quasar | e23474d4ced13b09f65a3b139a26a5cd8058ecb4868cd3341f2f66753c058e52

Analysis

max time kernel
113s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e23474d4ced13b09f65a3b139a26a5cd8058ecb4868cd3341f2f66753c058e52N.exe
Size

3.1MB
MD5

6994654133f79a7a2b10a366fa153dc0
SHA1

57fc57f78b20b052f109ad3cb2201cd23c389fa4
SHA256

e23474d4ced13b09f65a3b139a26a5cd8058ecb4868cd3341f2f66753c058e52
SHA512

e9008515064390bf63c9fb03bd97d478863633eee6ee97b919a3070bf1231d7accd4ed5b9aa9392763d754b68717346c64aec4bb16b122598c7888d9d97f4b6d
SSDEEP

49152:DvilL26AaNeWgPhlmVqvMQ7XSKnIRJ6ibR3LoGdWhNTHHB72eh2NT:DvaL26AaNeWgPhlmVqkQ7XSKnIRJ6cY

Score

10^/10

quasar triage discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Triage

sekacex395-58825.portmap.host:1194

Mutex

144ba9a1-0ea5-481a-929a-2aff73023537

Attributes

encryption_key
480A149BDA5F1D4EEBD5CF8EA0711405B7FC59B1
install_name
Client.exe
log_directory
kLogs
reconnect_delay
3000
startup_key
Avast Free Antivirus
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2200-1-0x0000000000130000-0x0000000000454000-memory.dmp	family_quasar
behavioral1/files/0x002b000000015c7b-6.dat	family_quasar
behavioral1/memory/2776-10-0x00000000010A0000-0x00000000013C4000-memory.dmp	family_quasar
behavioral1/memory/2996-23-0x00000000003A0000-0x00000000006C4000-memory.dmp	family_quasar
behavioral1/memory/2740-34-0x00000000003E0000-0x0000000000704000-memory.dmp	family_quasar
behavioral1/memory/848-45-0x0000000000BC0000-0x0000000000EE4000-memory.dmp	family_quasar
behavioral1/memory/2948-56-0x0000000001260000-0x0000000001584000-memory.dmp	family_quasar
behavioral1/memory/1456-98-0x00000000002A0000-0x00000000005C4000-memory.dmp	family_quasar
behavioral1/memory/2736-109-0x0000000000C70000-0x0000000000F94000-memory.dmp	family_quasar
behavioral1/memory/2020-120-0x0000000000C90000-0x0000000000FB4000-memory.dmp	family_quasar

Executes dropped EXE 12 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	Process
2776	Client.exe
2996	Client.exe
2740	Client.exe
848	Client.exe
2948	Client.exe
1736	Client.exe
876	Client.exe
1836	Client.exe
1456	Client.exe
2736	Client.exe
2020	Client.exe
2148	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
1772	PING.EXE
2220	PING.EXE
600	PING.EXE
2156	PING.EXE
2580	PING.EXE
2980	PING.EXE
2556	PING.EXE
2128	PING.EXE
1624	PING.EXE
1984	PING.EXE
2056	PING.EXE
1888	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
2128	PING.EXE
1624	PING.EXE
1772	PING.EXE
2220	PING.EXE
600	PING.EXE
1888	PING.EXE
2556	PING.EXE
1984	PING.EXE
2056	PING.EXE
2156	PING.EXE
2580	PING.EXE
2980	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
2488	schtasks.exe
404	schtasks.exe
2632	schtasks.exe
1072	schtasks.exe
2488	schtasks.exe
2384	schtasks.exe
2544	schtasks.exe
2216	schtasks.exe
1468	schtasks.exe
300	schtasks.exe
1368	schtasks.exe
2088	schtasks.exe
2436	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

e23474d4ced13b09f65a3b139a26a5cd8058ecb4868cd3341f2f66753c058e52N.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	Process
Token: SeDebugPrivilege	2200	e23474d4ced13b09f65a3b139a26a5cd8058ecb4868cd3341f2f66753c058e52N.exe
Token: SeDebugPrivilege	2776	Client.exe
Token: SeDebugPrivilege	2996	Client.exe
Token: SeDebugPrivilege	2740	Client.exe
Token: SeDebugPrivilege	848	Client.exe
Token: SeDebugPrivilege	2948	Client.exe
Token: SeDebugPrivilege	1736	Client.exe
Token: SeDebugPrivilege	876	Client.exe
Token: SeDebugPrivilege	1836	Client.exe
Token: SeDebugPrivilege	1456	Client.exe
Token: SeDebugPrivilege	2736	Client.exe
Token: SeDebugPrivilege	2020	Client.exe
Token: SeDebugPrivilege	2148	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e23474d4ced13b09f65a3b139a26a5cd8058ecb4868cd3341f2f66753c058e52N.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	Process	procid_target
PID 2200 wrote to memory of 2632	2200	e23474d4ced13b09f65a3b139a26a5cd8058ecb4868cd3341f2f66753c058e52N.exe	30
PID 2200 wrote to memory of 2632	2200	e23474d4ced13b09f65a3b139a26a5cd8058ecb4868cd3341f2f66753c058e52N.exe	30
PID 2200 wrote to memory of 2632	2200	e23474d4ced13b09f65a3b139a26a5cd8058ecb4868cd3341f2f66753c058e52N.exe	30
PID 2200 wrote to memory of 2776	2200	e23474d4ced13b09f65a3b139a26a5cd8058ecb4868cd3341f2f66753c058e52N.exe	32
PID 2200 wrote to memory of 2776	2200	e23474d4ced13b09f65a3b139a26a5cd8058ecb4868cd3341f2f66753c058e52N.exe	32
PID 2200 wrote to memory of 2776	2200	e23474d4ced13b09f65a3b139a26a5cd8058ecb4868cd3341f2f66753c058e52N.exe	32
PID 2776 wrote to memory of 1072	2776	Client.exe	33
PID 2776 wrote to memory of 1072	2776	Client.exe	33
PID 2776 wrote to memory of 1072	2776	Client.exe	33
PID 2776 wrote to memory of 2552	2776	Client.exe	35
PID 2776 wrote to memory of 2552	2776	Client.exe	35
PID 2776 wrote to memory of 2552	2776	Client.exe	35
PID 2552 wrote to memory of 2524	2552	cmd.exe	37
PID 2552 wrote to memory of 2524	2552	cmd.exe	37
PID 2552 wrote to memory of 2524	2552	cmd.exe	37
PID 2552 wrote to memory of 2556	2552	cmd.exe	38
PID 2552 wrote to memory of 2556	2552	cmd.exe	38
PID 2552 wrote to memory of 2556	2552	cmd.exe	38
PID 2552 wrote to memory of 2996	2552	cmd.exe	39
PID 2552 wrote to memory of 2996	2552	cmd.exe	39
PID 2552 wrote to memory of 2996	2552	cmd.exe	39
PID 2996 wrote to memory of 300	2996	Client.exe	40
PID 2996 wrote to memory of 300	2996	Client.exe	40
PID 2996 wrote to memory of 300	2996	Client.exe	40
PID 2996 wrote to memory of 2600	2996	Client.exe	42
PID 2996 wrote to memory of 2600	2996	Client.exe	42
PID 2996 wrote to memory of 2600	2996	Client.exe	42
PID 2600 wrote to memory of 1180	2600	cmd.exe	44
PID 2600 wrote to memory of 1180	2600	cmd.exe	44
PID 2600 wrote to memory of 1180	2600	cmd.exe	44
PID 2600 wrote to memory of 2128	2600	cmd.exe	45
PID 2600 wrote to memory of 2128	2600	cmd.exe	45
PID 2600 wrote to memory of 2128	2600	cmd.exe	45
PID 2600 wrote to memory of 2740	2600	cmd.exe	46
PID 2600 wrote to memory of 2740	2600	cmd.exe	46
PID 2600 wrote to memory of 2740	2600	cmd.exe	46
PID 2740 wrote to memory of 1368	2740	Client.exe	47
PID 2740 wrote to memory of 1368	2740	Client.exe	47
PID 2740 wrote to memory of 1368	2740	Client.exe	47
PID 2740 wrote to memory of 544	2740	Client.exe	49
PID 2740 wrote to memory of 544	2740	Client.exe	49
PID 2740 wrote to memory of 544	2740	Client.exe	49
PID 544 wrote to memory of 2680	544	cmd.exe	51
PID 544 wrote to memory of 2680	544	cmd.exe	51
PID 544 wrote to memory of 2680	544	cmd.exe	51
PID 544 wrote to memory of 1624	544	cmd.exe	52
PID 544 wrote to memory of 1624	544	cmd.exe	52
PID 544 wrote to memory of 1624	544	cmd.exe	52
PID 544 wrote to memory of 848	544	cmd.exe	54
PID 544 wrote to memory of 848	544	cmd.exe	54
PID 544 wrote to memory of 848	544	cmd.exe	54
PID 848 wrote to memory of 2488	848	Client.exe	55
PID 848 wrote to memory of 2488	848	Client.exe	55
PID 848 wrote to memory of 2488	848	Client.exe	55
PID 848 wrote to memory of 2148	848	Client.exe	57
PID 848 wrote to memory of 2148	848	Client.exe	57
PID 848 wrote to memory of 2148	848	Client.exe	57
PID 2148 wrote to memory of 2412	2148	cmd.exe	59
PID 2148 wrote to memory of 2412	2148	cmd.exe	59
PID 2148 wrote to memory of 2412	2148	cmd.exe	59
PID 2148 wrote to memory of 1984	2148	cmd.exe	60
PID 2148 wrote to memory of 1984	2148	cmd.exe	60
PID 2148 wrote to memory of 1984	2148	cmd.exe	60
PID 2148 wrote to memory of 2948	2148	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e23474d4ced13b09f65a3b139a26a5cd8058ecb4868cd3341f2f66753c058e52N.exe
"C:\Users\Admin\AppData\Local\Temp\e23474d4ced13b09f65a3b139a26a5cd8058ecb4868cd3341f2f66753c058e52N.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2632
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1072
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\fPvKRlXkBw0R.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2524
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2556
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2996
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:300
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\l8DzUL8DtQ6w.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2600
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1180
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2128
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1368
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1tJzMpCQAhWh.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1624
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2488
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nCpcWvTYQPhP.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2412
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1984
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2088
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3IIWb9n6r6pt.bat" "
        11⤵
        
        PID:1740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1580
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1772
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2384
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dG3thfLgqbX1.bat" "
        13⤵
        
        PID:2988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:552
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2056
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2436
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NSgnPLXTbaUy.bat" "
        15⤵
        
        PID:2768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2764
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2156
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2544
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rzgUBE7t71PE.bat" "
        17⤵
        
        PID:2256
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2204
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2580
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2216
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OVqqF3GuFX6I.bat" "
        19⤵
        
        PID:1992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2828
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2220
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1468
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2bah3BMSFv21.bat" "
        21⤵
        
        PID:1952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2980
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2488
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VR1VDFbZnvyi.bat" "
        23⤵
        
        PID:848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2092
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:600
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:404
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0BtosAqZvAN4.bat" "
        25⤵
        
        PID:2084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1332
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0BtosAqZvAN4.bat

Filesize
207B

MD5
ed8b714070f771fe652870e8a3f2f8ad

SHA1
e34097c90ea0bbe9947baeb04ec0d28f9504ca7d

SHA256
d20a54e1e7432b03353aa2cd19652c5164ab6984e0068c183355e01058a27021

SHA512
9e15f21d811fb1ebbd23c5b1c8f4b1b64f546ea643c6af48d4c0a45f372cdacf51ae856ea8c3414123cd28c1740c5d6d31f876871fd23b3f1d9c191571117aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\1tJzMpCQAhWh.bat

Filesize
207B

MD5
3d3932ac42401b0c8ce88a43f167b3ae

SHA1
dc0b64b56e077f27e693862e1f513a304df675b9

SHA256
19f8bb9b79d29754aa4dd987f8b3850307fb420c2200b145bf300f878d305d49

SHA512
374710a24656c50cc6af482226fcc33cc8092dcec2ffa10df298636e8cb10c977303b52e62cc5dbbe99be695aca1fa8c8e390f43ba27582dc36b2064d42dc6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bah3BMSFv21.bat

Filesize
207B

MD5
dadb42fba5df56fa3c891fe130a36262

SHA1
9058367116332b0b81191ec05654bfb3839335e5

SHA256
9ec39f3b7ff05679fe0874f7fae34f1828d79fa6051730f2f3c66a3dbf808bfb

SHA512
f540d2a18ee06f321df2df2099abea9b52f9a08143aa103988662649227aeb8b78250ace6cdb261a596a8b32be7f1e7c5e41dcf36e69ea13f87a00e14ab334f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3IIWb9n6r6pt.bat

Filesize
207B

MD5
82f905524c28b6fe60466de89b252397

SHA1
4112f14d97b9418336eef0c1349461ddcc55ca75

SHA256
d75a315127f7020ac46b629bb77a1e657e78e47952fb66d8734dfa19b6eca53b

SHA512
29cae0c05a9749e86feaf9980b1aab4639048ea77cc5589bf20bbe1c18c65bafe69ff6918f6e21bb00e281a8ad261c96586726dac7f2e2abf03a1fbb0d1423f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSgnPLXTbaUy.bat

Filesize
207B

MD5
ccd001f93b4eb47991d93ea0782c22ab

SHA1
c3b7934db06b0d44dbbdc0a9342879bbb2ec4e34

SHA256
54f7f2d1df794512c7cd7fb3f156d65176428d0ac413db2ddc827d1772f8fa5c

SHA512
647293ca189b942a1af3b8ea33d766f7280616e08ec90f473e3f3b180a5dca3817c90d975922777e6e4ba16a81607a2d13c4e335fbd91d03f6b08c0cf9fc9e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\OVqqF3GuFX6I.bat

Filesize
207B

MD5
34f9e4a1f2af8fa8fb83e2fb02852d77

SHA1
81936baba6cb1254094a407002076bb19b792f97

SHA256
234d3d86e7adf96969ed32b8364254730ac28d48e0e8628fa248792440288373

SHA512
de9f8c6c1791c1778fdaab05c3c2c10dfa4ffbed795214b07e168672169dea185994c129e9548abcd852ee68a3f8e9e659f5c69ae0d8b958567a650238308620

Download Submit
C:\Users\Admin\AppData\Local\Temp\VR1VDFbZnvyi.bat

Filesize
207B

MD5
f38714383e79115d9e7ab80afad73dd6

SHA1
21be38adc624b67d665d6b96c775040e1accaa3d

SHA256
d8a5c064d424ed85d5163fb91487b50ea78e20c7b9f2c957a113f53d0cdf5153

SHA512
186d0b0a4414c077031c55949c4bf1b70ddb021b28477ba8558ecec9ba95b0ea1085164df249dbb9177f426bd9becdeb22bd5663c370452b8d11e5647f4047a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dG3thfLgqbX1.bat

Filesize
207B

MD5
1d5a5c39753cc54c0894aa3c6501c2ec

SHA1
0914cc4ba0e59a486b033c6ebd581dd1557c10ae

SHA256
f484d0cc9e5ff889712bf282d11dc5ee2a3f29c41475b4171278e79da5ab9fc5

SHA512
7cc78c7280d1a39f905e6b6e0fc32d060c148b37a033dcbe67020a103045af9ab82a80b1314b4769e029ae1f60bec8683951f09680a16c96d3e2cff38ea655f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fPvKRlXkBw0R.bat

Filesize
207B

MD5
a644e8346cf95f5c8e0b852ea185cafa

SHA1
d7bff87f49c56049134d96b8fcf7e75ebf065bc6

SHA256
e2cf2d9f33aea43bf583fb290a645b2600ab1a69e182afd3e2387735f0126008

SHA512
eebf2d0459bd41b5254aa498c77fc79e228eb1303cd2040025a3b7a8756e966f1f724b1ce7458932ab4428a88d0942d3b0d7dce4441e13a5e3095f969ad07173

Download Submit
C:\Users\Admin\AppData\Local\Temp\l8DzUL8DtQ6w.bat

Filesize
207B

MD5
9cd2e6a4d37dd515f0e02baeefb280f7

SHA1
44aba0b11eaa64591cbd49d70af5c3f7183dcdbb

SHA256
5bbf56e2293ad43993f232a6a4dbe108fc8d6176e2f2a7ba3476b59c97761998

SHA512
2afff63e58781606aeaf100b15bb5242bf33726aab36586357da64b39e23ebef1bec392e04c06d4a8e80592e115a25038d8de9061961d99274ff5a9b27081352

Download Submit
C:\Users\Admin\AppData\Local\Temp\nCpcWvTYQPhP.bat

Filesize
207B

MD5
5658e18cd7b66df2367a3215e0efd94b

SHA1
388bf5b631214c8d7f3ba332dbd322f17cb9eb35

SHA256
c9b104a1c7c5609783def0d34a0302fe132b80786e9c522a30d07a8cca48d0ab

SHA512
4b27063dc22e303723e0e471f34eaa01dfb774f07bb74e46927691064d1255396ee1fbdbf3c51050b9baef992bdf28cfddfcc33c8eacdd3e40525a18514a9fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rzgUBE7t71PE.bat

Filesize
207B

MD5
967b405478b512a0def75438cef230a3

SHA1
f8b19a359d25d1c66dc4cbb54a110f3b25245715

SHA256
1133269dda71f8ea1466ae761cf967184c6fc272f16bdf4b7b474f915f03ec37

SHA512
92018de43a6855495a353540839ed02709231b819b97a45fc334000f0d88f5384dae662d9b330be38437348a9bbead3dc7ddc908d9bbe6699147ee5bc5170074

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
6994654133f79a7a2b10a366fa153dc0

SHA1
57fc57f78b20b052f109ad3cb2201cd23c389fa4

SHA256
e23474d4ced13b09f65a3b139a26a5cd8058ecb4868cd3341f2f66753c058e52

SHA512
e9008515064390bf63c9fb03bd97d478863633eee6ee97b919a3070bf1231d7accd4ed5b9aa9392763d754b68717346c64aec4bb16b122598c7888d9d97f4b6d

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/848-45-0x0000000000BC0000-0x0000000000EE4000-memory.dmp

Filesize
3.1MB

Download
memory/1456-98-0x00000000002A0000-0x00000000005C4000-memory.dmp

Filesize
3.1MB

Download
memory/2020-120-0x0000000000C90000-0x0000000000FB4000-memory.dmp

Filesize
3.1MB

Download
memory/2200-9-0x000007FEF5070000-0x000007FEF5A5C000-memory.dmp

Filesize
9.9MB

Download
memory/2200-1-0x0000000000130000-0x0000000000454000-memory.dmp

Filesize
3.1MB

Download
memory/2200-2-0x000007FEF5070000-0x000007FEF5A5C000-memory.dmp

Filesize
9.9MB

Download
memory/2200-0-0x000007FEF5073000-0x000007FEF5074000-memory.dmp

Filesize
4KB

Download
memory/2736-109-0x0000000000C70000-0x0000000000F94000-memory.dmp

Filesize
3.1MB

Download
memory/2740-34-0x00000000003E0000-0x0000000000704000-memory.dmp

Filesize
3.1MB

Download
memory/2776-10-0x00000000010A0000-0x00000000013C4000-memory.dmp

Filesize
3.1MB

Download
memory/2776-11-0x000007FEF5070000-0x000007FEF5A5C000-memory.dmp

Filesize
9.9MB

Download
memory/2776-8-0x000007FEF5070000-0x000007FEF5A5C000-memory.dmp

Filesize
9.9MB

Download
memory/2776-21-0x000007FEF5070000-0x000007FEF5A5C000-memory.dmp

Filesize
9.9MB

Download
memory/2948-56-0x0000000001260000-0x0000000001584000-memory.dmp

Filesize
3.1MB

Download
memory/2996-23-0x00000000003A0000-0x00000000006C4000-memory.dmp

Filesize
3.1MB

Download