quasar | 9cee560203681db0106de96c3fd5ed335bed6abacd9724a641b42743adfb6220

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/10/2024, 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

cd8d41167dc2fae9b0ae6a8648d5070f
SHA1

97a475e752d8bbd6a66bb2231b5ab830f86fdc06
SHA256

9cee560203681db0106de96c3fd5ed335bed6abacd9724a641b42743adfb6220
SHA512

d107718753acdc5495222d28cb4323b81dc7a30f5891b37cb95d39f58302e3c5535defe14e01c9602ec8f83e4a6df8972ae1281fe326347e7a6456536dce9c9b
SSDEEP

49152:Pvht62XlaSFNWPjljiFa2RoUYI3xOEMkZk/JxuoGdrPTHHB72eh2NT:PvL62XlaSFNWPjljiFXRoUYI3xM0

Score

10^/10

quasar office04 discovery persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.28:4782

Mutex

03ef2b9a-5389-4312-b3d3-9b6f68cc5386

Attributes

encryption_key
F8A900CD75D848E74023B3A66FA8AA5469C97692
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
.
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 10 IoCs

resource	yara_rule
behavioral1/memory/2096-1-0x0000000000CE0000-0x0000000001004000-memory.dmp	family_quasar
behavioral1/files/0x0009000000016cf6-5.dat	family_quasar
behavioral1/memory/2240-9-0x0000000001190000-0x00000000014B4000-memory.dmp	family_quasar
behavioral1/memory/2140-43-0x0000000000240000-0x0000000000564000-memory.dmp	family_quasar
behavioral1/memory/2200-54-0x0000000001070000-0x0000000001394000-memory.dmp	family_quasar
behavioral1/memory/1688-75-0x00000000003E0000-0x0000000000704000-memory.dmp	family_quasar
behavioral1/memory/2412-87-0x0000000000120000-0x0000000000444000-memory.dmp	family_quasar
behavioral1/memory/2096-98-0x0000000000200000-0x0000000000524000-memory.dmp	family_quasar
behavioral1/memory/624-109-0x0000000000EE0000-0x0000000001204000-memory.dmp	family_quasar
behavioral1/memory/3028-130-0x0000000000E70000-0x0000000001194000-memory.dmp	family_quasar

Executes dropped EXE 13 IoCs

pid	Process
2240	Client.exe
2628	Client.exe
1924	Client.exe
2140	Client.exe
2200	Client.exe
1708	Client.exe
1688	Client.exe
2412	Client.exe
2096	Client.exe
624	Client.exe
1916	Client.exe
3028	Client.exe
2336	Client.exe

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client-built.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2648	PING.EXE
696	PING.EXE
2548	PING.EXE
1616	PING.EXE
1580	PING.EXE
2052	PING.EXE
2840	PING.EXE
2144	PING.EXE
1656	PING.EXE
2928	PING.EXE
3064	PING.EXE
2056	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
2648	PING.EXE
2052	PING.EXE
2840	PING.EXE
2056	PING.EXE
1616	PING.EXE
1580	PING.EXE
2144	PING.EXE
696	PING.EXE
1656	PING.EXE
2548	PING.EXE
2928	PING.EXE
3064	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1512	schtasks.exe
972	schtasks.exe
3056	schtasks.exe
2728	schtasks.exe
2856	schtasks.exe
2692	schtasks.exe
2836	schtasks.exe
2108	schtasks.exe
2240	schtasks.exe
236	schtasks.exe
2080	schtasks.exe
1584	schtasks.exe
2804	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	Client-built.exe
Token: SeDebugPrivilege	2240	Client.exe
Token: SeDebugPrivilege	2628	Client.exe
Token: SeDebugPrivilege	1924	Client.exe
Token: SeDebugPrivilege	2140	Client.exe
Token: SeDebugPrivilege	2200	Client.exe
Token: SeDebugPrivilege	1708	Client.exe
Token: SeDebugPrivilege	1688	Client.exe
Token: SeDebugPrivilege	2412	Client.exe
Token: SeDebugPrivilege	2096	Client.exe
Token: SeDebugPrivilege	624	Client.exe
Token: SeDebugPrivilege	1916	Client.exe
Token: SeDebugPrivilege	3028	Client.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2240	Client.exe
2628	Client.exe
1924	Client.exe
2140	Client.exe
2200	Client.exe
1708	Client.exe
1688	Client.exe
2412	Client.exe
2096	Client.exe
624	Client.exe
1916	Client.exe
3028	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2080	2096	Client-built.exe	30
PID 2096 wrote to memory of 2080	2096	Client-built.exe	30
PID 2096 wrote to memory of 2080	2096	Client-built.exe	30
PID 2096 wrote to memory of 2240	2096	Client-built.exe	32
PID 2096 wrote to memory of 2240	2096	Client-built.exe	32
PID 2096 wrote to memory of 2240	2096	Client-built.exe	32
PID 2240 wrote to memory of 2856	2240	Client.exe	33
PID 2240 wrote to memory of 2856	2240	Client.exe	33
PID 2240 wrote to memory of 2856	2240	Client.exe	33
PID 2240 wrote to memory of 2512	2240	Client.exe	35
PID 2240 wrote to memory of 2512	2240	Client.exe	35
PID 2240 wrote to memory of 2512	2240	Client.exe	35
PID 2512 wrote to memory of 2944	2512	cmd.exe	37
PID 2512 wrote to memory of 2944	2512	cmd.exe	37
PID 2512 wrote to memory of 2944	2512	cmd.exe	37
PID 2512 wrote to memory of 2648	2512	cmd.exe	38
PID 2512 wrote to memory of 2648	2512	cmd.exe	38
PID 2512 wrote to memory of 2648	2512	cmd.exe	38
PID 2512 wrote to memory of 2628	2512	cmd.exe	40
PID 2512 wrote to memory of 2628	2512	cmd.exe	40
PID 2512 wrote to memory of 2628	2512	cmd.exe	40
PID 2628 wrote to memory of 2692	2628	Client.exe	41
PID 2628 wrote to memory of 2692	2628	Client.exe	41
PID 2628 wrote to memory of 2692	2628	Client.exe	41
PID 2628 wrote to memory of 1768	2628	Client.exe	43
PID 2628 wrote to memory of 1768	2628	Client.exe	43
PID 2628 wrote to memory of 1768	2628	Client.exe	43
PID 1768 wrote to memory of 1412	1768	cmd.exe	45
PID 1768 wrote to memory of 1412	1768	cmd.exe	45
PID 1768 wrote to memory of 1412	1768	cmd.exe	45
PID 1768 wrote to memory of 2052	1768	cmd.exe	46
PID 1768 wrote to memory of 2052	1768	cmd.exe	46
PID 1768 wrote to memory of 2052	1768	cmd.exe	46
PID 1768 wrote to memory of 1924	1768	cmd.exe	47
PID 1768 wrote to memory of 1924	1768	cmd.exe	47
PID 1768 wrote to memory of 1924	1768	cmd.exe	47
PID 1924 wrote to memory of 2836	1924	Client.exe	48
PID 1924 wrote to memory of 2836	1924	Client.exe	48
PID 1924 wrote to memory of 2836	1924	Client.exe	48
PID 1924 wrote to memory of 1676	1924	Client.exe	50
PID 1924 wrote to memory of 1676	1924	Client.exe	50
PID 1924 wrote to memory of 1676	1924	Client.exe	50
PID 1676 wrote to memory of 1504	1676	cmd.exe	52
PID 1676 wrote to memory of 1504	1676	cmd.exe	52
PID 1676 wrote to memory of 1504	1676	cmd.exe	52
PID 1676 wrote to memory of 2840	1676	cmd.exe	53
PID 1676 wrote to memory of 2840	1676	cmd.exe	53
PID 1676 wrote to memory of 2840	1676	cmd.exe	53
PID 1676 wrote to memory of 2140	1676	cmd.exe	54
PID 1676 wrote to memory of 2140	1676	cmd.exe	54
PID 1676 wrote to memory of 2140	1676	cmd.exe	54
PID 2140 wrote to memory of 1584	2140	Client.exe	55
PID 2140 wrote to memory of 1584	2140	Client.exe	55
PID 2140 wrote to memory of 1584	2140	Client.exe	55
PID 2140 wrote to memory of 2940	2140	Client.exe	57
PID 2140 wrote to memory of 2940	2140	Client.exe	57
PID 2140 wrote to memory of 2940	2140	Client.exe	57
PID 2940 wrote to memory of 1956	2940	cmd.exe	59
PID 2940 wrote to memory of 1956	2940	cmd.exe	59
PID 2940 wrote to memory of 1956	2940	cmd.exe	59
PID 2940 wrote to memory of 2144	2940	cmd.exe	60
PID 2940 wrote to memory of 2144	2940	cmd.exe	60
PID 2940 wrote to memory of 2144	2940	cmd.exe	60
PID 2940 wrote to memory of 2200	2940	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2080
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2856
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\HvwcoJAviRoB.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2944
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2648
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2692
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\B8OdMDvi2lbg.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1768
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1412
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2052
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2836
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WwIIODJLu9nN.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1504
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2840
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1584
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vXRG91x9ON5f.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2144
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2200
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2804
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9Z5gO2JPClkW.bat" "
        11⤵
        
        PID:1096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:696
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1708
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1512
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TJ03eede15lm.bat" "
        13⤵
        
        PID:928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1256
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1688
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:972
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\K30zZncV3M19.bat" "
        15⤵
        
        PID:2160
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2548
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2412
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2108
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8ipwofXrjRYR.bat" "
        17⤵
        
        PID:2632
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2904
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2928
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2096
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2240
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rjrB9coWGEXd.bat" "
        19⤵
        
        PID:2792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2252
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3064
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:624
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3056
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ty8r2l16kZlz.bat" "
        21⤵
        
        PID:1768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2056
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:236
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gRY3QvHRKyjz.bat" "
        23⤵
        
        PID:1268
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1616
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3028
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2728
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\L5w69ohX9Lv2.bat" "
        25⤵
        
        PID:2144
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2276
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1580
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        
        PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8ipwofXrjRYR.bat

Filesize
207B

MD5
cdd6f97289ed5fc3e4b15f04d718ba0f

SHA1
db211b15ecb3bd298bf20384c30c8c755632c641

SHA256
51ce08d888f13bca79d11fa0b69c3b2eb8f37de3a9699fab776f2a4bc8ccdc8b

SHA512
956a5ab1165f17edafafdc0947077bf1221c69c2d43f82c3bfedc5feae9d285dd9c2cbdd6f95a627b865ff2e5579a977a7aabfe76daba4c5bd2e1db0a58a2dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\9Z5gO2JPClkW.bat

Filesize
207B

MD5
99051766eb0ca07a9f882e9edb4f84af

SHA1
7d3d54ba8ceb1faef504a77dffaa2e4b9475534e

SHA256
c1d142ec0ed8d7816ff3bfd1bb8e121073ad78a57e71b9f6aeb46fbba3081f10

SHA512
fce937c6cc4a663624455c274e152872bff32c0d488620c3f1609088351c90a4e44658be62d49955ac37804cfad78baad361f06f6c78973215bfb8c9fff035fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\B8OdMDvi2lbg.bat

Filesize
207B

MD5
da473db3acf0ac71bc153779117495da

SHA1
a54152d387e95de5886c54a8fba9950ada5d8977

SHA256
f3478431e4e093f866ffc77f20408eaf976befcf29548019114639e8e4db4b3f

SHA512
6ddf5632b62264d2f18beb60cb7e4dc3890d9ed783ba89ef656bebc944f95a809e392ab0eb5da411b491f1e30cbe336b36e0e58d22efc4aff7cf70fd000b23ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\HvwcoJAviRoB.bat

Filesize
207B

MD5
ef27b839d375dd10c65839b3ee64c7d3

SHA1
a262d66f648f716e73ac972d63e2e08d37b9ac72

SHA256
23ec9d9b8c77b322cce98bb177b27d48e5495a7b40cb6e171c1eb194bd0e2aad

SHA512
f6e1714c7f9561625e2ee0c818aaa93842f234ebf4f318f525a59abd1160425901e1e3e73414adde49f96c9693cad2db6d24792b11ab697d4e7cca8706c04635

Download Submit
C:\Users\Admin\AppData\Local\Temp\K30zZncV3M19.bat

Filesize
207B

MD5
96190234e8c34feea8af2e52c6c816b5

SHA1
ad672dbbc70dd3ba5525a05a9c4af504e26606ce

SHA256
fadfdecefade7154a7a9391f365fb887123e48a7796379b1c4a3bd958f0ea8b4

SHA512
800110acaf7faea29c4345a1a093ec53fae04f00e1d1c5ad00fee5cb8b41f84fa0a0753f54369af6a8d965191c5f957b57c1c4e4fc015045873de7f28749e731

Download Submit
C:\Users\Admin\AppData\Local\Temp\L5w69ohX9Lv2.bat

Filesize
207B

MD5
570880823c49532b8adfe33960b217ff

SHA1
bfb8909ac6b25ffc87e623c101cbdba045166051

SHA256
a3f415d96c9e75b586d38b0b5821ffa4d84cf1dbfbec188443cb3ed25cba6f41

SHA512
0512b9d7964bab8004b46e9ff69d031fc2512a24473324016b1a682bc866661740327ed9aab54ede1ec0dda30e6fef866f2a1adcc73960fc74fa381ebaabf637

Download Submit
C:\Users\Admin\AppData\Local\Temp\TJ03eede15lm.bat

Filesize
207B

MD5
d83a83322b4bf7616d4317de544c43d5

SHA1
1864aba9a437719196fe3fc9621eb4d539cbba06

SHA256
950eb2f30ecb63970e602c57264bf6196c066239a558d1d5e5ce951c03c68aa6

SHA512
1606533dc117f00458905ff70f6b670912897b8e5441ff996366d9dca351c2b9e37586e98d7b1bd803aa99f11b7bec3676cb46109626f084d0a43ad9e1bdfeb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ty8r2l16kZlz.bat

Filesize
207B

MD5
99b60b6eaf5647ec76ce358eb4908ebe

SHA1
06d6a8f43e822f38477a0f2d2f0bccc4b9b370c9

SHA256
a4dc397ca0c6b4029b5d772be3fe46d34a6497129da0d456aaf5f4047716a9fa

SHA512
aac689932ede21770540763de462c42a0bb452861870e6a172a3c88d12c01a2ad583fdb380d39db44d8d6ad0ce196e5fb305561e6546c70a088c68d625467d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwIIODJLu9nN.bat

Filesize
207B

MD5
9449a4e86cc0f1b7e0aa1d7642358825

SHA1
462083263e4368054e829cbc0d85f5ffe097c0a2

SHA256
6f32a3f4d2fe0283aa5f62173e8c59a8a75e1037389150bab8c026006fc73f74

SHA512
9b9da4d36a781295c8509662567f20168a22521fe343b699bad2db31e975f81eaade54e119b58de9434116bbb9f510fccd4cba98483fb671c8e8168c72b997af

Download Submit
C:\Users\Admin\AppData\Local\Temp\gRY3QvHRKyjz.bat

Filesize
207B

MD5
cbfe23c09a3e1edc69383d99cd403cd6

SHA1
d299be4af93d10d748b8692011d195e1f02fe41f

SHA256
7fd73af4f5506fcf61308f2158b3a5c4c07ae524713d930b5ea196460337c008

SHA512
a04d33c428c96d1216a055dfc5bd83852fcc79ed2e64af1318363043483fd5b96b44df120d6797ba076fe7bc0801c7cc3fa712759026187fc671b8deb836c0ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjrB9coWGEXd.bat

Filesize
207B

MD5
07081468c0d2c9f92a6d34d3791738aa

SHA1
61cbbf706214da0bd74dd005135edaff1e74634d

SHA256
d21910c77fe0a49b09003bd137d3b799ce7e2cc78ba0ec4ed1b4c389bcdaa72d

SHA512
7ca9ab9c120fbe91d2a38da31f9f7ac4392595e73e95cca6a40f21bdaedde328864b52327addcfe1e188a427562a4965f7cd55f72f4a55aebd29d80b04399df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vXRG91x9ON5f.bat

Filesize
207B

MD5
ed062ff4525d9190a15a63c1fff7a0b9

SHA1
919e2bc66a4864282eb7f5a25a5b25c2e00881c6

SHA256
07f68f164e9a97c967d19df09f8c1328f393a50229a45b34550d34f1d9ec62ba

SHA512
f6ae648ddc41b74860e4dcfe42893ae7c2b809f4efd21cb17a91668f36bff620d32b750d12a0f0541301f104c67da97209dd927a69216e26b4a00169a6ca064c

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
423KB

MD5
0a7cba9342d7bcdbd9eb985a1907b5cd

SHA1
a28214f8b9e7a78994d02908f4c956ed8c5ac01b

SHA256
48d9916bda8338bfefc64bd0296b4dd4be00ae0690cb03931ba27640d0388898

SHA512
41459191eb81db3ab5911089eda144c7dcbbcc85eec57ae4323295cfaf837d231449825f23456022f33f7049d18ab2db25648b26ea5e4da1c9b812c3c85c7006

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
cd8d41167dc2fae9b0ae6a8648d5070f

SHA1
97a475e752d8bbd6a66bb2231b5ab830f86fdc06

SHA256
9cee560203681db0106de96c3fd5ed335bed6abacd9724a641b42743adfb6220

SHA512
d107718753acdc5495222d28cb4323b81dc7a30f5891b37cb95d39f58302e3c5535defe14e01c9602ec8f83e4a6df8972ae1281fe326347e7a6456536dce9c9b

Download Submit
memory/624-109-0x0000000000EE0000-0x0000000001204000-memory.dmp

Filesize
3.1MB

Download
memory/1688-75-0x00000000003E0000-0x0000000000704000-memory.dmp

Filesize
3.1MB

Download
memory/2096-0-0x000007FEF6523000-0x000007FEF6524000-memory.dmp

Filesize
4KB

Download
memory/2096-1-0x0000000000CE0000-0x0000000001004000-memory.dmp

Filesize
3.1MB

Download
memory/2096-2-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-7-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-98-0x0000000000200000-0x0000000000524000-memory.dmp

Filesize
3.1MB

Download
memory/2140-43-0x0000000000240000-0x0000000000564000-memory.dmp

Filesize
3.1MB

Download
memory/2200-54-0x0000000001070000-0x0000000001394000-memory.dmp

Filesize
3.1MB

Download
memory/2240-20-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2240-8-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2240-9-0x0000000001190000-0x00000000014B4000-memory.dmp

Filesize
3.1MB

Download
memory/2240-10-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2412-87-0x0000000000120000-0x0000000000444000-memory.dmp

Filesize
3.1MB

Download
memory/3028-130-0x0000000000E70000-0x0000000001194000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads