0d278ee5a7eec95ce8255adeab542a

SHA256
9223ecfca96447df8da37aac92c9fe50b2703534fe1f9a58e0f0bf7363606434

SHA512
e7e4d96d72cac6512db317795a620d4a37671276a1ee27b145728c5aca774effdd8a49ef3075e39c7313d37b1a1bc7c820b5ddaaeb8525cc413fe4181f60b26e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BlzGlALCGsKh.bat

Filesize
216B

MD5
a8ad6c497360070dc3705cd626bb3b55

SHA1
319c0d6266c483f6d38e210498f541eab99fafb6

SHA256
bdefbed62d5405495cf3b349a0506641ae52a4900084e48d364afa1f22d25da5

SHA512
ba2f90e5b1b1e0019a8851521932db3cd678532dcc8903890ab9c9a75a178f1c64ff9c9c0035a40f17792dc5839ecd625d9cf16e2ea59695164d26aa1ddc876e

Download Submit
C:\Users\Admin\AppData\Local\Temp\JugNUxkhTNCe.bat

Filesize
216B

MD5
0adbc607bb5a14acd2ea803da7203038

SHA1
2db4c8b52ac4a38407d9de2be71a888f515da7cb

SHA256
2c552dea06cb479c137006b4113b59c55978ed4885774d6f6507a4f444fe1362

SHA512
aff4b1e5ef84f05a668a327180da49d316dda2f7de541ab5d82cd1daf2be8983226c1406670e4fb6c1e379a3be63f972510b31cfa17900c23687ddd05e70bb9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\M4IQEQp4hOqN.bat

Filesize
216B

MD5
fc4a1cdb68b4d9ac5b7bb14f23dc5910

SHA1
f6b181d13ed7d7300ad1e3b65259038ca4c766e3

SHA256
c98c7e4c9081a70aa70241034c8494a3362bb5e83c5e935d33c29c88a65f1a99

SHA512
1a7d651eb001846bc4a31a2802c8e84acd691610a2c96a4afec7b8892f15ab8d187dbf3dc5a911b0413393f5eca157abef06356c556046e1e5d0eac0781fadb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RejGaYZiX0q3.bat

Filesize
216B

MD5
ea431e643c7647cd9a8f5b36ecb00e16

SHA1
a7e5bffd79771fec3ce91c1ef0f98f8adb712e94

SHA256
c6e530c9aa8b2f2c0721443e65a2eef3c0c20b82c28fb2f43fe2230584594b50

SHA512
d2b3cfe30607968d45887b62691229e2491880d259e6ae9054a2ecd67d3132757be7d22458e9bc6ad52b8e05fb2219f40bfc3432c92bf0ae7a470ac846a9b5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ToPiVsIQ5YkP.bat

Filesize
216B

MD5
34baf49223c55976200657eae70b3e75

SHA1
871835342badbe7ad22aa9320e90fe1046beae4d

SHA256
d54df46e7cc7b80c1bd44affd97d4050e1c5cbabc8267ca4735f5deb05296751

SHA512
2da00c315227743d31ca9058be5194dae0b6c55058144f96b054afa85f4360d1019324cbf931f3759e82ea91746c75e4fd36347655594db057c0c845ecb1bd92

Download Submit
C:\Users\Admin\AppData\Local\Temp\bFbhE1dlkNbO.bat

Filesize
216B

MD5
15cdf7fe9c9931d529af0139f9810f84

SHA1
46dcb5a2dccbfdeb955c5655b022db0af5c20fd1

SHA256
7336b06c7131680a3b1e79a1a68cff8b0ae7c9c3068cf6d4a9ec028ef712e8b3

SHA512
ceb7cf07d229dbd6d092237974512a71bbb8c9fca010b23d900627ac75310a669b438aaa8d5cf11ebde23cf68a255d0b56f50973e543bafb8e24832ce55b1b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsbTykbspjTX.bat

Filesize
216B

MD5
91a26167892354689e87839a0613b69b

SHA1
cd5834d9f17258a18dc5d69c00cd2ec0068bb9f7

SHA256
4fe7d45dba42d8b70009803b95aaba8dff57aea23eac87ee5d16e5d222a5d79f

SHA512
170a07babad348ad1c2796082229113fbb60c95e16e378acd6487facce1338ec36819798e26c4ec9bf690311047c5b86e2f430033ae6e0049b292253d6a8b816

Download Submit
C:\Users\Admin\AppData\Local\Temp\izGYdjVBIaqq.bat

Filesize
216B

MD5
66418a3950c838c627998901241cfd8d

SHA1
3e128155fd4c7eec27816150b6cc585e66d0d87a

SHA256
6115fb77b348007f348a67f4adad61e4139d0d815c429bef459617338002b89c

SHA512
2f4d7cf672da36d58887cc2bab5c81950ad748456e1a4ba8e6506ce4e96191cbefcfea9e844ee3260e36b6ab94b4e55c335e60f19bd2f447f20d0efa5a4a5c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\thDKlGoMsxcQ.bat

Filesize
216B

MD5
79866c0ec1549755f7dcad527bd050dc

SHA1
a51e1a816c6c226c46ee94b74129baed160364f2

SHA256
9f505973c28fd0cceb0d6fb812daa39db1122b950984999fb29c8411ef9f5860

SHA512
759fc47c1b6056bc7442be4739cc680a7b5f253577ff2327e9159525f9a225ef5142cdc84c485e653c0eec0ed801bf986aaca130379c98281591405455414911

Download Submit
C:\Users\Admin\AppData\Local\Temp\vX2rhtwSvcKq.bat

Filesize
216B

MD5
309049f2d95f61737ed61210df177671

SHA1
dc3cb5dd735ea2dd869f751f949c1e49d5c43f57

SHA256
5a422f04d9cbad14101dce3ecf561f8d8e4156130201e19c03a96e462591f0d2

SHA512
f2c04f89e32ccc7711b3022e78ea00bb50c5beeb3aab578f368aa13b636f6b7e7ec930bef81bcefbc33bbbfc4179777ea85339f03ccffaea022abb7ebf45872d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xVl8zMM0Te1x.bat

Filesize
216B

MD5
c5695a51a2a7346755e9184220a1819b

SHA1
0e125a6416fdea3853ecda7589fd9eac909f27ae

SHA256
3abe934479ab717d24208a3030328055d68bcf94d4d74c712bdc650ab9ca1a40

SHA512
663be304699f778ab2b07ff96c5012f0b10d8aa3be3cf34e4ab5760c301a1f48764cc259e6b3c93a7cf833b665a3d0abdce562622c0f6a237bb8f3386bf67281

Download Submit
C:\Users\Admin\AppData\Local\Temp\yDtT09bqUoIa.bat

Filesize
216B

MD5
03c15a307485fded0a4f856db5fda906

SHA1
7a47baace766401329fca268735acfe24558d932

SHA256
880fe42e695a2ded6afe864b989a5c4e3ea2b3c3ee7ef1be6580d57d21d47243

SHA512
e949db792974807108fbde0852a7999b810f7034e30f275280075c7c4d2e54ad71b4908754258669289f0907cf3bd9039b3b804a8c999aa1eaf03c4ef689b868

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywprRBbXZLOY.bat

Filesize
216B

MD5
9b7970185eaef5f3ec76a09d45f5632a

SHA1
b00f03299b5e9f9451b470e3541c8083d97119b4

SHA256
fd5ab15a4f7b672507dd4b5f74971dd352d2380aef491fd7555234ec9f7c2c1c

SHA512
bafe00726ba86cf1e8f8bd9c8d67f291f3938221fac17c61f9fb7c46df48397ac5972d3bf8e278431b35c614ad870c2ebb87b04d999394353c88725ad2a50506

Download Submit
C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe

Filesize
3.4MB

MD5
61a23a5c02f19dda41b5f63b48784a96

SHA1
def21ab5c10bf3b4e5a5d2b2abb5d00b8e2dea18

SHA256
b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574

SHA512
2e210707c58c71aa20a6ddffd95b83fd5c61e039a4201a807409ad1570c4650bb6549e85bb161631ccae26e310799379864e1b3c090145d103f1a6bdc9573cf4

Download Submit
memory/3344-0-0x00007FFD9D7B3000-0x00007FFD9D7B5000-memory.dmp

Filesize
8KB

Download
memory/3344-10-0x00007FFD9D7B0000-0x00007FFD9E271000-memory.dmp

Filesize
10.8MB

Download
memory/3344-2-0x00007FFD9D7B0000-0x00007FFD9E271000-memory.dmp

Filesize
10.8MB

Download
memory/3344-1-0x0000000000C30000-0x0000000000F96000-memory.dmp

Filesize
3.4MB

Download
memory/4784-18-0x00007FFD9D7B0000-0x00007FFD9E271000-memory.dmp

Filesize
10.8MB

Download
memory/4784-9-0x00007FFD9D7B0000-0x00007FFD9E271000-memory.dmp

Filesize
10.8MB

Download
memory/4784-11-0x00007FFD9D7B0000-0x00007FFD9E271000-memory.dmp

Filesize
10.8MB

Download
memory/4784-12-0x000000001BF90000-0x000000001BFE0000-memory.dmp

Filesize
320KB

Download
memory/4784-13-0x000000001C0A0000-0x000000001C152000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads