quasar | a3ef678bd307c07f299a4b4c96d414ddba54e3f00e7e81a5ed5bc949cd65e682

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

52b81162360c34724757c2075a60e5af
SHA1

3fceb5947678c56b962a63853d20749f274b6db0
SHA256

a3ef678bd307c07f299a4b4c96d414ddba54e3f00e7e81a5ed5bc949cd65e682
SHA512

ea3e4b4218f5cca06102c97d85306fbd7f1697efd1546ecb3a9cf5f66a68c6354b176545c059aa78757bd7a2f9abbed2c16a16a2d1fbcee1506c9b21400c1f47
SSDEEP

49152:uv2I22SsaNYfdPBldt698dBcjHUiO10mzfioGdKiTHHB72eh2NT:uvb22SsaNYfdPBldt6+dBcjHbO1g

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

Inversin-43597.portmap.host:43597

Mutex

80329fd2-f063-4b06-9c7e-8dbc6278c2a3

Attributes

encryption_key
744EA1A385FEBC6DA96387411B7000D77E66B075
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
java updater
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/4836-1-0x0000000000AF0000-0x0000000000E14000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023c96-5.dat	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 14 IoCs

pid	Process
1712	Client.exe
3992	Client.exe
1884	Client.exe
1912	Client.exe
1700	Client.exe
2892	Client.exe
2124	Client.exe
3436	Client.exe
2336	Client.exe
1092	Client.exe
4672	Client.exe
4616	Client.exe
3896	Client.exe
2936	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4876	PING.EXE
2844	PING.EXE
1968	PING.EXE
1644	PING.EXE
4968	PING.EXE
4600	PING.EXE
1640	PING.EXE
3664	PING.EXE
752	PING.EXE
212	PING.EXE
2200	PING.EXE
3952	PING.EXE
1556	PING.EXE
4612	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
4876	PING.EXE
4968	PING.EXE
212	PING.EXE
2844	PING.EXE
3664	PING.EXE
1556	PING.EXE
1644	PING.EXE
2200	PING.EXE
3952	PING.EXE
752	PING.EXE
1968	PING.EXE
4600	PING.EXE
4612	PING.EXE
1640	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
400	schtasks.exe
3736	schtasks.exe
4616	schtasks.exe
2928	schtasks.exe
4392	schtasks.exe
2436	schtasks.exe
1912	schtasks.exe
4836	schtasks.exe
2020	schtasks.exe
4076	schtasks.exe
4112	schtasks.exe
2704	schtasks.exe
3952	schtasks.exe
3824	schtasks.exe
1816	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	4836	Client-built.exe
Token: SeDebugPrivilege	1712	Client.exe
Token: SeDebugPrivilege	3992	Client.exe
Token: SeDebugPrivilege	1884	Client.exe
Token: SeDebugPrivilege	1912	Client.exe
Token: SeDebugPrivilege	1700	Client.exe
Token: SeDebugPrivilege	2892	Client.exe
Token: SeDebugPrivilege	2124	Client.exe
Token: SeDebugPrivilege	3436	Client.exe
Token: SeDebugPrivilege	2336	Client.exe
Token: SeDebugPrivilege	1092	Client.exe
Token: SeDebugPrivilege	4672	Client.exe
Token: SeDebugPrivilege	4616	Client.exe
Token: SeDebugPrivilege	3896	Client.exe
Token: SeDebugPrivilege	2936	Client.exe

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
1712	Client.exe
3992	Client.exe
1884	Client.exe
1912	Client.exe
1700	Client.exe
2892	Client.exe
2124	Client.exe
3436	Client.exe
2336	Client.exe
1092	Client.exe
4672	Client.exe
4616	Client.exe
3896	Client.exe
2936	Client.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
1712	Client.exe
3992	Client.exe
1884	Client.exe
1912	Client.exe
1700	Client.exe
2892	Client.exe
2124	Client.exe
3436	Client.exe
2336	Client.exe
1092	Client.exe
4672	Client.exe
4616	Client.exe
3896	Client.exe
2936	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 1912	4836	Client-built.exe	89
PID 4836 wrote to memory of 1912	4836	Client-built.exe	89
PID 4836 wrote to memory of 1712	4836	Client-built.exe	91
PID 4836 wrote to memory of 1712	4836	Client-built.exe	91
PID 1712 wrote to memory of 3952	1712	Client.exe	92
PID 1712 wrote to memory of 3952	1712	Client.exe	92
PID 1712 wrote to memory of 4344	1712	Client.exe	94
PID 1712 wrote to memory of 4344	1712	Client.exe	94
PID 4344 wrote to memory of 1028	4344	cmd.exe	96
PID 4344 wrote to memory of 1028	4344	cmd.exe	96
PID 4344 wrote to memory of 1556	4344	cmd.exe	97
PID 4344 wrote to memory of 1556	4344	cmd.exe	97
PID 4344 wrote to memory of 3992	4344	cmd.exe	105
PID 4344 wrote to memory of 3992	4344	cmd.exe	105
PID 3992 wrote to memory of 400	3992	Client.exe	106
PID 3992 wrote to memory of 400	3992	Client.exe	106
PID 3992 wrote to memory of 5108	3992	Client.exe	108
PID 3992 wrote to memory of 5108	3992	Client.exe	108
PID 5108 wrote to memory of 2008	5108	cmd.exe	110
PID 5108 wrote to memory of 2008	5108	cmd.exe	110
PID 5108 wrote to memory of 4600	5108	cmd.exe	111
PID 5108 wrote to memory of 4600	5108	cmd.exe	111
PID 5108 wrote to memory of 1884	5108	cmd.exe	112
PID 5108 wrote to memory of 1884	5108	cmd.exe	112
PID 1884 wrote to memory of 3736	1884	Client.exe	113
PID 1884 wrote to memory of 3736	1884	Client.exe	113
PID 1884 wrote to memory of 388	1884	Client.exe	115
PID 1884 wrote to memory of 388	1884	Client.exe	115
PID 388 wrote to memory of 4768	388	cmd.exe	117
PID 388 wrote to memory of 4768	388	cmd.exe	117
PID 388 wrote to memory of 4612	388	cmd.exe	118
PID 388 wrote to memory of 4612	388	cmd.exe	118
PID 388 wrote to memory of 1912	388	cmd.exe	122
PID 388 wrote to memory of 1912	388	cmd.exe	122
PID 1912 wrote to memory of 4836	1912	Client.exe	123
PID 1912 wrote to memory of 4836	1912	Client.exe	123
PID 1912 wrote to memory of 892	1912	Client.exe	125
PID 1912 wrote to memory of 892	1912	Client.exe	125
PID 892 wrote to memory of 860	892	cmd.exe	127
PID 892 wrote to memory of 860	892	cmd.exe	127
PID 892 wrote to memory of 212	892	cmd.exe	128
PID 892 wrote to memory of 212	892	cmd.exe	128
PID 892 wrote to memory of 1700	892	cmd.exe	129
PID 892 wrote to memory of 1700	892	cmd.exe	129
PID 1700 wrote to memory of 2020	1700	Client.exe	130
PID 1700 wrote to memory of 2020	1700	Client.exe	130
PID 1700 wrote to memory of 2472	1700	Client.exe	132
PID 1700 wrote to memory of 2472	1700	Client.exe	132
PID 2472 wrote to memory of 3512	2472	cmd.exe	134
PID 2472 wrote to memory of 3512	2472	cmd.exe	134
PID 2472 wrote to memory of 2844	2472	cmd.exe	135
PID 2472 wrote to memory of 2844	2472	cmd.exe	135
PID 2472 wrote to memory of 2892	2472	cmd.exe	136
PID 2472 wrote to memory of 2892	2472	cmd.exe	136
PID 2892 wrote to memory of 4076	2892	Client.exe	137
PID 2892 wrote to memory of 4076	2892	Client.exe	137
PID 2892 wrote to memory of 1468	2892	Client.exe	139
PID 2892 wrote to memory of 1468	2892	Client.exe	139
PID 1468 wrote to memory of 4548	1468	cmd.exe	141
PID 1468 wrote to memory of 4548	1468	cmd.exe	141
PID 1468 wrote to memory of 1640	1468	cmd.exe	142
PID 1468 wrote to memory of 1640	1468	cmd.exe	142
PID 1468 wrote to memory of 2124	1468	cmd.exe	144
PID 1468 wrote to memory of 2124	1468	cmd.exe	144

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1912
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\59Rp9lOnb5ry.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4344
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1028
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1556
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3992
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:400
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEiutM1bb3Cu.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5108
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2008
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4600
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgEy1i19ytd6.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4768
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4612
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KnnYhjXzJl1P.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:860
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:212
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9JNau8VjDCe5.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3512
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2844
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EollFYDAbR7R.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4548
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1640
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2124
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGfJHHLuQkYf.bat" "
        15⤵
        
        PID:2928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1968
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3436
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8kokHJjGyY3p.bat" "
        17⤵
        
        PID:348
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2200
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2336
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9NF0HSz6IDkr.bat" "
        19⤵
        
        PID:5016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3936
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3664
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1092
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nMes6gu9iI4g.bat" "
        21⤵
        
        PID:4988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2168
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1644
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4672
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pxNWRa7L60lO.bat" "
        23⤵
        
        PID:5012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:5104
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3952
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4616
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0bQNrjKFZwFT.bat" "
        25⤵
        
        PID:3616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:752
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3896
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kSe52WU3oEgi.bat" "
        27⤵
        
        PID:392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4876
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2936
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HCBeuALSuGhd.bat" "
        29⤵
        
        PID:1684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:3628
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0bQNrjKFZwFT.bat

Filesize
207B

MD5
c907e38dc2dd1106ba6e5483c2e410e9

SHA1
c6bbca18240ad070eaf5bb7358e22482ddf19d3e

SHA256
2592e4228ac26f62599a31a25cb090e9dcea97318ccaf38149afb7621684761e

SHA512
32c734b4ef118173a0b7cda586bbe7b26228b02821742acf3c0c257998abbed1762c00f373df2a5fc10790210a7f7d3da8f67241fe9057deb37624e9d782ec77

Download Submit
C:\Users\Admin\AppData\Local\Temp\59Rp9lOnb5ry.bat

Filesize
207B

MD5
ee8314880cfc86ab966201f7d028b036

SHA1
14d7ed9cec965158b8adebde4bd0e492282e4d6a

SHA256
595da6f740cfb922f87ebf9362712dbca8444cf97104af47a4fc9888c520cca2

SHA512
7a9d13f7b8e51e1d133da2ac0e036a753092996dc73c69dd0c0fc07cb63c0c0044d2bccfae812ecce8ebe4c2d630ba2e8991ed43e706762f8c256dcbb5e9d228

Download Submit
C:\Users\Admin\AppData\Local\Temp\8kokHJjGyY3p.bat

Filesize
207B

MD5
0fc8b2d228c73de74473c14321a3259f

SHA1
e3b0c4c30dd8b58ef16379f0e2ca92aac6d75878

SHA256
9d9fee55e59161e08e65f4cc94cb2fc27dea60dcff8fc26dd537c5c2eacd94e4

SHA512
99b733837735c80ad900b2e4d64007239d97c596d20ddcbf4ce6e704b2ab6b2a3ab02b1b6dc50bb096eae2831c053983f9f89da84de66584adf99c60cadd963e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9JNau8VjDCe5.bat

Filesize
207B

MD5
23292d399822e80faa1140541d509a98

SHA1
87d971ef537aed473e750d4e575cd653a60a6e29

SHA256
a9a59b662b15cf1a0a4ff2e9e67340f819ab125ba93ed4eadffed8b76740d15b

SHA512
ecf781ec56d2e5254f4beb465dda7792cd1e406614c4e1726e162c2393ac70406b9bbcf43b13ff3d3bbfa76811ef9afcfef9aec49bfe1969293dbd9e3966874b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9NF0HSz6IDkr.bat

Filesize
207B

MD5
4e9fa3ec949d1889dd64163af48e737f

SHA1
7cd3020b9a134b538a37121c1875739ffc3edc41

SHA256
007b017c834272405b745b156ee58f064faa9afa0a0cf2586a05c495b9538644

SHA512
075bf5f320f49ed057f2125d92cccfa5bc94c7b2b0204e22b36d6c335ce8ab5455729741728bc5bc0c2f04a341690d952ea866df67e8d52f8358d46377d08efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\EollFYDAbR7R.bat

Filesize
207B

MD5
cdf28443cee3e08f9a6f76e56b4e67a6

SHA1
1cae7fe804e83dda27de283155610aae719db001

SHA256
25a3d97496dfb7fbb86b40ea691cf0c581b036ced1fe2582817e15d53272bafc

SHA512
b00ecd3ca17663a7f3b9196bfaac3f914e8beb332c4bf2c8d270610de9456fee70ddd0f0765703ab34e50a4c2dbefe268ced3ffc30d30c823248094fd5f168b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HCBeuALSuGhd.bat

Filesize
207B

MD5
e40a84dd7c9d03fe44f2941cdc6ee451

SHA1
945888670497572fa982d052b3b5bca74c411dbf

SHA256
bf9f6c9a6202056e58372a1768ce525620fb3bc940e7473e1980eca51f702b39

SHA512
aa9625605858448100aa0690cc1e160cc61fb82678034d4a17923dbfa6a9b765ff85a77df7d1ccda59ffe10b30562bc9e40b38f472d81c309523199a0dd3a96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KnnYhjXzJl1P.bat

Filesize
207B

MD5
ebd1ac11669a960d78c4382ea8e71564

SHA1
363a16383cacb257cde60502723823efc288a7bd

SHA256
2bcc140a170e82a8e8b7d5a685e7f6e5727d5034419e6a4cf3f3c8abd26292a4

SHA512
9b406e72da2f748b05a477cd546a44beeb016719a320b7315f801df5c0e35e4496b0c2c7c76f56b7f7b9a332354d6c8613e69c3930d40e2ff3a9a5f79d97b443

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEiutM1bb3Cu.bat

Filesize
207B

MD5
712a8c2fb26da29642b0599a043e5bdb

SHA1
16d5845f35ca62d45d47fc22fd872af7e3514afb

SHA256
3a11a6c860445ef93b2e5f180e7b6216068454f07f734364097a8437c5c7e6b4

SHA512
6feb3bc5b499a9800a0d87d36db68c70f2fe2d4ec668b75be7ff9c895db8bb708ea519a30542d1161aab5be546a8ec4290c990b1493d257c3198f96d9b866726

Download Submit
C:\Users\Admin\AppData\Local\Temp\kSe52WU3oEgi.bat

Filesize
207B

MD5
929ebfeca5982117a9d1da3ba51eb64b

SHA1
862d6101226553b6c56a3983e0e3945346a16476

SHA256
8002742cfbc9a3f93ec99686074c9d67ed92f843e9df25e08388faa0d5a7a87b

SHA512
bb11b617c326880ad99ce31061db876bef022cd7d6ec4c9ab65e5b58284b9aa4b8e0731abb225afdca1d7d7fae9fa1db86ed8ed08e7684ae6bc05e2d5af49f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMes6gu9iI4g.bat

Filesize
207B

MD5
cc81933f01d562368735c8d70e92d952

SHA1
f76c4917a84bffd857a6aac446f5184ad68769ee

SHA256
a61f6099c37f44f17e8bb6e0a5e3890627ab8eb5aefec7e6b946c02a11fda742

SHA512
be9a121355d0faebc7a0758ecee395e21dec48ead9fb986499aa560e99074d39fe676263f3b4728d685c474501dce58d7948a12a14d0a5fb069141fa03f42f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oGfJHHLuQkYf.bat

Filesize
207B

MD5
17abd969d7820afe91716ebf7b2f3262

SHA1
8ec56cf35b77ff7e630cb7f641dec0b64cb89c28

SHA256
b7fff72423741aec5c582edd0ae958c124d29b44122b4aca14035d544d5afe28

SHA512
2ce601d501d5e54a2ce9922a15c8e8fe74f2fb670ece33c6a64eaf42df1dc4c4ab748a468d45e25e3cca5e9384819f531d1b8717ef839b63243ed013aa753e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxNWRa7L60lO.bat

Filesize
207B

MD5
3b8746bbac497bde02282f8f984dc9ca

SHA1
312d70ef2d0c07f827662e0d3c69ad63c41b37cb

SHA256
51131800f598a5f61b3ed85289a66c2e46f18eb70b7c939d0a56144281fa8090

SHA512
d0705cb11775ce77ca5dacf959bb273d6ab80ac839893f5a02d442a16656e628a2b27a0fff62593109513f014ec3fc1b4e8482d5260f329e372848277b754a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgEy1i19ytd6.bat

Filesize
207B

MD5
162fa1cc7538e67c601ad2cdefa2f53e

SHA1
3f2112693f6290d12df76727e36d855f2d519b57

SHA256
16187edc72d538deb5677b7f713c4448cfc6271b54c7bbb922dbc540f0a2f742

SHA512
5e2c1c705334dca70edcc5b8601f38357698c9169e7634047a31ebd6962a452589a2bc7bb5e98aa48bc42a1e0823cbd909ff21796fc9f88cac32c10187a65b50

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
52b81162360c34724757c2075a60e5af

SHA1
3fceb5947678c56b962a63853d20749f274b6db0

SHA256
a3ef678bd307c07f299a4b4c96d414ddba54e3f00e7e81a5ed5bc949cd65e682

SHA512
ea3e4b4218f5cca06102c97d85306fbd7f1697efd1546ecb3a9cf5f66a68c6354b176545c059aa78757bd7a2f9abbed2c16a16a2d1fbcee1506c9b21400c1f47

Download Submit
memory/1712-9-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/1712-10-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/1712-17-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/1712-11-0x000000001C600000-0x000000001C650000-memory.dmp

Filesize
320KB

Download
memory/1712-12-0x000000001C710000-0x000000001C7C2000-memory.dmp

Filesize
712KB

Download
memory/4836-8-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/4836-0-0x00007FFBAC563000-0x00007FFBAC565000-memory.dmp

Filesize
8KB

Download
memory/4836-2-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/4836-1-0x0000000000AF0000-0x0000000000E14000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads