quasar | 136d4f11ca284be9615ee652f493d2e357d164091029286eee7b3350c2e7d4c3

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Server.exe
Size

3.1MB
MD5

89e0f8d71958e344d1071cab560dd305
SHA1

f106a720d7b80d373bbe84792c53aab491a30924
SHA256

136d4f11ca284be9615ee652f493d2e357d164091029286eee7b3350c2e7d4c3
SHA512

4ae82e52ccb2a20b4781ef906edbfabf030c178b45eafe672f163ae668ce02cd20911f898ab5280bf75b66c241478715236da2edc5864b275504d14e35ec42ad
SSDEEP

49152:SvyI22SsaNYfdPBldt698dBcjHQnhabRjPLoGdtaTHHB72eh2NT:Svf22SsaNYfdPBldt6+dBcjHQnhOT

Score

10^/10

quasar hacked spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Hacked

them-recommended.gl.at.ply.gg:37993

Mutex

145f9813-188a-4b62-ba7f-be07578e5a8f

Attributes

encryption_key
9B76C981C0602003513D6F00F317713EF0E2A660
install_name
Updater.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Updater
subdirectory
Update

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

behavioral1/memory/1440-1-0x0000000000C00000-0x0000000000F24000-memory.dmp family_quasar
C:\Users\Admin\AppData\Roaming\Update\Updater.exe family_quasar

resource	yara_rule
behavioral1/memory/1440-1-0x0000000000C00000-0x0000000000F24000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Update\Updater.exe	family_quasar

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Updater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Updater.exe

Executes dropped EXE 10 IoCs

Processes:

Updater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exe

pid process

2968 Updater.exe
2576 Updater.exe
4924 Updater.exe
1872 Updater.exe
4772 Updater.exe
4404 Updater.exe
1424 Updater.exe
4980 Updater.exe
1036 Updater.exe
1384 Updater.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

5112 PING.EXE
4564 PING.EXE
3284 PING.EXE
1880 PING.EXE
3932 PING.EXE
3104 PING.EXE
3548 PING.EXE
332 PING.EXE
1900 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2424 schtasks.exe
3896 schtasks.exe
3224 schtasks.exe
3396 schtasks.exe
3372 schtasks.exe
2636 schtasks.exe
5044 schtasks.exe
2408 schtasks.exe
1520 schtasks.exe
180 schtasks.exe
384 schtasks.exe

pid	process
2968	Updater.exe
2576	Updater.exe
4924	Updater.exe
1872	Updater.exe
4772	Updater.exe
4404	Updater.exe
1424	Updater.exe
4980	Updater.exe
1036	Updater.exe
1384	Updater.exe

pid	process
5112	PING.EXE
4564	PING.EXE
3284	PING.EXE
1880	PING.EXE
3932	PING.EXE
3104	PING.EXE
3548	PING.EXE
332	PING.EXE
1900	PING.EXE

pid	process
2424	schtasks.exe
3896	schtasks.exe
3224	schtasks.exe
3396	schtasks.exe
3372	schtasks.exe
2636	schtasks.exe
5044	schtasks.exe
2408	schtasks.exe
1520	schtasks.exe
180	schtasks.exe
384	schtasks.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

Server.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exe

description	pid	process
Token: SeDebugPrivilege	1440	Server.exe
Token: SeDebugPrivilege	2968	Updater.exe
Token: SeDebugPrivilege	2576	Updater.exe
Token: SeDebugPrivilege	4924	Updater.exe
Token: SeDebugPrivilege	1872	Updater.exe
Token: SeDebugPrivilege	4772	Updater.exe
Token: SeDebugPrivilege	4404	Updater.exe
Token: SeDebugPrivilege	1424	Updater.exe
Token: SeDebugPrivilege	4980	Updater.exe
Token: SeDebugPrivilege	1036	Updater.exe
Token: SeDebugPrivilege	1384	Updater.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

Updater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exe

pid process

2968 Updater.exe
2576 Updater.exe
4924 Updater.exe
1872 Updater.exe
4772 Updater.exe
4404 Updater.exe
1424 Updater.exe
4980 Updater.exe
1036 Updater.exe
1384 Updater.exe
Suspicious use of SendNotifyMessage 10 IoCs

Processes:

Updater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exe

pid process

2968 Updater.exe
2576 Updater.exe
4924 Updater.exe
1872 Updater.exe
4772 Updater.exe
4404 Updater.exe
1424 Updater.exe
4980 Updater.exe
1036 Updater.exe
1384 Updater.exe

pid	process
2968	Updater.exe
2576	Updater.exe
4924	Updater.exe
1872	Updater.exe
4772	Updater.exe
4404	Updater.exe
1424	Updater.exe
4980	Updater.exe
1036	Updater.exe
1384	Updater.exe

pid	process
2968	Updater.exe
2576	Updater.exe
4924	Updater.exe
1872	Updater.exe
4772	Updater.exe
4404	Updater.exe
1424	Updater.exe
4980	Updater.exe
1036	Updater.exe
1384	Updater.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Server.exeUpdater.execmd.exeUpdater.execmd.exeUpdater.execmd.exeUpdater.execmd.exeUpdater.execmd.exeUpdater.execmd.exe

description	pid	process	target process
PID 1440 wrote to memory of 2408	1440	Server.exe	schtasks.exe
PID 1440 wrote to memory of 2408	1440	Server.exe	schtasks.exe
PID 1440 wrote to memory of 2968	1440	Server.exe	Updater.exe
PID 1440 wrote to memory of 2968	1440	Server.exe	Updater.exe
PID 2968 wrote to memory of 2424	2968	Updater.exe	schtasks.exe
PID 2968 wrote to memory of 2424	2968	Updater.exe	schtasks.exe
PID 2968 wrote to memory of 3256	2968	Updater.exe	cmd.exe
PID 2968 wrote to memory of 3256	2968	Updater.exe	cmd.exe
PID 3256 wrote to memory of 4256	3256	cmd.exe	chcp.com
PID 3256 wrote to memory of 4256	3256	cmd.exe	chcp.com
PID 3256 wrote to memory of 3284	3256	cmd.exe	PING.EXE
PID 3256 wrote to memory of 3284	3256	cmd.exe	PING.EXE
PID 3256 wrote to memory of 2576	3256	cmd.exe	Updater.exe
PID 3256 wrote to memory of 2576	3256	cmd.exe	Updater.exe
PID 2576 wrote to memory of 384	2576	Updater.exe	schtasks.exe
PID 2576 wrote to memory of 384	2576	Updater.exe	schtasks.exe
PID 2576 wrote to memory of 652	2576	Updater.exe	cmd.exe
PID 2576 wrote to memory of 652	2576	Updater.exe	cmd.exe
PID 652 wrote to memory of 2592	652	cmd.exe	chcp.com
PID 652 wrote to memory of 2592	652	cmd.exe	chcp.com
PID 652 wrote to memory of 1880	652	cmd.exe	PING.EXE
PID 652 wrote to memory of 1880	652	cmd.exe	PING.EXE
PID 652 wrote to memory of 4924	652	cmd.exe	Updater.exe
PID 652 wrote to memory of 4924	652	cmd.exe	Updater.exe
PID 4924 wrote to memory of 1520	4924	Updater.exe	schtasks.exe
PID 4924 wrote to memory of 1520	4924	Updater.exe	schtasks.exe
PID 4924 wrote to memory of 4132	4924	Updater.exe	cmd.exe
PID 4924 wrote to memory of 4132	4924	Updater.exe	cmd.exe
PID 4132 wrote to memory of 2504	4132	cmd.exe	chcp.com
PID 4132 wrote to memory of 2504	4132	cmd.exe	chcp.com
PID 4132 wrote to memory of 3932	4132	cmd.exe	PING.EXE
PID 4132 wrote to memory of 3932	4132	cmd.exe	PING.EXE
PID 4132 wrote to memory of 1872	4132	cmd.exe	Updater.exe
PID 4132 wrote to memory of 1872	4132	cmd.exe	Updater.exe
PID 1872 wrote to memory of 3896	1872	Updater.exe	schtasks.exe
PID 1872 wrote to memory of 3896	1872	Updater.exe	schtasks.exe
PID 1872 wrote to memory of 4492	1872	Updater.exe	cmd.exe
PID 1872 wrote to memory of 4492	1872	Updater.exe	cmd.exe
PID 4492 wrote to memory of 1656	4492	cmd.exe	chcp.com
PID 4492 wrote to memory of 1656	4492	cmd.exe	chcp.com
PID 4492 wrote to memory of 3104	4492	cmd.exe	PING.EXE
PID 4492 wrote to memory of 3104	4492	cmd.exe	PING.EXE
PID 4492 wrote to memory of 4772	4492	cmd.exe	Updater.exe
PID 4492 wrote to memory of 4772	4492	cmd.exe	Updater.exe
PID 4772 wrote to memory of 180	4772	Updater.exe	schtasks.exe
PID 4772 wrote to memory of 180	4772	Updater.exe	schtasks.exe
PID 4772 wrote to memory of 1560	4772	Updater.exe	cmd.exe
PID 4772 wrote to memory of 1560	4772	Updater.exe	cmd.exe
PID 1560 wrote to memory of 740	1560	cmd.exe	chcp.com
PID 1560 wrote to memory of 740	1560	cmd.exe	chcp.com
PID 1560 wrote to memory of 5112	1560	cmd.exe	PING.EXE
PID 1560 wrote to memory of 5112	1560	cmd.exe	PING.EXE
PID 1560 wrote to memory of 4404	1560	cmd.exe	Updater.exe
PID 1560 wrote to memory of 4404	1560	cmd.exe	Updater.exe
PID 4404 wrote to memory of 3224	4404	Updater.exe	schtasks.exe
PID 4404 wrote to memory of 3224	4404	Updater.exe	schtasks.exe
PID 4404 wrote to memory of 1500	4404	Updater.exe	cmd.exe
PID 4404 wrote to memory of 1500	4404	Updater.exe	cmd.exe
PID 1500 wrote to memory of 4608	1500	cmd.exe	chcp.com
PID 1500 wrote to memory of 4608	1500	cmd.exe	chcp.com
PID 1500 wrote to memory of 3548	1500	cmd.exe	PING.EXE
PID 1500 wrote to memory of 3548	1500	cmd.exe	PING.EXE
PID 1500 wrote to memory of 1424	1500	cmd.exe	Updater.exe
PID 1500 wrote to memory of 1424	1500	cmd.exe	Updater.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Update\Updater.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Users\Admin\AppData\Roaming\Update\Updater.exe
"C:\Users\Admin\AppData\Roaming\Update\Updater.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Update\Updater.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DO21OQixycCV.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3256

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:4256

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:3284

C:\Users\Admin\AppData\Roaming\Update\Updater.exe
"C:\Users\Admin\AppData\Roaming\Update\Updater.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Update\Updater.exe" /rl HIGHEST /f
5⤵
- Scheduled Task/Job: Scheduled Task
PID:384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w7KPUVpPFPgq.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:2592

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:1880

C:\Users\Admin\AppData\Roaming\Update\Updater.exe
"C:\Users\Admin\AppData\Roaming\Update\Updater.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Update\Updater.exe" /rl HIGHEST /f
7⤵
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TZyFzSkfvSms.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4132

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:2504

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:3932

C:\Users\Admin\AppData\Roaming\Update\Updater.exe
"C:\Users\Admin\AppData\Roaming\Update\Updater.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Update\Updater.exe" /rl HIGHEST /f
9⤵
- Scheduled Task/Job: Scheduled Task
PID:3896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0taVy4FU47dt.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:1656

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:3104

C:\Users\Admin\AppData\Roaming\Update\Updater.exe
"C:\Users\Admin\AppData\Roaming\Update\Updater.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Update\Updater.exe" /rl HIGHEST /f
11⤵
- Scheduled Task/Job: Scheduled Task
PID:180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmb3Gqs1Gwcx.bat" "
11⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:740

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:5112

C:\Users\Admin\AppData\Roaming\Update\Updater.exe
"C:\Users\Admin\AppData\Roaming\Update\Updater.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Update\Updater.exe" /rl HIGHEST /f
13⤵
- Scheduled Task/Job: Scheduled Task
PID:3224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OWRQMJWylyES.bat" "
13⤵
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:4608

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:3548

C:\Users\Admin\AppData\Roaming\Update\Updater.exe
"C:\Users\Admin\AppData\Roaming\Update\Updater.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1424

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Update\Updater.exe" /rl HIGHEST /f
15⤵
- Scheduled Task/Job: Scheduled Task
PID:3396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3wCspfoCj6GB.bat" "
15⤵
PID:1440

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:1772

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:332

C:\Users\Admin\AppData\Roaming\Update\Updater.exe
"C:\Users\Admin\AppData\Roaming\Update\Updater.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4980

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Update\Updater.exe" /rl HIGHEST /f
17⤵
- Scheduled Task/Job: Scheduled Task
PID:3372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CoBYNTIlBCBr.bat" "
17⤵
PID:2508

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:2284

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:1900

C:\Users\Admin\AppData\Roaming\Update\Updater.exe
"C:\Users\Admin\AppData\Roaming\Update\Updater.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1036

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Update\Updater.exe" /rl HIGHEST /f
19⤵
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U6tdSRI92bkZ.bat" "
19⤵
PID:3840

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:4652

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:4564

C:\Users\Admin\AppData\Roaming\Update\Updater.exe
"C:\Users\Admin\AppData\Roaming\Update\Updater.exe"
20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1384

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Update\Updater.exe" /rl HIGHEST /f
21⤵
- Scheduled Task/Job: Scheduled Task
PID:5044

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Updater.exe.log
Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0taVy4FU47dt.bat
Filesize
208B

MD5
a86be8e3748f2aaa32527339188909aa

SHA1
167bb5d77d951eec5c7702c91e723cc2ce9cedc6

SHA256
bf073fbfbc8cb8ee3da22dbb3e0aa9660ac813afb68b61699e54d09dc5bf7eda

SHA512
f424dc5f0c2e449d6690e39532f27c8b36710bd25cfeb75460d6b97be77e908fbd9c22e2bfadf950e8ed4b872b35bfdfb052614ade57b5ff40e82d7f3d1faead

Download Submit
C:\Users\Admin\AppData\Local\Temp\3wCspfoCj6GB.bat
Filesize
208B

MD5
85d0227db5c64a56fc9ed4eda0485590

SHA1
a57b61b315d212cb77d9ee96ca12431215e14cad

SHA256
472ac3007fc39f714035be96e906e30292e95c39c0824518bcaf9ab564e70d36

SHA512
0af89421b75cc9995cfc191f7465a6c71325eb7545220a3356955c5570fbc822bb698c376ed8ea876d890e8963be351d95d8a3024bfeb4a162896c3d36581282

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoBYNTIlBCBr.bat
Filesize
208B

MD5
c02f3344499cd1e16e39e0eceaf96280

SHA1
5120d459845d25d62752c773799103227da99765

SHA256
a69e683ffdf262173252997a316ea5fdff0cc08aba4808c76aeb16b1e58a9497

SHA512
8f42a671060650f3b1d873742198436dc7695103b3a160580ee704268fb28b2a56437837527af48398e93497b28cacdeebf695ce1692823d92b4121dc45f2222

Download Submit
C:\Users\Admin\AppData\Local\Temp\DO21OQixycCV.bat
Filesize
208B

MD5
01cdee49debe8e0ad775076ca44bc19e

SHA1
c82f7497337e17d1145b36d9a4454ef3cb3203c3

SHA256
a1effc113d6f4ad8afa1e5fd550c9a52515035dbb5466bdfd459f692c3982ea2

SHA512
41eea265f0f3a1c6c8e4974b401bc74885876515149614a94570b36e0c327b6d2534c18ffa581faea0bfc7ee60862ca964f37e553100a0adc32090b931d8b55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OWRQMJWylyES.bat
Filesize
208B

MD5
c060e5fe701e615db201ffc0503d66b5

SHA1
2189e11be552153cc60721e6f3a0d0efe1c24e66

SHA256
9826f95cb5853b1213454a3f3da97cbc0803947b3d68db7972402ab41b76a5f6

SHA512
fcbf34978834cd527a220ea9c32f062cc7eea63870995cc88d77e6de7c82632e37e1e336bee9b9fdc3311b49ee38460bd8f6c900a6fdfd5f17e2a72e7cb248aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TZyFzSkfvSms.bat
Filesize
208B

MD5
87151fe456543380c0e8369e6adcb520

SHA1
345e5b8c7e3f54d480b9cbe39f600b9d70084e9c

SHA256
e1aac18a3553c3277c8f3260b72f0c887cdb4d3a275215b622705df0dbe37d09

SHA512
4b026ad098cb5cbdb8a32e72f5a515ed5389160b171fe517d88a6a30aa0fa4785416bc4a20c8b5698885ea3456929edf2aff98fea38a9df1a6aaa45f23e9acb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\U6tdSRI92bkZ.bat
Filesize
208B

MD5
10a712dc71fdcc9978534d16ffffc6d5

SHA1
e3ce5aaa65a2e42bf3a86289b256d66da8ec9bdd

SHA256
d85e2bde20e90cc108eba722ba107155a9897e59b1bda617724a7b674299a350

SHA512
36297e7aeb3f4bfbbac71d58eda6a0d3b2929a3bf5e7505f25857cb58c89af8d96022974be87a6c4a7aa5ba300840e7a4d216454d0d2276f2cf7136de372cc7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mmb3Gqs1Gwcx.bat
Filesize
208B

MD5
76e9527142f56e7734bcccc4a78eaf0c

SHA1
eb1fa2b33bdff514a857ca4b9ed1f2e912e3b67b

SHA256
7247a6f906291955536d8a3445076b86e4a66ddb891f820107c2077a923ae2b9

SHA512
bb0732c5191baecd272cb6666d60e132efc63ff54f78753e2c3fdb1ec93113579f72842af0aedc7a70e30e0c4a703de94fd55c92ac4c3a587abf80fb8ae66cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\w7KPUVpPFPgq.bat
Filesize
208B

MD5
d9dd311180c1e1c1d32e9694945f657c

SHA1
bcf80541c09a34928b66a8a16bb311e0c5982487

SHA256
03ed80081cefe962e6f29f3ea41f1322f5dc0d309c329e4f8a11b73238a549c5

SHA512
299cd7fcd20acbe46c5d21efde58d502fbfae9b4b6e85f2e64932469be38db58ec50bca98e6c77d49504e4a22fdc88b72927bfff8e70d1d7dc2d82cb4bc5f64d

Download Submit
C:\Users\Admin\AppData\Roaming\Update\Updater.exe
Filesize
3.1MB

MD5
89e0f8d71958e344d1071cab560dd305

SHA1
f106a720d7b80d373bbe84792c53aab491a30924

SHA256
136d4f11ca284be9615ee652f493d2e357d164091029286eee7b3350c2e7d4c3

SHA512
4ae82e52ccb2a20b4781ef906edbfabf030c178b45eafe672f163ae668ce02cd20911f898ab5280bf75b66c241478715236da2edc5864b275504d14e35ec42ad

Download Submit
memory/1440-9-0x00007FFD06B10000-0x00007FFD075D1000-memory.dmp

Filesize
10.8MB

Download
memory/1440-0-0x00007FFD06B13000-0x00007FFD06B15000-memory.dmp

Filesize
8KB

Download
memory/1440-2-0x00007FFD06B10000-0x00007FFD075D1000-memory.dmp

Filesize
10.8MB

Download
memory/1440-1-0x0000000000C00000-0x0000000000F24000-memory.dmp

Filesize
3.1MB

Download
memory/2968-18-0x00007FFD06B10000-0x00007FFD075D1000-memory.dmp

Filesize
10.8MB

Download
memory/2968-13-0x000000001DA60000-0x000000001DB12000-memory.dmp

Filesize
712KB

Download
memory/2968-12-0x000000001D950000-0x000000001D9A0000-memory.dmp

Filesize
320KB

Download
memory/2968-11-0x00007FFD06B10000-0x00007FFD075D1000-memory.dmp

Filesize
10.8MB

Download
memory/2968-10-0x00007FFD06B10000-0x00007FFD075D1000-memory.dmp

Filesize
10.8MB

Download