quasar | 29bd747b03d4cc850e0c0733b4ff15a29ecd61de57701e4e6cc7aed90b83ef56

Analysis

max time kernel
147s
max time network
151s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09-06-2024 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Byfron.exe
Size

3.1MB
MD5

cb12954abfb20424cfc22e1c189ddfa9
SHA1

dc8cb9d361cebb1a4ca13ce904cdd7136c9255c2
SHA256

29bd747b03d4cc850e0c0733b4ff15a29ecd61de57701e4e6cc7aed90b83ef56
SHA512

54dafd06e682eef74fd9d1377917429b1b304bb0be185f32406dbdea56d6afd8047a213f3e40191a817931077ee448993d9adc6228a1ab042fee52b9ebac611f
SSDEEP

49152:kv8Y52fyaSZOrPWluWBuGG5g5hVtmfmzK0oGdT3THHB72eh2NT:kvF52fyaSZOrPWluWBDG5g5hVtmm

Score

10^/10

quasar ohio spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

ohio

idk:4782

Mutex

5c7d6a36-dffc-4ec3-8525-ba9161772945

Attributes

encryption_key
7930C3883BFB3E417BEC9036B64E581CD2465EFE
install_name
Byfron.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Balls
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4816-1-0x0000000000D80000-0x00000000010A4000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe	family_quasar

Executes dropped EXE 13 IoCs

Processes:

Byfron.exeByfron.exeByfron.exeByfron.exeByfron.exeByfron.exeByfron.exeByfron.exeByfron.exeByfron.exeByfron.exeByfron.exeByfron.exe

pid	process
3648	Byfron.exe
4548	Byfron.exe
4288	Byfron.exe
3148	Byfron.exe
1792	Byfron.exe
4300	Byfron.exe
2056	Byfron.exe
720	Byfron.exe
2500	Byfron.exe
4324	Byfron.exe
1900	Byfron.exe
4756	Byfron.exe
820	Byfron.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4444	schtasks.exe
2008	schtasks.exe
3716	schtasks.exe
1476	schtasks.exe
3016	schtasks.exe
3592	schtasks.exe
216	schtasks.exe
2252	schtasks.exe
1352	schtasks.exe
2748	schtasks.exe
1956	schtasks.exe
2096	schtasks.exe
312	schtasks.exe
5092	schtasks.exe

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
1272	PING.EXE
2632	PING.EXE
3364	PING.EXE
4848	PING.EXE
4856	PING.EXE
1528	PING.EXE
3928	PING.EXE
4760	PING.EXE
3636	PING.EXE
1312	PING.EXE
2204	PING.EXE
1540	PING.EXE
4340	PING.EXE

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

Byfron.exeByfron.exeByfron.exeByfron.exeByfron.exeByfron.exeByfron.exeByfron.exeByfron.exeByfron.exeByfron.exeByfron.exeByfron.exeByfron.exe

description	pid	process
Token: SeDebugPrivilege	4816	Byfron.exe
Token: SeDebugPrivilege	3648	Byfron.exe
Token: SeDebugPrivilege	4548	Byfron.exe
Token: SeDebugPrivilege	4288	Byfron.exe
Token: SeDebugPrivilege	3148	Byfron.exe
Token: SeDebugPrivilege	1792	Byfron.exe
Token: SeDebugPrivilege	4300	Byfron.exe
Token: SeDebugPrivilege	2056	Byfron.exe
Token: SeDebugPrivilege	720	Byfron.exe
Token: SeDebugPrivilege	2500	Byfron.exe
Token: SeDebugPrivilege	4324	Byfron.exe
Token: SeDebugPrivilege	1900	Byfron.exe
Token: SeDebugPrivilege	4756	Byfron.exe
Token: SeDebugPrivilege	820	Byfron.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

Byfron.exeByfron.exeByfron.exeByfron.exeByfron.exeByfron.exeByfron.exeByfron.exeByfron.exeByfron.exeByfron.exeByfron.exe

pid	process
3648	Byfron.exe
4548	Byfron.exe
4288	Byfron.exe
3148	Byfron.exe
1792	Byfron.exe
4300	Byfron.exe
2056	Byfron.exe
720	Byfron.exe
2500	Byfron.exe
4324	Byfron.exe
1900	Byfron.exe
4756	Byfron.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Byfron.exeByfron.execmd.exeByfron.execmd.exeByfron.execmd.exeByfron.execmd.exeByfron.execmd.exeByfron.execmd.exe

description	pid	process	target process
PID 4816 wrote to memory of 2748	4816	Byfron.exe	schtasks.exe
PID 4816 wrote to memory of 2748	4816	Byfron.exe	schtasks.exe
PID 4816 wrote to memory of 3648	4816	Byfron.exe	Byfron.exe
PID 4816 wrote to memory of 3648	4816	Byfron.exe	Byfron.exe
PID 3648 wrote to memory of 216	3648	Byfron.exe	schtasks.exe
PID 3648 wrote to memory of 216	3648	Byfron.exe	schtasks.exe
PID 3648 wrote to memory of 4488	3648	Byfron.exe	cmd.exe
PID 3648 wrote to memory of 4488	3648	Byfron.exe	cmd.exe
PID 4488 wrote to memory of 4512	4488	cmd.exe	chcp.com
PID 4488 wrote to memory of 4512	4488	cmd.exe	chcp.com
PID 4488 wrote to memory of 3636	4488	cmd.exe	PING.EXE
PID 4488 wrote to memory of 3636	4488	cmd.exe	PING.EXE
PID 4488 wrote to memory of 4548	4488	cmd.exe	Byfron.exe
PID 4488 wrote to memory of 4548	4488	cmd.exe	Byfron.exe
PID 4548 wrote to memory of 1956	4548	Byfron.exe	schtasks.exe
PID 4548 wrote to memory of 1956	4548	Byfron.exe	schtasks.exe
PID 4548 wrote to memory of 4612	4548	Byfron.exe	cmd.exe
PID 4548 wrote to memory of 4612	4548	Byfron.exe	cmd.exe
PID 4612 wrote to memory of 2952	4612	cmd.exe	chcp.com
PID 4612 wrote to memory of 2952	4612	cmd.exe	chcp.com
PID 4612 wrote to memory of 1540	4612	cmd.exe	PING.EXE
PID 4612 wrote to memory of 1540	4612	cmd.exe	PING.EXE
PID 4612 wrote to memory of 4288	4612	cmd.exe	Byfron.exe
PID 4612 wrote to memory of 4288	4612	cmd.exe	Byfron.exe
PID 4288 wrote to memory of 2096	4288	Byfron.exe	schtasks.exe
PID 4288 wrote to memory of 2096	4288	Byfron.exe	schtasks.exe
PID 4288 wrote to memory of 4748	4288	Byfron.exe	cmd.exe
PID 4288 wrote to memory of 4748	4288	Byfron.exe	cmd.exe
PID 4748 wrote to memory of 1328	4748	cmd.exe	chcp.com
PID 4748 wrote to memory of 1328	4748	cmd.exe	chcp.com
PID 4748 wrote to memory of 1312	4748	cmd.exe	PING.EXE
PID 4748 wrote to memory of 1312	4748	cmd.exe	PING.EXE
PID 4748 wrote to memory of 3148	4748	cmd.exe	Byfron.exe
PID 4748 wrote to memory of 3148	4748	cmd.exe	Byfron.exe
PID 3148 wrote to memory of 4444	3148	Byfron.exe	schtasks.exe
PID 3148 wrote to memory of 4444	3148	Byfron.exe	schtasks.exe
PID 3148 wrote to memory of 2060	3148	Byfron.exe	cmd.exe
PID 3148 wrote to memory of 2060	3148	Byfron.exe	cmd.exe
PID 2060 wrote to memory of 4580	2060	cmd.exe	chcp.com
PID 2060 wrote to memory of 4580	2060	cmd.exe	chcp.com
PID 2060 wrote to memory of 1272	2060	cmd.exe	PING.EXE
PID 2060 wrote to memory of 1272	2060	cmd.exe	PING.EXE
PID 2060 wrote to memory of 1792	2060	cmd.exe	Byfron.exe
PID 2060 wrote to memory of 1792	2060	cmd.exe	Byfron.exe
PID 1792 wrote to memory of 2252	1792	Byfron.exe	schtasks.exe
PID 1792 wrote to memory of 2252	1792	Byfron.exe	schtasks.exe
PID 1792 wrote to memory of 4476	1792	Byfron.exe	cmd.exe
PID 1792 wrote to memory of 4476	1792	Byfron.exe	cmd.exe
PID 4476 wrote to memory of 64	4476	cmd.exe	chcp.com
PID 4476 wrote to memory of 64	4476	cmd.exe	chcp.com
PID 4476 wrote to memory of 2204	4476	cmd.exe	PING.EXE
PID 4476 wrote to memory of 2204	4476	cmd.exe	PING.EXE
PID 4476 wrote to memory of 4300	4476	cmd.exe	Byfron.exe
PID 4476 wrote to memory of 4300	4476	cmd.exe	Byfron.exe
PID 4300 wrote to memory of 1476	4300	Byfron.exe	schtasks.exe
PID 4300 wrote to memory of 1476	4300	Byfron.exe	schtasks.exe
PID 4300 wrote to memory of 3476	4300	Byfron.exe	cmd.exe
PID 4300 wrote to memory of 3476	4300	Byfron.exe	cmd.exe
PID 3476 wrote to memory of 404	3476	cmd.exe	chcp.com
PID 3476 wrote to memory of 404	3476	cmd.exe	chcp.com
PID 3476 wrote to memory of 4856	3476	cmd.exe	PING.EXE
PID 3476 wrote to memory of 4856	3476	cmd.exe	PING.EXE
PID 3476 wrote to memory of 2056	3476	cmd.exe	Byfron.exe
PID 3476 wrote to memory of 2056	3476	cmd.exe	Byfron.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Byfron.exe
"C:\Users\Admin\AppData\Local\Temp\Byfron.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2748

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3648

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QL60oPaY9TH0.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:4512

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:3636

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XZnENHZOweSx.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4612

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:2952

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:1540

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OUwVP5LC1p4x.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:1328

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:1312

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3148

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Mr2r4gC2PV56.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:4580

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:1272

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZEVaEL12xU9e.bat" "
11⤵
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:64

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:2204

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"
12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4300

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\otcjA491IT6Q.bat" "
13⤵
- Suspicious use of WriteProcessMemory
PID:3476

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:404

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:4856

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"
14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2056

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iyMbeM5scY35.bat" "
15⤵
PID:2764

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:2420

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:3364

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"
16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:720

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:1352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\J9Tu0eGCazMb.bat" "
17⤵
PID:2800

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:4100

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:2632

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"
18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2500

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GKDsBrS147pv.bat" "
19⤵
PID:4280

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:1452

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:1528

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"
20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4324

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bJ5B3o0Sl4WE.bat" "
21⤵
PID:1460

C:\Windows\system32\chcp.com
chcp 65001
22⤵
PID:888

C:\Windows\system32\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:4848

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"
22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1900

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:3716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5UyYUvTcmfnR.bat" "
23⤵
PID:4288

C:\Windows\system32\chcp.com
chcp 65001
24⤵
PID:1312

C:\Windows\system32\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:3928

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"
24⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4756

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sZEEx7dcoxLc.bat" "
25⤵
PID:1872

C:\Windows\system32\chcp.com
chcp 65001
26⤵
PID:2412

C:\Windows\system32\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:4760

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"
26⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2sf0w0l7WzLG.bat" "
27⤵
PID:1480

C:\Windows\system32\chcp.com
chcp 65001
28⤵
PID:5024

C:\Windows\system32\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:4340

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Byfron.exe.log
Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2sf0w0l7WzLG.bat
Filesize
207B

MD5
92709e37181ae5752172194d73d4100c

SHA1
20d5b14cd2d92890f71aa25035f6dd1367d52d51

SHA256
7956e74180106aa1d86a58d5bbde26b01dd7101d4bb35208eb46a8b5350723ac

SHA512
de033e69602511690442eb6f32a64ea61d6af59d285345b749d9d894ceead9239c07df6c2c26ecfff4b6dd01c87868a71a983f984c07c1c615e66eb07f55bc81

Download Submit
C:\Users\Admin\AppData\Local\Temp\5UyYUvTcmfnR.bat
Filesize
207B

MD5
e79a2a4eb425d4501020241f40e73105

SHA1
93a026c571bb8dce55b3981953a0f86c89a41ec9

SHA256
b21b5ad5adfadd345a3c90be8a4dc4680d948ab378438280f863eebacda8b6a9

SHA512
adf8579ae5b65f2be0f75e299deb6cba203024cd20afd8860d33e8333097e66138c681fc43b279919413a26d27f70cc96c802deeba027e2861b857c3da1d9f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GKDsBrS147pv.bat
Filesize
207B

MD5
37a9dff8f58d407957c44ce7adb40fcf

SHA1
87d0b60ef9fda397a87c7efb3e120602b7e4bcc9

SHA256
3959de9e5e992b18c2e4736df7d3ce6e15200d3af86003c3122d93101ee769bf

SHA512
38f4ffcb5d80c221ec72ff4a2787155b53548b338df0b110f438d8da37f072ea1b1a76fe7dd2b55b9e8c486f65b6a32c0185d0db9de85dbb476f7c8e5375659a

Download Submit
C:\Users\Admin\AppData\Local\Temp\J9Tu0eGCazMb.bat
Filesize
207B

MD5
ed6ceaa216764a373ac62848d736efe0

SHA1
999733b1db6f1d31cc44d1d47e2afb521427f0c3

SHA256
0927d3ed02f35dcaa2b58b060b8ca2be9562f75d469188be1df6d1ce584ccc6d

SHA512
aa95a36bb773e48a59f67cfc9bf0d548b994f7fef4df02c1ce1305d523d70849cbe381f9c0537efff444710ccf1ef84a77db23099d59ed4951c1225ad6430c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mr2r4gC2PV56.bat
Filesize
207B

MD5
daeaa556994968f6f18a711d073a84c2

SHA1
383ad1d67e8c3c929ffd99b2a30aedf3c31e5e83

SHA256
1b9f50dfb9c6d1746d4dd0f1976eee6969e01ff864d9f7a301f419ae9a6cba69

SHA512
a53004469e70eb200dd2758df467093ea28f3c622d11f5e6519bfdaf229ca6cd272bb2616a5e3550333e57c28e21d9799e49d65e622a265e0ecd941c6ea84fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUwVP5LC1p4x.bat
Filesize
207B

MD5
ad0f93d8b7661d83de6005e6725010cb

SHA1
4828b00f4f5485cf78836f9de9dd62e0e698094d

SHA256
51d4ff2d8df24795360715a989fd1cfc320f863312b3138755a6cb4df6fc3db1

SHA512
08caa26d634dc2c85b45942af38545d044afdd013ffd312eb6161ed98571b98b96248e154b3048188106be68a0ad25a9d9e7a3ebd929773f725606760b011b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QL60oPaY9TH0.bat
Filesize
207B

MD5
694b0edf8a6f18cc334778791f1c9a87

SHA1
50ebe2159e558b25c7478d06be960cc796f4a547

SHA256
a771d16b5940bbea11d008e188482ce3285a8fdef4a6ec3f2b55e142d5d3e63f

SHA512
86b78e61a70b0ac1de47171e245b7f0431805b90450affa0e4a8b32959b6b75a42e4474fb88740be44b487696a4e17a52efd56404b3582c28df14ea463e37808

Download Submit
C:\Users\Admin\AppData\Local\Temp\XZnENHZOweSx.bat
Filesize
207B

MD5
3489eb1cb254d735204b46294776ea34

SHA1
62302fa9b1f1ab04495fd9d6d1d7668d1ca368a0

SHA256
ab8ad1d67ca3e0e8bb96d602c92e6949f86ad445032b5aff78e0fb71c7a3e500

SHA512
0e48e9f2f21625172d6f315753587d7468df3df7be8a248315024192f5be2022571027184196dcb5071d8ad73c31601998104ee2024fd9550cb289875a074fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZEVaEL12xU9e.bat
Filesize
207B

MD5
87683d04af6cff5c96836bd4a0257218

SHA1
10ac12074b26b281f96ec736568c0816f1960657

SHA256
9cf35c6c0ee5f0dae975eeef76ee2b52d037528636c608983c51b0456de3faae

SHA512
cf7592dcd3f4ff9298830bc2babaa33da6eb5e79d5b59303adea5d1898d2d0bbb51671a6ba315016074340302640580458aee413048f897710bee068e1c0f0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\bJ5B3o0Sl4WE.bat
Filesize
207B

MD5
612fdec1cdd4b95472680830db8be4f5

SHA1
6fa24972ca064c01d83d95f19b208981af94a46c

SHA256
df4600c9e7f749c46b0313268eab925bd91435696ce0ae78fa89fa167b2b8d46

SHA512
264293c78ca61759c022cb30bdc718f7c68aec0a431bfb6dfa0047b671bf13a058e15adce227a55c945ad19bf1d9a70dd886f16f2ac6da29060df13c8033c1dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\iyMbeM5scY35.bat
Filesize
207B

MD5
d15a30b5311747917648511a22ca57ed

SHA1
7cebe7d85d60932bf8c5fbf9c6b62bdd61447ed0

SHA256
419b7bf1d5ca8c0ea75831a0d233c91e6b9677b68fcb6213b257e213d38bebb1

SHA512
c88783f65dfe604d1b73fe4adc6a20c2d6ab333a348cb1c594fd22bb88310d19527e98b4c695b1e85791f161731efbf1808db3de0d0a4ddba9056dfa879b5963

Download Submit
C:\Users\Admin\AppData\Local\Temp\otcjA491IT6Q.bat
Filesize
207B

MD5
72eafa5dca73de58363e45ebcb7d6149

SHA1
137d7ec1e08bfbaeb1fc535a5c3aa597e9cfca15

SHA256
f52f67720070241dbb2e7fcca85ca8ffcdec3edacd5615fcc7caa87ecc5dcbb6

SHA512
e8778aade22667e95aab7a803f318ed5bf2ebc2c9821caf5a9d55e4e18f716ff0c41e0017e0f519fe96bf6adf329bb4f1fbb18946f9f88c4dce4f5bf55e40034

Download Submit
C:\Users\Admin\AppData\Local\Temp\sZEEx7dcoxLc.bat
Filesize
207B

MD5
0e57ed661b8a55e24607e3c900884a4b

SHA1
c0dbc7560c6049829e47ca27d5525399eafc9d98

SHA256
fc94f6b3df351b8b072e191c39d837d7a3fcf6f47aa4ad9c20a7a828d0139781

SHA512
9b4746bfd3288e19b87dad6201a1ca6609dd0abc56021c860b0f09e09aa3332a82568ef4a8cc85f43a8f5fd7034285079559b5843e3b8cb3ca7f221f43270d22

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
Filesize
3.1MB

MD5
cb12954abfb20424cfc22e1c189ddfa9

SHA1
dc8cb9d361cebb1a4ca13ce904cdd7136c9255c2

SHA256
29bd747b03d4cc850e0c0733b4ff15a29ecd61de57701e4e6cc7aed90b83ef56

SHA512
54dafd06e682eef74fd9d1377917429b1b304bb0be185f32406dbdea56d6afd8047a213f3e40191a817931077ee448993d9adc6228a1ab042fee52b9ebac611f

Download Submit
memory/3648-18-0x00007FFCC9C10000-0x00007FFCCA5FC000-memory.dmp

Filesize
9.9MB

Download
memory/3648-12-0x000000001C210000-0x000000001C260000-memory.dmp

Filesize
320KB

Download
memory/3648-13-0x000000001C320000-0x000000001C3D2000-memory.dmp

Filesize
712KB

Download
memory/3648-11-0x00007FFCC9C10000-0x00007FFCCA5FC000-memory.dmp

Filesize
9.9MB

Download
memory/3648-10-0x00007FFCC9C10000-0x00007FFCCA5FC000-memory.dmp

Filesize
9.9MB

Download
memory/4816-24-0x00007FFCC9C10000-0x00007FFCCA5FC000-memory.dmp

Filesize
9.9MB

Download
memory/4816-0-0x00007FFCC9C13000-0x00007FFCC9C14000-memory.dmp

Filesize
4KB

Download
memory/4816-2-0x00007FFCC9C10000-0x00007FFCCA5FC000-memory.dmp

Filesize
9.9MB

Download
memory/4816-1-0x0000000000D80000-0x00000000010A4000-memory.dmp

Filesize
3.1MB

Download