quasar | f422a9717bc7a77fe867c28c7841e46f20d55157338f4faa5e5f56c8e07b22e7

Analysis

max time kernel
145s
max time network
145s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
02-07-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SolaraBootstrapper.exe
Size

3.1MB
MD5

d1fa508b46362032225fd17c5bb85859
SHA1

7690e280c35cb4bf9a71aaad70ff4885393e680a
SHA256

f422a9717bc7a77fe867c28c7841e46f20d55157338f4faa5e5f56c8e07b22e7
SHA512

d1613ea3284a8cf4032632a5594f4d995deb25473cf76c8efd763dbf8fbc8a7e9345d5d3c3aca179773a42a6cb1932c97e3633747ad4d197fc54646dfe9fc184
SSDEEP

49152:TvHlL26AaNeWgPhlmVqvMQ7XSKWLRJ6EbR3LoGdiSTHHB72eh2NT:TvFL26AaNeWgPhlmVqkQ7XSKWLRJ6O

Score

10^/10

quasar solarabootstrapper spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SolaraBootstrapper

DESKTOP-JVK5CI7:4782

Mutex

39c5c45c-62a0-4623-a904-5cbad2aa6b55

Attributes

encryption_key
41AD0502F025DD3F47720DC4BDEED540F3EAFD12
install_name
securekerneI.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Update
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1116-1-0x0000000000290000-0x00000000005B4000-memory.dmp	family_quasar
C:\Windows\System32\SubDir\securekerneI.exe	family_quasar
behavioral1/memory/2100-9-0x0000000000C50000-0x0000000000F74000-memory.dmp	family_quasar
behavioral1/memory/1672-33-0x0000000001310000-0x0000000001634000-memory.dmp	family_quasar
behavioral1/memory/856-65-0x0000000000050000-0x0000000000374000-memory.dmp	family_quasar
behavioral1/memory/2180-76-0x0000000000850000-0x0000000000B74000-memory.dmp	family_quasar
behavioral1/memory/2728-87-0x00000000008C0000-0x0000000000BE4000-memory.dmp	family_quasar
behavioral1/memory/2548-99-0x00000000010E0000-0x0000000001404000-memory.dmp	family_quasar
behavioral1/memory/1800-110-0x0000000001230000-0x0000000001554000-memory.dmp	family_quasar
behavioral1/memory/2060-123-0x0000000000170000-0x0000000000494000-memory.dmp	family_quasar
behavioral1/memory/1140-134-0x0000000000F10000-0x0000000001234000-memory.dmp	family_quasar

Executes dropped EXE 12 IoCs

Processes:

securekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exe

pid	process
2100	securekerneI.exe
2524	securekerneI.exe
1672	securekerneI.exe
2188	securekerneI.exe
1552	securekerneI.exe
856	securekerneI.exe
2180	securekerneI.exe
2728	securekerneI.exe
2548	securekerneI.exe
1800	securekerneI.exe
2060	securekerneI.exe
1140	securekerneI.exe

Drops file in System32 directory 2 IoCs

Processes:

SolaraBootstrapper.exe

description ioc process

File opened for modification C:\Windows\system32\SubDir\securekerneI.exe SolaraBootstrapper.exe
File created C:\Windows\system32\SubDir\securekerneI.exe SolaraBootstrapper.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

2220 PING.EXE
2832 PING.EXE
1052 PING.EXE
2940 PING.EXE
1928 PING.EXE
1056 PING.EXE
2968 PING.EXE
768 PING.EXE
2708 PING.EXE
808 PING.EXE
2976 PING.EXE
1692 PING.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\SubDir\securekerneI.exe	SolaraBootstrapper.exe
File created	C:\Windows\system32\SubDir\securekerneI.exe	SolaraBootstrapper.exe

pid	process
2220	PING.EXE
2832	PING.EXE
1052	PING.EXE
2940	PING.EXE
1928	PING.EXE
1056	PING.EXE
2968	PING.EXE
768	PING.EXE
2708	PING.EXE
808	PING.EXE
2976	PING.EXE
1692	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1756	schtasks.exe
2276	schtasks.exe
1852	schtasks.exe
1952	schtasks.exe
1968	schtasks.exe
1100	schtasks.exe
2472	schtasks.exe
2020	schtasks.exe
2672	schtasks.exe
1984	schtasks.exe
1228	schtasks.exe
2600	schtasks.exe
2896	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

SolaraBootstrapper.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exe

description	pid	process
Token: SeDebugPrivilege	1116	SolaraBootstrapper.exe
Token: SeDebugPrivilege	2100	securekerneI.exe
Token: SeDebugPrivilege	2524	securekerneI.exe
Token: SeDebugPrivilege	1672	securekerneI.exe
Token: SeDebugPrivilege	2188	securekerneI.exe
Token: SeDebugPrivilege	1552	securekerneI.exe
Token: SeDebugPrivilege	856	securekerneI.exe
Token: SeDebugPrivilege	2180	securekerneI.exe
Token: SeDebugPrivilege	2728	securekerneI.exe
Token: SeDebugPrivilege	2548	securekerneI.exe
Token: SeDebugPrivilege	1800	securekerneI.exe
Token: SeDebugPrivilege	2060	securekerneI.exe
Token: SeDebugPrivilege	1140	securekerneI.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

securekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exe

pid	process
2100	securekerneI.exe
2524	securekerneI.exe
1672	securekerneI.exe
2188	securekerneI.exe
1552	securekerneI.exe
856	securekerneI.exe
2180	securekerneI.exe
2728	securekerneI.exe
2548	securekerneI.exe
1800	securekerneI.exe
2060	securekerneI.exe
1140	securekerneI.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

securekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exe

pid	process
2100	securekerneI.exe
2524	securekerneI.exe
1672	securekerneI.exe
2188	securekerneI.exe
1552	securekerneI.exe
856	securekerneI.exe
2180	securekerneI.exe
2728	securekerneI.exe
2548	securekerneI.exe
1800	securekerneI.exe
2060	securekerneI.exe
1140	securekerneI.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

securekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exe

pid	process
2100	securekerneI.exe
2524	securekerneI.exe
1672	securekerneI.exe
2188	securekerneI.exe
1552	securekerneI.exe
856	securekerneI.exe
2180	securekerneI.exe
2728	securekerneI.exe
2548	securekerneI.exe
1800	securekerneI.exe
2060	securekerneI.exe
1140	securekerneI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SolaraBootstrapper.exesecurekerneI.execmd.exesecurekerneI.execmd.exesecurekerneI.execmd.exesecurekerneI.execmd.exe

description	pid	process	target process
PID 1116 wrote to memory of 2020	1116	SolaraBootstrapper.exe	schtasks.exe
PID 1116 wrote to memory of 2020	1116	SolaraBootstrapper.exe	schtasks.exe
PID 1116 wrote to memory of 2020	1116	SolaraBootstrapper.exe	schtasks.exe
PID 1116 wrote to memory of 2100	1116	SolaraBootstrapper.exe	securekerneI.exe
PID 1116 wrote to memory of 2100	1116	SolaraBootstrapper.exe	securekerneI.exe
PID 1116 wrote to memory of 2100	1116	SolaraBootstrapper.exe	securekerneI.exe
PID 2100 wrote to memory of 2672	2100	securekerneI.exe	schtasks.exe
PID 2100 wrote to memory of 2672	2100	securekerneI.exe	schtasks.exe
PID 2100 wrote to memory of 2672	2100	securekerneI.exe	schtasks.exe
PID 2100 wrote to memory of 1336	2100	securekerneI.exe	cmd.exe
PID 2100 wrote to memory of 1336	2100	securekerneI.exe	cmd.exe
PID 2100 wrote to memory of 1336	2100	securekerneI.exe	cmd.exe
PID 1336 wrote to memory of 2556	1336	cmd.exe	chcp.com
PID 1336 wrote to memory of 2556	1336	cmd.exe	chcp.com
PID 1336 wrote to memory of 2556	1336	cmd.exe	chcp.com
PID 1336 wrote to memory of 2220	1336	cmd.exe	PING.EXE
PID 1336 wrote to memory of 2220	1336	cmd.exe	PING.EXE
PID 1336 wrote to memory of 2220	1336	cmd.exe	PING.EXE
PID 1336 wrote to memory of 2524	1336	cmd.exe	securekerneI.exe
PID 1336 wrote to memory of 2524	1336	cmd.exe	securekerneI.exe
PID 1336 wrote to memory of 2524	1336	cmd.exe	securekerneI.exe
PID 2524 wrote to memory of 2600	2524	securekerneI.exe	schtasks.exe
PID 2524 wrote to memory of 2600	2524	securekerneI.exe	schtasks.exe
PID 2524 wrote to memory of 2600	2524	securekerneI.exe	schtasks.exe
PID 2524 wrote to memory of 1528	2524	securekerneI.exe	cmd.exe
PID 2524 wrote to memory of 1528	2524	securekerneI.exe	cmd.exe
PID 2524 wrote to memory of 1528	2524	securekerneI.exe	cmd.exe
PID 1528 wrote to memory of 2628	1528	cmd.exe	chcp.com
PID 1528 wrote to memory of 2628	1528	cmd.exe	chcp.com
PID 1528 wrote to memory of 2628	1528	cmd.exe	chcp.com
PID 1528 wrote to memory of 2832	1528	cmd.exe	PING.EXE
PID 1528 wrote to memory of 2832	1528	cmd.exe	PING.EXE
PID 1528 wrote to memory of 2832	1528	cmd.exe	PING.EXE
PID 1528 wrote to memory of 1672	1528	cmd.exe	securekerneI.exe
PID 1528 wrote to memory of 1672	1528	cmd.exe	securekerneI.exe
PID 1528 wrote to memory of 1672	1528	cmd.exe	securekerneI.exe
PID 1672 wrote to memory of 1952	1672	securekerneI.exe	schtasks.exe
PID 1672 wrote to memory of 1952	1672	securekerneI.exe	schtasks.exe
PID 1672 wrote to memory of 1952	1672	securekerneI.exe	schtasks.exe
PID 1672 wrote to memory of 2432	1672	securekerneI.exe	cmd.exe
PID 1672 wrote to memory of 2432	1672	securekerneI.exe	cmd.exe
PID 1672 wrote to memory of 2432	1672	securekerneI.exe	cmd.exe
PID 2432 wrote to memory of 480	2432	cmd.exe	chcp.com
PID 2432 wrote to memory of 480	2432	cmd.exe	chcp.com
PID 2432 wrote to memory of 480	2432	cmd.exe	chcp.com
PID 2432 wrote to memory of 1056	2432	cmd.exe	PING.EXE
PID 2432 wrote to memory of 1056	2432	cmd.exe	PING.EXE
PID 2432 wrote to memory of 1056	2432	cmd.exe	PING.EXE
PID 2432 wrote to memory of 2188	2432	cmd.exe	securekerneI.exe
PID 2432 wrote to memory of 2188	2432	cmd.exe	securekerneI.exe
PID 2432 wrote to memory of 2188	2432	cmd.exe	securekerneI.exe
PID 2188 wrote to memory of 1968	2188	securekerneI.exe	schtasks.exe
PID 2188 wrote to memory of 1968	2188	securekerneI.exe	schtasks.exe
PID 2188 wrote to memory of 1968	2188	securekerneI.exe	schtasks.exe
PID 2188 wrote to memory of 2508	2188	securekerneI.exe	cmd.exe
PID 2188 wrote to memory of 2508	2188	securekerneI.exe	cmd.exe
PID 2188 wrote to memory of 2508	2188	securekerneI.exe	cmd.exe
PID 2508 wrote to memory of 852	2508	cmd.exe	chcp.com
PID 2508 wrote to memory of 852	2508	cmd.exe	chcp.com
PID 2508 wrote to memory of 852	2508	cmd.exe	chcp.com
PID 2508 wrote to memory of 2968	2508	cmd.exe	PING.EXE
PID 2508 wrote to memory of 2968	2508	cmd.exe	PING.EXE
PID 2508 wrote to memory of 2968	2508	cmd.exe	PING.EXE
PID 2508 wrote to memory of 1552	2508	cmd.exe	securekerneI.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Dil1xOw8RWzJ.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2556

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2220

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
5⤵
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YmbXWYSw9e4O.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:2628

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2832

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
7⤵
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AuryW2JnVI3F.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:480

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:1056

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
9⤵
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JZ3yXrru8YAP.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:852

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:2968

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1552

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
11⤵
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XHwznC85ugwF.bat" "
11⤵
PID:1356

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:2008

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:1052

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:856

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
13⤵
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gVsq2dqOZhLl.bat" "
13⤵
PID:2624

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:884

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:768

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2180

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
15⤵
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cb9bU7lCxBOP.bat" "
15⤵
PID:2160

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:2536

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:2708

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2728

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
17⤵
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nkdj9GlRhCxi.bat" "
17⤵
PID:2944

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:3064

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:2940

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2548

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
19⤵
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oX4rfkEq9COj.bat" "
19⤵
PID:1932

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:1644

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:808

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1800

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
21⤵
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HJCHSVFTkp68.bat" "
21⤵
PID:2912

C:\Windows\system32\chcp.com
chcp 65001
22⤵
PID:1976

C:\Windows\system32\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:2976

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2060

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
23⤵
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Vxl8qrtqoOzJ.bat" "
23⤵
PID:1836

C:\Windows\system32\chcp.com
chcp 65001
24⤵
PID:2244

C:\Windows\system32\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:1692

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
24⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1140

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
25⤵
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nMsdyejgfPSA.bat" "
25⤵
PID:2124

C:\Windows\system32\chcp.com
chcp 65001
26⤵
PID:1696

C:\Windows\system32\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:1928

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AuryW2JnVI3F.bat
Filesize
202B

MD5
a3cf1241d291f6706536a867a6898cc3

SHA1
2ecb13f61a48a023c525d75dc46cb86e7b490865

SHA256
5a36fe0c4c33bee75869f235fc643c57d4163a782a5129e264f93fb8cc3d8090

SHA512
f9894ca42bc19418ae89d226b16f205228d301cb6f36453e02d28312ff8b434575b767775b1e1c11ce69df8505e55a201a737898831c9bc159c4cb0237edd1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dil1xOw8RWzJ.bat
Filesize
202B

MD5
5f33af02f7a77ca5941a6a03d1800e84

SHA1
111199fe4c785b3f6205eee8528981ea093016fc

SHA256
bd9f71f85d292b81753a9a6a5f99dd6fd3356c6cf783c3df9374d3b15918468c

SHA512
8669e3636d667c909f2ef9ad271708d8718a7bc32de1ce691de60c45b8b5a9cfeb1476834db7e191b9cd2827c20c481a1d5cf2b350a0811a4d69d4b3087737f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\HJCHSVFTkp68.bat
Filesize
202B

MD5
e892ceb224b021a9d265a2401ce4f29e

SHA1
39b5bceb7ba4de781fd67e19ef65327cc084548a

SHA256
23a529306c12ac3951fb198307df4e2f642dfccb921a2c7e41b0d82f1d305772

SHA512
f9792c8cbddbd0e5026f3334f44e24c75a9a7d4c0db4fa60bdc1538eeb0ad3e8212f1cb34a8dd265dd1c2c4e32c757a1b5be9dbac07d306a7a1ba6cb57e5b3a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\JZ3yXrru8YAP.bat
Filesize
202B

MD5
67030ded03dc63659c8755614f5c5a0c

SHA1
0cee8fe95d46d4f934f0465d113c756b90479959

SHA256
f1bd0e4c89a661e96e5b30ce09ab639fd22d1ae237f0f26668b3459ec5286a4b

SHA512
3d662793f61ebab19b03df83d8849e27ab3b46a80598e739515e647736fcdcec2a0275f4e3ba353a0b48a689ade831594c62dc0b935780fcd017c2b396f1363b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vxl8qrtqoOzJ.bat
Filesize
202B

MD5
79fb899b21f762b141994cb1c6e618a5

SHA1
57c30561895bc6eea57063b96a4d5488b089f027

SHA256
9cf5235a4596fbdd5873abb423e25aff2729c4d79559b3584a3d8c1a706ecccb

SHA512
9fc3b9a87df9b23b23b5234e1d9b088a9bf811d30a4ad8c6c8ac4ebf42aa0b827d5b93ed4afd7500dc82e6d56c507c2a8a049ceda9d7eefd4959450fd1305a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\XHwznC85ugwF.bat
Filesize
202B

MD5
1d3c80f3e5f26405e9f9b48d116b856c

SHA1
1d2037061470145cb9771c237494c94392b78257

SHA256
93155c7bbfec6ad3b817c5ee993a3b3f0d0a1c4ff826e06037387f07b96ece74

SHA512
eb4ddfb6292ce19703720ad8d69cf98970ecf76d082030159ce4bd7096001d2156f5f81c7eb95b10c0fcaf3fa05a390167bcbfd0267e1aca0fc3c183a1849158

Download Submit
C:\Users\Admin\AppData\Local\Temp\YmbXWYSw9e4O.bat
Filesize
202B

MD5
a929c2a9d6fcd12d9668b882718f3643

SHA1
1058564935111b2a1e629ae4985bb3fa54f16b71

SHA256
a762b404f260f2d490d6e5f49f024af980caede9549c4484074b3e9549cffb6c

SHA512
b165591789982b170502bd1a8026996341744c5a38e6b21cd20e07e89875d17a461b1b40333a2c0b4c1ba77f151f5f89327f2efadcd35b1d67c197b781b223e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb9bU7lCxBOP.bat
Filesize
202B

MD5
4dacb0a7b20e26402736c3d2a5e66bfb

SHA1
ef27fce1c6dcb4630ef7bef0344defe3efef2bd8

SHA256
386787be710ecec39cd70145d3c08dd7caa349cd22cefd3c9d58b77921745f07

SHA512
c0187a1da48ff75832f1905fed9b4c8b0a15442c23b657b3129c16b1e5d69f3a6e2fb7ae8f99a0d66960250d8430637845ce4f72db5adfe586af37cf5f2c46f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gVsq2dqOZhLl.bat
Filesize
202B

MD5
1ccbc7b6b96ff46e3dd2dd70d5d40e8e

SHA1
85337c2e9451a0d53a92c5275f19df883c035fdd

SHA256
aec9e2c3920c4ca6a5f94244d1b73d762aa8fa80094dd20cb75bd48726df9f86

SHA512
8587692cd1123717b9515ca30612dc6ae352b0d347743d7d5837f38f56b9ac3c962170bd73b2f95bd64de26271336403949c7687a4cf3c0440006d4112bbf18a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMsdyejgfPSA.bat
Filesize
202B

MD5
0ac96673852d7c5857e7744be740ccdf

SHA1
2649380adfa0346989020cf53c5d33d44ec9923c

SHA256
b4f23a05938f542b951f34b1edc6f9beb1f26b638c29b6c461a0506ecdef6e79

SHA512
e960fadc6721832dbb17d9fcad7edda57be4869f821cf1b2d3ae4fca909fd6b90b4d1ac7d5cd9631fc084dd8bff65cb21793ca380135c8ab26ca3403f36cc31e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkdj9GlRhCxi.bat
Filesize
202B

MD5
889d8668e9dd622f3f8702fa4cf3bd57

SHA1
b8ae5f4bbe0b63f882bde8d1ffe9bfc3e86794cd

SHA256
10054fd2d8cbe11a7c2afa66948483997e8374caea7f8bb36a00cfc35592dd31

SHA512
f37b7cbd4b0c4d62e0c8a5fdff1f8ec95ef3b7de6c919b31429d9afe869c28f244192db1dae9cd3d812f56e89f4954bc3256e0b416bb505f1e620f7f13a8dec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oX4rfkEq9COj.bat
Filesize
202B

MD5
7ad3e645ae39c67e4c6affda15076a69

SHA1
6bdbd412bcb8ef58c5a5561d893218da32ceaab2

SHA256
ea317407c27f9b1c32ad02bddff70a6f1e514bcb9fe88b520cb3f8136e74680c

SHA512
a1fc970debcecb074878dcd8e0a8f40c56c4acbcc58c6b872c6b1db4289881dc43b836c954e10dceac936f91748edf62c4fcaaed6e16f45fdcc42096193d4403

Download Submit
C:\Windows\System32\SubDir\securekerneI.exe
Filesize
3.1MB

MD5
d1fa508b46362032225fd17c5bb85859

SHA1
7690e280c35cb4bf9a71aaad70ff4885393e680a

SHA256
f422a9717bc7a77fe867c28c7841e46f20d55157338f4faa5e5f56c8e07b22e7

SHA512
d1613ea3284a8cf4032632a5594f4d995deb25473cf76c8efd763dbf8fbc8a7e9345d5d3c3aca179773a42a6cb1932c97e3633747ad4d197fc54646dfe9fc184

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/856-65-0x0000000000050000-0x0000000000374000-memory.dmp

Filesize
3.1MB

Download
memory/1116-1-0x0000000000290000-0x00000000005B4000-memory.dmp

Filesize
3.1MB

Download
memory/1116-7-0x000007FEF5F70000-0x000007FEF695C000-memory.dmp

Filesize
9.9MB

Download
memory/1116-2-0x000007FEF5F70000-0x000007FEF695C000-memory.dmp

Filesize
9.9MB

Download
memory/1116-0-0x000007FEF5F73000-0x000007FEF5F74000-memory.dmp

Filesize
4KB

Download
memory/1140-134-0x0000000000F10000-0x0000000001234000-memory.dmp

Filesize
3.1MB

Download
memory/1672-33-0x0000000001310000-0x0000000001634000-memory.dmp

Filesize
3.1MB

Download
memory/1800-110-0x0000000001230000-0x0000000001554000-memory.dmp

Filesize
3.1MB

Download
memory/2060-123-0x0000000000170000-0x0000000000494000-memory.dmp

Filesize
3.1MB

Download
memory/2100-8-0x000007FEF5F70000-0x000007FEF695C000-memory.dmp

Filesize
9.9MB

Download
memory/2100-9-0x0000000000C50000-0x0000000000F74000-memory.dmp

Filesize
3.1MB

Download
memory/2100-10-0x000007FEF5F70000-0x000007FEF695C000-memory.dmp

Filesize
9.9MB

Download
memory/2100-19-0x000007FEF5F70000-0x000007FEF695C000-memory.dmp

Filesize
9.9MB

Download
memory/2180-76-0x0000000000850000-0x0000000000B74000-memory.dmp

Filesize
3.1MB

Download
memory/2548-99-0x00000000010E0000-0x0000000001404000-memory.dmp

Filesize
3.1MB

Download
memory/2728-87-0x00000000008C0000-0x0000000000BE4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads