quasar | 9cee560203681db0106de96c3fd5ed335bed6abacd9724a641b42743adfb6220

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2024 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

cd8d41167dc2fae9b0ae6a8648d5070f
SHA1

97a475e752d8bbd6a66bb2231b5ab830f86fdc06
SHA256

9cee560203681db0106de96c3fd5ed335bed6abacd9724a641b42743adfb6220
SHA512

d107718753acdc5495222d28cb4323b81dc7a30f5891b37cb95d39f58302e3c5535defe14e01c9602ec8f83e4a6df8972ae1281fe326347e7a6456536dce9c9b
SSDEEP

49152:Pvht62XlaSFNWPjljiFa2RoUYI3xOEMkZk/JxuoGdrPTHHB72eh2NT:PvL62XlaSFNWPjljiFXRoUYI3xM0

Score

10^/10

quasar office04 discovery persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.28:4782

Mutex

03ef2b9a-5389-4312-b3d3-9b6f68cc5386

Attributes

encryption_key
F8A900CD75D848E74023B3A66FA8AA5469C97692
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
.
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1052-1-0x0000000000AF0000-0x0000000000E14000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b57-5.dat	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	Process
1860	Client.exe
4440	Client.exe
1796	Client.exe
4208	Client.exe
4948	Client.exe
2088	Client.exe
4900	Client.exe
3352	Client.exe
3736	Client.exe
2156	Client.exe
876	Client.exe
4832	Client.exe
4488	Client.exe
3952	Client.exe
3200	Client.exe

Adds Run key to start application 2 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient-built.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client-built.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
5100	PING.EXE
3004	PING.EXE
4916	PING.EXE
1812	PING.EXE
2260	PING.EXE
3996	PING.EXE
3292	PING.EXE
1712	PING.EXE
2028	PING.EXE
1708	PING.EXE
1160	PING.EXE
2668	PING.EXE
540	PING.EXE
2912	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
5100	PING.EXE
540	PING.EXE
1812	PING.EXE
3292	PING.EXE
4916	PING.EXE
1708	PING.EXE
1160	PING.EXE
2260	PING.EXE
3004	PING.EXE
2028	PING.EXE
2912	PING.EXE
3996	PING.EXE
1712	PING.EXE
2668	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
3300	schtasks.exe
4852	schtasks.exe
1104	schtasks.exe
2708	schtasks.exe
2564	schtasks.exe
2232	schtasks.exe
4420	schtasks.exe
4852	schtasks.exe
1468	schtasks.exe
3132	schtasks.exe
2532	schtasks.exe
2340	schtasks.exe
3184	schtasks.exe
1904	schtasks.exe
4504	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

Client-built.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	Process
Token: SeDebugPrivilege	1052	Client-built.exe
Token: SeDebugPrivilege	1860	Client.exe
Token: SeDebugPrivilege	4440	Client.exe
Token: SeDebugPrivilege	1796	Client.exe
Token: SeDebugPrivilege	4208	Client.exe
Token: SeDebugPrivilege	4948	Client.exe
Token: SeDebugPrivilege	2088	Client.exe
Token: SeDebugPrivilege	4900	Client.exe
Token: SeDebugPrivilege	3352	Client.exe
Token: SeDebugPrivilege	3736	Client.exe
Token: SeDebugPrivilege	2156	Client.exe
Token: SeDebugPrivilege	876	Client.exe
Token: SeDebugPrivilege	4832	Client.exe
Token: SeDebugPrivilege	4488	Client.exe
Token: SeDebugPrivilege	3952	Client.exe
Token: SeDebugPrivilege	3200	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client-built.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	Process	procid_target
PID 1052 wrote to memory of 3184	1052	Client-built.exe	86
PID 1052 wrote to memory of 3184	1052	Client-built.exe	86
PID 1052 wrote to memory of 1860	1052	Client-built.exe	89
PID 1052 wrote to memory of 1860	1052	Client-built.exe	89
PID 1860 wrote to memory of 1904	1860	Client.exe	90
PID 1860 wrote to memory of 1904	1860	Client.exe	90
PID 1860 wrote to memory of 232	1860	Client.exe	92
PID 1860 wrote to memory of 232	1860	Client.exe	92
PID 232 wrote to memory of 1512	232	cmd.exe	94
PID 232 wrote to memory of 1512	232	cmd.exe	94
PID 232 wrote to memory of 5100	232	cmd.exe	95
PID 232 wrote to memory of 5100	232	cmd.exe	95
PID 232 wrote to memory of 4440	232	cmd.exe	101
PID 232 wrote to memory of 4440	232	cmd.exe	101
PID 4440 wrote to memory of 2232	4440	Client.exe	102
PID 4440 wrote to memory of 2232	4440	Client.exe	102
PID 4440 wrote to memory of 388	4440	Client.exe	104
PID 4440 wrote to memory of 388	4440	Client.exe	104
PID 388 wrote to memory of 536	388	cmd.exe	106
PID 388 wrote to memory of 536	388	cmd.exe	106
PID 388 wrote to memory of 540	388	cmd.exe	107
PID 388 wrote to memory of 540	388	cmd.exe	107
PID 388 wrote to memory of 1796	388	cmd.exe	110
PID 388 wrote to memory of 1796	388	cmd.exe	110
PID 1796 wrote to memory of 4420	1796	Client.exe	111
PID 1796 wrote to memory of 4420	1796	Client.exe	111
PID 1796 wrote to memory of 4212	1796	Client.exe	113
PID 1796 wrote to memory of 4212	1796	Client.exe	113
PID 4212 wrote to memory of 3732	4212	cmd.exe	115
PID 4212 wrote to memory of 3732	4212	cmd.exe	115
PID 4212 wrote to memory of 3996	4212	cmd.exe	116
PID 4212 wrote to memory of 3996	4212	cmd.exe	116
PID 4212 wrote to memory of 4208	4212	cmd.exe	118
PID 4212 wrote to memory of 4208	4212	cmd.exe	118
PID 4208 wrote to memory of 4852	4208	Client.exe	120
PID 4208 wrote to memory of 4852	4208	Client.exe	120
PID 4208 wrote to memory of 1512	4208	Client.exe	122
PID 4208 wrote to memory of 1512	4208	Client.exe	122
PID 1512 wrote to memory of 3308	1512	cmd.exe	124
PID 1512 wrote to memory of 3308	1512	cmd.exe	124
PID 1512 wrote to memory of 1812	1512	cmd.exe	125
PID 1512 wrote to memory of 1812	1512	cmd.exe	125
PID 1512 wrote to memory of 4948	1512	cmd.exe	127
PID 1512 wrote to memory of 4948	1512	cmd.exe	127
PID 4948 wrote to memory of 1104	4948	Client.exe	128
PID 4948 wrote to memory of 1104	4948	Client.exe	128
PID 4948 wrote to memory of 60	4948	Client.exe	130
PID 4948 wrote to memory of 60	4948	Client.exe	130
PID 60 wrote to memory of 232	60	cmd.exe	132
PID 60 wrote to memory of 232	60	cmd.exe	132
PID 60 wrote to memory of 3292	60	cmd.exe	133
PID 60 wrote to memory of 3292	60	cmd.exe	133
PID 60 wrote to memory of 2088	60	cmd.exe	134
PID 60 wrote to memory of 2088	60	cmd.exe	134
PID 2088 wrote to memory of 1468	2088	Client.exe	135
PID 2088 wrote to memory of 1468	2088	Client.exe	135
PID 2088 wrote to memory of 3288	2088	Client.exe	137
PID 2088 wrote to memory of 3288	2088	Client.exe	137
PID 3288 wrote to memory of 2960	3288	cmd.exe	139
PID 3288 wrote to memory of 2960	3288	cmd.exe	139
PID 3288 wrote to memory of 2260	3288	cmd.exe	140
PID 3288 wrote to memory of 2260	3288	cmd.exe	140
PID 3288 wrote to memory of 4900	3288	cmd.exe	141
PID 3288 wrote to memory of 4900	3288	cmd.exe	141

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3184
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gkjSuq06FxLV.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:232
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1512
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5100
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4440
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2232
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3hC18WW9WCvT.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:388
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:536
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:540
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaY7zj6Y5B4g.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3732
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3996
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wLVSCrRm3b0b.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3308
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1812
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8qyvATvVnCRn.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:232
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3292
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2ps5ibXO0XaA.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2960
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2260
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4900
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\baxOfMTeC36y.bat" "
        15⤵
        
        PID:4356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3004
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3352
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bt0tKfNxeDpa.bat" "
        17⤵
        
        PID:1676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3264
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1712
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3736
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TA7OlsVphrbk.bat" "
        19⤵
        
        PID:1860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1012
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2028
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3300
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eSU89qRZd35G.bat" "
        21⤵
        
        PID:3552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1160
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4916
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TebG2cn9bPEN.bat" "
        23⤵
        
        PID:3324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3876
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2912
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4832
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NCOY1KI2oo4e.bat" "
        25⤵
        
        PID:2524
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1828
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4488
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\59I1gFU7czO1.bat" "
        27⤵
        
        PID:1164
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1448
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1160
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3952
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1XFAnwjsu9bA.bat" "
        29⤵
        
        PID:1504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2668
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1XFAnwjsu9bA.bat

Filesize
207B

MD5
c0f111949ecc62bf455634760b9c4c95

SHA1
7d976d3b5282d99960e6d8f6a082e6a1d05295fb

SHA256
426a10c87b730cb78642d23fcd5a32ee1d9ff695ae90a5d02bc18c0a34c7645a

SHA512
eb0db23c5b0f033862e5514fb786b33e2ada35f4c618fa21f36bcf475db65bff3509a7cc7155d8d440e4e737a5f0d5743a76385d3d1052460f4ee330aa313861

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ps5ibXO0XaA.bat

Filesize
207B

MD5
1a3c7edaa4976cfd20c270a6272e83e2

SHA1
188f7253b4d93a6cacce15c10b3ef461369ef068

SHA256
830233d65b78edef92aadd4cf096fd5d21e6184c6fcf23f1956e72be545248d4

SHA512
ce6b45066f102eba6afac5cab5ddae63ea3d59078ecf0e557e1b6e55beac89ea5abb7c78db641125c082653108bd147f3f41cac462437a2a177c846223575ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\3hC18WW9WCvT.bat

Filesize
207B

MD5
581ad13978c4f2d063d8b575e254a151

SHA1
b04db8b3f9afed2461734c8ddaebcc0f24b1dfa3

SHA256
bdb2a72bcd7028a7095e735fbdbcb476aad4e1396530ff39d7bd6c08df011806

SHA512
605a9203fd9790a219ca7e5dbac32cf222bf37041cb13d144ef683ffbabda56a76d009784cb1478ea428d7cf8036aedd7d082f8b90b3e68c935784887d5629c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\59I1gFU7czO1.bat

Filesize
207B

MD5
3732a1e779536acf4796c37024759fe9

SHA1
75836b87a801344efe96ff384ec29b9004a43037

SHA256
61482c4bf405afe58661e50a556f9bd8c8eb90133d0c8807780486626a2303d0

SHA512
fb5770b4422c5219998581b59f75abdf23f57c39c0750d24fd32bf20ad1954860011836f5011b312500f209f495e1842509986e87e6a6775ea8f743e8f9279f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8qyvATvVnCRn.bat

Filesize
207B

MD5
a723a49440c4e67da632ba0bfcef0ea3

SHA1
30feabd5a92246908cfc569f6bb0bd6d56405e1e

SHA256
4dbc523742f4ac1f1b37440623aade437462f5dc6e96bd57ddf478acdb3a7fda

SHA512
a723044f1b8249d6603f14a4ad739e37e4be0c6900df93ff11e95bf9dce35db98cc9430decd7488cbb96d498930718810c344e62ca5a77dec0c33383beba692f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FaY7zj6Y5B4g.bat

Filesize
207B

MD5
bfdfea9b1b8c3d1dd8e7b527c358e6fe

SHA1
36084e844f8b2a86160e845a8c9a86a3a69998b6

SHA256
187e93d936de7668f711752280065926e80aaebb619746653be6f3cefe391168

SHA512
68a8901f11784bba0c8f462cb8f4735ccfc516dac6c1b2001db1bdc273bb790ed80fd35b9cf5ee04f90b720cd5c61c28ed63e8f76732e094eb3f95f6f0146022

Download Submit
C:\Users\Admin\AppData\Local\Temp\NCOY1KI2oo4e.bat

Filesize
207B

MD5
cb9a80992c7f67e9d358fe4910670c23

SHA1
bb9a17578ed3d29ad7bb65bbb66d9e6a2334265f

SHA256
f4ddb0f19dbc0718b026b156048b7f0bb9cc3878223ec36f27208f52db10209b

SHA512
7f2648e58d9d4f6da488b37a4e4d71fff09d47d0dc09f2d1913dac51059a89d35bdaeeaa15505608a217934f944fea2d5a51cf0fd31c0fb4db683b112bd6ac09

Download Submit
C:\Users\Admin\AppData\Local\Temp\TA7OlsVphrbk.bat

Filesize
207B

MD5
4b0570b31a18aae65fe90dd8c4cb76ff

SHA1
d9c8dcd1cfb838df045bfde06b6e33579d5abab5

SHA256
d8969505eaf98ee40c118e813c979d1c027a8e010bad7e34911841da7d915bb2

SHA512
941a232c76a799f6ee97ca7cc30115d788f7891cf6cfc7849896e8874359a2a50e2c54abb6eaf33f5554dd4592b25ae9c9ba9f0c1dac3717ada0777ce4ff8b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\TebG2cn9bPEN.bat

Filesize
207B

MD5
e2313dddf756f98db9a01021112d48e6

SHA1
3bde279840268527660f43412df2690c012da310

SHA256
64602250401c4cb41eaf6392f20343a3554c0a86576bba7bdfa3d8c1fd4dceae

SHA512
0e8da7b04e86d6023656a9d61332b3c2237e07aa54fe35714efa38d4c1712948f66d88f97fd8edb6419839d9ee2af3f74995a5bd2a273f50eff4e3f6da966d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\baxOfMTeC36y.bat

Filesize
207B

MD5
d49087af4e2aa84e7a14f35b9b6aa0d4

SHA1
aabebf38da629654894cbb64c3b8c6a6423a1b5f

SHA256
b657361f8d47bad911e229f34784fe5dc7269c435ce63381020b7d0cc48d3bdd

SHA512
7b8d1eb196b8ce8142c9fc75bd3be6d473f64c3e7c03efaf03faeea0a752b0b3d5f2d197baf305ed3658c0c5d822755cd717512ddc8b830f5a5539aecf55b4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bt0tKfNxeDpa.bat

Filesize
207B

MD5
a208cef53201e21f8c705b246f9ff53c

SHA1
b5cac5cfab520ecd0c6cbf747948576cb7888083

SHA256
2c05fe8f85c427dcf5d24eb982b916a5f59082238f00750a1180b815427be304

SHA512
b2a10e5b5da86b5c00c7e6000c57bfe05f760ccfa2941e6b6098a783487a63c2712cd15914d3e5ccd39389c1a0008656e0133e9260b16623e56e08b703d1fa23

Download Submit
C:\Users\Admin\AppData\Local\Temp\eSU89qRZd35G.bat

Filesize
207B

MD5
81d7d5326d718a4fe3d7852199ff230e

SHA1
2a8357cd742fbb9bb3e5f59846e4bc0beeddddd2

SHA256
2160159ed9e00a64cb505ae6fd6309ee3449dd5871e56e888053ee5b8961386f

SHA512
cc518238a9dc7e1d80eb4b6690c62235c92d8eb3241cd58c27630d40f0cdd2bc57dce517191493bf9eb51a337c5d173c9605cc13ee5dd5b19b4800165dfa75ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkjSuq06FxLV.bat

Filesize
207B

MD5
fd5be971eefbd7ec9c94c6f2af289381

SHA1
79394287d00320402787fc6ae5f0ced6d22b159f

SHA256
427b2df17151f83a87b0f05a0c8c90d79f97515ec6f12bb182c9dd56e0e8feb0

SHA512
9d09abc3d89b3d1f0dd28548ec1337f9450623c511d95cb81370dd276847e9ef8c4eac2aceb99588e4cd749d35888f0a591a42c813099603b980b86c667d8a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wLVSCrRm3b0b.bat

Filesize
207B

MD5
c026636222ba27ebb2e3642645ac4d04

SHA1
290e46214c185bb6b72be3d1659690004c31122e

SHA256
5c25f73a610b701f63a7957fc73d3b8393348823bf2b33f0878f3cf38bed54a0

SHA512
bf938209668eea5d03ddc459eea40fecdb3a86b738dd8d6b9aedd005c814469a36d505340e7a9a1fc6b691d659562c71d9cf9342964cc9ae5a672d4a2724295b

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
cd8d41167dc2fae9b0ae6a8648d5070f

SHA1
97a475e752d8bbd6a66bb2231b5ab830f86fdc06

SHA256
9cee560203681db0106de96c3fd5ed335bed6abacd9724a641b42743adfb6220

SHA512
d107718753acdc5495222d28cb4323b81dc7a30f5891b37cb95d39f58302e3c5535defe14e01c9602ec8f83e4a6df8972ae1281fe326347e7a6456536dce9c9b

Download Submit
memory/1052-1-0x0000000000AF0000-0x0000000000E14000-memory.dmp

Filesize
3.1MB

Download
memory/1052-2-0x00007FFB82540000-0x00007FFB83001000-memory.dmp

Filesize
10.8MB

Download
memory/1052-0-0x00007FFB82543000-0x00007FFB82545000-memory.dmp

Filesize
8KB

Download
memory/1052-9-0x00007FFB82540000-0x00007FFB83001000-memory.dmp

Filesize
10.8MB

Download
memory/1860-12-0x000000001C350000-0x000000001C402000-memory.dmp

Filesize
712KB

Download
memory/1860-8-0x00007FFB82540000-0x00007FFB83001000-memory.dmp

Filesize
10.8MB

Download
memory/1860-10-0x00007FFB82540000-0x00007FFB83001000-memory.dmp

Filesize
10.8MB

Download
memory/1860-11-0x00000000031B0000-0x0000000003200000-memory.dmp

Filesize
320KB

Download
memory/1860-17-0x00007FFB82540000-0x00007FFB83001000-memory.dmp

Filesize
10.8MB

Download