quasar | 72d2aedd7b7d74faee7b632bc3cbbd8c0c3be4f9ffb61601c7a779e5a7f1052e

Analysis

max time kernel
145s
max time network
144s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-07-2024 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

e55e15bea243fd9bba10a445fa3441ae
SHA1

4d2f04eb3cd2169652ae28ea02db2aaa8ee1123a
SHA256

72d2aedd7b7d74faee7b632bc3cbbd8c0c3be4f9ffb61601c7a779e5a7f1052e
SHA512

18ac9230fc33a8fa18e0270cf6ea6f68f034dfe15d97a6ac7fc59591f8c7ff05e2014d843ca8c8d0e20345219b491a862dd7900cdf44466cff4f4f862d69c6c2
SSDEEP

49152:yvOI22SsaNYfdPBldt698dBcjHqkFAfdRoGd7MTHHB72eh2NT:yvj22SsaNYfdPBldt6+dBcjHqFff

Score

10^/10

quasar solara spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Solara

DESKTOP-JVK5CI7:4782

Mutex

39c5c45c-62a0-4623-a904-5cbad2aa6b55

Attributes

encryption_key
41AD0502F025DD3F47720DC4BDEED540F3EAFD12
install_name
securekerneI.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Update
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1904-1-0x0000000000A40000-0x0000000000D64000-memory.dmp	family_quasar
C:\Windows\System32\SubDir\securekerneI.exe	family_quasar
behavioral1/memory/2492-7-0x00000000002F0000-0x0000000000614000-memory.dmp	family_quasar
behavioral1/memory/2832-22-0x0000000001270000-0x0000000001594000-memory.dmp	family_quasar
behavioral1/memory/1796-33-0x0000000000010000-0x0000000000334000-memory.dmp	family_quasar
behavioral1/memory/1144-45-0x0000000000CE0000-0x0000000001004000-memory.dmp	family_quasar
behavioral1/memory/1468-56-0x0000000000E40000-0x0000000001164000-memory.dmp	family_quasar
behavioral1/memory/1936-69-0x0000000000E50000-0x0000000001174000-memory.dmp	family_quasar
behavioral1/memory/1532-80-0x00000000011C0000-0x00000000014E4000-memory.dmp	family_quasar
behavioral1/memory/2916-134-0x0000000000200000-0x0000000000524000-memory.dmp	family_quasar

Executes dropped EXE 12 IoCs

Processes:

securekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exe

pid	process
2492	securekerneI.exe
2832	securekerneI.exe
1796	securekerneI.exe
1144	securekerneI.exe
1468	securekerneI.exe
1936	securekerneI.exe
1532	securekerneI.exe
2528	securekerneI.exe
1476	securekerneI.exe
1568	securekerneI.exe
1652	securekerneI.exe
2916	securekerneI.exe

Drops file in System32 directory 2 IoCs

Processes:

Client-built.exe

description ioc process

File opened for modification C:\Windows\system32\SubDir\securekerneI.exe Client-built.exe
File created C:\Windows\system32\SubDir\securekerneI.exe Client-built.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

1664 PING.EXE
2420 PING.EXE
2108 PING.EXE
2120 PING.EXE
1588 PING.EXE
2812 PING.EXE
1508 PING.EXE
1680 PING.EXE
1724 PING.EXE
1244 PING.EXE
816 PING.EXE
3012 PING.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\SubDir\securekerneI.exe	Client-built.exe
File created	C:\Windows\system32\SubDir\securekerneI.exe	Client-built.exe

pid	process
1664	PING.EXE
2420	PING.EXE
2108	PING.EXE
2120	PING.EXE
1588	PING.EXE
2812	PING.EXE
1508	PING.EXE
1680	PING.EXE
1724	PING.EXE
1244	PING.EXE
816	PING.EXE
3012	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2552	schtasks.exe
3052	schtasks.exe
2860	schtasks.exe
1616	schtasks.exe
2208	schtasks.exe
1728	schtasks.exe
2872	schtasks.exe
404	schtasks.exe
2096	schtasks.exe
500	schtasks.exe
2456	schtasks.exe
2496	schtasks.exe
2880	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

Client-built.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exe

description	pid	process
Token: SeDebugPrivilege	1904	Client-built.exe
Token: SeDebugPrivilege	2492	securekerneI.exe
Token: SeDebugPrivilege	2832	securekerneI.exe
Token: SeDebugPrivilege	1796	securekerneI.exe
Token: SeDebugPrivilege	1144	securekerneI.exe
Token: SeDebugPrivilege	1468	securekerneI.exe
Token: SeDebugPrivilege	1936	securekerneI.exe
Token: SeDebugPrivilege	1532	securekerneI.exe
Token: SeDebugPrivilege	2528	securekerneI.exe
Token: SeDebugPrivilege	1476	securekerneI.exe
Token: SeDebugPrivilege	1568	securekerneI.exe
Token: SeDebugPrivilege	1652	securekerneI.exe
Token: SeDebugPrivilege	2916	securekerneI.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

securekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exe

pid	process
2492	securekerneI.exe
2832	securekerneI.exe
1796	securekerneI.exe
1144	securekerneI.exe
1468	securekerneI.exe
1936	securekerneI.exe
1532	securekerneI.exe
2528	securekerneI.exe
1476	securekerneI.exe
1568	securekerneI.exe
1652	securekerneI.exe
2916	securekerneI.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

securekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exe

pid	process
2492	securekerneI.exe
2832	securekerneI.exe
1796	securekerneI.exe
1144	securekerneI.exe
1468	securekerneI.exe
1936	securekerneI.exe
1532	securekerneI.exe
2528	securekerneI.exe
1476	securekerneI.exe
1568	securekerneI.exe
1652	securekerneI.exe
2916	securekerneI.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

securekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exesecurekerneI.exe

pid	process
2492	securekerneI.exe
2832	securekerneI.exe
1796	securekerneI.exe
1144	securekerneI.exe
1468	securekerneI.exe
1936	securekerneI.exe
1532	securekerneI.exe
2528	securekerneI.exe
1476	securekerneI.exe
1568	securekerneI.exe
1652	securekerneI.exe
2916	securekerneI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client-built.exesecurekerneI.execmd.exesecurekerneI.execmd.exesecurekerneI.execmd.exesecurekerneI.execmd.exe

description	pid	process	target process
PID 1904 wrote to memory of 2456	1904	Client-built.exe	schtasks.exe
PID 1904 wrote to memory of 2456	1904	Client-built.exe	schtasks.exe
PID 1904 wrote to memory of 2456	1904	Client-built.exe	schtasks.exe
PID 1904 wrote to memory of 2492	1904	Client-built.exe	securekerneI.exe
PID 1904 wrote to memory of 2492	1904	Client-built.exe	securekerneI.exe
PID 1904 wrote to memory of 2492	1904	Client-built.exe	securekerneI.exe
PID 2492 wrote to memory of 2496	2492	securekerneI.exe	schtasks.exe
PID 2492 wrote to memory of 2496	2492	securekerneI.exe	schtasks.exe
PID 2492 wrote to memory of 2496	2492	securekerneI.exe	schtasks.exe
PID 2492 wrote to memory of 2500	2492	securekerneI.exe	cmd.exe
PID 2492 wrote to memory of 2500	2492	securekerneI.exe	cmd.exe
PID 2492 wrote to memory of 2500	2492	securekerneI.exe	cmd.exe
PID 2500 wrote to memory of 2272	2500	cmd.exe	chcp.com
PID 2500 wrote to memory of 2272	2500	cmd.exe	chcp.com
PID 2500 wrote to memory of 2272	2500	cmd.exe	chcp.com
PID 2500 wrote to memory of 2420	2500	cmd.exe	PING.EXE
PID 2500 wrote to memory of 2420	2500	cmd.exe	PING.EXE
PID 2500 wrote to memory of 2420	2500	cmd.exe	PING.EXE
PID 2500 wrote to memory of 2832	2500	cmd.exe	securekerneI.exe
PID 2500 wrote to memory of 2832	2500	cmd.exe	securekerneI.exe
PID 2500 wrote to memory of 2832	2500	cmd.exe	securekerneI.exe
PID 2832 wrote to memory of 1728	2832	securekerneI.exe	schtasks.exe
PID 2832 wrote to memory of 1728	2832	securekerneI.exe	schtasks.exe
PID 2832 wrote to memory of 1728	2832	securekerneI.exe	schtasks.exe
PID 2832 wrote to memory of 2660	2832	securekerneI.exe	cmd.exe
PID 2832 wrote to memory of 2660	2832	securekerneI.exe	cmd.exe
PID 2832 wrote to memory of 2660	2832	securekerneI.exe	cmd.exe
PID 2660 wrote to memory of 332	2660	cmd.exe	chcp.com
PID 2660 wrote to memory of 332	2660	cmd.exe	chcp.com
PID 2660 wrote to memory of 332	2660	cmd.exe	chcp.com
PID 2660 wrote to memory of 2108	2660	cmd.exe	PING.EXE
PID 2660 wrote to memory of 2108	2660	cmd.exe	PING.EXE
PID 2660 wrote to memory of 2108	2660	cmd.exe	PING.EXE
PID 2660 wrote to memory of 1796	2660	cmd.exe	securekerneI.exe
PID 2660 wrote to memory of 1796	2660	cmd.exe	securekerneI.exe
PID 2660 wrote to memory of 1796	2660	cmd.exe	securekerneI.exe
PID 1796 wrote to memory of 2096	1796	securekerneI.exe	schtasks.exe
PID 1796 wrote to memory of 2096	1796	securekerneI.exe	schtasks.exe
PID 1796 wrote to memory of 2096	1796	securekerneI.exe	schtasks.exe
PID 1796 wrote to memory of 1516	1796	securekerneI.exe	cmd.exe
PID 1796 wrote to memory of 1516	1796	securekerneI.exe	cmd.exe
PID 1796 wrote to memory of 1516	1796	securekerneI.exe	cmd.exe
PID 1516 wrote to memory of 1232	1516	cmd.exe	chcp.com
PID 1516 wrote to memory of 1232	1516	cmd.exe	chcp.com
PID 1516 wrote to memory of 1232	1516	cmd.exe	chcp.com
PID 1516 wrote to memory of 1244	1516	cmd.exe	PING.EXE
PID 1516 wrote to memory of 1244	1516	cmd.exe	PING.EXE
PID 1516 wrote to memory of 1244	1516	cmd.exe	PING.EXE
PID 1516 wrote to memory of 1144	1516	cmd.exe	securekerneI.exe
PID 1516 wrote to memory of 1144	1516	cmd.exe	securekerneI.exe
PID 1516 wrote to memory of 1144	1516	cmd.exe	securekerneI.exe
PID 1144 wrote to memory of 3052	1144	securekerneI.exe	schtasks.exe
PID 1144 wrote to memory of 3052	1144	securekerneI.exe	schtasks.exe
PID 1144 wrote to memory of 3052	1144	securekerneI.exe	schtasks.exe
PID 1144 wrote to memory of 2312	1144	securekerneI.exe	cmd.exe
PID 1144 wrote to memory of 2312	1144	securekerneI.exe	cmd.exe
PID 1144 wrote to memory of 2312	1144	securekerneI.exe	cmd.exe
PID 2312 wrote to memory of 768	2312	cmd.exe	chcp.com
PID 2312 wrote to memory of 768	2312	cmd.exe	chcp.com
PID 2312 wrote to memory of 768	2312	cmd.exe	chcp.com
PID 2312 wrote to memory of 816	2312	cmd.exe	PING.EXE
PID 2312 wrote to memory of 816	2312	cmd.exe	PING.EXE
PID 2312 wrote to memory of 816	2312	cmd.exe	PING.EXE
PID 2312 wrote to memory of 1468	2312	cmd.exe	securekerneI.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kO5IObUoPaw0.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2272

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2420

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
5⤵
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FuZ8U4fo0lp8.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:332

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2108

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
7⤵
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\D8FrrYJe3P0d.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:1232

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:1244

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
9⤵
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hKjx2gFROtyE.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:768

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:816

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1468

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
11⤵
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CyvXLa5bVy15.bat" "
11⤵
PID:956

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:1264

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:3012

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1936

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
13⤵
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\f11mG4vRLywm.bat" "
13⤵
PID:1668

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:892

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:1588

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1532

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
15⤵
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\2v09rRvqSFpF.bat" "
15⤵
PID:2612

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:2124

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:2120

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2528

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
17⤵
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pLluVBtS4Xhi.bat" "
17⤵
PID:2484

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:1972

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:2812

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1476

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
19⤵
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BakSXLGPahf3.bat" "
19⤵
PID:2776

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:284

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:1508

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1568

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
21⤵
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Vm4tEs9uW2bQ.bat" "
21⤵
PID:2284

C:\Windows\system32\chcp.com
chcp 65001
22⤵
PID:1252

C:\Windows\system32\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:1680

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1652

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
23⤵
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MZKZUPvjUHco.bat" "
23⤵
PID:3068

C:\Windows\system32\chcp.com
chcp 65001
24⤵
PID:2860

C:\Windows\system32\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:1664

C:\Windows\system32\SubDir\securekerneI.exe
"C:\Windows\system32\SubDir\securekerneI.exe"
24⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2916

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\securekerneI.exe" /rl HIGHEST /f
25⤵
- Scheduled Task/Job: Scheduled Task
PID:500

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\u1APd9wWEsrt.bat" "
25⤵
PID:3012

C:\Windows\system32\chcp.com
chcp 65001
26⤵
PID:2192

C:\Windows\system32\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:1724

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2v09rRvqSFpF.bat
Filesize
202B

MD5
6d13c0778d8ad4d8f85f4dfe41427cf5

SHA1
20ac2130032d9f4cae046571c33e79f7c3aa9191

SHA256
3f6b7404fd2e09fc676ff20fb0ae800fec33677dc79393698724ee6dcfe93794

SHA512
764563c3274944d630c363df26e9d65a4cbebe3355e995317e23d577ba2c5102ba46dfe55f2afde19a3ed9b0623f35d657442d89e82871711e3dd32e3b8613a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BakSXLGPahf3.bat
Filesize
202B

MD5
8b1fdbc497c9f87749c99f85b2120283

SHA1
4e990dec409b8ef1c4d284931d123478c839b559

SHA256
020e061a56071c1b4c6759fd26b6192451a7a4ca4d55be3190418466cc67ee57

SHA512
a1597178a83a644fa5d6d10454ead918def41e2c29dd130f9cc2830fe73c40057f4ffa0776371defddbad615a53342631e5eebc9ba5e5a95782a2744285ed0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\CyvXLa5bVy15.bat
Filesize
202B

MD5
d535c0c6cc152d6b85cf17a9a10dd4d6

SHA1
1b672050c88638b5354d25b7ddbda432cee492ee

SHA256
39a49440884749dd47152005c20fec729fca92765a49750de05e8bd19c8a03e6

SHA512
e187d12c963904b3ce49335e5ec0aad75f5ad8b775b01bb71bbefbceda903572ee7aa910df99b9647717c2cf746876585fa671b1540f39713a222b87a2a50239

Download Submit
C:\Users\Admin\AppData\Local\Temp\D8FrrYJe3P0d.bat
Filesize
202B

MD5
185c1557212b0ef611dc89549a8d34cf

SHA1
145804dc8e89ecd071fd3e0f874c0674f8828e22

SHA256
f754fc1d39dab41acce6128d38a26349f0f54122ed2e6cef7986b59bd00fc06e

SHA512
e861eb26901920883f03f6ff6968493bbfd8603fd7422f72156e841fff19996ec13cfe4971b8c636e98061b6936d85aa18222a78c43dd599408fdfef3f3b8cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FuZ8U4fo0lp8.bat
Filesize
202B

MD5
c60c0829d816b8f62b8da0687e07c535

SHA1
afb521901937fff015d7e425fcec516d29356591

SHA256
27befe757667825719009b6853ea134e56da6c76ff27c15509c861c578c6619c

SHA512
c38ef807e7e2c35e596695e0918d89e016470a3b928cbd12b75ab3ee4b3bf0570473ed234e0e1fc34686fdd4f3ab8822934cfd9834e00a1153e48e8530d99ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MZKZUPvjUHco.bat
Filesize
202B

MD5
95a8bcd5ca232cfb1418f0b6ec314e6d

SHA1
cad527cb699885b38c6cbff923107db2948eff76

SHA256
33ee2cbb3ea98aa52d8e17cb75866656e728d8186bbd3c56d53b83ff0f9c1b42

SHA512
07d4a2b7e0bdd721eef15dd1202a4b087563ab21f7dcf4762d5a5c00b4f2839c1d28cf8611cd701f2719764b902dc845869be29a14210a74529484f329991ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vm4tEs9uW2bQ.bat
Filesize
202B

MD5
df812315bd8f4f91f60073b70b632f6f

SHA1
9882b9689867281e4b611f4d67eed6f50f083cc2

SHA256
618117be13b31861caf630d9366af86877df7b4aec567647bb46eaeac4c9b3e3

SHA512
73b80cd028e792cd25e5b3e6bd73c41d4efa8f61e61ed2950e4e97c0fa53193af8758b5c9ac117aca91876eeec90b3b7e4da81fd4a5a6fe9839af1686d8999db

Download Submit
C:\Users\Admin\AppData\Local\Temp\f11mG4vRLywm.bat
Filesize
202B

MD5
822206478d89402fee183123a1cfd3bd

SHA1
f85ac9d5352d5c72dbe8764e217d908150768a3a

SHA256
0ee6df2c080ebf0ce2dbfc110817a10fd1ffdcf43ebf5c47da1416dedbf049c3

SHA512
8fcedfc228944fc4c2cd5960f393a0f35d62647138c134a0a90cbb684705f12c8d20ee8f5e2d6db744e08256064a28032743648e363a518b59bf25cdacdc0332

Download Submit
C:\Users\Admin\AppData\Local\Temp\hKjx2gFROtyE.bat
Filesize
202B

MD5
32fbf898b361627886a80d412cd4d032

SHA1
7f7db0aa6a9829dc0c07cb5cf65e9bce8044bd46

SHA256
bc56bc01187e917996222272b8c210a7608e02d7eedd408247c2f020da84763e

SHA512
935d85e54911ff2afc5418ccd6766b2f4394cc58a6273d277109a4f31363a2c5126073bfb1ddcf753e1b0628f759ce5edd54a93dfee789fd34f93e545ce52066

Download Submit
C:\Users\Admin\AppData\Local\Temp\kO5IObUoPaw0.bat
Filesize
202B

MD5
4e0a7b31b50df65a1e4457a4e1f7f6d9

SHA1
b81792b971da8e1646c506d6077a10d29171dbbd

SHA256
ce469fef17f06066576257fe4b19cbc695598ea6254c149e93b9e449a7c364b3

SHA512
2f13e5766190210e5bc2cca6272940f519d971b1ac5fdcd51ca7371fa0c9c5a2b2e575ef931ff37656ca5f9263af6c0c6bdb7056a1e4e2f91edba645666bedc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pLluVBtS4Xhi.bat
Filesize
202B

MD5
b3f4ab0c63444a0958b624523f5dd2ae

SHA1
93d0def70cb67e7427ed337f853fca9061d36d3f

SHA256
e9a3a1a07174485ef888c29ba743821c3b4d878df7d9d29a6cb5803e483ba026

SHA512
798ffba3d892fc70e2775086beb5a875ffed3e25de7568608eb842f09bdbc3f68e783fd39216e5202d28f10af90c9444e65da70f15ed9241d7492d0761a666b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1APd9wWEsrt.bat
Filesize
202B

MD5
8b94eeb873861aaebf951604ed78bd06

SHA1
a8d1f47f6d0dc00586da8596ad007fdffac89292

SHA256
e2187e86a64d063681640bc570140f1cf6ebffc356707825fd4110ed913185c7

SHA512
d5717ea3c1e79f0c0152fd86e9eb25445f30d60f8cbb3d0abf1dc02feb10abcd3ee8ee9ed9604723e39efe90f4d0c3a7b2a97a786ccb03c828855a4b669d249a

Download Submit
C:\Windows\System32\SubDir\securekerneI.exe
Filesize
3.1MB

MD5
e55e15bea243fd9bba10a445fa3441ae

SHA1
4d2f04eb3cd2169652ae28ea02db2aaa8ee1123a

SHA256
72d2aedd7b7d74faee7b632bc3cbbd8c0c3be4f9ffb61601c7a779e5a7f1052e

SHA512
18ac9230fc33a8fa18e0270cf6ea6f68f034dfe15d97a6ac7fc59591f8c7ff05e2014d843ca8c8d0e20345219b491a862dd7900cdf44466cff4f4f862d69c6c2

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1144-45-0x0000000000CE0000-0x0000000001004000-memory.dmp

Filesize
3.1MB

Download
memory/1468-56-0x0000000000E40000-0x0000000001164000-memory.dmp

Filesize
3.1MB

Download
memory/1532-80-0x00000000011C0000-0x00000000014E4000-memory.dmp

Filesize
3.1MB

Download
memory/1796-33-0x0000000000010000-0x0000000000334000-memory.dmp

Filesize
3.1MB

Download
memory/1904-0-0x000007FEF5B03000-0x000007FEF5B04000-memory.dmp

Filesize
4KB

Download
memory/1904-8-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/1904-2-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/1904-1-0x0000000000A40000-0x0000000000D64000-memory.dmp

Filesize
3.1MB

Download
memory/1936-69-0x0000000000E50000-0x0000000001174000-memory.dmp

Filesize
3.1MB

Download
memory/2492-20-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2492-10-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2492-9-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2492-7-0x00000000002F0000-0x0000000000614000-memory.dmp

Filesize
3.1MB

Download
memory/2832-22-0x0000000001270000-0x0000000001594000-memory.dmp

Filesize
3.1MB

Download
memory/2916-134-0x0000000000200000-0x0000000000524000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads