quasar | f422a9717bc7a77fe867c28c7841e46f20d55157338f4faa5e5f56c8e07b22e7

Analysis

max time kernel
143s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SolaraBootstrapper.exe
Size

3.1MB
MD5

d1fa508b46362032225fd17c5bb85859
SHA1

7690e280c35cb4bf9a71aaad70ff4885393e680a
SHA256

f422a9717bc7a77fe867c28c7841e46f20d55157338f4faa5e5f56c8e07b22e7
SHA512

d1613ea3284a8cf4032632a5594f4d995deb25473cf76c8efd763dbf8fbc8a7e9345d5d3c3aca179773a42a6cb1932c97e3633747ad4d197fc54646dfe9fc184
SSDEEP

49152:TvHlL26AaNeWgPhlmVqvMQ7XSKWLRJ6EbR3LoGdiSTHHB72eh2NT:TvFL26AaNeWgPhlmVqkQ7XSKWLRJ6O

Score

10^/10

quasar solarabootstrapper spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SolaraBootstrapper

DESKTOP-JVK5CI7:4782

Mutex

39c5c45c-62a0-4623-a904-5cbad2aa6b55

Attributes

encryption_key
41AD0502F025DD3F47720DC4BDEED540F3EAFD12
install_name
securekerneI.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Update
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

behavioral2/memory/1096-1-0x0000000000CB0000-0x0000000000FD4000-memory.dmp family_quasar
C:\Windows\System32\SubDir\securekerneI.exe family_quasar

resource	yara_rule
behavioral2/memory/1096-1-0x0000000000CB0000-0x0000000000FD4000-memory.dmp	family_quasar
C:\Windows\System32\SubDir\securekerneI.exe	family_quasar

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

securekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	securekerneI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	securekerneI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	securekerneI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	securekerneI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	securekerneI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	securekerneI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	securekerneI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	securekerneI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	securekerneI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	securekerneI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	securekerneI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	securekerneI.exe

Executes dropped EXE 12 IoCs

Processes:

securekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exe

pid	process
228	securekerneI.exe
4928	securekerneI.exe
4532	securekerneI.exe
4932	securekerneI.exe
2528	securekerneI.exe
4492	securekerneI.exe
4412	securekerneI.exe
1432	securekerneI.exe
4268	securekerneI.exe
5108	securekerneI.exe
1616	securekerneI.exe
940	securekerneI.exe

Drops file in System32 directory 2 IoCs

Processes:

SolaraBootstrapper.exe

description ioc process

File opened for modification C:\Windows\system32\SubDir\securekerneI.exe SolaraBootstrapper.exe
File created C:\Windows\system32\SubDir\securekerneI.exe SolaraBootstrapper.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

540 PING.EXE
2040 PING.EXE
2332 PING.EXE
4112 PING.EXE
4556 PING.EXE
3940 PING.EXE
4128 PING.EXE
2384 PING.EXE
1220 PING.EXE
2104 PING.EXE
3908 PING.EXE
4764 PING.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\SubDir\securekerneI.exe	SolaraBootstrapper.exe
File created	C:\Windows\system32\SubDir\securekerneI.exe	SolaraBootstrapper.exe

pid	process
540	PING.EXE
2040	PING.EXE
2332	PING.EXE
4112	PING.EXE
4556	PING.EXE
3940	PING.EXE
4128	PING.EXE
2384	PING.EXE
1220	PING.EXE
2104	PING.EXE
3908	PING.EXE
4764	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
436	schtasks.exe
4860	schtasks.exe
1472	schtasks.exe
2904	schtasks.exe
4584	schtasks.exe
4212	schtasks.exe
3016	schtasks.exe
2820	schtasks.exe
3168	schtasks.exe
1148	schtasks.exe
4092	schtasks.exe
436	schtasks.exe
2096	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

SolaraBootstrapper.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exe

description	pid	process
Token: SeDebugPrivilege	1096	SolaraBootstrapper.exe
Token: SeDebugPrivilege	228	securekerneI.exe
Token: SeDebugPrivilege	4928	securekerneI.exe
Token: SeDebugPrivilege	4532	securekerneI.exe
Token: SeDebugPrivilege	4932	securekerneI.exe
Token: SeDebugPrivilege	2528	securekerneI.exe
Token: SeDebugPrivilege	4492	securekerneI.exe
Token: SeDebugPrivilege	4412	securekerneI.exe
Token: SeDebugPrivilege	1432	securekerneI.exe
Token: SeDebugPrivilege	4268	securekerneI.exe
Token: SeDebugPrivilege	5108	securekerneI.exe
Token: SeDebugPrivilege	1616	securekerneI.exe
Token: SeDebugPrivilege	940	securekerneI.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

securekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exe

pid	process
228	securekerneI.exe
4928	securekerneI.exe
4532	securekerneI.exe
4932	securekerneI.exe
2528	securekerneI.exe
4492	securekerneI.exe
4412	securekerneI.exe
1432	securekerneI.exe
4268	securekerneI.exe
5108	securekerneI.exe
1616	securekerneI.exe
940	securekerneI.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

securekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exe

pid	process
228	securekerneI.exe
4928	securekerneI.exe
4532	securekerneI.exe
4932	securekerneI.exe
2528	securekerneI.exe
4492	securekerneI.exe
4412	securekerneI.exe
1432	securekerneI.exe
4268	securekerneI.exe
5108	securekerneI.exe
1616	securekerneI.exe
940	securekerneI.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

securekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exe

pid	process
228	securekerneI.exe
4928	securekerneI.exe
4532	securekerneI.exe
4932	securekerneI.exe
2528	securekerneI.exe
4492	securekerneI.exe
4412	securekerneI.exe
1432	securekerneI.exe
4268	securekerneI.exe
5108	securekerneI.exe
1616	securekerneI.exe
940	securekerneI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SolaraBootstrapper.exesecurekerneI.execmd.exesecurekerneI.execmd.exesecurekerneI.execmd.exesecurekerneI.execmd.exesecurekerneI.execmd.exesecurekerneI.execmd.exe

description	pid	process	target process
PID 1096 wrote to memory of 436	1096	SolaraBootstrapper.exe	schtasks.exe
PID 1096 wrote to memory of 436	1096	SolaraBootstrapper.exe	schtasks.exe
PID 1096 wrote to memory of 228	1096	SolaraBootstrapper.exe	securekerneI.exe
PID 1096 wrote to memory of 228	1096	SolaraBootstrapper.exe	securekerneI.exe
PID 228 wrote to memory of 4860	228	securekerneI.exe	schtasks.exe
PID 228 wrote to memory of 4860	228	securekerneI.exe	schtasks.exe
PID 228 wrote to memory of 2600	228	securekerneI.exe	cmd.exe
PID 228 wrote to memory of 2600	228	securekerneI.exe	cmd.exe
PID 2600 wrote to memory of 1704	2600	cmd.exe	chcp.com
PID 2600 wrote to memory of 1704	2600	cmd.exe	chcp.com
PID 2600 wrote to memory of 2332	2600	cmd.exe	PING.EXE
PID 2600 wrote to memory of 2332	2600	cmd.exe	PING.EXE
PID 2600 wrote to memory of 4928	2600	cmd.exe	securekerneI.exe
PID 2600 wrote to memory of 4928	2600	cmd.exe	securekerneI.exe
PID 4928 wrote to memory of 4584	4928	securekerneI.exe	schtasks.exe
PID 4928 wrote to memory of 4584	4928	securekerneI.exe	schtasks.exe
PID 4928 wrote to memory of 2652	4928	securekerneI.exe	cmd.exe
PID 4928 wrote to memory of 2652	4928	securekerneI.exe	cmd.exe
PID 2652 wrote to memory of 5096	2652	cmd.exe	chcp.com
PID 2652 wrote to memory of 5096	2652	cmd.exe	chcp.com
PID 2652 wrote to memory of 2104	2652	cmd.exe	PING.EXE
PID 2652 wrote to memory of 2104	2652	cmd.exe	PING.EXE
PID 2652 wrote to memory of 4532	2652	cmd.exe	securekerneI.exe
PID 2652 wrote to memory of 4532	2652	cmd.exe	securekerneI.exe
PID 4532 wrote to memory of 2820	4532	securekerneI.exe	schtasks.exe
PID 4532 wrote to memory of 2820	4532	securekerneI.exe	schtasks.exe
PID 4532 wrote to memory of 1352	4532	securekerneI.exe	cmd.exe
PID 4532 wrote to memory of 1352	4532	securekerneI.exe	cmd.exe
PID 1352 wrote to memory of 4180	1352	cmd.exe	chcp.com
PID 1352 wrote to memory of 4180	1352	cmd.exe	chcp.com
PID 1352 wrote to memory of 3908	1352	cmd.exe	PING.EXE
PID 1352 wrote to memory of 3908	1352	cmd.exe	PING.EXE
PID 1352 wrote to memory of 4932	1352	cmd.exe	securekerneI.exe
PID 1352 wrote to memory of 4932	1352	cmd.exe	securekerneI.exe
PID 4932 wrote to memory of 4212	4932	securekerneI.exe	schtasks.exe
PID 4932 wrote to memory of 4212	4932	securekerneI.exe	schtasks.exe
PID 4932 wrote to memory of 4088	4932	securekerneI.exe	cmd.exe
PID 4932 wrote to memory of 4088	4932	securekerneI.exe	cmd.exe
PID 4088 wrote to memory of 220	4088	cmd.exe	chcp.com
PID 4088 wrote to memory of 220	4088	cmd.exe	chcp.com
PID 4088 wrote to memory of 4112	4088	cmd.exe	PING.EXE
PID 4088 wrote to memory of 4112	4088	cmd.exe	PING.EXE
PID 4088 wrote to memory of 2528	4088	cmd.exe	securekerneI.exe
PID 4088 wrote to memory of 2528	4088	cmd.exe	securekerneI.exe
PID 2528 wrote to memory of 3168	2528	securekerneI.exe	schtasks.exe
PID 2528 wrote to memory of 3168	2528	securekerneI.exe	schtasks.exe
PID 2528 wrote to memory of 4304	2528	securekerneI.exe	cmd.exe
PID 2528 wrote to memory of 4304	2528	securekerneI.exe	cmd.exe
PID 4304 wrote to memory of 1448	4304	cmd.exe	chcp.com
PID 4304 wrote to memory of 1448	4304	cmd.exe	chcp.com
PID 4304 wrote to memory of 4556	4304	cmd.exe	PING.EXE
PID 4304 wrote to memory of 4556	4304	cmd.exe	PING.EXE
PID 4304 wrote to memory of 4492	4304	cmd.exe	securekerneI.exe
PID 4304 wrote to memory of 4492	4304	cmd.exe	securekerneI.exe
PID 4492 wrote to memory of 436	4492	securekerneI.exe	schtasks.exe
PID 4492 wrote to memory of 436	4492	securekerneI.exe	schtasks.exe
PID 4492 wrote to memory of 2996	4492	securekerneI.exe	cmd.exe
PID 4492 wrote to memory of 2996	4492	securekerneI.exe	cmd.exe
PID 2996 wrote to memory of 1184	2996	cmd.exe	chcp.com
PID 2996 wrote to memory of 1184	2996	cmd.exe	chcp.com
PID 2996 wrote to memory of 3940	2996	cmd.exe	PING.EXE
PID 2996 wrote to memory of 3940	2996	cmd.exe	PING.EXE
PID 2996 wrote to memory of 4412	2996	cmd.exe	securekerneI.exe
PID 2996 wrote to memory of 4412	2996	cmd.exe	securekerneI.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:228

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2Waw3pfy3tFd.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:1704

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2332

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
5⤵
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PG9IgYD4QQ9s.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:5096

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2104

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4532

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
7⤵
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMBvqYuez1h2.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:4180

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:3908

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
9⤵
- Scheduled Task/Job: Scheduled Task
PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGNwc5KeliYN.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:220

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:4112

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
11⤵
- Scheduled Task/Job: Scheduled Task
PID:3168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QWCq6jPhM1gg.bat" "
11⤵
- Suspicious use of WriteProcessMemory
PID:4304

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:1448

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:4556

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
13⤵
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3LdVB1FDaJXz.bat" "
13⤵
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:1184

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:3940

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4412

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
15⤵
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bZbWU8Ts5fjP.bat" "
15⤵
PID:920

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:2128

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:4128

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1432

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
17⤵
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZmS0uPhuHCk1.bat" "
17⤵
PID:656

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:5028

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:4764

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4268

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
19⤵
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w6y6BGvOWKtq.bat" "
19⤵
PID:2820

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:3384

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:2384

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5108

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
21⤵
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAYbPhUC2Ng8.bat" "
21⤵
PID:1320

C:\Windows\system32\chcp.com
chcp 65001
22⤵
PID:4124

C:\Windows\system32\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:540

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1616

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
23⤵
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jpYY8OZwsPN9.bat" "
23⤵
PID:60

C:\Windows\system32\chcp.com
chcp 65001
24⤵
PID:1456

C:\Windows\system32\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:2040

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:940

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
25⤵
- Scheduled Task/Job: Scheduled Task
PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T1MqUacXkSuJ.bat" "
25⤵
PID:4304

C:\Windows\system32\chcp.com
chcp 65001
26⤵
PID:4660

C:\Windows\system32\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:1220

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\securekerneI.exe.log
Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Waw3pfy3tFd.bat
Filesize
202B

MD5
69bfe93e100255050c57d748d753ee2f

SHA1
7277382886ad3d6a3fd2d5bb0dbb14865125842e

SHA256
6373d463001c5370a943aef0c9eab9cf0f613ca1f97098c7d44d98c312db66e5

SHA512
5f8cb6fc14b763ba75fe8fbf8a1080cd89a59fb67966a7ab13ad4bdb49bde6c120bec8313443a86a163da75dfe264793b7066efa5796b3a790c8d2bd4d97ecf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3LdVB1FDaJXz.bat
Filesize
202B

MD5
167ffe1ad7b3cbdb941ae4daefb69604

SHA1
6aab915c47db19c8a27b56ec95f4317e987666f6

SHA256
23da5d6e2a8fbe1fde1889847941b201eea9c6e1f765d913f20ce22ea6260220

SHA512
00b2d8812901c1407d13107390c7f7ca70b60c651d810b7d4f31265c769206a873e2a3d6ace0369889ca9b944c2a0776578df9f6993b52559335eb47433a6fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\PG9IgYD4QQ9s.bat
Filesize
202B

MD5
822dd211906ea23228c4fa4bc97f87cf

SHA1
625d3e04e5904ca402c55e4c9fa4abc188780cac

SHA256
1fc7edad887a2fc770571a9be69f0131f90c3f1ed9f90b8f1ad28de31ed6fc2e

SHA512
ef7a1427601ee0adbaf8de8464e1723e068108b18342ae8a9a00752fd8518f01261fc7d281c7e9b03e3fb902ca5a324bcef566c0f5ac404c6e05969df2e6846e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PGNwc5KeliYN.bat
Filesize
202B

MD5
3b388223280a4d25ca40c6894c1708bb

SHA1
df19aee6dd6b1525277fb4289fd01c752338744f

SHA256
8cdf2098eabae6871d959b3c89b3ea53f02998deceb4765ff94c5e01646ee83d

SHA512
72fa13198609b3deadf44db0462de5ffaf1c08ba988c98033a28dbcded2fbb89af8793b66ddeb68ddcc150e39549c76170d063465fae0ff8706e14b79cf70a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\QWCq6jPhM1gg.bat
Filesize
202B

MD5
ce59d3fd84ae957428324f09fd85e493

SHA1
51e2418c6fd11c03958dfa0ec392c9ccdb364dea

SHA256
299863723bcb88db204822a3decec4404955753121e2115d747634057f0a052d

SHA512
658184cfa1bf4c8c0eb937abf7b5c38af157760cea952c59c3c27648483b336cadcd2a95b5cbd116967d02a11dc3ee00d9c08cb71cf0f998846bcb2c0f547a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\T1MqUacXkSuJ.bat
Filesize
202B

MD5
43bf2ee2bebf92487fdf2686147ed57f

SHA1
e17f77aec6798334062c11da2e11c86383812112

SHA256
b864abc662125b7a21e4c27add3d3dbc227d5a9d1e58c78b7dda202e13a2675a

SHA512
09310d4f57e19662a19bfffc4c380c21bb1e88e6554351f289e4339f40dcec9d06d0b8ded8edaa8fba212c99ffef02953d32ec126fc9b82dc7403eb4f89c04ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAYbPhUC2Ng8.bat
Filesize
202B

MD5
8afee2586ed2fa3e926f740883d147de

SHA1
52c445b7fce8be44701980fce8753cabe36a7562

SHA256
e0a487d7fd25505dd09d908703fa3e3e44053ba75eb183213ade636fed9040a2

SHA512
a3926149e91d87762761b9d5e27f2766573c45bf39acc39d269af651da3612b469ce3a573d36679a5175ab5f671ece272dd9428f8cc742c6fb5815a7c440889a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZmS0uPhuHCk1.bat
Filesize
202B

MD5
8366eb094d71a90edbba56e23d4657bd

SHA1
e77c3f377a63e7f53b9e7ff9175f11805806b9f2

SHA256
d8f3e36d3657469424f59966ff5f46fd1f4909a5277b7c420beb22d877b18884

SHA512
2f3fcf9fa6ece3315220108f1b1d49af190951d84cc4fd255033baa35c9a8c1643db427f9a42957ca473259a84c03da69cda8eba0914055982aadaefeff28f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\bZbWU8Ts5fjP.bat
Filesize
202B

MD5
31a4c8b8cf53bf8c244721b41434870d

SHA1
a6c51a2be0ce75b7490153d274e95ec6e48837d0

SHA256
f0e64e720c03cf11b409c486d86b900b6ea3523c4ad48d9e78c04c35cc03406c

SHA512
2d5587927aea2eb24bccc5f7e4c3a88b92caff8048ab8cdaf259b98cd33233f5f7a7c468f498b6519877f17056401bf222079a2484247539c59f76c1c8b30edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpYY8OZwsPN9.bat
Filesize
202B

MD5
7b6598229ddcfeef509ed231ee56dd56

SHA1
25654674544a30f93a2345d5dc81db76f98f861c

SHA256
a0a9abb21bdb7b317405e91ef1bc75788e1e391d3a92f6a0fd130dd0d6503046

SHA512
d223fa192bccf1e8c9b4fa147d2cf5813e1bbab45d788e5063b496fb518e778418bd0977f82f6f8cd386415d2ae7afe6ba5139b096ec4b45b94a9c495ce9b7dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tMBvqYuez1h2.bat
Filesize
202B

MD5
87a2f4321366e04c1372468869068122

SHA1
9861613acbc16f8d82fbcf68bf5434def4a26878

SHA256
430ccb55f0b4048551abea7b3680d1ea8869603e37fb59d509a405b0a1616375

SHA512
c93212debc0946188fae54d4fe4e26f883adaf3df52d6419ec8cf62faa29d893a030ae2f5cc016708e2f99639181bb7ff3e78c99763d472c7ba95d2885acbf88

Download Submit
C:\Users\Admin\AppData\Local\Temp\w6y6BGvOWKtq.bat
Filesize
202B

MD5
3fc9a6958839928dfb9b12af8655a038

SHA1
ee9beff1cc80f4dd9971615d3d846fbf57957624

SHA256
62d636357ace75ef31c98ce56c72abee729ba0aae43030994dc616629422d6a6

SHA512
c347182fe937b29bd243a8b4278279e7f034e4ba90d4ec3a199379ae252bc60f5eb6930ada051879a554fb9e7366dd5dd4ce4c24c78bfd88f1fa37dfd2fe470a

Download Submit
C:\Windows\System32\SubDir\securekerneI.exe
Filesize
3.1MB

MD5
d1fa508b46362032225fd17c5bb85859

SHA1
7690e280c35cb4bf9a71aaad70ff4885393e680a

SHA256
f422a9717bc7a77fe867c28c7841e46f20d55157338f4faa5e5f56c8e07b22e7

SHA512
d1613ea3284a8cf4032632a5594f4d995deb25473cf76c8efd763dbf8fbc8a7e9345d5d3c3aca179773a42a6cb1932c97e3633747ad4d197fc54646dfe9fc184

Download Submit
memory/228-9-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp

Filesize
10.8MB

Download
memory/228-10-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp

Filesize
10.8MB

Download
memory/228-17-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp

Filesize
10.8MB

Download
memory/228-12-0x000000001CED0000-0x000000001CF82000-memory.dmp

Filesize
712KB

Download
memory/228-11-0x000000001CDC0000-0x000000001CE10000-memory.dmp

Filesize
320KB

Download
memory/1096-8-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp

Filesize
10.8MB

Download
memory/1096-1-0x0000000000CB0000-0x0000000000FD4000-memory.dmp

Filesize
3.1MB

Download
memory/1096-0-0x00007FFB278C3000-0x00007FFB278C5000-memory.dmp

Filesize
8KB

Download
memory/1096-2-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp

Filesize
10.8MB

Download