quasar | 74eca969f95e873b2af9dcdedd0783e27d469aad3baf1af7b85ad751b34485a3

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30/11/2024, 23:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

acf4f0b473278b8280c57f06a1a14752
SHA1

e3eb5b7e4d720cb9b3bf33f02c3c436c050dc614
SHA256

74eca969f95e873b2af9dcdedd0783e27d469aad3baf1af7b85ad751b34485a3
SHA512

d0be2e1ee64a2ae2bfd0a18b71fe4af44304b5fbaa8c2bad3c582750579c8503466e2b6edd00984cfafc78d8307e6e056a37a3da3bdb04b250623b99240ab936
SSDEEP

49152:rvvI22SsaNYfdPBldt698dBcjHWC41JFLoGdxTHHB72eh2NT:rvg22SsaNYfdPBldt6+dBcjHWCe

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

sites-talent.gl.at.ply.gg:12915:5050

Mutex

81bbd126-003c-423d-b244-5de29a86c135

Attributes

encryption_key
F1428A77E91FBF1B7AEC1D3D94E91E692E2ADBFF
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
thisisarat
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/1136-1-0x00000000001C0000-0x00000000004E4000-memory.dmp	family_quasar
behavioral2/files/0x000b000000023b70-5.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
556	Client.exe
3388	Client.exe
1548	Client.exe
3932	Client.exe
976	Client.exe
2116	Client.exe
2668	Client.exe
4008	Client.exe
1340	Client.exe
3824	Client.exe
1752	Client.exe
4396	Client.exe
5100	Client.exe
960	Client.exe
4576	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2296	PING.EXE
4812	PING.EXE
4220	PING.EXE
2472	PING.EXE
1988	PING.EXE
2732	PING.EXE
2000	PING.EXE
2560	PING.EXE
1016	PING.EXE
552	PING.EXE
1680	PING.EXE
4728	PING.EXE
4572	PING.EXE
100	PING.EXE
532	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1016	PING.EXE
1680	PING.EXE
532	PING.EXE
4812	PING.EXE
552	PING.EXE
2296	PING.EXE
2472	PING.EXE
2732	PING.EXE
2000	PING.EXE
4572	PING.EXE
100	PING.EXE
1988	PING.EXE
4728	PING.EXE
2560	PING.EXE
4220	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4828	schtasks.exe
3960	schtasks.exe
4852	schtasks.exe
324	schtasks.exe
2876	schtasks.exe
3932	schtasks.exe
1140	schtasks.exe
3880	schtasks.exe
2404	schtasks.exe
2000	schtasks.exe
4216	schtasks.exe
4692	schtasks.exe
4360	schtasks.exe
2416	schtasks.exe
2748	schtasks.exe
3244	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1136	Client-built.exe
Token: SeDebugPrivilege	556	Client.exe
Token: SeDebugPrivilege	3388	Client.exe
Token: SeDebugPrivilege	1548	Client.exe
Token: SeDebugPrivilege	3932	Client.exe
Token: SeDebugPrivilege	976	Client.exe
Token: SeDebugPrivilege	2116	Client.exe
Token: SeDebugPrivilege	2668	Client.exe
Token: SeDebugPrivilege	4008	Client.exe
Token: SeDebugPrivilege	1340	Client.exe
Token: SeDebugPrivilege	3824	Client.exe
Token: SeDebugPrivilege	1752	Client.exe
Token: SeDebugPrivilege	4396	Client.exe
Token: SeDebugPrivilege	5100	Client.exe
Token: SeDebugPrivilege	960	Client.exe
Token: SeDebugPrivilege	4576	Client.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
556	Client.exe
3388	Client.exe
1548	Client.exe
3932	Client.exe
976	Client.exe
2116	Client.exe
2668	Client.exe
4008	Client.exe
1340	Client.exe
3824	Client.exe
1752	Client.exe
4396	Client.exe
5100	Client.exe
960	Client.exe
4576	Client.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
556	Client.exe
3388	Client.exe
1548	Client.exe
3932	Client.exe
976	Client.exe
2116	Client.exe
2668	Client.exe
4008	Client.exe
1340	Client.exe
3824	Client.exe
1752	Client.exe
4396	Client.exe
5100	Client.exe
960	Client.exe
4576	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 3932	1136	Client-built.exe	83
PID 1136 wrote to memory of 3932	1136	Client-built.exe	83
PID 1136 wrote to memory of 556	1136	Client-built.exe	85
PID 1136 wrote to memory of 556	1136	Client-built.exe	85
PID 556 wrote to memory of 4216	556	Client.exe	86
PID 556 wrote to memory of 4216	556	Client.exe	86
PID 556 wrote to memory of 2384	556	Client.exe	88
PID 556 wrote to memory of 2384	556	Client.exe	88
PID 2384 wrote to memory of 2892	2384	cmd.exe	90
PID 2384 wrote to memory of 2892	2384	cmd.exe	90
PID 2384 wrote to memory of 4728	2384	cmd.exe	91
PID 2384 wrote to memory of 4728	2384	cmd.exe	91
PID 2384 wrote to memory of 3388	2384	cmd.exe	93
PID 2384 wrote to memory of 3388	2384	cmd.exe	93
PID 3388 wrote to memory of 4828	3388	Client.exe	96
PID 3388 wrote to memory of 4828	3388	Client.exe	96
PID 3388 wrote to memory of 4484	3388	Client.exe	99
PID 3388 wrote to memory of 4484	3388	Client.exe	99
PID 4484 wrote to memory of 2448	4484	cmd.exe	101
PID 4484 wrote to memory of 2448	4484	cmd.exe	101
PID 4484 wrote to memory of 2000	4484	cmd.exe	102
PID 4484 wrote to memory of 2000	4484	cmd.exe	102
PID 4484 wrote to memory of 1548	4484	cmd.exe	113
PID 4484 wrote to memory of 1548	4484	cmd.exe	113
PID 1548 wrote to memory of 4692	1548	Client.exe	114
PID 1548 wrote to memory of 4692	1548	Client.exe	114
PID 1548 wrote to memory of 4452	1548	Client.exe	116
PID 1548 wrote to memory of 4452	1548	Client.exe	116
PID 4452 wrote to memory of 4328	4452	cmd.exe	119
PID 4452 wrote to memory of 4328	4452	cmd.exe	119
PID 4452 wrote to memory of 4572	4452	cmd.exe	120
PID 4452 wrote to memory of 4572	4452	cmd.exe	120
PID 4452 wrote to memory of 3932	4452	cmd.exe	124
PID 4452 wrote to memory of 3932	4452	cmd.exe	124
PID 3932 wrote to memory of 4360	3932	Client.exe	125
PID 3932 wrote to memory of 4360	3932	Client.exe	125
PID 3932 wrote to memory of 2128	3932	Client.exe	128
PID 3932 wrote to memory of 2128	3932	Client.exe	128
PID 2128 wrote to memory of 2348	2128	cmd.exe	130
PID 2128 wrote to memory of 2348	2128	cmd.exe	130
PID 2128 wrote to memory of 4812	2128	cmd.exe	131
PID 2128 wrote to memory of 4812	2128	cmd.exe	131
PID 2128 wrote to memory of 976	2128	cmd.exe	134
PID 2128 wrote to memory of 976	2128	cmd.exe	134
PID 976 wrote to memory of 3960	976	Client.exe	135
PID 976 wrote to memory of 3960	976	Client.exe	135
PID 976 wrote to memory of 64	976	Client.exe	137
PID 976 wrote to memory of 64	976	Client.exe	137
PID 64 wrote to memory of 1624	64	cmd.exe	140
PID 64 wrote to memory of 1624	64	cmd.exe	140
PID 64 wrote to memory of 100	64	cmd.exe	141
PID 64 wrote to memory of 100	64	cmd.exe	141
PID 64 wrote to memory of 2116	64	cmd.exe	143
PID 64 wrote to memory of 2116	64	cmd.exe	143
PID 2116 wrote to memory of 2416	2116	Client.exe	144
PID 2116 wrote to memory of 2416	2116	Client.exe	144
PID 2116 wrote to memory of 3116	2116	Client.exe	146
PID 2116 wrote to memory of 3116	2116	Client.exe	146
PID 3116 wrote to memory of 676	3116	cmd.exe	149
PID 3116 wrote to memory of 676	3116	cmd.exe	149
PID 3116 wrote to memory of 2560	3116	cmd.exe	150
PID 3116 wrote to memory of 2560	3116	cmd.exe	150
PID 3116 wrote to memory of 2668	3116	cmd.exe	152
PID 3116 wrote to memory of 2668	3116	cmd.exe	152

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3932
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jywvVkPTPODy.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2892
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4728
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3388
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4828
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wzgeJO8zDyy3.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4484
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2448
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2000
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m6A7FULUcXzx.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4328
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4572
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9bLncN6O3GWG.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2348
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4812
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yXHNSj4fPzVQ.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1624
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:100
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sZnVH6rmiaIu.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2560
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2668
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZXudqcNRw5BB.bat" "
        15⤵
        
        PID:1588
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1412
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4220
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4008
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nysnehfIbE6M.bat" "
        17⤵
        
        PID:3224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3308
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1016
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1340
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gxK2hV6tJRVq.bat" "
        19⤵
        
        PID:3904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2876
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2472
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3824
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMap6EurjHqn.bat" "
        21⤵
        
        PID:3480
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3464
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:552
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1752
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v9aoG03mLzpa.bat" "
        23⤵
        
        PID:4824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1680
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4396
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vM2Qco6VMCj5.bat" "
        25⤵
        
        PID:228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4220
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1988
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5100
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYHWzkrSsl5S.bat" "
        27⤵
        
        PID:3232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4168
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2732
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:960
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2pE1rdANU5OG.bat" "
        29⤵
        
        PID:4784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:3980
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2296
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4576
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "thisisarat" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YAxaIG9usvin.bat" "
        31⤵
        
        PID:4336
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1892
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2pE1rdANU5OG.bat

Filesize
207B

MD5
bb7216f12817989656c0385e72ab5226

SHA1
11ffbed2ddba383af4630e6ac873cad9f75f4d42

SHA256
ca5b2dbd4e981de9ce4783bc644fb9771a8feb5ec41af9b1d52e24f2705202b9

SHA512
dc83eda9a9f52c23c17b0a5a6274cbfc41bafe70e0b904c9218c87bb2125c79986971c5c0f233fc351df481b45ce69609a32b03723bc7d22f91376f417f1bbff

Download Submit
C:\Users\Admin\AppData\Local\Temp\9bLncN6O3GWG.bat

Filesize
207B

MD5
541ff939cb41c4e52cb69f7a8e24b944

SHA1
6f51dceae5477d553f7fcd8dd054124a5c8fb753

SHA256
d57c8d3e782e1292cdc5e77724b5091e028eaf3de45706a1403cc96e711fb96e

SHA512
9286141bbb7c11e975a5e793aacd7e7eda15eec3687524862358134fae5cbe26cd8e960ec37037f2125971be2858568715923dd3e8761e6251d4cc390bcbdbce

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMap6EurjHqn.bat

Filesize
207B

MD5
55b6c32a6d2e79a680099decb5d75d36

SHA1
6da71a79cacfa382daf04d3322e1c6a44288b054

SHA256
759d5e05dd1fc8f00ee3c3ef09ae4123f88d1c65daf00e2cd0ab0607e29a3e04

SHA512
e78b837559ea44deddf04490ee1597a6890ec0f541f191ed51e9c702edc4cd99b656f0b04e328f69e24fd8bd464a23165d0f5c4104d37d55acfdb5df30293eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\FYHWzkrSsl5S.bat

Filesize
207B

MD5
1e2f80ca9893271e6aafe54f428e8969

SHA1
6493d604dd3030a90e04da201ee389ce966bc5b6

SHA256
713133cc27dd3aefb2ee104b43897b5fc5bbeb39384e45070206c823987385fc

SHA512
cdaa5e7609512c11f54a132acffbe5b41169b03baa412a855143c3b18845d4b28b0f071092ead46979f01822b14b63ecc4d06c113b58d58861787876d4d93f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAxaIG9usvin.bat

Filesize
207B

MD5
6213570657caaa5ffa42e6fe637a1d2c

SHA1
0307fc4a7419fcd4ae92694f37ea67286d99b2f2

SHA256
d5388e8af8043c06562f20dfdb7b7bd43a22ca4f37a7babb12b662f72517d24e

SHA512
f94b10e0785e2c67af029d8a2eb0730abee7274a83dded9006842f869b205f5d59380a0191cf6b7b591a622e1c9ef4a7e7f77eb097bee79429b9222578c33704

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZXudqcNRw5BB.bat

Filesize
207B

MD5
7331bb24c18c6c7c36e4db85710c2dd8

SHA1
43865bce9ba66e9ee14026b1476f536056ad5d8e

SHA256
8406e4ceeb0955e0b346d479abe1e79d1568c4097a6395617f7a638ea14a9a0a

SHA512
23d7999a064a15cd6c2b2d411edb59e0e97d6e712741a18f8203737ea4d81ed2e3083f113fc2dbce85c5fa26c0f4d669f7c3ecbe1799649990f9a4867e572694

Download Submit
C:\Users\Admin\AppData\Local\Temp\gxK2hV6tJRVq.bat

Filesize
207B

MD5
3cc9df9f977a5b484fdfed5d9df4580d

SHA1
134d81c01b2e9ddb6e540d045ce0bb4d6ee8ccdf

SHA256
29c95c46054c5be9f7594920f5f492f04b358fd2a3e12f8082680151dc88df4f

SHA512
afadc8d78bb2402202a7a5b9e82fd58e52806f37edaf376b7880b40ec1b0233a04a6ef6f199625a3753ed2da4958c1b5f108706ebf8bfd59dbc04948b168814c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jywvVkPTPODy.bat

Filesize
207B

MD5
096812b38b8359b021c7fe31b996660d

SHA1
dcae2cae30903b8417e748d9c7034ac183e486aa

SHA256
f79448199ea7db064a471ffafa402e122b452010dfcd5458b09654a7fef27de4

SHA512
f5d582c6eb95a9bd2a34cd2cf1e20c9c9458ac0791185ab30837283e708583a0725262aecbc605747692a50c5c26cd5f54d3fe9007e5949dabc48bf8db4edd1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\m6A7FULUcXzx.bat

Filesize
207B

MD5
3dbefca3ecdef1c6a5835fd96b19ff1f

SHA1
af0cc8f3f6d880bf8b90b3075563a6fce62ae03b

SHA256
7b16cc30ff70307ec602584e9e40e904e76dc63c6c20880e2ed51fe10f878afd

SHA512
d782c3814702694e779727012b52ba11183644d429ff706b6286d0a22ec9f3ccc7fda1cb25c34c871097bc28152a722e4ee78f20421560717f544f7a41c171eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nysnehfIbE6M.bat

Filesize
207B

MD5
aaed472f3f04e67602f6bf6c691d5d66

SHA1
1c54e9e383959c19b3464c4ca5c532d5e2683a6d

SHA256
8b446c4b018a332fcfcbb34e8f66587cd0eff41bd542adad6edf2c23d551937f

SHA512
8f97c15c3ad62cc6ea5f4487744212fdf35eb3ad0f1353ef01201ab54c9a72b5ee0f367ddcbf4b81d8d430ef334fc1ec5b34ce58d0c127db56672d1e9bbd44ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\sZnVH6rmiaIu.bat

Filesize
207B

MD5
77197e2e0ccf925c9cb01b6f27e21b1e

SHA1
7af31fb3ede3b71243584d690ef3795f2d9fd144

SHA256
4a59540d20b223258c18c73b8b38b50b73c647fc0448dc00bcb899277d2afc79

SHA512
168edb0f043901f3a1c4780ea5cf058909187651a7dc48b012ef57ebd1a304a91198ca536cd51e73c68c71f9346b1d99c414e0be54cc2f202bb5330979fa5a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\v9aoG03mLzpa.bat

Filesize
207B

MD5
86f1f40986da8c9543eb66d304641b27

SHA1
2e1466256ba1b16848a82ab41cde4178d672b52f

SHA256
66e9cf8cc3ba82052bd143d7b05786737be6f516410d721dba1436fea20018c1

SHA512
bced30ad681becbf75700b2a60f24acde2ac43c0268eac99b70d37673e75768cbbc925e5dc1bfe5627f3c110a6721f8ded1740068d09bd8b92cf060fef835aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vM2Qco6VMCj5.bat

Filesize
207B

MD5
db90b73466d1f726ec4a195d61693e89

SHA1
55be5010f52580c501cfa4319b61077c70285888

SHA256
d960111c16af826769f63adccd79d52726c1f22200daeb31101211c50ef3d541

SHA512
0b75bff74db1f9e80e2516c10c384a9fc130b0645543abfb21652bcd536a1b5d8ddb29b885005288227f9008b766f5670d1f485f88ab7489ffafec4bfccfbbdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzgeJO8zDyy3.bat

Filesize
207B

MD5
c7bee86e7b272947815dc391656f04ad

SHA1
3675145c34421168db7ee0a5425d423a5f1bc1ef

SHA256
7d9157d2ca19c10f948368b9313e073be57aa78053d1d6988a205f47c85ff309

SHA512
517e95c64cd7b2c78620fd699016afa941edd1bcd24998882d655d04ccd701049144899beb4ff7d0be34a83ec3d198cd530b8fae6f53daa41673d770987bf131

Download Submit
C:\Users\Admin\AppData\Local\Temp\yXHNSj4fPzVQ.bat

Filesize
207B

MD5
2a1012439cfd0faa6bbf06107a753dd5

SHA1
700d22bd899146c33956fc6cb2e31c6f32217c36

SHA256
5da1f80f1128c23b38dfcae53ba790835e895c05e55305f0342c0f89b69a5dc9

SHA512
a497d08fa782e608897af7f7ee3422971acaea4b3f5e6ecab0c89d3a88832564875287a17e3be4589eb36d6e43356079a5faab2cd4404d2b0abebed3e270e2f2

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
acf4f0b473278b8280c57f06a1a14752

SHA1
e3eb5b7e4d720cb9b3bf33f02c3c436c050dc614

SHA256
74eca969f95e873b2af9dcdedd0783e27d469aad3baf1af7b85ad751b34485a3

SHA512
d0be2e1ee64a2ae2bfd0a18b71fe4af44304b5fbaa8c2bad3c582750579c8503466e2b6edd00984cfafc78d8307e6e056a37a3da3bdb04b250623b99240ab936

Download Submit
memory/556-17-0x00007FFE304F0000-0x00007FFE30FB1000-memory.dmp

Filesize
10.8MB

Download
memory/556-12-0x000000001BF30000-0x000000001BFE2000-memory.dmp

Filesize
712KB

Download
memory/556-11-0x000000001BE20000-0x000000001BE70000-memory.dmp

Filesize
320KB

Download
memory/556-10-0x00007FFE304F0000-0x00007FFE30FB1000-memory.dmp

Filesize
10.8MB

Download
memory/556-9-0x00007FFE304F0000-0x00007FFE30FB1000-memory.dmp

Filesize
10.8MB

Download
memory/1136-0-0x00007FFE304F3000-0x00007FFE304F5000-memory.dmp

Filesize
8KB

Download
memory/1136-8-0x00007FFE304F0000-0x00007FFE30FB1000-memory.dmp

Filesize
10.8MB

Download
memory/1136-2-0x00007FFE304F0000-0x00007FFE30FB1000-memory.dmp

Filesize
10.8MB

Download
memory/1136-1-0x00000000001C0000-0x00000000004E4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads