quasar | 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d

Analysis

max time kernel
141s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe
Size

3.1MB
MD5

fa5f99ff110280efe85f4663cfb3d6b8
SHA1

ad2d6d8006aee090a4ad5f08ec3425c6353c07d1
SHA256

5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d
SHA512

a3b898f758060f124c443422c6dc88ba80d9892890b25d21e37a1d3947cd4b9dbef403382ee6e28c1007785a63c5fa387f7d00403db433eb59c03d0b2a88b50e
SSDEEP

49152:evkt62XlaSFNWPjljiFa2RoUYIYiaJpFZwk/zLoGdWr1THHB72eh2NT:ev462XlaSFNWPjljiFXRoUYIlaj

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

havocc.ddns.net:4782

Mutex

6a533ca9-c745-463c-8bba-b6aaa9eb7fab

Attributes

encryption_key
CB213225C623A8CB39D3E1628CD4D7E7D686A7F3
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Discord
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 10 IoCs

resource	yara_rule
behavioral1/memory/2232-1-0x0000000001080000-0x00000000013A4000-memory.dmp	family_quasar
behavioral1/files/0x0008000000016d89-6.dat	family_quasar
behavioral1/memory/2008-10-0x0000000000180000-0x00000000004A4000-memory.dmp	family_quasar
behavioral1/memory/2900-23-0x0000000000060000-0x0000000000384000-memory.dmp	family_quasar
behavioral1/memory/2284-35-0x00000000013C0000-0x00000000016E4000-memory.dmp	family_quasar
behavioral1/memory/936-56-0x0000000000110000-0x0000000000434000-memory.dmp	family_quasar
behavioral1/memory/1360-67-0x00000000011A0000-0x00000000014C4000-memory.dmp	family_quasar
behavioral1/memory/2832-88-0x0000000001210000-0x0000000001534000-memory.dmp	family_quasar
behavioral1/memory/2312-99-0x0000000000320000-0x0000000000644000-memory.dmp	family_quasar
behavioral1/memory/264-110-0x0000000000900000-0x0000000000C24000-memory.dmp	family_quasar

Executes dropped EXE 12 IoCs

pid	Process
2008	Client.exe
2900	Client.exe
2284	Client.exe
2188	Client.exe
936	Client.exe
1360	Client.exe
1000	Client.exe
2832	Client.exe
2312	Client.exe
264	Client.exe
1920	Client.exe
2484	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1760	PING.EXE
1784	PING.EXE
1936	PING.EXE
1748	PING.EXE
2776	PING.EXE
856	PING.EXE
2420	PING.EXE
2364	PING.EXE
2512	PING.EXE
3008	PING.EXE
340	PING.EXE
1968	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
3008	PING.EXE
856	PING.EXE
2420	PING.EXE
1760	PING.EXE
2364	PING.EXE
2512	PING.EXE
340	PING.EXE
1936	PING.EXE
1968	PING.EXE
1748	PING.EXE
2776	PING.EXE
1784	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2180	schtasks.exe
2804	schtasks.exe
1816	schtasks.exe
1692	schtasks.exe
2764	schtasks.exe
1292	schtasks.exe
2596	schtasks.exe
952	schtasks.exe
328	schtasks.exe
2828	schtasks.exe
2220	schtasks.exe
496	schtasks.exe
2924	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe
Token: SeDebugPrivilege	2008	Client.exe
Token: SeDebugPrivilege	2900	Client.exe
Token: SeDebugPrivilege	2284	Client.exe
Token: SeDebugPrivilege	2188	Client.exe
Token: SeDebugPrivilege	936	Client.exe
Token: SeDebugPrivilege	1360	Client.exe
Token: SeDebugPrivilege	1000	Client.exe
Token: SeDebugPrivilege	2832	Client.exe
Token: SeDebugPrivilege	2312	Client.exe
Token: SeDebugPrivilege	264	Client.exe
Token: SeDebugPrivilege	1920	Client.exe
Token: SeDebugPrivilege	2484	Client.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2008	Client.exe
2900	Client.exe
2284	Client.exe
2188	Client.exe
936	Client.exe
1360	Client.exe
1000	Client.exe
2832	Client.exe
2312	Client.exe
264	Client.exe
1920	Client.exe
2484	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2804	2232	5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe	30
PID 2232 wrote to memory of 2804	2232	5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe	30
PID 2232 wrote to memory of 2804	2232	5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe	30
PID 2232 wrote to memory of 2008	2232	5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe	32
PID 2232 wrote to memory of 2008	2232	5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe	32
PID 2232 wrote to memory of 2008	2232	5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe	32
PID 2008 wrote to memory of 2828	2008	Client.exe	33
PID 2008 wrote to memory of 2828	2008	Client.exe	33
PID 2008 wrote to memory of 2828	2008	Client.exe	33
PID 2008 wrote to memory of 1204	2008	Client.exe	35
PID 2008 wrote to memory of 1204	2008	Client.exe	35
PID 2008 wrote to memory of 1204	2008	Client.exe	35
PID 1204 wrote to memory of 800	1204	cmd.exe	37
PID 1204 wrote to memory of 800	1204	cmd.exe	37
PID 1204 wrote to memory of 800	1204	cmd.exe	37
PID 1204 wrote to memory of 3008	1204	cmd.exe	38
PID 1204 wrote to memory of 3008	1204	cmd.exe	38
PID 1204 wrote to memory of 3008	1204	cmd.exe	38
PID 1204 wrote to memory of 2900	1204	cmd.exe	39
PID 1204 wrote to memory of 2900	1204	cmd.exe	39
PID 1204 wrote to memory of 2900	1204	cmd.exe	39
PID 2900 wrote to memory of 2220	2900	Client.exe	40
PID 2900 wrote to memory of 2220	2900	Client.exe	40
PID 2900 wrote to memory of 2220	2900	Client.exe	40
PID 2900 wrote to memory of 236	2900	Client.exe	42
PID 2900 wrote to memory of 236	2900	Client.exe	42
PID 2900 wrote to memory of 236	2900	Client.exe	42
PID 236 wrote to memory of 2312	236	cmd.exe	44
PID 236 wrote to memory of 2312	236	cmd.exe	44
PID 236 wrote to memory of 2312	236	cmd.exe	44
PID 236 wrote to memory of 340	236	cmd.exe	45
PID 236 wrote to memory of 340	236	cmd.exe	45
PID 236 wrote to memory of 340	236	cmd.exe	45
PID 236 wrote to memory of 2284	236	cmd.exe	46
PID 236 wrote to memory of 2284	236	cmd.exe	46
PID 236 wrote to memory of 2284	236	cmd.exe	46
PID 2284 wrote to memory of 496	2284	Client.exe	47
PID 2284 wrote to memory of 496	2284	Client.exe	47
PID 2284 wrote to memory of 496	2284	Client.exe	47
PID 2284 wrote to memory of 604	2284	Client.exe	49
PID 2284 wrote to memory of 604	2284	Client.exe	49
PID 2284 wrote to memory of 604	2284	Client.exe	49
PID 604 wrote to memory of 1028	604	cmd.exe	51
PID 604 wrote to memory of 1028	604	cmd.exe	51
PID 604 wrote to memory of 1028	604	cmd.exe	51
PID 604 wrote to memory of 1936	604	cmd.exe	52
PID 604 wrote to memory of 1936	604	cmd.exe	52
PID 604 wrote to memory of 1936	604	cmd.exe	52
PID 604 wrote to memory of 2188	604	cmd.exe	53
PID 604 wrote to memory of 2188	604	cmd.exe	53
PID 604 wrote to memory of 2188	604	cmd.exe	53
PID 2188 wrote to memory of 2924	2188	Client.exe	54
PID 2188 wrote to memory of 2924	2188	Client.exe	54
PID 2188 wrote to memory of 2924	2188	Client.exe	54
PID 2188 wrote to memory of 2100	2188	Client.exe	56
PID 2188 wrote to memory of 2100	2188	Client.exe	56
PID 2188 wrote to memory of 2100	2188	Client.exe	56
PID 2100 wrote to memory of 1920	2100	cmd.exe	58
PID 2100 wrote to memory of 1920	2100	cmd.exe	58
PID 2100 wrote to memory of 1920	2100	cmd.exe	58
PID 2100 wrote to memory of 1968	2100	cmd.exe	59
PID 2100 wrote to memory of 1968	2100	cmd.exe	59
PID 2100 wrote to memory of 1968	2100	cmd.exe	59
PID 2100 wrote to memory of 936	2100	cmd.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe
"C:\Users\Admin\AppData\Local\Temp\5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2804
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2828
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\XShPLYBxYfHP.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:800
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3008
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2220
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hK3KLSS7OxAd.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:236
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2312
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:340
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:496
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Aj09Uxo4ZUF0.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:604
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1936
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2924
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tvz4QF0PyZ0C.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1968
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:936
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1292
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VPh22vM7XI7d.bat" "
        11⤵
        
        PID:1780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:988
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:856
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1360
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1816
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rk8LAtPDSdF9.bat" "
        13⤵
        
        PID:1320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1748
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1000
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1692
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bbexRFp13V2m.bat" "
        15⤵
        
        PID:2920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2736
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2776
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2832
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2596
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NKr4V1zhOquy.bat" "
        17⤵
        
        PID:3008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2420
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2312
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2764
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BwW2LOKsOrF4.bat" "
        19⤵
        
        PID:2896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1424
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1760
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:264
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2180
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8DxkvEJ7pHeJ.bat" "
        21⤵
        
        PID:2472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1156
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2364
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1920
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:952
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EOUxiXKiu7yA.bat" "
        23⤵
        
        PID:944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2496
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2512
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2484
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:328
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CD3nsugANwTO.bat" "
        25⤵
        
        PID:2092
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1816
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8DxkvEJ7pHeJ.bat

Filesize
207B

MD5
d99d7dc56d392939bb85baac03db06cf

SHA1
ff746a42d30620e2f098d4d04957462a373adbf8

SHA256
9a13377e1ea7be133fd9554f0f3debfa13eefe2c1f3fc0fc16f06a597ebd8355

SHA512
853f883295c9855c0260d5d0de5cbb1605b5b12f36b8399ca9bb4b7d1e9de63d551919a613b82a315ccd19c577c1fd45a7e3535a155a69432372b5104b151098

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aj09Uxo4ZUF0.bat

Filesize
207B

MD5
645c86a744219b16de7bf7fa4c86486e

SHA1
a85cd1782b721ef93a86da77a553c3ead708c81c

SHA256
97b7234a6e5c6c3b4e9ddd2741c0a95993bc338298655b04226ecee5a804e4be

SHA512
07818c0bff4d3974e16a481b21b63a793baebdb4cc92564cb1396204d8b4015e474a093043ac5b3d017af3f424eba2789084462002ab9b5516308d39eafb5c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\BwW2LOKsOrF4.bat

Filesize
207B

MD5
ce74867d9eeacaf974dcf41d53edeebd

SHA1
a7b71550387c5891ef8b45a408a93f0a275eb4ad

SHA256
f9a13e1c3dbbcda4f86f09def306a5194378a05eda63ac9c416333e29f5f2232

SHA512
5c2c4f01219376efd87b2e9624140aaf3c947e103eb6480be79cdd052d1ce55ca15a0a333e01b4ecc677e84e90c06fec8475dbb380b396636bfb0c18229532b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CD3nsugANwTO.bat

Filesize
207B

MD5
00ec6ab1756da0b7f73d6354816bb27c

SHA1
aca5abe19e590479d6453854f1d4edb6b808a499

SHA256
88025b64c98ce6385b70c6a25e6e42081e2cec31619d291236321583866fc26e

SHA512
e7be54cc64ebaab1ce14c4f8c1b1a999e2c41bcd0536c8c42fe0064299c66d383f30aabecca816349193a0f50529d12a1081da47970a34153cfa604feffb3bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOUxiXKiu7yA.bat

Filesize
207B

MD5
1bc023ad07697196566af1a2ecfefb1a

SHA1
0f08051c332a281cf4a8fb46cf19d7b8e7fb2b89

SHA256
b1577a06d91e9ec5bc3daccbd70fcf7d4d6c721fe24ea827bddf9df170ea2ea0

SHA512
81ee5cd303316e4dd4fb65ade771ea2491aa9f3b73dc644ba20293c589c39822a72e05cf4c0fb252ded5b9215cd8190fdb41ce3511f345b4899c028c86f984ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\NKr4V1zhOquy.bat

Filesize
207B

MD5
1711563e6ff2e0246e87e6f4fcb0cc76

SHA1
cfa4c214bf632a6d3e31859899c95106d934ba84

SHA256
86074d46f6bc21cc0d09b97df91dc7d4a2ea5387f101a92ef2a814c9eb2f0719

SHA512
76175e3491d17a77f72320529f0b48a4e738f8567b1cf021f005444b494903e31193b5284ab1768e7401fac746022a7f77835e4caa5eda5eb85d41283a4e7818

Download Submit
C:\Users\Admin\AppData\Local\Temp\VPh22vM7XI7d.bat

Filesize
207B

MD5
3a647bc2573d4f7984470b1f9b7aeb87

SHA1
4f5d031007353e8bf7daaa51bfb0321609cf5b63

SHA256
5a10f28da65c0058ea617456ff0d31b412903e473cba95e02a0add620976a8ab

SHA512
35723cd806f00ac2cf7aae1abf5ff05e060ad9859eda589fc846de15e8add1781d7a39c37e58cbd242de6a8ef8e2d4475bbfec21955d36dc54457396c5ce1246

Download Submit
C:\Users\Admin\AppData\Local\Temp\XShPLYBxYfHP.bat

Filesize
207B

MD5
f46fb35797472650782cbe5be30f05bd

SHA1
69b396a02edaeefacdf7b6c7ff2fc302ce0df956

SHA256
7427e12369e3150d4b216575fc53a7118b16ea82b409ab99b8d7559599c18afc

SHA512
f7d9382eb480341e885cea7d87bd40182e3b1fa974c152030b87235a1d684668d2d05089976fe1fc4565e11d4e4e4974e905f808062925b52d0482fe4b74f34f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbexRFp13V2m.bat

Filesize
207B

MD5
cb461b0e7b6ff51b3d644e3ad28a3656

SHA1
68f268340caa056f8030601bc9ae3fe3c07c58c7

SHA256
a1ed8eea5d9662690efcbd01aa1dbf5e578174e163ea0667e0acce5521f3beb0

SHA512
fc5cf3f690af9d491a3a898221bffaaa13300ccac24dc534a46fa5cd182fadd5176c6c455e7df7abd50ed47d772f88094f28499106b3fdb4d4eb9b9f85f8c7f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hK3KLSS7OxAd.bat

Filesize
207B

MD5
3bac474786b46d2ab769f51ec2bf19bf

SHA1
259122b32280f051c81767cc259d051815c1e088

SHA256
6dd6535fab3da713b56945299e63dd6f0cff4e786549fe5e3e25fdcfb1297fe7

SHA512
4fe05a886e78c67e1c5c392e54c1fc81f7cc390735bea2f57c44de29d284a7dc9d48a4884c0f9122a1d74c52d133dafc0dfa6859ce3a12b632b4db5fd846e157

Download Submit
C:\Users\Admin\AppData\Local\Temp\rk8LAtPDSdF9.bat

Filesize
207B

MD5
2084c0fb352340aa3aefbc8125b1fdae

SHA1
19a356d76af0b0aa352be23f9f3d01d230e9282d

SHA256
0ab13ee8a3d4153fa9b7ca936656e3cff0d70968f263228785f61855fce992ac

SHA512
77cfe9d906d93de06afc4afee44eadf442701f80cf05471d225b3159f652cf54d7b446f2f3dc74dc3455b23f70ae4df0e071bdeb3fc3de5ebf1d7d36584f8941

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvz4QF0PyZ0C.bat

Filesize
207B

MD5
8337f10412115cb74f92017b3d2d1958

SHA1
5ec48051e6ae4d148a52db2f2164c3c034431b1f

SHA256
b0ce7d3a4e4b663469b8f8c978a46d0c8e85600a5873f80aa1b0c74d248d03d3

SHA512
58b308693393e6e9d389a076e2aa6bfd6336fd7503bb0c2a9e11ed8ed0f74ab2814e99ae0e6f78ac7d458ed6f953e5965af7bb96cc3186aabc08b3d35e229dac

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
fa5f99ff110280efe85f4663cfb3d6b8

SHA1
ad2d6d8006aee090a4ad5f08ec3425c6353c07d1

SHA256
5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d

SHA512
a3b898f758060f124c443422c6dc88ba80d9892890b25d21e37a1d3947cd4b9dbef403382ee6e28c1007785a63c5fa387f7d00403db433eb59c03d0b2a88b50e

Download Submit
memory/264-110-0x0000000000900000-0x0000000000C24000-memory.dmp

Filesize
3.1MB

Download
memory/936-56-0x0000000000110000-0x0000000000434000-memory.dmp

Filesize
3.1MB

Download
memory/1360-67-0x00000000011A0000-0x00000000014C4000-memory.dmp

Filesize
3.1MB

Download
memory/2008-11-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2008-20-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2008-10-0x0000000000180000-0x00000000004A4000-memory.dmp

Filesize
3.1MB

Download
memory/2008-9-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2232-0-0x000007FEF61C3000-0x000007FEF61C4000-memory.dmp

Filesize
4KB

Download
memory/2232-8-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2232-2-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2232-1-0x0000000001080000-0x00000000013A4000-memory.dmp

Filesize
3.1MB

Download
memory/2284-35-0x00000000013C0000-0x00000000016E4000-memory.dmp

Filesize
3.1MB

Download
memory/2312-99-0x0000000000320000-0x0000000000644000-memory.dmp

Filesize
3.1MB

Download
memory/2832-88-0x0000000001210000-0x0000000001534000-memory.dmp

Filesize
3.1MB

Download
memory/2900-23-0x0000000000060000-0x0000000000384000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads