quasar | 258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db

Analysis

max time kernel
120s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exe
Size

3.1MB
MD5

4b831b964f39059bfd95f56e78086830
SHA1

48649150d6a30522ee550b2cfc5b00fdda00889e
SHA256

258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db
SHA512

ed737225027fce0f6d030a3ab8f9ee329f395e08657e1c283402b7bcab772776f8015afd19535e250899893ed655b40fbed4f7fb2c22f28e668290d322ccd398
SSDEEP

49152:DvilL26AaNeWgPhlmVqvMQ7XSKnIRJ6ibR3LoGdWhNTHHB72eh2NT8:DvaL26AaNeWgPhlmVqkQ7XSKnIRJ6cYp

Score

10^/10

quasar triage discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Triage

sekacex395-58825.portmap.host:1194

Mutex

144ba9a1-0ea5-481a-929a-2aff73023537

Attributes

encryption_key
480A149BDA5F1D4EEBD5CF8EA0711405B7FC59B1
install_name
Client.exe
log_directory
kLogs
reconnect_delay
3000
startup_key
Avast Free Antivirus
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2340-1-0x0000000000460000-0x0000000000784000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b75-6.dat	family_quasar

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 12 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	Process
1856	Client.exe
4064	Client.exe
628	Client.exe
3588	Client.exe
1784	Client.exe
4532	Client.exe
4796	Client.exe
2076	Client.exe
4828	Client.exe
2300	Client.exe
4860	Client.exe
4560	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 11 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
4624	PING.EXE
448	PING.EXE
428	PING.EXE
3036	PING.EXE
5076	PING.EXE
4468	PING.EXE
4676	PING.EXE
4928	PING.EXE
3952	PING.EXE
4468	PING.EXE
4440	PING.EXE

Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
4468	PING.EXE
4440	PING.EXE
3036	PING.EXE
5076	PING.EXE
4468	PING.EXE
4624	PING.EXE
4928	PING.EXE
3952	PING.EXE
448	PING.EXE
428	PING.EXE
4676	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
968	schtasks.exe
5092	schtasks.exe
1420	schtasks.exe
4140	schtasks.exe
1180	schtasks.exe
2044	schtasks.exe
1980	schtasks.exe
1468	schtasks.exe
3608	schtasks.exe
2160	schtasks.exe
3192	schtasks.exe
1936	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	Process
Token: SeDebugPrivilege	2340	258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exe
Token: SeDebugPrivilege	1856	Client.exe
Token: SeDebugPrivilege	4064	Client.exe
Token: SeDebugPrivilege	628	Client.exe
Token: SeDebugPrivilege	3588	Client.exe
Token: SeDebugPrivilege	1784	Client.exe
Token: SeDebugPrivilege	4532	Client.exe
Token: SeDebugPrivilege	4796	Client.exe
Token: SeDebugPrivilege	2076	Client.exe
Token: SeDebugPrivilege	4828	Client.exe
Token: SeDebugPrivilege	2300	Client.exe
Token: SeDebugPrivilege	4860	Client.exe
Token: SeDebugPrivilege	4560	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	Process	procid_target
PID 2340 wrote to memory of 1420	2340	258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exe	83
PID 2340 wrote to memory of 1420	2340	258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exe	83
PID 2340 wrote to memory of 1856	2340	258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exe	85
PID 2340 wrote to memory of 1856	2340	258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exe	85
PID 1856 wrote to memory of 4140	1856	Client.exe	86
PID 1856 wrote to memory of 4140	1856	Client.exe	86
PID 1856 wrote to memory of 1100	1856	Client.exe	90
PID 1856 wrote to memory of 1100	1856	Client.exe	90
PID 1100 wrote to memory of 4480	1100	cmd.exe	92
PID 1100 wrote to memory of 4480	1100	cmd.exe	92
PID 1100 wrote to memory of 4624	1100	cmd.exe	93
PID 1100 wrote to memory of 4624	1100	cmd.exe	93
PID 1100 wrote to memory of 4064	1100	cmd.exe	103
PID 1100 wrote to memory of 4064	1100	cmd.exe	103
PID 4064 wrote to memory of 3608	4064	Client.exe	104
PID 4064 wrote to memory of 3608	4064	Client.exe	104
PID 4064 wrote to memory of 4408	4064	Client.exe	107
PID 4064 wrote to memory of 4408	4064	Client.exe	107
PID 4408 wrote to memory of 2192	4408	cmd.exe	109
PID 4408 wrote to memory of 2192	4408	cmd.exe	109
PID 4408 wrote to memory of 4928	4408	cmd.exe	110
PID 4408 wrote to memory of 4928	4408	cmd.exe	110
PID 4408 wrote to memory of 628	4408	cmd.exe	112
PID 4408 wrote to memory of 628	4408	cmd.exe	112
PID 628 wrote to memory of 1180	628	Client.exe	113
PID 628 wrote to memory of 1180	628	Client.exe	113
PID 628 wrote to memory of 3356	628	Client.exe	116
PID 628 wrote to memory of 3356	628	Client.exe	116
PID 3356 wrote to memory of 3524	3356	cmd.exe	118
PID 3356 wrote to memory of 3524	3356	cmd.exe	118
PID 3356 wrote to memory of 3952	3356	cmd.exe	119
PID 3356 wrote to memory of 3952	3356	cmd.exe	119
PID 3356 wrote to memory of 3588	3356	cmd.exe	124
PID 3356 wrote to memory of 3588	3356	cmd.exe	124
PID 3588 wrote to memory of 2044	3588	Client.exe	125
PID 3588 wrote to memory of 2044	3588	Client.exe	125
PID 3588 wrote to memory of 2088	3588	Client.exe	128
PID 3588 wrote to memory of 2088	3588	Client.exe	128
PID 2088 wrote to memory of 3592	2088	cmd.exe	130
PID 2088 wrote to memory of 3592	2088	cmd.exe	130
PID 2088 wrote to memory of 448	2088	cmd.exe	131
PID 2088 wrote to memory of 448	2088	cmd.exe	131
PID 2088 wrote to memory of 1784	2088	cmd.exe	133
PID 2088 wrote to memory of 1784	2088	cmd.exe	133
PID 1784 wrote to memory of 2160	1784	Client.exe	134
PID 1784 wrote to memory of 2160	1784	Client.exe	134
PID 1784 wrote to memory of 1288	1784	Client.exe	137
PID 1784 wrote to memory of 1288	1784	Client.exe	137
PID 1288 wrote to memory of 4484	1288	cmd.exe	139
PID 1288 wrote to memory of 4484	1288	cmd.exe	139
PID 1288 wrote to memory of 4468	1288	cmd.exe	140
PID 1288 wrote to memory of 4468	1288	cmd.exe	140
PID 1288 wrote to memory of 4532	1288	cmd.exe	142
PID 1288 wrote to memory of 4532	1288	cmd.exe	142
PID 4532 wrote to memory of 3192	4532	Client.exe	143
PID 4532 wrote to memory of 3192	4532	Client.exe	143
PID 4532 wrote to memory of 940	4532	Client.exe	146
PID 4532 wrote to memory of 940	4532	Client.exe	146
PID 940 wrote to memory of 3472	940	cmd.exe	148
PID 940 wrote to memory of 3472	940	cmd.exe	148
PID 940 wrote to memory of 4440	940	cmd.exe	149
PID 940 wrote to memory of 4440	940	cmd.exe	149
PID 940 wrote to memory of 4796	940	cmd.exe	151
PID 940 wrote to memory of 4796	940	cmd.exe	151

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exe
"C:\Users\Admin\AppData\Local\Temp\258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1420
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IvV9vhBRIL4a.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4480
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4624
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4064
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3608
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYxy3dKFEsy5.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4408
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2192
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4928
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FgpK9x90GgGy.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3952
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lpmOajrkGUE9.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3592
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:448
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMIcoBZtNOXm.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4484
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4468
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LeC3ui8rKa0i.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3472
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4440
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4796
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\og2bkD4qbkXe.bat" "
        15⤵
        
        PID:920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4852
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:428
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gY3hBDKMUxcq.bat" "
        17⤵
        
        PID:1292
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2628
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3036
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jOoEDoctrpBq.bat" "
        19⤵
        
        PID:712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4280
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5076
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1Uhou0Uwhog1.bat" "
        21⤵
        
        PID:100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4476
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4468
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SVAFI2bfcSde.bat" "
        23⤵
        
        PID:4316
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3712
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4676
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1Uhou0Uwhog1.bat

Filesize
207B

MD5
a640be6a025bd7e103bbfccdf6661ce6

SHA1
17402b65f42ed74f0817a2ec2b6d3c4a2c5bf302

SHA256
bb4d91868fd17cc04bb744b67bf8787deb16cad22054442acbab03957e324acf

SHA512
984b93932074391f2a731a4cda22389e6d4767c836fb791e4f8d6882e3e61b53c93000c66cfb94c52c9ddf0717ef9c31f774ccd5bd1caba9f1ea98598e03527a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FgpK9x90GgGy.bat

Filesize
207B

MD5
3fff000ebcef2c4abbe5cc7aa32cb7af

SHA1
37e8992d16952be3078e35e6d5bb6384f9572c20

SHA256
1997056c79868a7185f09135b717613ecbbdf6a6bc22bba56fad8fed63383eaf

SHA512
d5ccf1e2a177d7f1d8ad8b474ae8096d13ecf8d02436323e9db7a832eb455b245b9d8a1dff65550d87eefeeaf01c6c23c2f2e5c30e073fe0ddecde550abff8ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IvV9vhBRIL4a.bat

Filesize
207B

MD5
88e30ca74bce3b31b6ccb371641fcd7f

SHA1
f64561805f86947221399a79ce44a413b440c672

SHA256
5b2dadbe7f9f2b27666decfcef4fb013ac94dac52613d1d6c2fa96a26441e115

SHA512
a074ce5121e534b2b64252808a8e3d9f9487dd984937c0ec622c288138b551e5c92832ff058a3ca659bde3aa4a786a8aa5a57d0c45c3841b687a15882745e813

Download Submit
C:\Users\Admin\AppData\Local\Temp\LeC3ui8rKa0i.bat

Filesize
207B

MD5
c593baef29cf0fcb9e5751d7dc29fb2a

SHA1
ddd69e93d42016d9eec3b12b709ed2ac66d0a4a5

SHA256
04c86e88442c4fc6793423a8f4c9d18388a6c3091fb203b0bfd6629ee8a8f9bb

SHA512
0ee424cd459631a0ee0f2374bfdbd078f5060e97e7cf3401bd3980e089c2cae52ed38b56caed03050f92910b26d9d95d3db77b7088ca967300402333275c055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\PMIcoBZtNOXm.bat

Filesize
207B

MD5
9010eafc46790ecc4358fa6b7c823f0b

SHA1
fb5acddc8837b51b4ce748f1d83d435bdb460f7f

SHA256
704f408a2c9dd83fab573f7e0f252975caf47699e2ac0704805f023604a13072

SHA512
9a4d01465178a404b0d4177fa99cce1a84b32d45df74b92d8688c6c8acdcfcb4c4426092706355aaf1eedda4cf8013e16b7b247e23a7d1f723224a53fef01518

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVAFI2bfcSde.bat

Filesize
207B

MD5
0c3b77f6eb6a7604f34c3c331f635ef1

SHA1
4a4d4da755ebbcd28ae0e5ad17c0c515fde5da31

SHA256
bc6c66c63f887d185f946a8bbf8d7708f7d390f52c4a148ecb6e45e96c91cb80

SHA512
a9f089436e32207774504033c0246fd21a5754e0eb50b899bd308e7c7d00a888e70780ffe2379db9ebcc4ecada40f2ceb0cb7e55fc92043f759d52e606c327e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYxy3dKFEsy5.bat

Filesize
207B

MD5
39586645b9e509fdf63232c011a59ce2

SHA1
8404d6344ba9f8f8c20e8758d79c93a0d0ed8c5d

SHA256
79f0ce76d4d2b7e4d614b6f22db5b2fbcb0ec1d7ebaf1a67b4f203ed01efa5a5

SHA512
cd75d8cc0625b59fa744cbb143c83d008604d58eeb4c1a69eb33c68aa3f18f115180bf9397746643bbd2f596f2e6004e8e1e94dbbfe930613793eb7225d7213d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gY3hBDKMUxcq.bat

Filesize
207B

MD5
4fcc4cdb063adc6f08fd216c57ea68af

SHA1
d00fc390db13d4b94904bc878b6d21773703fd7e

SHA256
1e5c1a74098b2af533fa93480f04860da442a0ab6208a9e99eed707fdf6ba973

SHA512
61d1210043d1d676eac7f83d66fd192189a4a9397197f4e1e780a4c8755f2e6ea393004e1c31251d41307103c98596987b9cb2de2b261568e443e5ff6d4baf95

Download Submit
C:\Users\Admin\AppData\Local\Temp\jOoEDoctrpBq.bat

Filesize
207B

MD5
b6bece3db9aa1f727ad633779f95d5a4

SHA1
999a88f7d22b0bfb8c69cef39c3f339822cdce3c

SHA256
45d85f78797a51e390e944b5ad4d1a112a00e16efc6b7b95502fea8919e0d66a

SHA512
0a586d1b4344092220e35d828fe5c1f7d09a4973cc1431de0c6698e6f5abda160f411914731315cfe00234a80d05b99bb7d314d07f8689d674bc0269372dad01

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpmOajrkGUE9.bat

Filesize
207B

MD5
b887aeb983d352d33d43f9ae418abcc5

SHA1
85595202ceed5467dd27fb8dd235bb5bdd44f3b7

SHA256
1c0223a0c6e1fcc15be1419ab3f1f3baeb45ba6e0c060822245988a90cf2a037

SHA512
925edf41b38318c8b06708208345b5c52e276d9063d5c32776ea3295cbb3e0c276ecf3e3533e9e4517f14c95e3d31c469c2a1b0fcf810a8200eaa7beecd2e450

Download Submit
C:\Users\Admin\AppData\Local\Temp\og2bkD4qbkXe.bat

Filesize
207B

MD5
48917352b4847edbce29674ef412cb22

SHA1
fc69a537a848078bfb353bbc7f608531be5b80d6

SHA256
b4aa5f99ab650f1d7e5d1f9539cc0d9ba820148970aafca84051b8591f0ca93f

SHA512
f42982d634014539c2efab645a4909b105dd958fe78a5aa4b025f390500da25bf90c13cc24f6a8186946c32cd3f95cf0e04237f6699e92fc21d829d96f930700

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
4b831b964f39059bfd95f56e78086830

SHA1
48649150d6a30522ee550b2cfc5b00fdda00889e

SHA256
258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db

SHA512
ed737225027fce0f6d030a3ab8f9ee329f395e08657e1c283402b7bcab772776f8015afd19535e250899893ed655b40fbed4f7fb2c22f28e668290d322ccd398

Download Submit
memory/1856-10-0x00007FFC30340000-0x00007FFC30E01000-memory.dmp

Filesize
10.8MB

Download
memory/1856-11-0x00007FFC30340000-0x00007FFC30E01000-memory.dmp

Filesize
10.8MB

Download
memory/1856-18-0x00007FFC30340000-0x00007FFC30E01000-memory.dmp

Filesize
10.8MB

Download
memory/1856-13-0x000000001B9A0000-0x000000001BA52000-memory.dmp

Filesize
712KB

Download
memory/1856-12-0x000000001B200000-0x000000001B250000-memory.dmp

Filesize
320KB

Download
memory/2340-9-0x00007FFC30340000-0x00007FFC30E01000-memory.dmp

Filesize
10.8MB

Download
memory/2340-0-0x00007FFC30343000-0x00007FFC30345000-memory.dmp

Filesize
8KB

Download
memory/2340-2-0x00007FFC30340000-0x00007FFC30E01000-memory.dmp

Filesize
10.8MB

Download
memory/2340-1-0x0000000000460000-0x0000000000784000-memory.dmp

Filesize
3.1MB

Download