quasar | 74eca969f95e873b2af9dcdedd0783e27d469aad3baf1af7b85ad751b34485a3

Analysis

max time kernel
146s
max time network
121s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
30/11/2024, 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

acf4f0b473278b8280c57f06a1a14752
SHA1

e3eb5b7e4d720cb9b3bf33f02c3c436c050dc614
SHA256

74eca969f95e873b2af9dcdedd0783e27d469aad3baf1af7b85ad751b34485a3
SHA512

d0be2e1ee64a2ae2bfd0a18b71fe4af44304b5fbaa8c2bad3c582750579c8503466e2b6edd00984cfafc78d8307e6e056a37a3da3bdb04b250623b99240ab936
SSDEEP

49152:rvvI22SsaNYfdPBldt698dBcjHWC41JFLoGdxTHHB72eh2NT:rvg22SsaNYfdPBldt6+dBcjHWCe

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

sites-talent.gl.at.ply.gg:12915:5050

Mutex

81bbd126-003c-423d-b244-5de29a86c135

Attributes

encryption_key
F1428A77E91FBF1B7AEC1D3D94E91E692E2ADBFF
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
thisisarat
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 15 IoCs

resource	yara_rule
behavioral1/memory/1548-1-0x0000000000FC0000-0x00000000012E4000-memory.dmp	family_quasar
behavioral1/files/0x0008000000016c66-5.dat	family_quasar
behavioral1/memory/2000-9-0x0000000000010000-0x0000000000334000-memory.dmp	family_quasar
behavioral1/memory/2816-22-0x0000000000260000-0x0000000000584000-memory.dmp	family_quasar
behavioral1/memory/1840-33-0x0000000000B90000-0x0000000000EB4000-memory.dmp	family_quasar
behavioral1/memory/2904-44-0x0000000000D00000-0x0000000001024000-memory.dmp	family_quasar
behavioral1/memory/1932-55-0x0000000000330000-0x0000000000654000-memory.dmp	family_quasar
behavioral1/memory/1464-67-0x0000000000D70000-0x0000000001094000-memory.dmp	family_quasar
behavioral1/memory/1424-78-0x0000000000140000-0x0000000000464000-memory.dmp	family_quasar
behavioral1/memory/2828-89-0x00000000001B0000-0x00000000004D4000-memory.dmp	family_quasar
behavioral1/memory/2144-101-0x0000000000DD0000-0x00000000010F4000-memory.dmp	family_quasar
behavioral1/memory/1968-113-0x0000000000EC0000-0x00000000011E4000-memory.dmp	family_quasar
behavioral1/memory/2372-146-0x0000000001310000-0x0000000001634000-memory.dmp	family_quasar
behavioral1/memory/848-157-0x0000000000150000-0x0000000000474000-memory.dmp	family_quasar
behavioral1/memory/2880-169-0x0000000000180000-0x00000000004A4000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2000	Client.exe
2816	Client.exe
1840	Client.exe
2904	Client.exe
1932	Client.exe
1464	Client.exe
1424	Client.exe
2828	Client.exe
2144	Client.exe
1968	Client.exe
1868	Client.exe
2088	Client.exe
2372	Client.exe
848	Client.exe
2880	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1480	PING.EXE
2532	PING.EXE
1180	PING.EXE
2324	PING.EXE
2360	PING.EXE
1364	PING.EXE
1940	PING.EXE
2148	PING.EXE
2056	PING.EXE
2764	PING.EXE
2236	PING.EXE
1620	PING.EXE
1836	PING.EXE
2084	PING.EXE
2492	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2148	PING.EXE
1620	PING.EXE
2236	PING.EXE
1180	PING.EXE
2324	PING.EXE
2764	PING.EXE
2360	PING.EXE
1364	PING.EXE
1480	PING.EXE
2532	PING.EXE
1836	PING.EXE
1940	PING.EXE
2492	PING.EXE
2056	PING.EXE
2084	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2656	schtasks.exe
2108	schtasks.exe
2352	schtasks.exe
1660	schtasks.exe
3008	schtasks.exe
2228	schtasks.exe
2860	schtasks.exe
2064	schtasks.exe
2876	schtasks.exe
2268	schtasks.exe
1552	schtasks.exe
2732	schtasks.exe
2564	schtasks.exe
1456	schtasks.exe
1536	schtasks.exe
2916	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1548	Client-built.exe
Token: SeDebugPrivilege	2000	Client.exe
Token: SeDebugPrivilege	2816	Client.exe
Token: SeDebugPrivilege	1840	Client.exe
Token: SeDebugPrivilege	2904	Client.exe
Token: SeDebugPrivilege	1932	Client.exe
Token: SeDebugPrivilege	1464	Client.exe
Token: SeDebugPrivilege	1424	Client.exe
Token: SeDebugPrivilege	2828	Client.exe
Token: SeDebugPrivilege	2144	Client.exe
Token: SeDebugPrivilege	1968	Client.exe
Token: SeDebugPrivilege	1868	Client.exe
Token: SeDebugPrivilege	2088	Client.exe
Token: SeDebugPrivilege	2372	Client.exe
Token: SeDebugPrivilege	848	Client.exe
Token: SeDebugPrivilege	2880	Client.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2000	Client.exe
2816	Client.exe
1840	Client.exe
2904	Client.exe
1932	Client.exe
1464	Client.exe
1424	Client.exe
2828	Client.exe
2144	Client.exe
1968	Client.exe
1868	Client.exe
2088	Client.exe
2372	Client.exe
848	Client.exe
2880	Client.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2000	Client.exe
2816	Client.exe
1840	Client.exe
2904	Client.exe
1932	Client.exe
1464	Client.exe
1424	Client.exe
2828	Client.exe
2144	Client.exe
1968	Client.exe
1868	Client.exe
2088	Client.exe
2372	Client.exe
848	Client.exe
2880	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 2564	1548	Client-built.exe	30
PID 1548 wrote to memory of 2564	1548	Client-built.exe	30
PID 1548 wrote to memory of 2564	1548	Client-built.exe	30
PID 1548 wrote to memory of 2000	1548	Client-built.exe	32
PID 1548 wrote to memory of 2000	1548	Client-built.exe	32
PID 1548 wrote to memory of 2000	1548	Client-built.exe	32
PID 2000 wrote to memory of 2228	2000	Client.exe	33
PID 2000 wrote to memory of 2228	2000	Client.exe	33
PID 2000 wrote to memory of 2228	2000	Client.exe	33
PID 2000 wrote to memory of 2756	2000	Client.exe	36
PID 2000 wrote to memory of 2756	2000	Client.exe	36
PID 2000 wrote to memory of 2756	2000	Client.exe	36
PID 2756 wrote to memory of 2724	2756	cmd.exe	38
PID 2756 wrote to memory of 2724	2756	cmd.exe	38
PID 2756 wrote to memory of 2724	2756	cmd.exe	38
PID 2756 wrote to memory of 2764	2756	cmd.exe	39
PID 2756 wrote to memory of 2764	2756	cmd.exe	39
PID 2756 wrote to memory of 2764	2756	cmd.exe	39
PID 2756 wrote to memory of 2816	2756	cmd.exe	40
PID 2756 wrote to memory of 2816	2756	cmd.exe	40
PID 2756 wrote to memory of 2816	2756	cmd.exe	40
PID 2816 wrote to memory of 2656	2816	Client.exe	41
PID 2816 wrote to memory of 2656	2816	Client.exe	41
PID 2816 wrote to memory of 2656	2816	Client.exe	41
PID 2816 wrote to memory of 272	2816	Client.exe	43
PID 2816 wrote to memory of 272	2816	Client.exe	43
PID 2816 wrote to memory of 272	2816	Client.exe	43
PID 272 wrote to memory of 1992	272	cmd.exe	45
PID 272 wrote to memory of 1992	272	cmd.exe	45
PID 272 wrote to memory of 1992	272	cmd.exe	45
PID 272 wrote to memory of 2360	272	cmd.exe	46
PID 272 wrote to memory of 2360	272	cmd.exe	46
PID 272 wrote to memory of 2360	272	cmd.exe	46
PID 272 wrote to memory of 1840	272	cmd.exe	47
PID 272 wrote to memory of 1840	272	cmd.exe	47
PID 272 wrote to memory of 1840	272	cmd.exe	47
PID 1840 wrote to memory of 2064	1840	Client.exe	48
PID 1840 wrote to memory of 2064	1840	Client.exe	48
PID 1840 wrote to memory of 2064	1840	Client.exe	48
PID 1840 wrote to memory of 1832	1840	Client.exe	50
PID 1840 wrote to memory of 1832	1840	Client.exe	50
PID 1840 wrote to memory of 1832	1840	Client.exe	50
PID 1832 wrote to memory of 2588	1832	cmd.exe	52
PID 1832 wrote to memory of 2588	1832	cmd.exe	52
PID 1832 wrote to memory of 2588	1832	cmd.exe	52
PID 1832 wrote to memory of 1364	1832	cmd.exe	53
PID 1832 wrote to memory of 1364	1832	cmd.exe	53
PID 1832 wrote to memory of 1364	1832	cmd.exe	53
PID 1832 wrote to memory of 2904	1832	cmd.exe	54
PID 1832 wrote to memory of 2904	1832	cmd.exe	54
PID 1832 wrote to memory of 2904	1832	cmd.exe	54
PID 2904 wrote to memory of 2860	2904	Client.exe	55
PID 2904 wrote to memory of 2860	2904	Client.exe	55
PID 2904 wrote to memory of 2860	2904	Client.exe	55
PID 2904 wrote to memory of 2980	2904	Client.exe	57
PID 2904 wrote to memory of 2980	2904	Client.exe	57
PID 2904 wrote to memory of 2980	2904	Client.exe	57
PID 2980 wrote to memory of 1444	2980	cmd.exe	59
PID 2980 wrote to memory of 1444	2980	cmd.exe	59
PID 2980 wrote to memory of 1444	2980	cmd.exe	59
PID 2980 wrote to memory of 1480	2980	cmd.exe	60
PID 2980 wrote to memory of 1480	2980	cmd.exe	60
PID 2980 wrote to memory of 1480	2980	cmd.exe	60
PID 2980 wrote to memory of 1932	2980	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2564
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2228
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\PDF5uce0vxOK.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2724
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2764
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2656
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\22fAjU56BuIU.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:272
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1992
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2360
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2064
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\19aL63RPMNeZ.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2588
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1364
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2860
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aBeURhvVAdWY.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1444
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1480
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1932
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2108
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LCc79LWG0Kn1.bat" "
        11⤵
        
        PID:2572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1940
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1464
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1456
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\6F5Ait2JJ41I.bat" "
        13⤵
        
        PID:996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:980
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2492
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1424
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2352
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JvkTY0rZLCBd.bat" "
        15⤵
        
        PID:2564
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2684
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2532
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2828
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1536
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\f4BmnozD8EGz.bat" "
        17⤵
        
        PID:2340
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2452
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2148
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2144
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2876
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IHpfPWED10LU.bat" "
        19⤵
        
        PID:1148
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2236
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1968
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2268
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dCn7iiM7BpHb.bat" "
        21⤵
        
        PID:2784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:824
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1620
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1868
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2916
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FvBU9yKC1MeR.bat" "
        23⤵
        
        PID:1396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2972
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1180
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2088
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1660
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3JZJ3bKVNHXu.bat" "
        25⤵
        
        PID:1308
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1456
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1836
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2372
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1552
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7SUYWLolmGBZ.bat" "
        27⤵
        
        PID:1528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2292
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2056
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:848
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3008
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yW7Sss19V1zM.bat" "
        29⤵
        
        PID:2836
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2084
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2880
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2732
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\t6c0z1Nv2SgD.bat" "
        31⤵
        
        PID:2884
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2712
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\19aL63RPMNeZ.bat

Filesize
207B

MD5
6abe6a690be303187ca7a7b111b1682d

SHA1
abfab28daa673048226d88cfb7ec0b064e50f58f

SHA256
f3a4fb54e9d3e607997579e4281ad881b118d994451b6731c741540b27f8e4e1

SHA512
6c67f568faa13255ec85289a4e1c5f4ee1e3ac01a7dd05101f91f1e7e8a533455034e3a86f78a7d2335dbd03274eac2786fee96aadd19740594b00557c1b65a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\22fAjU56BuIU.bat

Filesize
207B

MD5
405f90246c7403f142fe07809e6018eb

SHA1
f15dc29ab9dd360703c0cbc3a61e349fbc78c730

SHA256
c15be3bbcdbfa41d7bdf8c5bacc540495eafbb81a806bf3664b90ad8749a0010

SHA512
dd9b2d1d94ba67e7ae387df292bb36d44da56efa98277a886c8b838b3133e3230ee56c569f2fd7fb78ba45be5d31f6b4b99f1c968c501879ed4570fd167a3d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\3JZJ3bKVNHXu.bat

Filesize
207B

MD5
80d82badd527e0afb07f845ce3329652

SHA1
af901d856ec281b7545561ba14a330fa3e91fefa

SHA256
17363b1bcf8d9e88b932659d61c5d5102ca9dd5c353df15602e5c202e89ffed5

SHA512
36638310eef9b140269edcd270682993b2652bde725e1b3f4c10fb163238e8a2fabea09cec97cd7f7f4b4a396d3b6448a0f3af6c8bf1dd12b41499824d5e97f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F5Ait2JJ41I.bat

Filesize
207B

MD5
818623fbf5583bf4e0c53377ef509228

SHA1
a39e399f13b3e86c4c354dcf133d04249e82ac11

SHA256
c611c488430820964a5374d324270b434c88ade7da6ae740e70b1f3cb6baea94

SHA512
1824d15d4b88c2991ea7f997c10200e6b00d20402d59c987d68efa36bc5735745fde0bf438621c464a8e001a8930ba2ae39a7b9005b69a202bed8b85ae6e758b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7SUYWLolmGBZ.bat

Filesize
207B

MD5
985350c037ff586263c6f145daa38384

SHA1
fe88ac0fb0116f93fcf420832d6b431b686ddb0c

SHA256
7246db28025d96d7e796d447cd4dd188bfd3842d8ca1693dd1ddbdab7d34c701

SHA512
d8b3e04a0d9293cda147cd98cc3fb39c31a66d0f6c48abe4322be88f8da0ab54079537892663548ab15d696db6f079da7f4139738ec6a3b247ab3ba6f7685355

Download Submit
C:\Users\Admin\AppData\Local\Temp\FvBU9yKC1MeR.bat

Filesize
207B

MD5
155c889f259329ca99af9a0c39a7009e

SHA1
36d2999be0ab19161f21bc76942d9e8ac9f6d453

SHA256
676a733d67340505b3bbd9197f799a6a5afc2d5be8d1ee40efa197eacf71a727

SHA512
52089b336f9434a7c14b013673d00974149280b6f69be19569dcf7c00683cecc25449905c8494d48498c1a8680d9311df06dc36f07ed0468f75004ab004a5a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IHpfPWED10LU.bat

Filesize
207B

MD5
ef0c3674b97774f759c4060307e6ee60

SHA1
f01e6c70cbb79469054104cf9cfe211e5e93fc91

SHA256
6e2794a68a163794365bb1e0bb638b5574ce33eafcd4271380210de6cbc9cf5e

SHA512
8445d2243dd557dd50d78b1742b27f1dbf1b9845a7897abed0f5cd42cabe582320a973fd28ea2a89079b3efdee9fce8d1cea63306f7fe7aa850ef51a82dad852

Download Submit
C:\Users\Admin\AppData\Local\Temp\JvkTY0rZLCBd.bat

Filesize
207B

MD5
73eb705b85e172058bbdae1df6c235aa

SHA1
9995317f55ba805d54d61e35f49b99baa5e272a7

SHA256
f3e5328dac53655b35bbfdcd39124f660a871608757f17db75877417de40ce09

SHA512
95bb7012bb066bcbd76c20641bae32997493c3e931a57d75ba0d29888778301db2aa62d969a543b2b3a1a5b8d10f6b3dccdc26512acad80401f329a7c6418f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\LCc79LWG0Kn1.bat

Filesize
207B

MD5
34674e94fd884c659de7eb0cd6b889d8

SHA1
e57fc99032bc8069517654b5bcdfa9b9d95009a8

SHA256
17068b38ee0c611f22422ffdc0697e91fb65313dcfe7ddc4a421ea00feb3dd34

SHA512
2abc29ab560277ec9df34102b00e009476946a60a70f2c31edf18175d21463d2f34763e319dbe4b9e752e0241061da7b6a0689363c881e023dd518fee35129f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PDF5uce0vxOK.bat

Filesize
207B

MD5
1204e8c517c2e637c0ffb80ed09afb1c

SHA1
6ccc5b99cb5053ab7aa789b0a2c5b172565d9cd1

SHA256
da46c06a95056ba5610e8b668c666b4b326d490f2f4e82177991d2ed2f0fe188

SHA512
6e1b988baaff2b9288b27a7bbbd05b7bf1445dfe16a44fc734968ab1f603a8cde4a621c9ae438e2752c063744518a2c92468ff6f373cdb88b03fbc574a5bdc20

Download Submit
C:\Users\Admin\AppData\Local\Temp\aBeURhvVAdWY.bat

Filesize
207B

MD5
48711a266a99bddccd3bb8569530064d

SHA1
c0c3f203de8eb92e3e74c6469ca6448b8b7f97d1

SHA256
961304d84433c90b9b3d2e70508eb8cfef4469894a5f56d513495de9b6d6fa49

SHA512
93bb0075677e5a4f419439a2fa9041e18bd31705da650fcd6f2b8e9e2a1e8a07407b57650e04569e846fe1f8d5d89953c854266577fe6a166b880272685bfe89

Download Submit
C:\Users\Admin\AppData\Local\Temp\dCn7iiM7BpHb.bat

Filesize
207B

MD5
ac9d4cb4c60a3cbe5d2a2b42e20d6b3f

SHA1
a6c628347dd6068ac0e511bdf88e14acdea690fb

SHA256
ef9725535589c5ae38f6ad3cf459ac54443aac3642708fb0c52377ddb32d5613

SHA512
4bc72c748e47e7e119d79958ab01e9a00bd8b48a5a900845095ba48072d456ae502072142aa2994a96ff9202d60546cac1931ed9a19cf75a7c6e8b89ba0b1f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4BmnozD8EGz.bat

Filesize
207B

MD5
f60b5b87c3f218e12619adfa15af64a9

SHA1
19ec076369c0d4716c5ea92e605ce396f0aabee9

SHA256
39b11181e8df8571028b7f287e46cfb361b75f4f089938fcad5c8a8fd80e1581

SHA512
cb596584b59d31ce8941ba4ab725c3d6a2d69d66513694babb652883b6fbe8fdd3b765b6185bb5c09a53412dd05f5d414d5139829844525beb23267f6fe1fd94

Download Submit
C:\Users\Admin\AppData\Local\Temp\t6c0z1Nv2SgD.bat

Filesize
207B

MD5
eda3f26a438d9e90df71fa6c760063bf

SHA1
39158f7321424a13424d8ee6d94fc5f3ea1b3504

SHA256
312e3537d290420c0d2a81e97538a933e0937fd270f54a37bd82279db44a571a

SHA512
180ba576c8aaea3c97ec307f14404f0e9ba5f8484c75def86f64272664edac5d0e9be82157a1187bcb218002f5a3b09a6b5ca05338b7f3e1b3ed13f57646d7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\yW7Sss19V1zM.bat

Filesize
207B

MD5
f9aafc64e75ba080ac052fe4dbd34277

SHA1
ede496048715d75e2faf049ba27fbbf1c157a726

SHA256
d38f598482a59089a02a0b703c67cb2f232fbc442581b79870947444a1582157

SHA512
8a37f0a1f0beb497ef4201521fe4f5791c11d582eb4d0cc3bef382ab1cd74e298bd0fde9ff3ca9fa6e5034fa0a21b49705d1c1676376dbc2a65e9b3448b2f6ad

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
acf4f0b473278b8280c57f06a1a14752

SHA1
e3eb5b7e4d720cb9b3bf33f02c3c436c050dc614

SHA256
74eca969f95e873b2af9dcdedd0783e27d469aad3baf1af7b85ad751b34485a3

SHA512
d0be2e1ee64a2ae2bfd0a18b71fe4af44304b5fbaa8c2bad3c582750579c8503466e2b6edd00984cfafc78d8307e6e056a37a3da3bdb04b250623b99240ab936

Download Submit
memory/848-157-0x0000000000150000-0x0000000000474000-memory.dmp

Filesize
3.1MB

Download
memory/1424-78-0x0000000000140000-0x0000000000464000-memory.dmp

Filesize
3.1MB

Download
memory/1464-67-0x0000000000D70000-0x0000000001094000-memory.dmp

Filesize
3.1MB

Download
memory/1548-8-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/1548-2-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/1548-1-0x0000000000FC0000-0x00000000012E4000-memory.dmp

Filesize
3.1MB

Download
memory/1548-0-0x000007FEF56B3000-0x000007FEF56B4000-memory.dmp

Filesize
4KB

Download
memory/1840-33-0x0000000000B90000-0x0000000000EB4000-memory.dmp

Filesize
3.1MB

Download
memory/1932-55-0x0000000000330000-0x0000000000654000-memory.dmp

Filesize
3.1MB

Download
memory/1968-113-0x0000000000EC0000-0x00000000011E4000-memory.dmp

Filesize
3.1MB

Download
memory/2000-20-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/2000-10-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/2000-9-0x0000000000010000-0x0000000000334000-memory.dmp

Filesize
3.1MB

Download
memory/2000-7-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/2144-101-0x0000000000DD0000-0x00000000010F4000-memory.dmp

Filesize
3.1MB

Download
memory/2372-146-0x0000000001310000-0x0000000001634000-memory.dmp

Filesize
3.1MB

Download
memory/2816-22-0x0000000000260000-0x0000000000584000-memory.dmp

Filesize
3.1MB

Download
memory/2828-89-0x00000000001B0000-0x00000000004D4000-memory.dmp

Filesize
3.1MB

Download
memory/2880-169-0x0000000000180000-0x00000000004A4000-memory.dmp

Filesize
3.1MB

Download
memory/2904-44-0x0000000000D00000-0x0000000001024000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads