quasar | 74eca969f95e873b2af9dcdedd0783e27d469aad3baf1af7b85ad751b34485a3

Analysis

max time kernel
146s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/11/2024, 23:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

acf4f0b473278b8280c57f06a1a14752
SHA1

e3eb5b7e4d720cb9b3bf33f02c3c436c050dc614
SHA256

74eca969f95e873b2af9dcdedd0783e27d469aad3baf1af7b85ad751b34485a3
SHA512

d0be2e1ee64a2ae2bfd0a18b71fe4af44304b5fbaa8c2bad3c582750579c8503466e2b6edd00984cfafc78d8307e6e056a37a3da3bdb04b250623b99240ab936
SSDEEP

49152:rvvI22SsaNYfdPBldt698dBcjHWC41JFLoGdxTHHB72eh2NT:rvg22SsaNYfdPBldt6+dBcjHWCe

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

sites-talent.gl.at.ply.gg:12915:5050

Mutex

81bbd126-003c-423d-b244-5de29a86c135

Attributes

encryption_key
F1428A77E91FBF1B7AEC1D3D94E91E692E2ADBFF
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
thisisarat
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 9 IoCs

resource	yara_rule
behavioral1/memory/2424-1-0x0000000001290000-0x00000000015B4000-memory.dmp	family_quasar
behavioral1/files/0x0008000000017403-5.dat	family_quasar
behavioral1/memory/2420-9-0x00000000011F0000-0x0000000001514000-memory.dmp	family_quasar
behavioral1/memory/672-73-0x0000000001330000-0x0000000001654000-memory.dmp	family_quasar
behavioral1/memory/2900-94-0x00000000000F0000-0x0000000000414000-memory.dmp	family_quasar
behavioral1/memory/1168-106-0x0000000000010000-0x0000000000334000-memory.dmp	family_quasar
behavioral1/memory/2364-118-0x0000000000BB0000-0x0000000000ED4000-memory.dmp	family_quasar
behavioral1/memory/1936-129-0x00000000013D0000-0x00000000016F4000-memory.dmp	family_quasar
behavioral1/memory/2716-160-0x00000000003A0000-0x00000000006C4000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2420	Client.exe
1744	Client.exe
2996	Client.exe
1988	Client.exe
2972	Client.exe
920	Client.exe
672	Client.exe
2816	Client.exe
2900	Client.exe
1168	Client.exe
2364	Client.exe
1936	Client.exe
2712	Client.exe
1704	Client.exe
2716	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1200	PING.EXE
1724	PING.EXE
2916	PING.EXE
2504	PING.EXE
2844	PING.EXE
2212	PING.EXE
2768	PING.EXE
1632	PING.EXE
1620	PING.EXE
2140	PING.EXE
572	PING.EXE
1072	PING.EXE
2088	PING.EXE
1748	PING.EXE
2688	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1632	PING.EXE
2212	PING.EXE
1620	PING.EXE
2140	PING.EXE
1072	PING.EXE
1200	PING.EXE
1724	PING.EXE
2088	PING.EXE
1748	PING.EXE
2916	PING.EXE
2768	PING.EXE
2504	PING.EXE
2688	PING.EXE
572	PING.EXE
2844	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2200	schtasks.exe
2832	schtasks.exe
852	schtasks.exe
1808	schtasks.exe
3016	schtasks.exe
1400	schtasks.exe
1408	schtasks.exe
976	schtasks.exe
2472	schtasks.exe
1984	schtasks.exe
2800	schtasks.exe
1060	schtasks.exe
2624	schtasks.exe
2092	schtasks.exe
2860	schtasks.exe
2376	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2424	Client-built.exe
Token: SeDebugPrivilege	2420	Client.exe
Token: SeDebugPrivilege	1744	Client.exe
Token: SeDebugPrivilege	2996	Client.exe
Token: SeDebugPrivilege	1988	Client.exe
Token: SeDebugPrivilege	2972	Client.exe
Token: SeDebugPrivilege	920	Client.exe
Token: SeDebugPrivilege	672	Client.exe
Token: SeDebugPrivilege	2816	Client.exe
Token: SeDebugPrivilege	2900	Client.exe
Token: SeDebugPrivilege	1168	Client.exe
Token: SeDebugPrivilege	2364	Client.exe
Token: SeDebugPrivilege	1936	Client.exe
Token: SeDebugPrivilege	2712	Client.exe
Token: SeDebugPrivilege	1704	Client.exe
Token: SeDebugPrivilege	2716	Client.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2420	Client.exe
1744	Client.exe
2996	Client.exe
1988	Client.exe
2972	Client.exe
920	Client.exe
672	Client.exe
2816	Client.exe
2900	Client.exe
1168	Client.exe
2364	Client.exe
1936	Client.exe
2712	Client.exe
1704	Client.exe
2716	Client.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2420	Client.exe
1744	Client.exe
2996	Client.exe
1988	Client.exe
2972	Client.exe
920	Client.exe
672	Client.exe
2816	Client.exe
2900	Client.exe
1168	Client.exe
2364	Client.exe
1936	Client.exe
2712	Client.exe
1704	Client.exe
2716	Client.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2420	Client.exe
2996	Client.exe
2364	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 1808	2424	Client-built.exe	30
PID 2424 wrote to memory of 1808	2424	Client-built.exe	30
PID 2424 wrote to memory of 1808	2424	Client-built.exe	30
PID 2424 wrote to memory of 2420	2424	Client-built.exe	32
PID 2424 wrote to memory of 2420	2424	Client-built.exe	32
PID 2424 wrote to memory of 2420	2424	Client-built.exe	32
PID 2420 wrote to memory of 2800	2420	Client.exe	33
PID 2420 wrote to memory of 2800	2420	Client.exe	33
PID 2420 wrote to memory of 2800	2420	Client.exe	33
PID 2420 wrote to memory of 2844	2420	Client.exe	35
PID 2420 wrote to memory of 2844	2420	Client.exe	35
PID 2420 wrote to memory of 2844	2420	Client.exe	35
PID 2844 wrote to memory of 2828	2844	cmd.exe	37
PID 2844 wrote to memory of 2828	2844	cmd.exe	37
PID 2844 wrote to memory of 2828	2844	cmd.exe	37
PID 2844 wrote to memory of 2768	2844	cmd.exe	38
PID 2844 wrote to memory of 2768	2844	cmd.exe	38
PID 2844 wrote to memory of 2768	2844	cmd.exe	38
PID 2844 wrote to memory of 1744	2844	cmd.exe	40
PID 2844 wrote to memory of 1744	2844	cmd.exe	40
PID 2844 wrote to memory of 1744	2844	cmd.exe	40
PID 1744 wrote to memory of 2376	1744	Client.exe	41
PID 1744 wrote to memory of 2376	1744	Client.exe	41
PID 1744 wrote to memory of 2376	1744	Client.exe	41
PID 1744 wrote to memory of 2500	1744	Client.exe	43
PID 1744 wrote to memory of 2500	1744	Client.exe	43
PID 1744 wrote to memory of 2500	1744	Client.exe	43
PID 2500 wrote to memory of 2600	2500	cmd.exe	45
PID 2500 wrote to memory of 2600	2500	cmd.exe	45
PID 2500 wrote to memory of 2600	2500	cmd.exe	45
PID 2500 wrote to memory of 572	2500	cmd.exe	46
PID 2500 wrote to memory of 572	2500	cmd.exe	46
PID 2500 wrote to memory of 572	2500	cmd.exe	46
PID 2500 wrote to memory of 2996	2500	cmd.exe	47
PID 2500 wrote to memory of 2996	2500	cmd.exe	47
PID 2500 wrote to memory of 2996	2500	cmd.exe	47
PID 2996 wrote to memory of 976	2996	Client.exe	48
PID 2996 wrote to memory of 976	2996	Client.exe	48
PID 2996 wrote to memory of 976	2996	Client.exe	48
PID 2996 wrote to memory of 592	2996	Client.exe	50
PID 2996 wrote to memory of 592	2996	Client.exe	50
PID 2996 wrote to memory of 592	2996	Client.exe	50
PID 592 wrote to memory of 1152	592	cmd.exe	52
PID 592 wrote to memory of 1152	592	cmd.exe	52
PID 592 wrote to memory of 1152	592	cmd.exe	52
PID 592 wrote to memory of 1072	592	cmd.exe	53
PID 592 wrote to memory of 1072	592	cmd.exe	53
PID 592 wrote to memory of 1072	592	cmd.exe	53
PID 592 wrote to memory of 1988	592	cmd.exe	54
PID 592 wrote to memory of 1988	592	cmd.exe	54
PID 592 wrote to memory of 1988	592	cmd.exe	54
PID 1988 wrote to memory of 3016	1988	Client.exe	55
PID 1988 wrote to memory of 3016	1988	Client.exe	55
PID 1988 wrote to memory of 3016	1988	Client.exe	55
PID 1988 wrote to memory of 1976	1988	Client.exe	57
PID 1988 wrote to memory of 1976	1988	Client.exe	57
PID 1988 wrote to memory of 1976	1988	Client.exe	57
PID 1976 wrote to memory of 2064	1976	cmd.exe	59
PID 1976 wrote to memory of 2064	1976	cmd.exe	59
PID 1976 wrote to memory of 2064	1976	cmd.exe	59
PID 1976 wrote to memory of 1200	1976	cmd.exe	60
PID 1976 wrote to memory of 1200	1976	cmd.exe	60
PID 1976 wrote to memory of 1200	1976	cmd.exe	60
PID 1976 wrote to memory of 2972	1976	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1808
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2800
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\mnvx02BmXIGr.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2828
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2768
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1744
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2376
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zjcto2VWcK9W.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2500
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2600
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:572
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:976
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\d732GeaT00nv.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1152
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1072
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3016
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\6MDROo6Kp67a.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1200
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2972
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1060
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XtR2nsBnjzGG.bat" "
        11⤵
        
        PID:284
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2160
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1632
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:920
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2472
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JhUNRSIObhxE.bat" "
        13⤵
        
        PID:624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2712
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2504
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:672
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2200
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fkKdUQZVj0a4.bat" "
        15⤵
        
        PID:2416
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1704
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2816
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2832
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Y7twA1PlKddR.bat" "
        17⤵
        
        PID:2728
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2908
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2844
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2900
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2624
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9lo7vnK15K2f.bat" "
        19⤵
        
        PID:2772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:572
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2212
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1168
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1984
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dadSNbtBLokl.bat" "
        21⤵
        
        PID:1664
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3000
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2088
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2364
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2092
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ukXH6DeES3DV.bat" "
        23⤵
        
        PID:1976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:344
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1620
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1936
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1400
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yJZ0hBCKxugP.bat" "
        25⤵
        
        PID:2484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1756
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2140
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2712
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1408
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0ZbANk8HZzQH.bat" "
        27⤵
        
        PID:2200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1748
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1704
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:852
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HLtZCkhKGG7x.bat" "
        29⤵
        
        PID:2204
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1528
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2916
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2716
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2860
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\POPa2IKBzbOt.bat" "
        31⤵
        
        PID:2840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2660
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0ZbANk8HZzQH.bat

Filesize
207B

MD5
424c79e651a4cbade996e476704b04ed

SHA1
8280c5706f1048ca1f58b60406708e4a3c0deb62

SHA256
fa12ac8cb9e9cdb95679a6e0ae7efc020fcee3fe5ee7647a05d71af3297eef27

SHA512
18290d85a1f20ada8347b9d832b9f5827d1576605e70f27532ba22ff0700fabd698ed029e5d653f9dec5f64a3dffc158523e409a3ddb1e9c0614356ff4f33b71

Download Submit
C:\Users\Admin\AppData\Local\Temp\6MDROo6Kp67a.bat

Filesize
207B

MD5
7a49db21dc6848ac3dc80df17b6d6431

SHA1
1dab034201764c6040e64ad3859140d3de410bdf

SHA256
a2d8c9cbf71f30cc11c6126ceeaadda5608a45623710ee1de493f1fa60b3623b

SHA512
4e90df8805c93b87861c3332e28942ce332f34a24961dddb04d9b623143c589eba4d55c835e6c229a662eef9f607108cb4054b3605b9ae95839066a0f3821f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\9lo7vnK15K2f.bat

Filesize
207B

MD5
8ea0cb97f1317059d1c97416a2fb9c25

SHA1
ecf1879d5fd80a1acbb0f40716233ac4ede94451

SHA256
f7b6ce90145b33393c034a47176a1192cb52403adf9f6994db7b830cc55f0464

SHA512
b37cb2f24e1b7131eb5b16be6ea1bb84796f6248c2d5d1ca7b764586e9f98d35ae18ec411ea63c66497aa1c8d7cf5f45c3a7ab7318e18bc7ef84505ab2a89be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\HLtZCkhKGG7x.bat

Filesize
207B

MD5
659fd69b9b34d1126246cd083f5b140d

SHA1
905a6a12442fbe2b82e7acdb91ae1c841697d004

SHA256
89159f3f5e4d5ca8f4f9c7f82c9ee024dbef0466442309012d5aa144357b4d8a

SHA512
ba88d2149586db6c06ee55f46950522de5088d8264bf8f451378ad313e7298ecf1f52d5eedf6fc3269a5b277bccb9c7c3956237d0c96809c3846c50caa02c905

Download Submit
C:\Users\Admin\AppData\Local\Temp\JhUNRSIObhxE.bat

Filesize
207B

MD5
0e63513b683d5a0f0e18232579bf8f70

SHA1
e48794607df933b88990369d220c34ac7c0ade33

SHA256
6fc76d3be09379cb69743790cd0d24a1d14632fb5303a63de0e0ff8d622db83b

SHA512
022acd8139c5c4bef11593d36646efeefd055d2771786ca18beef997b14c1dccc06134953283baac1a50d767b87f81a2f6940afaac0881db4af9b7cbe4c6e614

Download Submit
C:\Users\Admin\AppData\Local\Temp\POPa2IKBzbOt.bat

Filesize
207B

MD5
f3d027d325fa5594e1e53edc6991bcf9

SHA1
638583ec36a94a684bab07e7d7c4066a7c338457

SHA256
54d8a6b029a1fcaaeb41a59fe1df0ccdb7d2a9d50e321a22239df78384d13ce6

SHA512
5c7938e5f1b1a500f36b643bf9382ee79dc03ef8a5b14d379cf376290f5f1412d778b8e5288e24ae2221441c5ab7009edb787077fe0b9d4128de84848f7e5dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\XtR2nsBnjzGG.bat

Filesize
207B

MD5
d456fc2bb9c8903f5a3e4a09c5434b9b

SHA1
4dc83527c8207a62831c41630c3bca48667163b9

SHA256
baf46ff361bd6dce6afa52933d8b16ada8f9ef0e7088732880296d90370eaccd

SHA512
462f870ccabed003e8d726970a14a5870cd4845e5250e098b3ad4678f566f62f5f443f26beedf34231b744d272ae81dbc63617d54e3e32ae513f80dd1d020405

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y7twA1PlKddR.bat

Filesize
207B

MD5
80653440156a3b9edecb08ff6141d286

SHA1
6b9001cbf29d3b33e5a9d7e23cb3ccdaa0c8ff08

SHA256
966146e78859ef2df319d4fa40294ce0b82ef3406f0a3434a6f5713bfd04fe6a

SHA512
bc6f53c9c251ce9d6f6bd6a85d2c6966aa3920e8da8f77bbb0c005c0d855204bea0cec05534fd8b4674f1b8969968661c0c2c79601e60deef929c213e82d7c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zjcto2VWcK9W.bat

Filesize
207B

MD5
4775a1cb4d1d69a41a7138f31b8ed667

SHA1
ee62b24226350126aed62840784520c4b5d3d7c4

SHA256
2e16a3202d88a44b164e9c76fd3f56439597bd48d46b9e6ea1f47612f2d94d89

SHA512
d1a0730efa148fe6a06e34fd059a5802767ec9c3bed955446c8207b1f90c3ac14ed054f55e3e73543b78acfb4db13fbb4301f91fc9fe0ed1cda12abe8902554a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d732GeaT00nv.bat

Filesize
207B

MD5
16f1a018c4eceb0776ecb4cbafb757e2

SHA1
e5507e0b6ab1ad4a9d7a57556f12b9eb1a580d14

SHA256
59857123d904bf9c680f474874324e100cf37a60c0010442fa9b8534296082dc

SHA512
179656b16e8f548d025d6eb31a22d0947dd0a70133e4cedd29aa8d72314f91bce9bce3d70941f1a6cf42e0fc07942bbe7d4323982c9ff0fe593bfec439842594

Download Submit
C:\Users\Admin\AppData\Local\Temp\dadSNbtBLokl.bat

Filesize
207B

MD5
8a43045185ba3a730f27eba143cce1ac

SHA1
28279235c7b6a65a5825859ff10cb67ec239eaee

SHA256
127a1a7ec0d55a9a11dcbc59b15199c62fbf39f531a1fc857e371759ecdd646d

SHA512
254c130ad9dd34499a80fea185950ebaee9c687099bfdef74c98ddf88674dfacc09bfd60f36d74eb33ecadf5c7e84b3980c6c68160cc5da09d7d02ac0f69f926

Download Submit
C:\Users\Admin\AppData\Local\Temp\fkKdUQZVj0a4.bat

Filesize
207B

MD5
e61511e9b0056a5facedb3c387b7c935

SHA1
0085c8a9ffe551399b08c5c4746a423ca7b6a6d8

SHA256
10efd083992da169700bb37c825318452161c8aa3d166b4319f64f77683046ca

SHA512
3a4eb26cf88c875a9a2d6835aae3e02c371336b557341f8db891965835c83fd63664d70bc1f37c8d7594c68c132423f056620ace54056cc2d7d99a944d46e124

Download Submit
C:\Users\Admin\AppData\Local\Temp\mnvx02BmXIGr.bat

Filesize
207B

MD5
4566fc822d3249475c29574e15881f13

SHA1
23999227d7ae17cbb3f993a0b047cffb91a1933a

SHA256
c68391dda4004df16abe0f1e467f0c2bae916592d808fcdafbe370b8615c1979

SHA512
875139071df3654bd991682dff273ca101229295dcfc5bb5dc52f683a1e95fd872ed4f143d1427d11bb42db9c6854c891e485d83dc1a0fad2abfb6f586bf1643

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukXH6DeES3DV.bat

Filesize
207B

MD5
88e65dc8922d9ff62c84b0a7756ecb84

SHA1
17e53183bda8d4398f5ff617b062bcd0e043a4c6

SHA256
184c48a8ef87cf526adaca241177fc40042cbbdf7d45ec53faa28b5d5e7de783

SHA512
dec6ae864d43fc8768cd7eb0fd674a71ff60e1ce25c17f0264d005a585fca658939b2668f72d185f1a4b93289ac01543225ba1c3ff78918e22ce4f4a9ae1ce2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yJZ0hBCKxugP.bat

Filesize
207B

MD5
2c55709b195c39fae1ebde3440bd17a5

SHA1
ba661b5303a6ce3c96b884835a1cb394403ee691

SHA256
d27a83ee36c2c0d862e2f1b73cb9358034be876bd01e3363de7ef5dd46d044ed

SHA512
7627934b649e2da2de9995c180f9000717fce3557a9c5a052bd7ac035189e500c10c4841db1d4ff7be37a5ec50d252e5ac6708a08475ec3a4717a76e4e2b20fc

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
acf4f0b473278b8280c57f06a1a14752

SHA1
e3eb5b7e4d720cb9b3bf33f02c3c436c050dc614

SHA256
74eca969f95e873b2af9dcdedd0783e27d469aad3baf1af7b85ad751b34485a3

SHA512
d0be2e1ee64a2ae2bfd0a18b71fe4af44304b5fbaa8c2bad3c582750579c8503466e2b6edd00984cfafc78d8307e6e056a37a3da3bdb04b250623b99240ab936

Download Submit
memory/672-73-0x0000000001330000-0x0000000001654000-memory.dmp

Filesize
3.1MB

Download
memory/1168-106-0x0000000000010000-0x0000000000334000-memory.dmp

Filesize
3.1MB

Download
memory/1936-129-0x00000000013D0000-0x00000000016F4000-memory.dmp

Filesize
3.1MB

Download
memory/2364-118-0x0000000000BB0000-0x0000000000ED4000-memory.dmp

Filesize
3.1MB

Download
memory/2420-19-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/2420-10-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/2420-9-0x00000000011F0000-0x0000000001514000-memory.dmp

Filesize
3.1MB

Download
memory/2420-8-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/2424-0-0x000007FEF5283000-0x000007FEF5284000-memory.dmp

Filesize
4KB

Download
memory/2424-7-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/2424-2-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/2424-1-0x0000000001290000-0x00000000015B4000-memory.dmp

Filesize
3.1MB

Download
memory/2716-160-0x00000000003A0000-0x00000000006C4000-memory.dmp

Filesize
3.1MB

Download
memory/2900-94-0x00000000000F0000-0x0000000000414000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads