quasar | 258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db

Analysis

max time kernel
143s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exe
Size

3.1MB
MD5

4b831b964f39059bfd95f56e78086830
SHA1

48649150d6a30522ee550b2cfc5b00fdda00889e
SHA256

258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db
SHA512

ed737225027fce0f6d030a3ab8f9ee329f395e08657e1c283402b7bcab772776f8015afd19535e250899893ed655b40fbed4f7fb2c22f28e668290d322ccd398
SSDEEP

49152:DvilL26AaNeWgPhlmVqvMQ7XSKnIRJ6ibR3LoGdWhNTHHB72eh2NT8:DvaL26AaNeWgPhlmVqkQ7XSKnIRJ6cYp

Score

10^/10

quasar triage discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Triage

sekacex395-58825.portmap.host:1194

Mutex

144ba9a1-0ea5-481a-929a-2aff73023537

Attributes

encryption_key
480A149BDA5F1D4EEBD5CF8EA0711405B7FC59B1
install_name
Client.exe
log_directory
kLogs
reconnect_delay
3000
startup_key
Avast Free Antivirus
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2820-1-0x0000000000020000-0x0000000000344000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
behavioral1/memory/2852-9-0x00000000009C0000-0x0000000000CE4000-memory.dmp	family_quasar
behavioral1/memory/628-23-0x0000000000B30000-0x0000000000E54000-memory.dmp	family_quasar
behavioral1/memory/1876-35-0x00000000001B0000-0x00000000004D4000-memory.dmp	family_quasar
behavioral1/memory/2184-46-0x0000000000380000-0x00000000006A4000-memory.dmp	family_quasar
behavioral1/memory/2448-57-0x0000000000D90000-0x00000000010B4000-memory.dmp	family_quasar
behavioral1/memory/1992-79-0x00000000002A0000-0x00000000005C4000-memory.dmp	family_quasar
behavioral1/memory/2808-91-0x0000000000010000-0x0000000000334000-memory.dmp	family_quasar
behavioral1/memory/1748-102-0x0000000001300000-0x0000000001624000-memory.dmp	family_quasar
behavioral1/memory/2720-156-0x00000000001E0000-0x0000000000504000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
2852	Client.exe
628	Client.exe
1876	Client.exe
2184	Client.exe
2448	Client.exe
1648	Client.exe
1992	Client.exe
2808	Client.exe
1748	Client.exe
1544	Client.exe
1960	Client.exe
2144	Client.exe
2972	Client.exe
996	Client.exe
2720	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
1512	PING.EXE
1472	PING.EXE
1496	PING.EXE
2096	PING.EXE
336	PING.EXE
1828	PING.EXE
1860	PING.EXE
692	PING.EXE
2548	PING.EXE
1952	PING.EXE
2832	PING.EXE
2876	PING.EXE
2780	PING.EXE
1924	PING.EXE
1696	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
2832	PING.EXE
1860	PING.EXE
2876	PING.EXE
336	PING.EXE
692	PING.EXE
1828	PING.EXE
1696	PING.EXE
1952	PING.EXE
1924	PING.EXE
1512	PING.EXE
1472	PING.EXE
2548	PING.EXE
1496	PING.EXE
2096	PING.EXE
2780	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2808	schtasks.exe
2156	schtasks.exe
1608	schtasks.exe
1764	schtasks.exe
1196	schtasks.exe
2180	schtasks.exe
1524	schtasks.exe
3012	schtasks.exe
2204	schtasks.exe
3032	schtasks.exe
3060	schtasks.exe
2888	schtasks.exe
948	schtasks.exe
796	schtasks.exe
1420	schtasks.exe
2860	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	2820	258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exe
Token: SeDebugPrivilege	2852	Client.exe
Token: SeDebugPrivilege	628	Client.exe
Token: SeDebugPrivilege	1876	Client.exe
Token: SeDebugPrivilege	2184	Client.exe
Token: SeDebugPrivilege	2448	Client.exe
Token: SeDebugPrivilege	1648	Client.exe
Token: SeDebugPrivilege	1992	Client.exe
Token: SeDebugPrivilege	2808	Client.exe
Token: SeDebugPrivilege	1748	Client.exe
Token: SeDebugPrivilege	1544	Client.exe
Token: SeDebugPrivilege	1960	Client.exe
Token: SeDebugPrivilege	2144	Client.exe
Token: SeDebugPrivilege	2972	Client.exe
Token: SeDebugPrivilege	2720	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 2820 wrote to memory of 3060	2820	258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exe	schtasks.exe
PID 2820 wrote to memory of 3060	2820	258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exe	schtasks.exe
PID 2820 wrote to memory of 3060	2820	258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exe	schtasks.exe
PID 2820 wrote to memory of 2852	2820	258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exe	Client.exe
PID 2820 wrote to memory of 2852	2820	258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exe	Client.exe
PID 2820 wrote to memory of 2852	2820	258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exe	Client.exe
PID 2852 wrote to memory of 2808	2852	Client.exe	schtasks.exe
PID 2852 wrote to memory of 2808	2852	Client.exe	schtasks.exe
PID 2852 wrote to memory of 2808	2852	Client.exe	schtasks.exe
PID 2852 wrote to memory of 2984	2852	Client.exe	cmd.exe
PID 2852 wrote to memory of 2984	2852	Client.exe	cmd.exe
PID 2852 wrote to memory of 2984	2852	Client.exe	cmd.exe
PID 2984 wrote to memory of 264	2984	cmd.exe	chcp.com
PID 2984 wrote to memory of 264	2984	cmd.exe	chcp.com
PID 2984 wrote to memory of 264	2984	cmd.exe	chcp.com
PID 2984 wrote to memory of 692	2984	cmd.exe	PING.EXE
PID 2984 wrote to memory of 692	2984	cmd.exe	PING.EXE
PID 2984 wrote to memory of 692	2984	cmd.exe	PING.EXE
PID 2984 wrote to memory of 628	2984	cmd.exe	Client.exe
PID 2984 wrote to memory of 628	2984	cmd.exe	Client.exe
PID 2984 wrote to memory of 628	2984	cmd.exe	Client.exe
PID 628 wrote to memory of 2888	628	Client.exe	schtasks.exe
PID 628 wrote to memory of 2888	628	Client.exe	schtasks.exe
PID 628 wrote to memory of 2888	628	Client.exe	schtasks.exe
PID 628 wrote to memory of 644	628	Client.exe	cmd.exe
PID 628 wrote to memory of 644	628	Client.exe	cmd.exe
PID 628 wrote to memory of 644	628	Client.exe	cmd.exe
PID 644 wrote to memory of 2436	644	cmd.exe	chcp.com
PID 644 wrote to memory of 2436	644	cmd.exe	chcp.com
PID 644 wrote to memory of 2436	644	cmd.exe	chcp.com
PID 644 wrote to memory of 1828	644	cmd.exe	PING.EXE
PID 644 wrote to memory of 1828	644	cmd.exe	PING.EXE
PID 644 wrote to memory of 1828	644	cmd.exe	PING.EXE
PID 644 wrote to memory of 1876	644	cmd.exe	Client.exe
PID 644 wrote to memory of 1876	644	cmd.exe	Client.exe
PID 644 wrote to memory of 1876	644	cmd.exe	Client.exe
PID 1876 wrote to memory of 1196	1876	Client.exe	schtasks.exe
PID 1876 wrote to memory of 1196	1876	Client.exe	schtasks.exe
PID 1876 wrote to memory of 1196	1876	Client.exe	schtasks.exe
PID 1876 wrote to memory of 2760	1876	Client.exe	cmd.exe
PID 1876 wrote to memory of 2760	1876	Client.exe	cmd.exe
PID 1876 wrote to memory of 2760	1876	Client.exe	cmd.exe
PID 2760 wrote to memory of 1732	2760	cmd.exe	chcp.com
PID 2760 wrote to memory of 1732	2760	cmd.exe	chcp.com
PID 2760 wrote to memory of 1732	2760	cmd.exe	chcp.com
PID 2760 wrote to memory of 1924	2760	cmd.exe	PING.EXE
PID 2760 wrote to memory of 1924	2760	cmd.exe	PING.EXE
PID 2760 wrote to memory of 1924	2760	cmd.exe	PING.EXE
PID 2760 wrote to memory of 2184	2760	cmd.exe	Client.exe
PID 2760 wrote to memory of 2184	2760	cmd.exe	Client.exe
PID 2760 wrote to memory of 2184	2760	cmd.exe	Client.exe
PID 2184 wrote to memory of 2156	2184	Client.exe	schtasks.exe
PID 2184 wrote to memory of 2156	2184	Client.exe	schtasks.exe
PID 2184 wrote to memory of 2156	2184	Client.exe	schtasks.exe
PID 2184 wrote to memory of 2116	2184	Client.exe	cmd.exe
PID 2184 wrote to memory of 2116	2184	Client.exe	cmd.exe
PID 2184 wrote to memory of 2116	2184	Client.exe	cmd.exe
PID 2116 wrote to memory of 1400	2116	cmd.exe	chcp.com
PID 2116 wrote to memory of 1400	2116	cmd.exe	chcp.com
PID 2116 wrote to memory of 1400	2116	cmd.exe	chcp.com
PID 2116 wrote to memory of 1512	2116	cmd.exe	PING.EXE
PID 2116 wrote to memory of 1512	2116	cmd.exe	PING.EXE
PID 2116 wrote to memory of 1512	2116	cmd.exe	PING.EXE
PID 2116 wrote to memory of 2448	2116	cmd.exe	Client.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exe
"C:\Users\Admin\AppData\Local\Temp\258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3060
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2808
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\UBfBtSHB0xfX.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:264
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:692
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:628
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2888
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\m2lH8yzDivK1.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:644
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2436
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1828
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1196
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ya53p0Yps9be.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1732
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1924
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2156
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\f5ZewpUw00fG.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1400
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1512
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3012
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bG1OCYCokrDU.bat" "
        11⤵
        
        PID:1296
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1776
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1696
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:948
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3f2AUBhjGyrT.bat" "
        13⤵
        
        PID:3008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1952
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1608
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XZP3Lyn2MLtJ.bat" "
        15⤵
        
        PID:2140
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2832
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:796
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EuV7JjIfT74L.bat" "
        17⤵
        
        PID:264
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1860
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2180
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3t8kTYToUi5o.bat" "
        19⤵
        
        PID:2420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1448
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1496
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1420
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\crNMvpCughHV.bat" "
        21⤵
        
        PID:1876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:348
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2096
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1764
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MebDn5fcef5d.bat" "
        23⤵
        
        PID:1404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2484
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2876
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2860
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sVibnNhxAsaM.bat" "
        25⤵
        
        PID:656
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1444
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1472
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3032
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QOgZKLi3Zwc1.bat" "
        27⤵
        
        PID:2092
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:988
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:336
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Executes dropped EXE
        
        PID:996
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1524
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QQRMVGtB8pPW.bat" "
        29⤵
        
        PID:2652
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2264
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2780
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2204
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\33TDaI3efU29.bat" "
        31⤵
        
        PID:2648
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2700
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\33TDaI3efU29.bat

Filesize
207B

MD5
29ff2977942157be44bece543bef850c

SHA1
dd039043fb4aade2fde8055e815ff2c03da94f0b

SHA256
5ccba59aed31fb994275401d46b81de76977de52b3b7f47ea9b652f6de507782

SHA512
fb603ef4c1f7deeb1c3677849e0e809f387e7ed1d4959c0386f18aef2638806bd112d8a94f4a65f1aba4a2035fb46184c3c9626314908cf9e8514fb7149f03a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f2AUBhjGyrT.bat

Filesize
207B

MD5
3fec2fef7983d97cef74564a579e80aa

SHA1
c4892fba9d3c071117f63e5d736c367142266ff9

SHA256
173fad7e493f339a3a66dd1bd3d933e5b0486ee0f9c65d72a6b3370afc5552a7

SHA512
9e7ee4a4586f8fc181668d8bf8a84c5cb01d194b28238dc82572e146c4de4def5762f61c38cb21c4b1661f4ce433e628b4320e301136714484e6383fc47263bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\3t8kTYToUi5o.bat

Filesize
207B

MD5
ff76de2cf40826da8a933049ec468b50

SHA1
b050b0f1bf5076f2fb9f638a28b79a3bad1156d6

SHA256
9e1085ad2d7cba4f6ccfa850c601dab00d200b272428248b6b93afe7c47e253e

SHA512
3a50ce44aac5b8f60e19569ce11461ba78837a0c530b54009958007f962282833ec3692b12325dd7d61030f0caab876991a9e8bc080dc20d1731a893a5b3cc0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EuV7JjIfT74L.bat

Filesize
207B

MD5
9496370e8fa3eb83579ca95e922d90d5

SHA1
a1d211010731f2d9e788b9117a3a73a8e51b813d

SHA256
e1ffb5b2e4d49eded3e5968441708d5fc1015fdf09cde7e36ab47c84e43803e6

SHA512
4150764dcc9af88f065d6d025e8501f6f59a6c0fcf413529b609e38b9b8696002e5077ff123c4f131cf19fe2aef54664c44bc7ca057be51baacc5838a0860c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\MebDn5fcef5d.bat

Filesize
207B

MD5
4bad7b5262d4753b371505875e7d49c3

SHA1
37910a83797174bd962b96deb8612ca708ab98f7

SHA256
34fc4352335e147b6cc1baca03079d374c1c59fcdd3e6b127f06145d9472a0ec

SHA512
9b07e6cab2511fd576d55e673b134cd0e28c48441ff04d499803b5882e63cab0101c4ad21879368b71745e7dc262ae32cb809dc8085c04ed4b4ba999ee57da0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QOgZKLi3Zwc1.bat

Filesize
207B

MD5
b79cd5684d256836ba05e3bc2f76ae15

SHA1
2d6ad84bf1b0f9c6121f1ec0a0507db48a65ad07

SHA256
ea5d5e9f9f9afa48459a7583612d483f2610b261bb3fb9a9f5616087b7f48137

SHA512
c4bce8361161fa90aadf392037f7b9cb985762ce9dc5ae62b83dd934f7c568c0aeb79c0f8f79afeab0bf127b37b223ff2a559bd04e4d08c1d0c8d2821641565c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UBfBtSHB0xfX.bat

Filesize
207B

MD5
8134437ee0de952b8bdfab43fa07eb1d

SHA1
3f799da8e710db67a28f289a3f9f9a5947b883b7

SHA256
1b4c7ded0619c8d9014feb2b3e844df1ad7687ec1b5604fe65c5f2ca2acf333b

SHA512
07c578fdfb65c25dc15c6262943118399b51bf018efaecce3ef74f7f23fe777008673724a890c9aeadcfd4505ea5577591f0200739e1c0cb5804d01e0014507c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XZP3Lyn2MLtJ.bat

Filesize
207B

MD5
a521559a5aed36292f7fc64e67d2dc1b

SHA1
2d1f8b6829bcdf10c9ceb4920a968dc549715226

SHA256
a1eabc5736fedb92d0a73bd688a2d5de223dbf157979f5932c896a5f8f108fa6

SHA512
6365955c1847b81eb5b01b76119f6a42f3a52666c63033465a93bf01e408b29b0440250f26959f60ec425aceaa4bd72f69a734f182740e0d82507278b268c7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\bG1OCYCokrDU.bat

Filesize
207B

MD5
439a46aecdb9bdc6220e7e9fab5ea91e

SHA1
199701cc3b385b77097364ab1dd716faf8496182

SHA256
92528147be13a57fe20283713f34f42fe77f853703522d6534a03d70327e3171

SHA512
54e06a07ffed1350a37aa7bc1fe9ba6e2bc61e937440641d7b01c937fc29ba301f35495509124eebb9e91be6bda485dd517e588ea33ec82cbacb1ef621be8c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\crNMvpCughHV.bat

Filesize
207B

MD5
b973afc978ce030d3bf052b2703ce61d

SHA1
bf50637f901dcc5a3a63d21c18cedc6c38e8859c

SHA256
6429f05e19c1f0841038a2cf38cf998d11de416a36b3533adc2cc15b7934e6c4

SHA512
284147e57c56358f760765f407416e9ad399f683bdc1f5810b43466a3317dbdda2bd290398fc54227b93898da177b7389514e70bac2ae0d9eeeb0e6fb8ee6777

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5ZewpUw00fG.bat

Filesize
207B

MD5
a3bb48436dd91acc75ab0c1631691c3e

SHA1
bec68e52472219676336f4dfde98bd7bd7dcffbc

SHA256
e726c62f7848758210df7c09f0a28810b0c54fcac18756c3a37fce5eb163ef22

SHA512
34fed2e6f52d8fd9fc6487483506e89a67ac96a255df70adde87ebadee420458d40b60a82052b90c67e28a4315fd9a0cef3300c56c7fb8db93508bb9b20673ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\m2lH8yzDivK1.bat

Filesize
207B

MD5
786c8a393f3134d2ebcdc8da791af456

SHA1
6e4c924b768c1b7d9b75f7d6788e5702508e383c

SHA256
2b7114eb719f806daf9e55098e9d883c9c8af2ecae1834b4374b6c88c1676d80

SHA512
2cec816f586f9875290335eaa3b7eb7cb6be25ea68578f590b3d951d7bf91459bb056a1cc2d9f5d071bc06cb5482f8f91f9cb3d85aa23ac8857c5b0bbd85e578

Download Submit
C:\Users\Admin\AppData\Local\Temp\sVibnNhxAsaM.bat

Filesize
207B

MD5
da006294b19bc43c2db1bcc0549b5a12

SHA1
96f1ef04dc3c238d2d5cc2aee1006fdf0e427aa1

SHA256
92a12e74555319bbbe2d30a6e451ecff80d36086577c98251201efe6aca0531e

SHA512
f7ea5908a86e396b7580a9ce60e84178ea9ad0aea8ea4b26617b3699aa11ea9541636bb686bb991752e76612cbe82c9df3bb0d16caec7ea9b5d34c21394c4593

Download Submit
C:\Users\Admin\AppData\Local\Temp\ya53p0Yps9be.bat

Filesize
207B

MD5
a1f4cda343fec5a2b77cf0441192028b

SHA1
1441dd4efe74a1a08cbc5a9ca30bdf1e73ece4d8

SHA256
9ec33333c248a5913f430bed51f4d736bc478f77f590a802bc559afc1be0519d

SHA512
5d366772d31d482030512eb4d9f3b4c530d8b8e1158cd3f4377563cea9c9f9c0c9ec8b0f83c565bd398ff3cbca989373798fa918b0072b3d35884e5d9e08a5ce

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
4b831b964f39059bfd95f56e78086830

SHA1
48649150d6a30522ee550b2cfc5b00fdda00889e

SHA256
258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db

SHA512
ed737225027fce0f6d030a3ab8f9ee329f395e08657e1c283402b7bcab772776f8015afd19535e250899893ed655b40fbed4f7fb2c22f28e668290d322ccd398

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/628-23-0x0000000000B30000-0x0000000000E54000-memory.dmp

Filesize
3.1MB

Download
memory/1748-102-0x0000000001300000-0x0000000001624000-memory.dmp

Filesize
3.1MB

Download
memory/1876-35-0x00000000001B0000-0x00000000004D4000-memory.dmp

Filesize
3.1MB

Download
memory/1992-79-0x00000000002A0000-0x00000000005C4000-memory.dmp

Filesize
3.1MB

Download
memory/2184-46-0x0000000000380000-0x00000000006A4000-memory.dmp

Filesize
3.1MB

Download
memory/2448-57-0x0000000000D90000-0x00000000010B4000-memory.dmp

Filesize
3.1MB

Download
memory/2720-156-0x00000000001E0000-0x0000000000504000-memory.dmp

Filesize
3.1MB

Download
memory/2808-91-0x0000000000010000-0x0000000000334000-memory.dmp

Filesize
3.1MB

Download
memory/2820-8-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2820-2-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2820-0-0x000007FEF5433000-0x000007FEF5434000-memory.dmp

Filesize
4KB

Download
memory/2820-1-0x0000000000020000-0x0000000000344000-memory.dmp

Filesize
3.1MB

Download
memory/2852-10-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2852-11-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2852-9-0x00000000009C0000-0x0000000000CE4000-memory.dmp

Filesize
3.1MB

Download
memory/2852-20-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download