Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/03/2024, 07:11
Static task: static1
Behavioral task: behavioral1
Sample: c803b24286b85e84999728e62074f29a.exe
Resource: win7-20231129-en
General
Target: c803b24286b85e84999728e62074f29a.exe
Size: 832KB
MD5: c803b24286b85e84999728e62074f29a
SHA1: a535987863ef3ffc0bbc5bda52b531fb687f7af8
SHA256: caeadc9fe15c86a04c0cbc13445cf555b14ad95b5d3a4104d62e72fdd371cdb7
SHA512: 8007add191fb1bf9b182f6a623b7c3677257d51fe1d133fce5cbb3aa61288dfedd5022b884b1d28fc6730a351da19d4a738edd69d0305739b1e9942da846ef62
SSDEEP: 6144:CBIXwYejKKPcAHDMn4xJRBgiBoPysbZbz4DkyNnvBImJ0H9owHbAmw/J4ffMzYVA:PQjdM40btzONp5We5zDSHzBu6/cwbGj
Malware Config
Extracted
family: quasar
version: 1.3.0.0
botnet: rat2000
c2: noelsfreexd.ddns.net:80
c2: noelsfreexd.ddns.net:443
mutex: QSR_MUTEX_pZaUbVWTnEK2l6CC6k
encryption_key: z8mQ697A1LH8Y5CjsRnd
install_name: Client.exe
log_directory: Logs
reconnect_delay: 2500
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures
Quasar RAT
description | flow | ioc | Process
Key value queried | | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | c803b24286b85e84999728e62074f29a.exe
| 25 | ip-api.com | Process not Found
| 202 | ip-api.com | Process not Found
| 222 | ip-api.com | Process not Found
Quasar payload 2 IoCs
resource | yara_rule
behavioral2/files/0x00090000000226e5-9.dat | family_quasar
behavioral2/memory/440-17-0x00000000008D0000-0x000000000092E000-memory.dmp | family_quasar
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | c803b24286b85e84999728e62074f29a.exe
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | Client.exe
Executes dropped EXE 15 IoCs
pid | Process
440 | cmd.exe
4312 | Client.exe
1732 | Client.exe
2016 | Client.exe
1680 | Client.exe
4272 | Client.exe
4816 | Client.exe
5044 | Client.exe
1892 | Client.exe
520 | Client.exe
3588 | Client.exe
5044 | Client.exe
1680 | Client.exe
2288 | Client.exe
5020 | Client.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
25 | ip-api.com
202 | ip-api.com
222 | ip-api.com
Drops file in System32 directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\SubDir\Client.exe | cmd.exe
File created | C:\Windows\SysWOW64\SubDir\Client.exe | cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 14 IoCs
pid | pid_target | Process | procid_target
3200 | 4312 | WerFault.exe | 96
4004 | 1732 | WerFault.exe | 118
5024 | 2016 | WerFault.exe | 127
4148 | 1680 | WerFault.exe | 138
1060 | 4272 | WerFault.exe | 147
3296 | 4816 | WerFault.exe | 156
4452 | 5044 | WerFault.exe | 166
4760 | 1892 | WerFault.exe | 175
2220 | 520 | WerFault.exe | 184
4272 | 3588 | WerFault.exe | 196
340 | 5044 | WerFault.exe | 205
2916 | 1680 | WerFault.exe | 214
4004 | 2288 | WerFault.exe | 223
4064 | 5020 | WerFault.exe | 234
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1948 | schtasks.exe
2344 | schtasks.exe
3948 | schtasks.exe
396 | schtasks.exe
1184 | schtasks.exe
780 | schtasks.exe
780 | schtasks.exe
1288 | schtasks.exe
4264 | schtasks.exe
4576 | schtasks.exe
652 | schtasks.exe
4736 | schtasks.exe
4524 | schtasks.exe
5076 | schtasks.exe
4800 | schtasks.exe
Runs ping.exe 1 TTPs 14 IoCs
pid | Process
4064 | PING.EXE
648 | PING.EXE
2740 | PING.EXE
4804 | PING.EXE
1908 | PING.EXE
3940 | PING.EXE
3248 | PING.EXE
4116 | PING.EXE
780 | PING.EXE
468 | PING.EXE
2964 | PING.EXE
3660 | PING.EXE
1168 | PING.EXE
1404 | PING.EXE
Suspicious use of AdjustPrivilegeToken 16 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3284 | c803b24286b85e84999728e62074f29a.exe
Token: SeDebugPrivilege | 440 | cmd.exe
Token: SeDebugPrivilege | 4312 | Client.exe
Token: SeDebugPrivilege | 1732 | Client.exe
Token: SeDebugPrivilege | 2016 | Client.exe
Token: SeDebugPrivilege | 1680 | Client.exe
Token: SeDebugPrivilege | 4272 | Client.exe
Token: SeDebugPrivilege | 4816 | Client.exe
Token: SeDebugPrivilege | 5044 | Client.exe
Token: SeDebugPrivilege | 1892 | Client.exe
Token: SeDebugPrivilege | 520 | Client.exe
Token: SeDebugPrivilege | 3588 | Client.exe
Token: SeDebugPrivilege | 5044 | Client.exe
Token: SeDebugPrivilege | 1680 | Client.exe
Token: SeDebugPrivilege | 2288 | Client.exe
Token: SeDebugPrivilege | 5020 | Client.exe
Suspicious use of SetWindowsHookEx 14 IoCs
pid | Process
4312 | Client.exe
1732 | Client.exe
2016 | Client.exe
1680 | Client.exe
4272 | Client.exe
4816 | Client.exe
5044 | Client.exe
1892 | Client.exe
520 | Client.exe
3588 | Client.exe
5044 | Client.exe
1680 | Client.exe
2288 | Client.exe
5020 | Client.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3284 wrote to memory of 440 | 3284 | c803b24286b85e84999728e62074f29a.exe | 91
PID 3284 wrote to memory of 440 | 3284 | c803b24286b85e84999728e62074f29a.exe | 91
PID 3284 wrote to memory of 440 | 3284 | c803b24286b85e84999728e62074f29a.exe | 91
PID 440 wrote to memory of 1948 | 440 | cmd.exe | 94
PID 440 wrote to memory of 1948 | 440 | cmd.exe | 94
PID 440 wrote to memory of 1948 | 440 | cmd.exe | 94
PID 440 wrote to memory of 4312 | 440 | cmd.exe | 96
PID 440 wrote to memory of 4312 | 440 | cmd.exe | 96
PID 440 wrote to memory of 4312 | 440 | cmd.exe | 96
PID 4312 wrote to memory of 652 | 4312 | Client.exe | 98
PID 4312 wrote to memory of 652 | 4312 | Client.exe | 98
PID 4312 wrote to memory of 652 | 4312 | Client.exe | 98
PID 4312 wrote to memory of 1892 | 4312 | Client.exe | 102
PID 4312 wrote to memory of 1892 | 4312 | Client.exe | 102
PID 4312 wrote to memory of 1892 | 4312 | Client.exe | 102
PID 1892 wrote to memory of 1684 | 1892 | cmd.exe | 106
PID 1892 wrote to memory of 1684 | 1892 | cmd.exe | 106
PID 1892 wrote to memory of 1684 | 1892 | cmd.exe | 106
PID 1892 wrote to memory of 3248 | 1892 | cmd.exe | 107
PID 1892 wrote to memory of 3248 | 1892 | cmd.exe | 107
PID 1892 wrote to memory of 3248 | 1892 | cmd.exe | 107
PID 1892 wrote to memory of 1732 | 1892 | cmd.exe | 118
PID 1892 wrote to memory of 1732 | 1892 | cmd.exe | 118
PID 1892 wrote to memory of 1732 | 1892 | cmd.exe | 118
PID 1732 wrote to memory of 4736 | 1732 | Client.exe | 119
PID 1732 wrote to memory of 4736 | 1732 | Client.exe | 119
PID 1732 wrote to memory of 4736 | 1732 | Client.exe | 119
PID 1732 wrote to memory of 3528 | 1732 | Client.exe | 121
PID 1732 wrote to memory of 3528 | 1732 | Client.exe | 121
PID 1732 wrote to memory of 3528 | 1732 | Client.exe | 121
PID 3528 wrote to memory of 5116 | 3528 | cmd.exe | 125
PID 3528 wrote to memory of 5116 | 3528 | cmd.exe | 125
PID 3528 wrote to memory of 5116 | 3528 | cmd.exe | 125
PID 3528 wrote to memory of 3940 | 3528 | cmd.exe | 126
PID 3528 wrote to memory of 3940 | 3528 | cmd.exe | 126
PID 3528 wrote to memory of 3940 | 3528 | cmd.exe | 126
PID 3528 wrote to memory of 2016 | 3528 | cmd.exe | 127
PID 3528 wrote to memory of 2016 | 3528 | cmd.exe | 127
PID 3528 wrote to memory of 2016 | 3528 | cmd.exe | 127
PID 2016 wrote to memory of 2344 | 2016 | Client.exe | 128
PID 2016 wrote to memory of 2344 | 2016 | Client.exe | 128
PID 2016 wrote to memory of 2344 | 2016 | Client.exe | 128
PID 2016 wrote to memory of 4856 | 2016 | Client.exe | 130
PID 2016 wrote to memory of 4856 | 2016 | Client.exe | 130
PID 2016 wrote to memory of 4856 | 2016 | Client.exe | 130
PID 4856 wrote to memory of 520 | 4856 | cmd.exe | 134
PID 4856 wrote to memory of 520 | 4856 | cmd.exe | 134
PID 4856 wrote to memory of 520 | 4856 | cmd.exe | 134
PID 4856 wrote to memory of 4064 | 4856 | cmd.exe | 135
PID 4856 wrote to memory of 4064 | 4856 | cmd.exe | 135
PID 4856 wrote to memory of 4064 | 4856 | cmd.exe | 135
PID 4856 wrote to memory of 1680 | 4856 | cmd.exe | 138
PID 4856 wrote to memory of 1680 | 4856 | cmd.exe | 138
PID 4856 wrote to memory of 1680 | 4856 | cmd.exe | 138
PID 1680 wrote to memory of 1184 | 1680 | Client.exe | 139
PID 1680 wrote to memory of 1184 | 1680 | Client.exe | 139
PID 1680 wrote to memory of 1184 | 1680 | Client.exe | 139
PID 1680 wrote to memory of 3368 | 1680 | Client.exe | 141
PID 1680 wrote to memory of 3368 | 1680 | Client.exe | 141
PID 1680 wrote to memory of 3368 | 1680 | Client.exe | 141
PID 3368 wrote to memory of 1908 | 3368 | cmd.exe | 144
PID 3368 wrote to memory of 1908 | 3368 | cmd.exe | 144
PID 3368 wrote to memory of 1908 | 3368 | cmd.exe | 144
PID 3368 wrote to memory of 2964 | 3368 | cmd.exe | 146
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe"
  - Quasar RAT
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3284
[depth 2] C:\Users\Admin\AppData\Local\Temp\cmd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 440
[depth 3] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\cmd.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
  PID: 1948
[depth 3] C:\Windows\SysWOW64\SubDir\Client.exe
  Command line: "C:\Windows\SysWOW64\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4312
[depth 4] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
  PID: 652
[depth 4] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BO3QOwEY1Tdr.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 1892
[depth 5] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  PID: 1684
[depth 5] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  - Runs ping.exe
  PID: 3248
[depth 5] C:\Windows\SysWOW64\SubDir\Client.exe
  Command line: "C:\Windows\SysWOW64\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1732
[depth 6] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
  PID: 4736
[depth 6] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v1j2WY0OPXMd.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 3528
[depth 7] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  PID: 5116
[depth 7] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  - Runs ping.exe
  PID: 3940
[depth 7] C:\Windows\SysWOW64\SubDir\Client.exe
  Command line: "C:\Windows\SysWOW64\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2016
[depth 8] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
  PID: 2344
[depth 8] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5mo6YuOtZOn7.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 4856
[depth 9] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  PID: 520
[depth 9] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  - Runs ping.exe
  PID: 4064
[depth 9] C:\Windows\SysWOW64\SubDir\Client.exe
  Command line: "C:\Windows\SysWOW64\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1680
[depth 10] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
  PID: 1184
[depth 10] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7XmnF6OvqVlt.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 3368
[depth 11] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  PID: 1908
[depth 11] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  - Runs ping.exe
  PID: 2964
[depth 11] C:\Windows\SysWOW64\SubDir\Client.exe
  Command line: "C:\Windows\SysWOW64\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 4272
[depth 12] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
  PID: 4524
[depth 12] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9v0GYHlXtlJP.bat" "
  PID: 4572
[depth 13] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  PID: 2584
[depth 13] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  - Runs ping.exe
  PID: 648
[depth 13] C:\Windows\SysWOW64\SubDir\Client.exe
  Command line: "C:\Windows\SysWOW64\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 4816
[depth 14] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
  PID: 3948
[depth 14] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y4eQEqKlVbcz.bat" "
  PID: 4272
[depth 15] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  PID: 2320
[depth 15] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  - Runs ping.exe
  PID: 3660
[depth 15] C:\Windows\SysWOW64\SubDir\Client.exe
  Command line: "C:\Windows\SysWOW64\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 5044
[depth 16] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
  PID: 5076
[depth 16] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lh8l9DHvPT3e.bat" "
  PID: 3064
[depth 17] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  PID: 404
[depth 17] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  - Runs ping.exe
  PID: 2740
[depth 17] C:\Windows\SysWOW64\SubDir\Client.exe
  Command line: "C:\Windows\SysWOW64\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 1892
[depth 18] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
  PID: 396
[depth 18] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A8mmp3VpWbtp.bat" "
  PID: 5064
[depth 19] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  PID: 4400
[depth 19] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  - Runs ping.exe
  PID: 4804
[depth 19] C:\Windows\SysWOW64\SubDir\Client.exe
  Command line: "C:\Windows\SysWOW64\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 520
[depth 20] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
  PID: 780
[depth 20] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUOe5HAnpuHc.bat" "
  PID: 1836
[depth 21] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  PID: 3052
[depth 21] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  - Runs ping.exe
  PID: 4116
[depth 21] C:\Windows\SysWOW64\SubDir\Client.exe
  Command line: "C:\Windows\SysWOW64\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 3588
[depth 22] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
  PID: 4800
[depth 22] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\orzVLWpm8EfO.bat" "
  PID: 2296
[depth 23] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  PID: 2036
[depth 23] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  - Runs ping.exe
  PID: 1908
[depth 23] C:\Windows\SysWOW64\SubDir\Client.exe
  Command line: "C:\Windows\SysWOW64\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 5044
[depth 24] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
  PID: 780
[depth 24] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w7ukbfbCb6Dy.bat" "
  PID: 2980
[depth 25] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  PID: 3064
[depth 25] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  - Runs ping.exe
  PID: 1168
[depth 25] C:\Windows\SysWOW64\SubDir\Client.exe
  Command line: "C:\Windows\SysWOW64\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 1680
[depth 26] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
  PID: 1288
[depth 26] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9uoYQl81HlLN.bat" "
  PID: 2680
[depth 27] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  PID: 4800
[depth 27] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  - Runs ping.exe
  PID: 1404
[depth 27] C:\Windows\SysWOW64\SubDir\Client.exe
  Command line: "C:\Windows\SysWOW64\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 2288
[depth 28] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
  PID: 4264
[depth 28] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGPPfznza4jA.bat" "
  PID: 648
[depth 29] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  PID: 3208
[depth 29] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  - Runs ping.exe
  PID: 780
[depth 29] C:\Windows\SysWOW64\SubDir\Client.exe
  Command line: "C:\Windows\SysWOW64\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 5020
[depth 30] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
  PID: 4576
[depth 30] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6JNxMTTgMTDX.bat" "
  PID: 2052
[depth 31] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  PID: 2580
[depth 31] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  - Runs ping.exe
  PID: 468
[depth 30] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 2196
  - Program crash
  PID: 4064
[depth 28] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 1676
  - Program crash
  PID: 4004
[depth 26] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 2224
  - Program crash
  PID: 2916
[depth 24] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 2188
  - Program crash
  PID: 340
[depth 22] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 2220
  - Program crash
  PID: 4272
[depth 20] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 520 -s 2196
  - Program crash
  PID: 2220
[depth 18] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 2212
  - Program crash
  PID: 4760
[depth 16] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 2224
  - Program crash
  PID: 4452
[depth 14] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 2192
  - Program crash
  PID: 3296
[depth 12] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 2212
  - Program crash
  PID: 1060
[depth 10] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 2208
  - Program crash
  PID: 4148
[depth 8] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 2196
  - Program crash
  PID: 5024
[depth 6] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 1672
  - Program crash
  PID: 4004
[depth 4] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 2236
  - Program crash
  PID: 3200
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4312 -ip 4312
  PID: 2520
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1732 -ip 1732
  PID: 1932
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2016 -ip 2016
  PID: 1876
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1680 -ip 1680
  PID: 4524
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4272 -ip 4272
  PID: 2292
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4816 -ip 4816
  PID: 3064
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5044 -ip 5044
  PID: 4916
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1892 -ip 1892
  PID: 4660
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 520 -ip 520
  PID: 4616
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3588 -ip 3588
  PID: 4356
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5044 -ip 5044
  PID: 1636
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1680 -ip 1680
  PID: 3292
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2288 -ip 2288
  PID: 4760
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5020 -ip 5020
  PID: 4176
Network
MITRE ATT&CK Enterprise v15
Downloads