quasar | e23474d4ced13b09f65a3b139a26a5cd8058ecb4868cd3341f2f66753c058e52

Analysis

max time kernel
118s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e23474d4ced13b09f65a3b139a26a5cd8058ecb4868cd3341f2f66753c058e52N.exe
Size

3.1MB
MD5

6994654133f79a7a2b10a366fa153dc0
SHA1

57fc57f78b20b052f109ad3cb2201cd23c389fa4
SHA256

e23474d4ced13b09f65a3b139a26a5cd8058ecb4868cd3341f2f66753c058e52
SHA512

e9008515064390bf63c9fb03bd97d478863633eee6ee97b919a3070bf1231d7accd4ed5b9aa9392763d754b68717346c64aec4bb16b122598c7888d9d97f4b6d
SSDEEP

49152:DvilL26AaNeWgPhlmVqvMQ7XSKnIRJ6ibR3LoGdWhNTHHB72eh2NT:DvaL26AaNeWgPhlmVqkQ7XSKnIRJ6cY

Score

10^/10

quasar triage discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Triage

sekacex395-58825.portmap.host:1194

Mutex

144ba9a1-0ea5-481a-929a-2aff73023537

Attributes

encryption_key
480A149BDA5F1D4EEBD5CF8EA0711405B7FC59B1
install_name
Client.exe
log_directory
kLogs
reconnect_delay
3000
startup_key
Avast Free Antivirus
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4280-1-0x0000000000480000-0x00000000007A4000-memory.dmp	family_quasar
behavioral2/files/0x0008000000023c7a-6.dat	family_quasar

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 12 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	Process
2008	Client.exe
4444	Client.exe
2324	Client.exe
4644	Client.exe
1352	Client.exe
4372	Client.exe
4880	Client.exe
2324	Client.exe
1160	Client.exe
2032	Client.exe
800	Client.exe
2616	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
2640	PING.EXE
60	PING.EXE
1892	PING.EXE
4152	PING.EXE
3824	PING.EXE
2228	PING.EXE
2356	PING.EXE
1656	PING.EXE
3296	PING.EXE
3128	PING.EXE
2372	PING.EXE
1496	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
4152	PING.EXE
3296	PING.EXE
2372	PING.EXE
1656	PING.EXE
1496	PING.EXE
1892	PING.EXE
3824	PING.EXE
3128	PING.EXE
2228	PING.EXE
2356	PING.EXE
2640	PING.EXE
60	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
3844	schtasks.exe
4316	schtasks.exe
3568	schtasks.exe
848	schtasks.exe
680	schtasks.exe
540	schtasks.exe
2032	schtasks.exe
1612	schtasks.exe
4592	schtasks.exe
1116	schtasks.exe
3660	schtasks.exe
372	schtasks.exe
3016	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

e23474d4ced13b09f65a3b139a26a5cd8058ecb4868cd3341f2f66753c058e52N.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	Process
Token: SeDebugPrivilege	4280	e23474d4ced13b09f65a3b139a26a5cd8058ecb4868cd3341f2f66753c058e52N.exe
Token: SeDebugPrivilege	2008	Client.exe
Token: SeDebugPrivilege	4444	Client.exe
Token: SeDebugPrivilege	2324	Client.exe
Token: SeDebugPrivilege	4644	Client.exe
Token: SeDebugPrivilege	1352	Client.exe
Token: SeDebugPrivilege	4372	Client.exe
Token: SeDebugPrivilege	4880	Client.exe
Token: SeDebugPrivilege	2324	Client.exe
Token: SeDebugPrivilege	1160	Client.exe
Token: SeDebugPrivilege	2032	Client.exe
Token: SeDebugPrivilege	800	Client.exe
Token: SeDebugPrivilege	2616	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e23474d4ced13b09f65a3b139a26a5cd8058ecb4868cd3341f2f66753c058e52N.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	Process	procid_target
PID 4280 wrote to memory of 3660	4280	e23474d4ced13b09f65a3b139a26a5cd8058ecb4868cd3341f2f66753c058e52N.exe	83
PID 4280 wrote to memory of 3660	4280	e23474d4ced13b09f65a3b139a26a5cd8058ecb4868cd3341f2f66753c058e52N.exe	83
PID 4280 wrote to memory of 2008	4280	e23474d4ced13b09f65a3b139a26a5cd8058ecb4868cd3341f2f66753c058e52N.exe	85
PID 4280 wrote to memory of 2008	4280	e23474d4ced13b09f65a3b139a26a5cd8058ecb4868cd3341f2f66753c058e52N.exe	85
PID 2008 wrote to memory of 372	2008	Client.exe	86
PID 2008 wrote to memory of 372	2008	Client.exe	86
PID 2008 wrote to memory of 800	2008	Client.exe	88
PID 2008 wrote to memory of 800	2008	Client.exe	88
PID 800 wrote to memory of 4064	800	cmd.exe	90
PID 800 wrote to memory of 4064	800	cmd.exe	90
PID 800 wrote to memory of 4152	800	cmd.exe	91
PID 800 wrote to memory of 4152	800	cmd.exe	91
PID 800 wrote to memory of 4444	800	cmd.exe	105
PID 800 wrote to memory of 4444	800	cmd.exe	105
PID 4444 wrote to memory of 3568	4444	Client.exe	106
PID 4444 wrote to memory of 3568	4444	Client.exe	106
PID 4444 wrote to memory of 3084	4444	Client.exe	109
PID 4444 wrote to memory of 3084	4444	Client.exe	109
PID 3084 wrote to memory of 3668	3084	cmd.exe	111
PID 3084 wrote to memory of 3668	3084	cmd.exe	111
PID 3084 wrote to memory of 3296	3084	cmd.exe	112
PID 3084 wrote to memory of 3296	3084	cmd.exe	112
PID 3084 wrote to memory of 2324	3084	cmd.exe	114
PID 3084 wrote to memory of 2324	3084	cmd.exe	114
PID 2324 wrote to memory of 3016	2324	Client.exe	115
PID 2324 wrote to memory of 3016	2324	Client.exe	115
PID 2324 wrote to memory of 4816	2324	Client.exe	118
PID 2324 wrote to memory of 4816	2324	Client.exe	118
PID 4816 wrote to memory of 2556	4816	cmd.exe	120
PID 4816 wrote to memory of 2556	4816	cmd.exe	120
PID 4816 wrote to memory of 3824	4816	cmd.exe	121
PID 4816 wrote to memory of 3824	4816	cmd.exe	121
PID 4816 wrote to memory of 4644	4816	cmd.exe	125
PID 4816 wrote to memory of 4644	4816	cmd.exe	125
PID 4644 wrote to memory of 540	4644	Client.exe	126
PID 4644 wrote to memory of 540	4644	Client.exe	126
PID 4644 wrote to memory of 608	4644	Client.exe	129
PID 4644 wrote to memory of 608	4644	Client.exe	129
PID 608 wrote to memory of 3696	608	cmd.exe	131
PID 608 wrote to memory of 3696	608	cmd.exe	131
PID 608 wrote to memory of 3128	608	cmd.exe	132
PID 608 wrote to memory of 3128	608	cmd.exe	132
PID 608 wrote to memory of 1352	608	cmd.exe	134
PID 608 wrote to memory of 1352	608	cmd.exe	134
PID 1352 wrote to memory of 2032	1352	Client.exe	135
PID 1352 wrote to memory of 2032	1352	Client.exe	135
PID 1352 wrote to memory of 676	1352	Client.exe	138
PID 1352 wrote to memory of 676	1352	Client.exe	138
PID 676 wrote to memory of 868	676	cmd.exe	140
PID 676 wrote to memory of 868	676	cmd.exe	140
PID 676 wrote to memory of 2372	676	cmd.exe	141
PID 676 wrote to memory of 2372	676	cmd.exe	141
PID 676 wrote to memory of 4372	676	cmd.exe	143
PID 676 wrote to memory of 4372	676	cmd.exe	143
PID 4372 wrote to memory of 848	4372	Client.exe	144
PID 4372 wrote to memory of 848	4372	Client.exe	144
PID 4372 wrote to memory of 3468	4372	Client.exe	147
PID 4372 wrote to memory of 3468	4372	Client.exe	147
PID 3468 wrote to memory of 904	3468	cmd.exe	149
PID 3468 wrote to memory of 904	3468	cmd.exe	149
PID 3468 wrote to memory of 2228	3468	cmd.exe	150
PID 3468 wrote to memory of 2228	3468	cmd.exe	150
PID 3468 wrote to memory of 4880	3468	cmd.exe	152
PID 3468 wrote to memory of 4880	3468	cmd.exe	152

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e23474d4ced13b09f65a3b139a26a5cd8058ecb4868cd3341f2f66753c058e52N.exe
"C:\Users\Admin\AppData\Local\Temp\e23474d4ced13b09f65a3b139a26a5cd8058ecb4868cd3341f2f66753c058e52N.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3660
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\f3TlOTsbv635.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:800
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4064
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4152
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4444
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3568
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9BiszIwTKqJq.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3084
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3668
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3296
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOe17sSqTpdU.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3824
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZHKNODCP84KO.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3128
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m8aIHF1Af9Cs.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:868
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2372
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lThoty9hLqqJ.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:904
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2228
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4880
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1NmuDV6diOly.bat" "
        15⤵
        
        PID:2920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2356
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwJ7LSJAVBhl.bat" "
        17⤵
        
        PID:4320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\K6d2SSiuveVv.bat" "
        19⤵
        
        PID:4492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4276
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2640
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9HN7JOwIacQV.bat" "
        21⤵
        
        PID:3964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1496
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:800
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XqOfRggvfGW2.bat" "
        23⤵
        
        PID:2428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2444
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:60
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6lvkvIFrkt7s.bat" "
        25⤵
        
        PID:1576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1NmuDV6diOly.bat

Filesize
207B

MD5
52d63d0c5854c081103155197caac66f

SHA1
1ddb522892aaa055369e46fb1ee70b59c6e92a12

SHA256
1f57244145ff3603b2d017596b4ed1cde475b9f009e2692e9dd4dec6150571f2

SHA512
145c5348713db556ad2c0fb8ed267409b5092fc43f94021184600699002739d107d571819a8b10640f5b45bca4f3628cb7a3d1b8a299457891762c90f4cca763

Download Submit
C:\Users\Admin\AppData\Local\Temp\6lvkvIFrkt7s.bat

Filesize
207B

MD5
1fe1427b76ed7ec9873df72bc35bb39e

SHA1
7db7213c59f70f148796fb43ad032efac741e46d

SHA256
d023c294bc956839eb3606eef25f2ade11541fccc1b08a00ec06e3eb9dab23ae

SHA512
9eb0dbf721154b8241a8633263c1f63443a16cf02e2d6319d373b5eaf493e24f5d489a5f5fe0c0a5724e99df8a4c5340b39306e6efe03d6ddd40f0a90f246f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BiszIwTKqJq.bat

Filesize
207B

MD5
b395b6b09d1dd2753a02d9ca02b64241

SHA1
0fa5e3c0a8f52de48841cb11052e62a6ac3255e8

SHA256
0838a2cf052685d39f9fc78d7d02eb97d87d08709391f403deee316f8f30cbb9

SHA512
6cf08483cbea4cd3927e619ec10a48ce50a35b16d5bbebf73ccd08c32d98b7d3ebfadc7cb136a4ca45844dd294ac32aac2ab19b295c930a60cda863343daded2

Download Submit
C:\Users\Admin\AppData\Local\Temp\9HN7JOwIacQV.bat

Filesize
207B

MD5
f8f219583f41d09fc279f1650e6377e5

SHA1
99b1d44bcedb8a35286b4da2e655c85a87da7578

SHA256
feb08723b9b5c7ba14c4d8612696bbaef7d5dadbb8309fcc5093c49ec72cb612

SHA512
88f527ea2b5ac0faf18f2dbba16b58cc66f11245439f46b9772b327e01417df0611d459ac4b3de98ea123ff21014141d172dfb384f64d37292b37b247d06f62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HwJ7LSJAVBhl.bat

Filesize
207B

MD5
ae04016cd1922ead9d3afa3ced9af788

SHA1
5e9fbe40f748812151559b37fece60ca12181d58

SHA256
f59f95b7373e0ce9d2e9192b2eaaaa7273e10b126737e1ce04045edc92be88aa

SHA512
026280ad1ab7a58682273306f86f87b69c0151a8056c6bc8224f5fd7911e599d439314d8a203c7a7cf64342747d5ba348ec093f3e46d77901a90e9f0a7e6edf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\K6d2SSiuveVv.bat

Filesize
207B

MD5
4f28810ad98410d42314ab365880b370

SHA1
dd937c467c14d738d3cb515899030d1b698f32cf

SHA256
49e2956e6f6556b0529f8cd033451752dd039615bee7ce0e7b75404f8600d575

SHA512
be4413d3db1d7b7a16d1485b3dac0ff00b865fd178343dc0130b5bc6580a182f8ef4e4eba62ed2cca05af6cb534f2891b8a4025a7af90516bad85df237bdfcb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XqOfRggvfGW2.bat

Filesize
207B

MD5
8d95cb9028aa22a709eb1143383be21b

SHA1
49a49ea79e92a4179051d0c4e276d1762063eb9d

SHA256
50b6575a91d06df261a1b3cc506a8ccf16c093bd234023a6b8348d50436ff3c7

SHA512
d76e20c5a04f5a3674c5a5c2174f5b2e20356cc702c99c9838bebaa45c18e6e7756b36e4343f07e1c0d4198529b0f55ed01cb0475d727c172471af03c141ab16

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZHKNODCP84KO.bat

Filesize
207B

MD5
598b94aecb7a9de992c3ee54fea95687

SHA1
72b7e66e592d6158a012547a6e0e03681304cff4

SHA256
16b71b990ba110f5f2b31dbe422b8f0e0900b7a1a3f2bf2a13682b2cd9bc0f10

SHA512
0d945d4e0bebfc2e9823b718e4dc7d80ed3d1d148f9d04d259144e6a00bdc54e5c664bc12ef139c71dd06afa440169014c40bb58e60ca4e88def267754090791

Download Submit
C:\Users\Admin\AppData\Local\Temp\eOe17sSqTpdU.bat

Filesize
207B

MD5
c5b3b28c5c94ac1995f4a3ce163821d4

SHA1
aba8698bf549f01bf5ba4c47b26bd3042d7bc4b6

SHA256
e0e48f4f0710e8e8b28dedc4fcde8cfced7607c38d86d6ae4eacbdb4ef548535

SHA512
6651fec9615eb71617dace6a3143407a33440c6355bbe91f331c669aff257a31b96e4636e2816c9b707ea0a3152601bc48e63a35861c5dbbe4095afdea6c9b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3TlOTsbv635.bat

Filesize
207B

MD5
553fdcd7bd612387c2e578723dbf8e05

SHA1
342f5664ddb1ea9614d007ed69e36e3e14cc82a8

SHA256
deb3eb8e58991f25375d6ddb0e28fe9ed248587f4cc6c645c379f0c472047b2f

SHA512
8c5ab70f6a6e455b64bdd4a42ee549c1f8c7d5a9c6713e05f57372239dc97add8b4d1a84949192b6568e41fa83f2b931d02f3c007791c8cb9c1a8569a6c13bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\lThoty9hLqqJ.bat

Filesize
207B

MD5
df40b7f0577eb7d6e3f493ed4cd6d023

SHA1
7a3cfb9ddc6569a54237cff7da2b7a1c7082b4e1

SHA256
0a2b1408398f952076aee6bc25bda77402e718da88af6bc7f4d27b1402584300

SHA512
c0d8d8472e68509418f239b751784a5a6be0aa81b5221b05ab67250aa7c7335b7171c1af83db537e0e93a63e2677ece3eecbdec548c94bcc234be1123a79b6c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\m8aIHF1Af9Cs.bat

Filesize
207B

MD5
4bc9bbc6b62728cbad1630879021fb43

SHA1
1485a3db46c2b7f51300deaaa96e3a213c192857

SHA256
7dfadce34c2048e734ca12c72cac2b56cdf52a4185aec6b50006bcbf6053f8e8

SHA512
b1e9de570fe4900b5708065948e1f6e4bc46653a06349e8de99831ae89923cb62223878bf4521166ac3b42442ae113b7258c632e34732554cab2beee179943ee

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
6994654133f79a7a2b10a366fa153dc0

SHA1
57fc57f78b20b052f109ad3cb2201cd23c389fa4

SHA256
e23474d4ced13b09f65a3b139a26a5cd8058ecb4868cd3341f2f66753c058e52

SHA512
e9008515064390bf63c9fb03bd97d478863633eee6ee97b919a3070bf1231d7accd4ed5b9aa9392763d754b68717346c64aec4bb16b122598c7888d9d97f4b6d

Download Submit
memory/2008-19-0x00007FFD651D0000-0x00007FFD65C91000-memory.dmp

Filesize
10.8MB

Download
memory/2008-13-0x000000001C290000-0x000000001C342000-memory.dmp

Filesize
712KB

Download
memory/2008-12-0x000000001C180000-0x000000001C1D0000-memory.dmp

Filesize
320KB

Download
memory/2008-11-0x00007FFD651D0000-0x00007FFD65C91000-memory.dmp

Filesize
10.8MB

Download
memory/2008-9-0x00007FFD651D0000-0x00007FFD65C91000-memory.dmp

Filesize
10.8MB

Download
memory/4280-0-0x00007FFD651D3000-0x00007FFD651D5000-memory.dmp

Filesize
8KB

Download
memory/4280-10-0x00007FFD651D0000-0x00007FFD65C91000-memory.dmp

Filesize
10.8MB

Download
memory/4280-2-0x00007FFD651D0000-0x00007FFD65C91000-memory.dmp

Filesize
10.8MB

Download
memory/4280-1-0x0000000000480000-0x00000000007A4000-memory.dmp

Filesize
3.1MB

Download