quasar | 1dba5015247e9e52949d62c60c23713657123b7786cb790d6f1534126936c1b2

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

317a46786b73fccfafa5b5678c1a21a1.exe
Size

3.1MB
MD5

317a46786b73fccfafa5b5678c1a21a1
SHA1

e72c0001fb47a477514f5abdb348ae489de65f72
SHA256

1dba5015247e9e52949d62c60c23713657123b7786cb790d6f1534126936c1b2
SHA512

237b4b626c30911e1f705ac9765d33446f6948630e2a4179d444391cd4e8338e34691da69a8f044b329889c3680aa9cc19108482abe51f179c354d81c8ce678f
SSDEEP

49152:Sv6I22SsaNYfdPBldt698dBcjH3mRJ6SbR3LoGdmTHHB72eh2NT:Sv322SsaNYfdPBldt6+dBcjH3mRJ6M

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

pringelsy-51954.portmap.host:51954

Mutex

ed30a1b2-d1a0-4e30-a860-b77fa3f71c40

Attributes

encryption_key
49F9D3CAD835E70C60B54E401E356C16B3822AE8
install_name
Opera GX.exe
log_directory
Logs
reconnect_delay
1000
startup_key
OperaVPN
subdirectory
common Files

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

behavioral2/memory/392-1-0x00000000003F0000-0x0000000000714000-memory.dmp family_quasar
C:\Program Files\Common Files\Opera GX.exe family_quasar

resource	yara_rule
behavioral2/memory/392-1-0x00000000003F0000-0x0000000000714000-memory.dmp	family_quasar
C:\Program Files\Common Files\Opera GX.exe	family_quasar

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Opera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe

Executes dropped EXE 10 IoCs

Processes:

Opera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

pid process

3224 Opera GX.exe
1048 Opera GX.exe
4832 Opera GX.exe
4504 Opera GX.exe
2020 Opera GX.exe
1588 Opera GX.exe
4640 Opera GX.exe
3272 Opera GX.exe
4568 Opera GX.exe
4360 Opera GX.exe

pid	process
3224	Opera GX.exe
1048	Opera GX.exe
4832	Opera GX.exe
4504	Opera GX.exe
2020	Opera GX.exe
1588	Opera GX.exe
4640	Opera GX.exe
3272	Opera GX.exe
4568	Opera GX.exe
4360	Opera GX.exe

Drops file in Program Files directory 23 IoCs

Processes:

317a46786b73fccfafa5b5678c1a21a1.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

description	ioc	process
File created	C:\Program Files\common Files\Opera GX.exe	317a46786b73fccfafa5b5678c1a21a1.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	317a46786b73fccfafa5b5678c1a21a1.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	317a46786b73fccfafa5b5678c1a21a1.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

4092 PING.EXE
4648 PING.EXE
4852 PING.EXE
2896 PING.EXE
2996 PING.EXE
1972 PING.EXE
1592 PING.EXE
1204 PING.EXE
4044 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3092 schtasks.exe
1992 schtasks.exe
2540 schtasks.exe
4536 schtasks.exe
3092 schtasks.exe
3000 schtasks.exe
4912 schtasks.exe
2844 schtasks.exe
1860 schtasks.exe
528 schtasks.exe
3620 schtasks.exe

pid	process
4092	PING.EXE
4648	PING.EXE
4852	PING.EXE
2896	PING.EXE
2996	PING.EXE
1972	PING.EXE
1592	PING.EXE
1204	PING.EXE
4044	PING.EXE

pid	process
3092	schtasks.exe
1992	schtasks.exe
2540	schtasks.exe
4536	schtasks.exe
3092	schtasks.exe
3000	schtasks.exe
4912	schtasks.exe
2844	schtasks.exe
1860	schtasks.exe
528	schtasks.exe
3620	schtasks.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

317a46786b73fccfafa5b5678c1a21a1.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

description	pid	process
Token: SeDebugPrivilege	392	317a46786b73fccfafa5b5678c1a21a1.exe
Token: SeDebugPrivilege	3224	Opera GX.exe
Token: SeDebugPrivilege	1048	Opera GX.exe
Token: SeDebugPrivilege	4832	Opera GX.exe
Token: SeDebugPrivilege	4504	Opera GX.exe
Token: SeDebugPrivilege	2020	Opera GX.exe
Token: SeDebugPrivilege	1588	Opera GX.exe
Token: SeDebugPrivilege	4640	Opera GX.exe
Token: SeDebugPrivilege	3272	Opera GX.exe
Token: SeDebugPrivilege	4568	Opera GX.exe
Token: SeDebugPrivilege	4360	Opera GX.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

Opera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

pid process

3224 Opera GX.exe
1048 Opera GX.exe
4832 Opera GX.exe
4504 Opera GX.exe
2020 Opera GX.exe
1588 Opera GX.exe
4640 Opera GX.exe
3272 Opera GX.exe
4568 Opera GX.exe
4360 Opera GX.exe
Suspicious use of SendNotifyMessage 10 IoCs

Processes:

Opera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

pid process

3224 Opera GX.exe
1048 Opera GX.exe
4832 Opera GX.exe
4504 Opera GX.exe
2020 Opera GX.exe
1588 Opera GX.exe
4640 Opera GX.exe
3272 Opera GX.exe
4568 Opera GX.exe
4360 Opera GX.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

Opera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

pid process

3224 Opera GX.exe
1588 Opera GX.exe
4640 Opera GX.exe
3272 Opera GX.exe
4568 Opera GX.exe
4360 Opera GX.exe

pid	process
3224	Opera GX.exe
1048	Opera GX.exe
4832	Opera GX.exe
4504	Opera GX.exe
2020	Opera GX.exe
1588	Opera GX.exe
4640	Opera GX.exe
3272	Opera GX.exe
4568	Opera GX.exe
4360	Opera GX.exe

pid	process
3224	Opera GX.exe
1048	Opera GX.exe
4832	Opera GX.exe
4504	Opera GX.exe
2020	Opera GX.exe
1588	Opera GX.exe
4640	Opera GX.exe
3272	Opera GX.exe
4568	Opera GX.exe
4360	Opera GX.exe

pid	process
3224	Opera GX.exe
1588	Opera GX.exe
4640	Opera GX.exe
3272	Opera GX.exe
4568	Opera GX.exe
4360	Opera GX.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

317a46786b73fccfafa5b5678c1a21a1.exeOpera GX.execmd.exeOpera GX.execmd.exeOpera GX.execmd.exeOpera GX.execmd.exeOpera GX.execmd.exeOpera GX.execmd.exe

description	pid	process	target process
PID 392 wrote to memory of 3092	392	317a46786b73fccfafa5b5678c1a21a1.exe	schtasks.exe
PID 392 wrote to memory of 3092	392	317a46786b73fccfafa5b5678c1a21a1.exe	schtasks.exe
PID 392 wrote to memory of 3224	392	317a46786b73fccfafa5b5678c1a21a1.exe	Opera GX.exe
PID 392 wrote to memory of 3224	392	317a46786b73fccfafa5b5678c1a21a1.exe	Opera GX.exe
PID 3224 wrote to memory of 1992	3224	Opera GX.exe	schtasks.exe
PID 3224 wrote to memory of 1992	3224	Opera GX.exe	schtasks.exe
PID 3224 wrote to memory of 3524	3224	Opera GX.exe	cmd.exe
PID 3224 wrote to memory of 3524	3224	Opera GX.exe	cmd.exe
PID 3524 wrote to memory of 2840	3524	cmd.exe	chcp.com
PID 3524 wrote to memory of 2840	3524	cmd.exe	chcp.com
PID 3524 wrote to memory of 1972	3524	cmd.exe	PING.EXE
PID 3524 wrote to memory of 1972	3524	cmd.exe	PING.EXE
PID 3524 wrote to memory of 1048	3524	cmd.exe	Opera GX.exe
PID 3524 wrote to memory of 1048	3524	cmd.exe	Opera GX.exe
PID 1048 wrote to memory of 4912	1048	Opera GX.exe	schtasks.exe
PID 1048 wrote to memory of 4912	1048	Opera GX.exe	schtasks.exe
PID 1048 wrote to memory of 2352	1048	Opera GX.exe	cmd.exe
PID 1048 wrote to memory of 2352	1048	Opera GX.exe	cmd.exe
PID 2352 wrote to memory of 3156	2352	cmd.exe	chcp.com
PID 2352 wrote to memory of 3156	2352	cmd.exe	chcp.com
PID 2352 wrote to memory of 1592	2352	cmd.exe	PING.EXE
PID 2352 wrote to memory of 1592	2352	cmd.exe	PING.EXE
PID 2352 wrote to memory of 4832	2352	cmd.exe	Opera GX.exe
PID 2352 wrote to memory of 4832	2352	cmd.exe	Opera GX.exe
PID 4832 wrote to memory of 2540	4832	Opera GX.exe	schtasks.exe
PID 4832 wrote to memory of 2540	4832	Opera GX.exe	schtasks.exe
PID 4832 wrote to memory of 4232	4832	Opera GX.exe	cmd.exe
PID 4832 wrote to memory of 4232	4832	Opera GX.exe	cmd.exe
PID 4232 wrote to memory of 3924	4232	cmd.exe	chcp.com
PID 4232 wrote to memory of 3924	4232	cmd.exe	chcp.com
PID 4232 wrote to memory of 4092	4232	cmd.exe	PING.EXE
PID 4232 wrote to memory of 4092	4232	cmd.exe	PING.EXE
PID 4232 wrote to memory of 4504	4232	cmd.exe	Opera GX.exe
PID 4232 wrote to memory of 4504	4232	cmd.exe	Opera GX.exe
PID 4504 wrote to memory of 2844	4504	Opera GX.exe	schtasks.exe
PID 4504 wrote to memory of 2844	4504	Opera GX.exe	schtasks.exe
PID 4504 wrote to memory of 3428	4504	Opera GX.exe	cmd.exe
PID 4504 wrote to memory of 3428	4504	Opera GX.exe	cmd.exe
PID 3428 wrote to memory of 2256	3428	cmd.exe	chcp.com
PID 3428 wrote to memory of 2256	3428	cmd.exe	chcp.com
PID 3428 wrote to memory of 1204	3428	cmd.exe	PING.EXE
PID 3428 wrote to memory of 1204	3428	cmd.exe	PING.EXE
PID 3428 wrote to memory of 2020	3428	cmd.exe	Opera GX.exe
PID 3428 wrote to memory of 2020	3428	cmd.exe	Opera GX.exe
PID 2020 wrote to memory of 4536	2020	Opera GX.exe	schtasks.exe
PID 2020 wrote to memory of 4536	2020	Opera GX.exe	schtasks.exe
PID 2020 wrote to memory of 4348	2020	Opera GX.exe	cmd.exe
PID 2020 wrote to memory of 4348	2020	Opera GX.exe	cmd.exe
PID 4348 wrote to memory of 1808	4348	cmd.exe	chcp.com
PID 4348 wrote to memory of 1808	4348	cmd.exe	chcp.com
PID 4348 wrote to memory of 4648	4348	cmd.exe	PING.EXE
PID 4348 wrote to memory of 4648	4348	cmd.exe	PING.EXE
PID 4348 wrote to memory of 1588	4348	cmd.exe	Opera GX.exe
PID 4348 wrote to memory of 1588	4348	cmd.exe	Opera GX.exe
PID 1588 wrote to memory of 3092	1588	Opera GX.exe	schtasks.exe
PID 1588 wrote to memory of 3092	1588	Opera GX.exe	schtasks.exe
PID 1588 wrote to memory of 2684	1588	Opera GX.exe	cmd.exe
PID 1588 wrote to memory of 2684	1588	Opera GX.exe	cmd.exe
PID 2684 wrote to memory of 1716	2684	cmd.exe	chcp.com
PID 2684 wrote to memory of 1716	2684	cmd.exe	chcp.com
PID 2684 wrote to memory of 4852	2684	cmd.exe	PING.EXE
PID 2684 wrote to memory of 4852	2684	cmd.exe	PING.EXE
PID 2684 wrote to memory of 4640	2684	cmd.exe	Opera GX.exe
PID 2684 wrote to memory of 4640	2684	cmd.exe	Opera GX.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\317a46786b73fccfafa5b5678c1a21a1.exe
"C:\Users\Admin\AppData\Local\Temp\317a46786b73fccfafa5b5678c1a21a1.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:3092

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3224

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\K0aapzA38yXR.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3524

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2840

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1972

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
5⤵
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wwNgAu7AXJgQ.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:3156

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:1592

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4832

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
7⤵
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qQOKI7nRMUb5.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:3924

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:4092

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
9⤵
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1EiTVNQrl05m.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:3428

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:2256

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:1204

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
11⤵
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rU3aUKjFl5OT.bat" "
11⤵
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:1808

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:4648

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
13⤵
- Scheduled Task/Job: Scheduled Task
PID:3092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmFBVEKnuMBP.bat" "
13⤵
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:1716

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:4852

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4640

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
15⤵
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qTMoEthKqVNS.bat" "
15⤵
PID:4300

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:3468

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:2896

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3272

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
17⤵
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ByGYOsEqpFxE.bat" "
17⤵
PID:428

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:5032

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:4044

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4568

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
19⤵
- Scheduled Task/Job: Scheduled Task
PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCzaJyfM16lm.bat" "
19⤵
PID:3148

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:2448

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:2996

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
20⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4360

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
21⤵
- Scheduled Task/Job: Scheduled Task
PID:3000

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Opera GX.exe
Filesize
3.1MB

MD5
317a46786b73fccfafa5b5678c1a21a1

SHA1
e72c0001fb47a477514f5abdb348ae489de65f72

SHA256
1dba5015247e9e52949d62c60c23713657123b7786cb790d6f1534126936c1b2

SHA512
237b4b626c30911e1f705ac9765d33446f6948630e2a4179d444391cd4e8338e34691da69a8f044b329889c3680aa9cc19108482abe51f179c354d81c8ce678f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Opera GX.exe.log
Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1EiTVNQrl05m.bat
Filesize
201B

MD5
047f263ed5412713ce9824777ff2a808

SHA1
e6c209bdb48cc3a92aaa7deb18a2c4b2f9ed595c

SHA256
752e34979a989a9d45a7fddf60f772dafc3133dc76b7efd2d0823454ad0f62a7

SHA512
354c9269232abf52e44bc8a0bb5ebdc7f444df211bcb1b39b22a7bd5b3420bd8ffed62cc7f7d71f15ebe8e008d006ab8d1e9eff243187646460aa41e0487ecf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ByGYOsEqpFxE.bat
Filesize
201B

MD5
8ccca5bd213511bc648d8d817e44f27f

SHA1
e9297ad39af379d5b4b19cee5c9d752308ca8ea2

SHA256
2206a83b34bb9d9ac59600019bb0b1aeee69e71cf262fe6296a47a0cd35e249e

SHA512
edc6b87bdb223df281bcf0e9c4a03fc9b70be9096362187866837fd85e0d2200f60d187ede30a4502fae38800e9e14a862efc784e7fa7edc3d9dd80a7b2c5ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\K0aapzA38yXR.bat
Filesize
201B

MD5
f52ff0f2cf45cb60e6c303cf42122b0a

SHA1
aec51bd64829ca971ddb6929cdcc6ee6cab8015f

SHA256
e48f6c38a3461846fc08b6b1b0fa9bd950c5a12d7c26137bb8d48fdcf4bbd228

SHA512
68797fcff2b1947af5b755709364aef3fbc5b1c45f3243061629eefb52f15c54b0e5cdb63870ea83513d9d9b0d72fb012418e2e70a470bfdae8c070a2fdc643e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmFBVEKnuMBP.bat
Filesize
201B

MD5
bd92bd628d4c16840abd6f8551c4c51b

SHA1
8e191c77e48a8a7688ef0e3a59066a2bbe9179ce

SHA256
1df116b9eef5d2991af7486870669d16d6f0caba8b094b8698069fa8744b5a3c

SHA512
020bb612448c535ed16c8c42d95c7f963e0406a33fdc56f53980809534c3c261dd92266679ba81ca24b65f67ed6d4240010d0a955f40e001498ee7f6f52f2992

Download Submit
C:\Users\Admin\AppData\Local\Temp\lCzaJyfM16lm.bat
Filesize
201B

MD5
f21602d1ec5398de86dbe2cec56510ad

SHA1
1e54fd720c84e4785c9ae876a887e6e40fcd5a6a

SHA256
f1370dad733ecf63c88b05e726813bf23c24a46bb11eb43f8062d2bb9cbd6340

SHA512
0780494b9eaecf99167c0ddab6b6423bb6f4ee364543ea86815a3a0a3ae36ac6d3bb1a3e0449adf981553142014f8200e3167c545bf9e4115238de430d7f2a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQOKI7nRMUb5.bat
Filesize
201B

MD5
81fe129fd98241348316e6f6c1841bea

SHA1
db33dc275d8b5b7d02364e61982ed3e96cb35058

SHA256
a13e0fd080e4c08dc5175bec5f9c9d7a42fb6e00fc13290806e57e93e3c4e19d

SHA512
09b049c365e9bcca76c6f5417e9d52aa3fd5abc4f9128b2ba1b68dca5e871f155af746465eabd56246b0cee8d82df5c540be023117fe7a14ff60467ea56dbeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\qTMoEthKqVNS.bat
Filesize
201B

MD5
15f4a946c38315b803aa7c09518f24a5

SHA1
11d471e2cfa3b71f499af2b2754a6c9a7fb7d461

SHA256
063c73c1446e0d873da2e1d5a087fc25c99b7de4750def1e12d8bc9bc5f136df

SHA512
833474cf75821cc793ce5fcad361f42a0ae19b545850cf6242c76448ebf8a1d40cbba56c98ffe03ec8f9cc11ca10bd1b6d2077bec2ff4e67c2a83b2aa73eec10

Download Submit
C:\Users\Admin\AppData\Local\Temp\rU3aUKjFl5OT.bat
Filesize
201B

MD5
a9f1599bbf717ec155fd6cf666009ba8

SHA1
f6293199313ecb73808b712afb5d54f63a38bdc4

SHA256
d5646a33dbfee007742f927da2c2bb81ff804f038a63607064a5c4ddec242ee3

SHA512
23c3e3d2e8ea41575de8c59ab697fe757a29970a7aba72dc33a683130029df0b9acce7df04f767dfaf2d0ea6342159acb90db94e4e338adfb4f78091b9542fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwNgAu7AXJgQ.bat
Filesize
201B

MD5
7a502b65caae62f79ca2315a93cc9063

SHA1
3183200f4eee50ad9594646f220e28b4cfda33de

SHA256
80f6563854b70c5d48e5fe6e3fdf4096ca6a60ab6de86021ad546ca5bf3b3f71

SHA512
d5ed214e08caf3a77ae9b4a158d0872c4981e111dc7dc13c783d5cfc3363625b3f3ef3b47513f29c777bbc3c297addf054207800831fc1336723375a372acf91

Download Submit
memory/392-0-0x00007FF9F8B43000-0x00007FF9F8B45000-memory.dmp

Filesize
8KB

Download
memory/392-9-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp

Filesize
10.8MB

Download
memory/392-2-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp

Filesize
10.8MB

Download
memory/392-1-0x00000000003F0000-0x0000000000714000-memory.dmp

Filesize
3.1MB

Download
memory/3224-18-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp

Filesize
10.8MB

Download
memory/3224-13-0x000000001E2C0000-0x000000001E372000-memory.dmp

Filesize
712KB

Download
memory/3224-12-0x000000001E1B0000-0x000000001E200000-memory.dmp

Filesize
320KB

Download
memory/3224-11-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp

Filesize
10.8MB

Download
memory/3224-10-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp

Filesize
10.8MB

Download