quasar | 282d6f5ddc83351dab51e6decc1293b078638f0cfd0baca4673afc8246fd32bd

Analysis

max time kernel
46s
max time network
44s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06-11-2024 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kreo q zi.7z
Size

922KB
MD5

ec516db688f94e98d5141f4bade557e9
SHA1

198ffbae5eed415ac673f5e371774759f1a53de1
SHA256

282d6f5ddc83351dab51e6decc1293b078638f0cfd0baca4673afc8246fd32bd
SHA512

ecc34ad7d15fbedbbc4e62b469f5e6e5e71099e19831574da61dc9f751ed5b2faad1676b8b3dbf0911c4dac628c7a15e9d07d953692c5ab1b700ea07f6396985
SSDEEP

24576:yScP7qLl4iGQATiKL0aywxTodSrUF+nVZLLymvgDoSAWcNtMXqWOU:07qLl4KATiJUo0UEnLmmvqiWcNtMXDOU

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

hola435-24858.portmap.host:24858

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0028000000045035-2.dat	family_quasar
behavioral1/memory/2208-5-0x0000000000FC0000-0x00000000012E4000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 12 IoCs

pid	Process
2208	kreo q zi.exe
3976	Client.exe
2232	Client.exe
4824	kreo q zi.exe
2604	Client.exe
2056	Client.exe
3652	kreo q zi.exe
2756	Client.exe
1372	Client.exe
3588	Client.exe
3884	Client.exe
4080	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1968	PING.EXE
3908	PING.EXE
460	PING.EXE
2500	PING.EXE
1704	PING.EXE
380	PING.EXE
4320	PING.EXE
4100	PING.EXE
5032	PING.EXE

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
1704	PING.EXE
460	PING.EXE
2500	PING.EXE
4320	PING.EXE
4100	PING.EXE
1968	PING.EXE
380	PING.EXE
3908	PING.EXE
5032	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4504	schtasks.exe
2980	schtasks.exe
3296	schtasks.exe
1728	schtasks.exe
1708	schtasks.exe
3732	schtasks.exe
1640	schtasks.exe
4752	schtasks.exe
2532	schtasks.exe
1828	schtasks.exe
780	schtasks.exe
2940	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3992	7zFM.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeRestorePrivilege	3992	7zFM.exe
Token: 35	3992	7zFM.exe
Token: SeSecurityPrivilege	3992	7zFM.exe
Token: SeDebugPrivilege	2208	kreo q zi.exe
Token: SeDebugPrivilege	3976	Client.exe
Token: SeDebugPrivilege	2232	Client.exe
Token: SeDebugPrivilege	4824	kreo q zi.exe
Token: SeDebugPrivilege	2604	Client.exe
Token: SeDebugPrivilege	2056	Client.exe
Token: SeDebugPrivilege	3652	kreo q zi.exe
Token: SeDebugPrivilege	2756	Client.exe
Token: SeDebugPrivilege	1372	Client.exe
Token: SeDebugPrivilege	3588	Client.exe
Token: SeDebugPrivilege	3884	Client.exe
Token: SeDebugPrivilege	4080	Client.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3992	7zFM.exe
3992	7zFM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 4752	2208	kreo q zi.exe	94
PID 2208 wrote to memory of 4752	2208	kreo q zi.exe	94
PID 2208 wrote to memory of 3976	2208	kreo q zi.exe	96
PID 2208 wrote to memory of 3976	2208	kreo q zi.exe	96
PID 3976 wrote to memory of 2532	3976	Client.exe	97
PID 3976 wrote to memory of 2532	3976	Client.exe	97
PID 3976 wrote to memory of 1972	3976	Client.exe	99
PID 3976 wrote to memory of 1972	3976	Client.exe	99
PID 1972 wrote to memory of 1788	1972	cmd.exe	101
PID 1972 wrote to memory of 1788	1972	cmd.exe	101
PID 1972 wrote to memory of 1968	1972	cmd.exe	102
PID 1972 wrote to memory of 1968	1972	cmd.exe	102
PID 1972 wrote to memory of 2232	1972	cmd.exe	104
PID 1972 wrote to memory of 2232	1972	cmd.exe	104
PID 2232 wrote to memory of 1828	2232	Client.exe	105
PID 2232 wrote to memory of 1828	2232	Client.exe	105
PID 2232 wrote to memory of 4452	2232	Client.exe	107
PID 2232 wrote to memory of 4452	2232	Client.exe	107
PID 4452 wrote to memory of 3516	4452	cmd.exe	109
PID 4452 wrote to memory of 3516	4452	cmd.exe	109
PID 4452 wrote to memory of 1704	4452	cmd.exe	110
PID 4452 wrote to memory of 1704	4452	cmd.exe	110
PID 4824 wrote to memory of 4504	4824	kreo q zi.exe	112
PID 4824 wrote to memory of 4504	4824	kreo q zi.exe	112
PID 4824 wrote to memory of 2604	4824	kreo q zi.exe	114
PID 4824 wrote to memory of 2604	4824	kreo q zi.exe	114
PID 2604 wrote to memory of 780	2604	Client.exe	115
PID 2604 wrote to memory of 780	2604	Client.exe	115
PID 2604 wrote to memory of 3868	2604	Client.exe	117
PID 2604 wrote to memory of 3868	2604	Client.exe	117
PID 3868 wrote to memory of 1684	3868	cmd.exe	119
PID 3868 wrote to memory of 1684	3868	cmd.exe	119
PID 3868 wrote to memory of 380	3868	cmd.exe	120
PID 3868 wrote to memory of 380	3868	cmd.exe	120
PID 4452 wrote to memory of 2056	4452	cmd.exe	122
PID 4452 wrote to memory of 2056	4452	cmd.exe	122
PID 2056 wrote to memory of 2980	2056	Client.exe	123
PID 2056 wrote to memory of 2980	2056	Client.exe	123
PID 2056 wrote to memory of 2100	2056	Client.exe	125
PID 2056 wrote to memory of 2100	2056	Client.exe	125
PID 2100 wrote to memory of 2896	2100	cmd.exe	127
PID 2100 wrote to memory of 2896	2100	cmd.exe	127
PID 2100 wrote to memory of 3908	2100	cmd.exe	128
PID 2100 wrote to memory of 3908	2100	cmd.exe	128
PID 3652 wrote to memory of 3296	3652	kreo q zi.exe	130
PID 3652 wrote to memory of 3296	3652	kreo q zi.exe	130
PID 3652 wrote to memory of 2756	3652	kreo q zi.exe	132
PID 3652 wrote to memory of 2756	3652	kreo q zi.exe	132
PID 2756 wrote to memory of 2940	2756	Client.exe	133
PID 2756 wrote to memory of 2940	2756	Client.exe	133
PID 2756 wrote to memory of 4380	2756	Client.exe	135
PID 2756 wrote to memory of 4380	2756	Client.exe	135
PID 4380 wrote to memory of 2868	4380	cmd.exe	137
PID 4380 wrote to memory of 2868	4380	cmd.exe	137
PID 4380 wrote to memory of 460	4380	cmd.exe	138
PID 4380 wrote to memory of 460	4380	cmd.exe	138
PID 3868 wrote to memory of 1372	3868	cmd.exe	139
PID 3868 wrote to memory of 1372	3868	cmd.exe	139
PID 1372 wrote to memory of 1728	1372	Client.exe	140
PID 1372 wrote to memory of 1728	1372	Client.exe	140
PID 1372 wrote to memory of 2496	1372	Client.exe	142
PID 1372 wrote to memory of 2496	1372	Client.exe	142
PID 2496 wrote to memory of 3880	2496	cmd.exe	144
PID 2496 wrote to memory of 3880	2496	cmd.exe	144

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\kreo q zi.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3992

C:\Users\Admin\Desktop\kreo q zi.exe
"C:\Users\Admin\Desktop\kreo q zi.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4752
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmtfqagOxTVI.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1788
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1968
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2232
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1828
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hh1jKKYQxEgi.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4452
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3516
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1704
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\S6W3Uw6n9ong.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2896
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3908
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3588
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T8nRYrJXGXbp.bat" "
        9⤵
        
        PID:3148
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3320
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4320

C:\Users\Admin\Desktop\kreo q zi.exe
"C:\Users\Admin\Desktop\kreo q zi.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4504
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YTuDS1hCguhO.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3868
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1684
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:380
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1372
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1728
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7DILB5kp8wkb.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2496
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3880
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2500
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4080
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\67QdBSdfGN2s.bat" "
        7⤵
        
        PID:4516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1112
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5032

C:\Users\Admin\Desktop\kreo q zi.exe
"C:\Users\Admin\Desktop\kreo q zi.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3296
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5E17GWdFvKfk.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4380
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2868
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:460
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3884
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1708
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gbRCi35bm9fq.bat" "
        5⤵
        
        PID:3656
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1012
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
7787ce173dfface746f5a9cf5477883d

SHA1
4587d870e914785b3a8fb017fec0c0f1c7ec0004

SHA256
c339149818fa8f9e5af4627715c3afe4f42bc1267df17d77a278d4c811ed8df1

SHA512
3a630053ae99114292f8cf8d45600f8fe72125795252bf76677663476bd2275be084a1af2fcb4ce30409ba1b5829b2b3ffb6795de46d2a703c3314017a86f1ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\kreo q zi.exe.log

Filesize
1KB

MD5
b08c36ce99a5ed11891ef6fc6d8647e9

SHA1
db95af417857221948eb1882e60f98ab2914bf1d

SHA256
cc9248a177495f45ec70b86c34fc5746c56730af36ace98ac7eb365dbafda674

SHA512
07e62581eace395b0a9699d727761648103180c21155d84ea09140f9e1c9690705c419118545aa67a564334bbde32710225fe3aa92b0b4b4210cb91f0058b1ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E17GWdFvKfk.bat

Filesize
207B

MD5
c465b96b329898d16c55b8d2891479d1

SHA1
66b43adc59ee3b35a2bb6e0b1fd93d9e10f55b7d

SHA256
17d27ab9b4083bd2f6efaef3c2fcc82292a56230d85d3f943cbb66ede36a95e4

SHA512
7b34182f1b138a2c2c29978966e181f6487ae58f0d0b1731eb47184b9d6e27cf23b8a24a5f431bdb80943aaefef0b67607fba721e45980a859396ca040003cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\67QdBSdfGN2s.bat

Filesize
207B

MD5
48be70b2d461e1a7c9bdd273ce1e09a1

SHA1
743d9356e885ba001c31e97f729c459326a1009a

SHA256
a23d716c7a08efea89b43218ff60fd104db8da136705907ec99cf10141ff6387

SHA512
94d17b42d9fe44104aad7482479eb5b4bc241743b6f06449ed37d4803efb72e650c7c457fbc8a876e29c37a2c51d7952bf7fd6eef40322e13d5720665fac8d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7DILB5kp8wkb.bat

Filesize
207B

MD5
aa9205ac5f928e653a4bddefb61d366f

SHA1
121e398958125b6fe903a7effe7bc8c2bc2d96a1

SHA256
460f37a3ebd0fe528718ee08a77c51310cc4472a1150ff5c31442c5beb722dfe

SHA512
f75d6cc4ece89bc2ea80cbe5309dd101694f6cece8b00ea971d4a6fc69c84de74b7fa3e490620ee5225e81cccc8cc3b0735c123c4c1dc7a5cbd5c31d9c212fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hh1jKKYQxEgi.bat

Filesize
207B

MD5
64473d03ea39f4b73430bc7016e92c16

SHA1
fb25c436159e5bc5dabb03b6b6a3fa0e329953b4

SHA256
b59344dc659b1f71cb9065f5bfffc805da38de303da6abf7ec8cb492b7a93919

SHA512
9ba3490da8e8c5f86edf79b2b78805784ceb3a5ceb660d614f2151e742f9849f88be54d038929f558c85d0b8f703707e7bef677efad009afe33ed7777e928e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\S6W3Uw6n9ong.bat

Filesize
207B

MD5
8f3b56441394fa347446b63d63c0873f

SHA1
851c18e123e07d1723520a7411209f77a3261ae6

SHA256
1047cc4122702e44ecacbb3de63a32a9e01a11aed589b07e3dff4697912812d7

SHA512
d343e46836c572fa8eca35bda1797d991f32e1c6156cc48cc47b0ddfe603c9bfac5ebc7c0f34ec0157a9c7da79ad54a0d896aee2c567a8cd53b252d4d52f5924

Download Submit
C:\Users\Admin\AppData\Local\Temp\T8nRYrJXGXbp.bat

Filesize
207B

MD5
500d1b7420abb3f20338b15718997284

SHA1
f3ebeeb90210113821dfba58e01560a43939dac9

SHA256
f3657da8c6bbf2decc9f8d93a5f63555e6578afb31fd4f51c1749d8307f6afe3

SHA512
1a0ed714f3ac3c8ec743c769ca5159853a34b97d3dfae4faa23d74457052a33540f9d722465d7799c2a42df3d5d7de45da9863c4f884388f1e53d6000e03129d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WmtfqagOxTVI.bat

Filesize
207B

MD5
9cbf9c58842b46226d2b4f46906c059c

SHA1
b705aef3d410a4059bf0faf93f3a30bc8303e9c6

SHA256
07ece02157e4e98db598ad1d4d54ea46b738db1e8a120185bb447032189f4fa1

SHA512
c9f20fb015cc1681ff04894afe567875ea41b3fe2d316c92d6f7323d66c28ad91ea3ed42377bcf4ad9b0373540e060cb7e15dc5cb6d22d067c6ef42537470b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\YTuDS1hCguhO.bat

Filesize
207B

MD5
4530cc7509dc13d748d00aaf1ff32c51

SHA1
dc846ca403352598004d278e31f07cf07b180ec4

SHA256
2089e5b44826ec9609cd3636b8ae98579164ffe969e4acd06c6c9cbd7ce0e31e

SHA512
30bd2c7ca3d1a56f1327e674902821539c55fe7e8a63649b5fb8772c7653ad2a62e77d0e66291becfe38d4eedfe7c78d41b83ed16ea36724ae0779af40f333df

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbRCi35bm9fq.bat

Filesize
207B

MD5
0a28baa36fb18791cd88d0a36d7cb884

SHA1
cafa19b907e74e854395135dad622b60ae2e90d8

SHA256
37f528c4eff15118ec37b786c0049ec13332e41bb3c51ffb7fbb12447221bb4d

SHA512
25ede069e1ffa8c9029b55f79384d847b7d19ed17bf8ca8c23befab0f4b599f05a5394bf1eab67edee4c4d1b3ede46463520d669e0aae97aa55edf4581582c1b

Download Submit
C:\Users\Admin\Desktop\kreo q zi.exe

Filesize
3.1MB

MD5
28ac02fc40c8f1c2a8989ee3c09a1372

SHA1
b182758b62a1482142c0fce4be78c786e08b7025

SHA256
0fe81f9a51cf0068408de3c3605ce2033a00bd7ec90cc9516c38f6069e06433b

SHA512
2cbf2f6af46e5fae8e67144e1ac70bc748036c7adb7f7810d7d7d9f255ccf5d163cce07f11fb6526f9ab61c39f28bdf2356cc315b19a61cd2115612882eab767

Download Submit
memory/2208-9-0x00007FFB69CF0000-0x00007FFB6A7B2000-memory.dmp

Filesize
10.8MB

Download
memory/2208-6-0x00007FFB69CF0000-0x00007FFB6A7B2000-memory.dmp

Filesize
10.8MB

Download
memory/2208-5-0x0000000000FC0000-0x00000000012E4000-memory.dmp

Filesize
3.1MB

Download
memory/2208-4-0x00007FFB69CF3000-0x00007FFB69CF5000-memory.dmp

Filesize
8KB

Download
memory/3976-11-0x000000001C550000-0x000000001C602000-memory.dmp

Filesize
712KB

Download
memory/3976-10-0x000000001C440000-0x000000001C490000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads