quasar | 74eca969f95e873b2af9dcdedd0783e27d469aad3baf1af7b85ad751b34485a3

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

acf4f0b473278b8280c57f06a1a14752
SHA1

e3eb5b7e4d720cb9b3bf33f02c3c436c050dc614
SHA256

74eca969f95e873b2af9dcdedd0783e27d469aad3baf1af7b85ad751b34485a3
SHA512

d0be2e1ee64a2ae2bfd0a18b71fe4af44304b5fbaa8c2bad3c582750579c8503466e2b6edd00984cfafc78d8307e6e056a37a3da3bdb04b250623b99240ab936
SSDEEP

49152:rvvI22SsaNYfdPBldt698dBcjHWC41JFLoGdxTHHB72eh2NT:rvg22SsaNYfdPBldt6+dBcjHWCe

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

sites-talent.gl.at.ply.gg:12915:5050

Mutex

81bbd126-003c-423d-b244-5de29a86c135

Attributes

encryption_key
F1428A77E91FBF1B7AEC1D3D94E91E692E2ADBFF
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
thisisarat
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2808-1-0x0000000000070000-0x0000000000394000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023c8c-5.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
3864	Client.exe
2292	Client.exe
2820	Client.exe
4620	Client.exe
3368	Client.exe
1972	Client.exe
4476	Client.exe
4856	Client.exe
4900	Client.exe
3328	Client.exe
4956	Client.exe
900	Client.exe
5056	Client.exe
2284	Client.exe
2904	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1636	PING.EXE
3520	PING.EXE
5024	PING.EXE
1740	PING.EXE
4252	PING.EXE
3876	PING.EXE
3568	PING.EXE
1596	PING.EXE
4872	PING.EXE
3952	PING.EXE
2880	PING.EXE
4800	PING.EXE
3184	PING.EXE
4484	PING.EXE
3656	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1636	PING.EXE
5024	PING.EXE
3568	PING.EXE
3520	PING.EXE
2880	PING.EXE
4484	PING.EXE
3656	PING.EXE
3876	PING.EXE
1596	PING.EXE
3184	PING.EXE
4872	PING.EXE
4252	PING.EXE
4800	PING.EXE
1740	PING.EXE
3952	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4568	schtasks.exe
716	schtasks.exe
856	schtasks.exe
4604	schtasks.exe
808	schtasks.exe
2128	schtasks.exe
716	schtasks.exe
5064	schtasks.exe
2408	schtasks.exe
856	schtasks.exe
3484	schtasks.exe
2196	schtasks.exe
4284	schtasks.exe
4524	schtasks.exe
4760	schtasks.exe
3952	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	Client-built.exe
Token: SeDebugPrivilege	3864	Client.exe
Token: SeDebugPrivilege	2292	Client.exe
Token: SeDebugPrivilege	2820	Client.exe
Token: SeDebugPrivilege	4620	Client.exe
Token: SeDebugPrivilege	3368	Client.exe
Token: SeDebugPrivilege	1972	Client.exe
Token: SeDebugPrivilege	4476	Client.exe
Token: SeDebugPrivilege	4856	Client.exe
Token: SeDebugPrivilege	4900	Client.exe
Token: SeDebugPrivilege	3328	Client.exe
Token: SeDebugPrivilege	4956	Client.exe
Token: SeDebugPrivilege	900	Client.exe
Token: SeDebugPrivilege	5056	Client.exe
Token: SeDebugPrivilege	2284	Client.exe
Token: SeDebugPrivilege	2904	Client.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
3864	Client.exe
2292	Client.exe
2820	Client.exe
4620	Client.exe
3368	Client.exe
1972	Client.exe
4476	Client.exe
4856	Client.exe
4900	Client.exe
3328	Client.exe
4956	Client.exe
900	Client.exe
5056	Client.exe
2284	Client.exe
2904	Client.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
3864	Client.exe
2292	Client.exe
2820	Client.exe
4620	Client.exe
3368	Client.exe
1972	Client.exe
4476	Client.exe
4856	Client.exe
4900	Client.exe
3328	Client.exe
4956	Client.exe
900	Client.exe
5056	Client.exe
2284	Client.exe
2904	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 4760	2808	Client-built.exe	83
PID 2808 wrote to memory of 4760	2808	Client-built.exe	83
PID 2808 wrote to memory of 3864	2808	Client-built.exe	85
PID 2808 wrote to memory of 3864	2808	Client-built.exe	85
PID 3864 wrote to memory of 856	3864	Client.exe	86
PID 3864 wrote to memory of 856	3864	Client.exe	86
PID 3864 wrote to memory of 3972	3864	Client.exe	88
PID 3864 wrote to memory of 3972	3864	Client.exe	88
PID 3972 wrote to memory of 4556	3972	cmd.exe	90
PID 3972 wrote to memory of 4556	3972	cmd.exe	90
PID 3972 wrote to memory of 1636	3972	cmd.exe	91
PID 3972 wrote to memory of 1636	3972	cmd.exe	91
PID 3972 wrote to memory of 2292	3972	cmd.exe	93
PID 3972 wrote to memory of 2292	3972	cmd.exe	93
PID 2292 wrote to memory of 3952	2292	Client.exe	94
PID 2292 wrote to memory of 3952	2292	Client.exe	94
PID 2292 wrote to memory of 4524	2292	Client.exe	96
PID 2292 wrote to memory of 4524	2292	Client.exe	96
PID 4524 wrote to memory of 2020	4524	cmd.exe	99
PID 4524 wrote to memory of 2020	4524	cmd.exe	99
PID 4524 wrote to memory of 3520	4524	cmd.exe	100
PID 4524 wrote to memory of 3520	4524	cmd.exe	100
PID 4524 wrote to memory of 2820	4524	cmd.exe	115
PID 4524 wrote to memory of 2820	4524	cmd.exe	115
PID 2820 wrote to memory of 4284	2820	Client.exe	116
PID 2820 wrote to memory of 4284	2820	Client.exe	116
PID 2820 wrote to memory of 4092	2820	Client.exe	118
PID 2820 wrote to memory of 4092	2820	Client.exe	118
PID 4092 wrote to memory of 3292	4092	cmd.exe	121
PID 4092 wrote to memory of 3292	4092	cmd.exe	121
PID 4092 wrote to memory of 1596	4092	cmd.exe	122
PID 4092 wrote to memory of 1596	4092	cmd.exe	122
PID 4092 wrote to memory of 4620	4092	cmd.exe	127
PID 4092 wrote to memory of 4620	4092	cmd.exe	127
PID 4620 wrote to memory of 3484	4620	Client.exe	128
PID 4620 wrote to memory of 3484	4620	Client.exe	128
PID 4620 wrote to memory of 492	4620	Client.exe	130
PID 4620 wrote to memory of 492	4620	Client.exe	130
PID 492 wrote to memory of 3096	492	cmd.exe	133
PID 492 wrote to memory of 3096	492	cmd.exe	133
PID 492 wrote to memory of 2880	492	cmd.exe	134
PID 492 wrote to memory of 2880	492	cmd.exe	134
PID 492 wrote to memory of 3368	492	cmd.exe	136
PID 492 wrote to memory of 3368	492	cmd.exe	136
PID 3368 wrote to memory of 4604	3368	Client.exe	137
PID 3368 wrote to memory of 4604	3368	Client.exe	137
PID 3368 wrote to memory of 3200	3368	Client.exe	140
PID 3368 wrote to memory of 3200	3368	Client.exe	140
PID 3200 wrote to memory of 980	3200	cmd.exe	142
PID 3200 wrote to memory of 980	3200	cmd.exe	142
PID 3200 wrote to memory of 5024	3200	cmd.exe	143
PID 3200 wrote to memory of 5024	3200	cmd.exe	143
PID 3200 wrote to memory of 1972	3200	cmd.exe	145
PID 3200 wrote to memory of 1972	3200	cmd.exe	145
PID 1972 wrote to memory of 716	1972	Client.exe	146
PID 1972 wrote to memory of 716	1972	Client.exe	146
PID 1972 wrote to memory of 672	1972	Client.exe	149
PID 1972 wrote to memory of 672	1972	Client.exe	149
PID 672 wrote to memory of 3556	672	cmd.exe	151
PID 672 wrote to memory of 3556	672	cmd.exe	151
PID 672 wrote to memory of 3184	672	cmd.exe	152
PID 672 wrote to memory of 3184	672	cmd.exe	152
PID 672 wrote to memory of 4476	672	cmd.exe	153
PID 672 wrote to memory of 4476	672	cmd.exe	153

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4760
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3864
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2uBIyo9bErBL.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3972
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4556
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1636
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2292
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3952
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SQXmCv2IBdnq.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4524
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2020
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3520
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m6qYV8LG5UF0.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3292
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1596
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3p8v2ZU6cCy0.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3096
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2880
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ONfFOZShgXcI.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:980
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5024
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t1A7bJvj13Wz.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3184
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4476
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAidxPmmS5MY.bat" "
        15⤵
        
        PID:2408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4872
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4856
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\db8hmUPIvhto.bat" "
        17⤵
        
        PID:2176
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1596
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1740
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4900
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2urAsO4kdG9.bat" "
        19⤵
        
        PID:2892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1476
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4252
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3328
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZzeDsjWqnTzd.bat" "
        21⤵
        
        PID:2908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4800
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4956
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RR3hOsrg9dYB.bat" "
        23⤵
        
        PID:2004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4244
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3876
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:900
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqBapELNqilA.bat" "
        25⤵
        
        PID:4428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4672
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4484
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5056
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q0cSDAjGA83s.bat" "
        27⤵
        
        PID:4196
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1312
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3656
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2284
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tw4xblX84p5R.bat" "
        29⤵
        
        PID:3052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2880
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3568
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2904
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAU64W2P2nAb.bat" "
        31⤵
        
        PID:368
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:3756
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2uBIyo9bErBL.bat

Filesize
207B

MD5
750f22902a23e801a5bcb9a013af37d9

SHA1
feb5650e917d6d0071e87530d709bdab3619919d

SHA256
27f60e8b7f7624868b81f96cc1f07426f001d47125c486b99cbd8229f2189296

SHA512
52f442ab7e1f7b1eb20df1fe41d5424ee33e18c5d2d699ddf75f4b86044b8cbf6ff8a946bf7e2923c73d88ca62b8ce0e9e5db33abc1a3268f661979c14278856

Download Submit
C:\Users\Admin\AppData\Local\Temp\3p8v2ZU6cCy0.bat

Filesize
207B

MD5
b34f971d4cb8da1c244095a3e6a77aa9

SHA1
7f1501b01877a2f2ab517856cd1e6ea09ecd000e

SHA256
2fb24d58205d4d4f0bff3cf6993a70886cbcadf11c233113eb0d7034da5a1bb8

SHA512
88a2871232b65fa8b76bf75624af9e86b49b82ea5e4bda0206e08e66ece1bd3b14a9bc1c8435387003d96cd4c7c6d8413bec7446fd2e187c3599b3d96cb16003

Download Submit
C:\Users\Admin\AppData\Local\Temp\H2urAsO4kdG9.bat

Filesize
207B

MD5
3f7622966d27cb1d99fda3885c3f64f8

SHA1
3d4d6f11c0e6f1f0474c2587151011cf94eaf716

SHA256
9c15d672167184161598c6d510bcc46644e90958c31f0774d02437957a9a5b58

SHA512
31e11da5143f5230b7f111b52ae6e9093155587aff1b466fba9d6ba5abcc8f93bc0f5814e290f81e3ffaf5d18f30a55f53d700bc00cf0bbd5110b8200299cec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAU64W2P2nAb.bat

Filesize
207B

MD5
95bba87c0c8f3e3c252d6f5753f2d8af

SHA1
36e4f2128b1d507f0f86db27d5b596517366caee

SHA256
2612b89e4ccd453f3ddf213a80f8c96d0815debcb60b694dda62a5d27ea4ec44

SHA512
b678426c23f13f3926783a30602405c42077dc4cab3cf78c8e64b087d30930106b297003029ed1b284c0a45fcd9ba4478244e7be171c0d8c53eebfcffbf28c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONfFOZShgXcI.bat

Filesize
207B

MD5
978408cd3c4252fefece90a944436bc7

SHA1
5f8e938a6655299335cef4c22f3929800b3385f8

SHA256
945147bac4a4d34cd27803829e192cbcc4faae311723d3936d6b498bd48616b4

SHA512
5b0f4d157d6728e390c63d85fcc0b5c31367c7f733ce7d6c1536bcc7bd79632d87134e6548493f8e368b35cfe27c803fb2af8eef3bfcea22155ef522794fc6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q0cSDAjGA83s.bat

Filesize
207B

MD5
8824d0ea4aebb086de6699d0e4ebbb89

SHA1
4300975354cd13471bb4c299b26f04cd4dbc821e

SHA256
8e3f72e4946b09a39a55dd5889e3bb37aa6859fa021bce14aebd5826a758a8cf

SHA512
f18be08e48a596291633fa7b3d7c3f146e8c8638dda5208ed2d8dd03f7a294f906bef9aec19bba513238393e63df5de3554f685125b85f13cf89d0dcd4b5e5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAidxPmmS5MY.bat

Filesize
207B

MD5
de85dfb274b0384deef26df91e055692

SHA1
e003c5ed4424eefea8cdab44e226c7b926140bb0

SHA256
a694c676e654dad7019cd59316d4c8ab24f447eb70834225f2970cd53d54bd7b

SHA512
39603973314e0995f2efcf6ae053a3c17ddbd78123aeeac7509b6a3fad7292bf6099c791974730c938e79f4cf8f1d0b8fe6b403428a93f440b66c5923c18d2f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RR3hOsrg9dYB.bat

Filesize
207B

MD5
d2536edc6a5250d9668c9de4103e4458

SHA1
83b331cdf5b32269824e10fad7b336073f3efd2a

SHA256
e79826755dd949e89f80182f5a331fa7707331081990c5f9ce30b7b6a311b917

SHA512
e7d67b1961908d107e51e03285f4f4ef6881e0366bf00d7eb8f77dcd9db3f861373fb0b84565380cf8dfb797b0c29390ea753c1dc6f428eee2ba3df0e6e41498

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQXmCv2IBdnq.bat

Filesize
207B

MD5
9eae0226dfb1844878c59e5dee0226c7

SHA1
af2730dee90fae53d5d16af7faeae0dfc49ed8da

SHA256
ea2e10069dfcc04a6f7ca2b1cd932451bff92bbe76d44afd9e23ed281a8d2efb

SHA512
fa902082f8ea42a03bfa08679de4a0f189d105b389134fea6f3418bb9ed11bdade8ba44675d16ecda4fddab2f37ebe5dfe4aeebf33832c4788dd74d77a83de28

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZzeDsjWqnTzd.bat

Filesize
207B

MD5
034e93b12bf829d42880d96ddacf56dd

SHA1
be1b0945ccaaa8f4f31c9dea6d85e3177ce543d3

SHA256
3a104414f0a73936310e57b9a92b048b26898c19118d4126ed398a34e472d26d

SHA512
409c2664c8d5acb17043bc6e9db7946ccec6800614308e5e28e57dbe32aca3984ae61db95d3d90ca73a0d3c1112a495f2a6f67874ab6701a6500c03c1078e516

Download Submit
C:\Users\Admin\AppData\Local\Temp\db8hmUPIvhto.bat

Filesize
207B

MD5
311806d8586447250f64a16349f232f9

SHA1
ef8cecff9d7e093dfa7ba16e441e5dda32a24386

SHA256
cfd8859cc064db412d179daccc5903588ae5f01941ba0fe7a6f76302e759d4e5

SHA512
67ac284115e531f6bfa6e9738a16cf40b7282adbf352ad978f0e4d4c9be2f59b5ce563afc8620f3a5cb068671c1b049565e77fb5899960be5bbffedce3dd901c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gqBapELNqilA.bat

Filesize
207B

MD5
fb8fb3a9d38f8fe1f4802bba57f95c7e

SHA1
8f14f8edc13e00a3225d8ec2f813100088e35523

SHA256
c23a61580ea159a6eb128843102b5eee43e405a2121dac204ca0e8dfbaaa6f18

SHA512
2483756114461c95cb072244a59b5b7fd7a2efd9c0e539beccafcfe666e57f358cf687f9a3de989fb8ea176ff8646111a44056b84fab5667cfcadc9d1eec48e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\m6qYV8LG5UF0.bat

Filesize
207B

MD5
2cdeba7aaadd79b7279f0105548dd13e

SHA1
088d092e774e3fa35f22297066bceb8a44190e46

SHA256
cf79376227347b0ac9fe63863729c094cb37fb08f65c50e6e9ad738433761243

SHA512
be178df6381bd3ff12ef0dfff52088a074cf43092e56e0381ebc4f1ad6c5bcaa7440971150c06a611e54df838a40c4ac4356e6b5f54c41c5a7b9ca8cff8a9c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\t1A7bJvj13Wz.bat

Filesize
207B

MD5
d265257406b04cb79f37bf2684638f54

SHA1
320b74dde9208f700eadca6891e140a0e42031de

SHA256
5b020ef704d3f41e25c2f41fef9324fcdbb065f6e77cac32de2e1b8010b2206c

SHA512
f848f6f49e0516838f4b1ff21a3cbeeecd48410e2c597163012bda9db7185ef82d7ac6dc4fb12c95abdcaf552c154cce648ed95b4eb8d26fcc1ab88db986185c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tw4xblX84p5R.bat

Filesize
207B

MD5
b0bfc6139c64cfa21cfc366b82d5bc02

SHA1
385071c040b60e4d2654b8b39631173a7c607c7a

SHA256
bb535523f8fef703c806614543dde6bce5602a1bfc7987d30ebe06d8f334cd53

SHA512
8cb39c48074f63d85abef7af6f4b8c4f9b2ed59f9c69be9f7fc80fc1a05f1bddf077b9b9b63736052025b9745307999744abc580caae7d709a9d0a2612d7b871

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
acf4f0b473278b8280c57f06a1a14752

SHA1
e3eb5b7e4d720cb9b3bf33f02c3c436c050dc614

SHA256
74eca969f95e873b2af9dcdedd0783e27d469aad3baf1af7b85ad751b34485a3

SHA512
d0be2e1ee64a2ae2bfd0a18b71fe4af44304b5fbaa8c2bad3c582750579c8503466e2b6edd00984cfafc78d8307e6e056a37a3da3bdb04b250623b99240ab936

Download Submit
memory/2808-0-0x00007FFE6DBB3000-0x00007FFE6DBB5000-memory.dmp

Filesize
8KB

Download
memory/2808-9-0x00007FFE6DBB0000-0x00007FFE6E671000-memory.dmp

Filesize
10.8MB

Download
memory/2808-2-0x00007FFE6DBB0000-0x00007FFE6E671000-memory.dmp

Filesize
10.8MB

Download
memory/2808-1-0x0000000000070000-0x0000000000394000-memory.dmp

Filesize
3.1MB

Download
memory/3864-17-0x00007FFE6DBB0000-0x00007FFE6E671000-memory.dmp

Filesize
10.8MB

Download
memory/3864-8-0x00007FFE6DBB0000-0x00007FFE6E671000-memory.dmp

Filesize
10.8MB

Download
memory/3864-10-0x00007FFE6DBB0000-0x00007FFE6E671000-memory.dmp

Filesize
10.8MB

Download
memory/3864-11-0x000000001C980000-0x000000001C9D0000-memory.dmp

Filesize
320KB

Download
memory/3864-12-0x000000001CA90000-0x000000001CB42000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads