quasar | 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe
Size

3.1MB
MD5

fa5f99ff110280efe85f4663cfb3d6b8
SHA1

ad2d6d8006aee090a4ad5f08ec3425c6353c07d1
SHA256

5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d
SHA512

a3b898f758060f124c443422c6dc88ba80d9892890b25d21e37a1d3947cd4b9dbef403382ee6e28c1007785a63c5fa387f7d00403db433eb59c03d0b2a88b50e
SSDEEP

49152:evkt62XlaSFNWPjljiFa2RoUYIYiaJpFZwk/zLoGdWr1THHB72eh2NT:ev462XlaSFNWPjljiFXRoUYIlaj

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

havocc.ddns.net:4782

Mutex

6a533ca9-c745-463c-8bba-b6aaa9eb7fab

Attributes

encryption_key
CB213225C623A8CB39D3E1628CD4D7E7D686A7F3
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Discord
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/3764-1-0x00000000003B0000-0x00000000006D4000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b7f-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
1856	Client.exe
4348	Client.exe
696	Client.exe
1856	Client.exe
1576	Client.exe
3108	Client.exe
464	Client.exe
2864	Client.exe
888	Client.exe
2216	Client.exe
3416	Client.exe
2656	Client.exe
2856	Client.exe
3484	Client.exe
4684	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2176	PING.EXE
4936	PING.EXE
5024	PING.EXE
4672	PING.EXE
2116	PING.EXE
4944	PING.EXE
1028	PING.EXE
3416	PING.EXE
2328	PING.EXE
840	PING.EXE
1428	PING.EXE
4892	PING.EXE
3452	PING.EXE
5016	PING.EXE
4580	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
3416	PING.EXE
840	PING.EXE
4944	PING.EXE
3452	PING.EXE
4892	PING.EXE
5016	PING.EXE
4580	PING.EXE
2116	PING.EXE
1428	PING.EXE
5024	PING.EXE
1028	PING.EXE
4672	PING.EXE
2176	PING.EXE
2328	PING.EXE
4936	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3080	schtasks.exe
3432	schtasks.exe
1112	schtasks.exe
2232	schtasks.exe
3864	schtasks.exe
3192	schtasks.exe
1112	schtasks.exe
1124	schtasks.exe
4840	schtasks.exe
5116	schtasks.exe
2008	schtasks.exe
4588	schtasks.exe
2956	schtasks.exe
4932	schtasks.exe
1436	schtasks.exe
1124	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3764	5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe
Token: SeDebugPrivilege	1856	Client.exe
Token: SeDebugPrivilege	4348	Client.exe
Token: SeDebugPrivilege	696	Client.exe
Token: SeDebugPrivilege	1856	Client.exe
Token: SeDebugPrivilege	1576	Client.exe
Token: SeDebugPrivilege	3108	Client.exe
Token: SeDebugPrivilege	464	Client.exe
Token: SeDebugPrivilege	2864	Client.exe
Token: SeDebugPrivilege	888	Client.exe
Token: SeDebugPrivilege	2216	Client.exe
Token: SeDebugPrivilege	3416	Client.exe
Token: SeDebugPrivilege	2656	Client.exe
Token: SeDebugPrivilege	2856	Client.exe
Token: SeDebugPrivilege	3484	Client.exe
Token: SeDebugPrivilege	4684	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3764 wrote to memory of 1112	3764	5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe	83
PID 3764 wrote to memory of 1112	3764	5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe	83
PID 3764 wrote to memory of 1856	3764	5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe	85
PID 3764 wrote to memory of 1856	3764	5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe	85
PID 1856 wrote to memory of 2232	1856	Client.exe	86
PID 1856 wrote to memory of 2232	1856	Client.exe	86
PID 1856 wrote to memory of 3192	1856	Client.exe	88
PID 1856 wrote to memory of 3192	1856	Client.exe	88
PID 3192 wrote to memory of 1888	3192	cmd.exe	90
PID 3192 wrote to memory of 1888	3192	cmd.exe	90
PID 3192 wrote to memory of 4672	3192	cmd.exe	91
PID 3192 wrote to memory of 4672	3192	cmd.exe	91
PID 3192 wrote to memory of 4348	3192	cmd.exe	93
PID 3192 wrote to memory of 4348	3192	cmd.exe	93
PID 4348 wrote to memory of 3080	4348	Client.exe	94
PID 4348 wrote to memory of 3080	4348	Client.exe	94
PID 4348 wrote to memory of 3708	4348	Client.exe	97
PID 4348 wrote to memory of 3708	4348	Client.exe	97
PID 3708 wrote to memory of 4772	3708	cmd.exe	99
PID 3708 wrote to memory of 4772	3708	cmd.exe	99
PID 3708 wrote to memory of 3416	3708	cmd.exe	100
PID 3708 wrote to memory of 3416	3708	cmd.exe	100
PID 3708 wrote to memory of 696	3708	cmd.exe	110
PID 3708 wrote to memory of 696	3708	cmd.exe	110
PID 696 wrote to memory of 4932	696	Client.exe	114
PID 696 wrote to memory of 4932	696	Client.exe	114
PID 696 wrote to memory of 5112	696	Client.exe	117
PID 696 wrote to memory of 5112	696	Client.exe	117
PID 5112 wrote to memory of 1640	5112	cmd.exe	119
PID 5112 wrote to memory of 1640	5112	cmd.exe	119
PID 5112 wrote to memory of 2176	5112	cmd.exe	120
PID 5112 wrote to memory of 2176	5112	cmd.exe	120
PID 5112 wrote to memory of 1856	5112	cmd.exe	124
PID 5112 wrote to memory of 1856	5112	cmd.exe	124
PID 1856 wrote to memory of 1436	1856	Client.exe	125
PID 1856 wrote to memory of 1436	1856	Client.exe	125
PID 1856 wrote to memory of 4064	1856	Client.exe	128
PID 1856 wrote to memory of 4064	1856	Client.exe	128
PID 4064 wrote to memory of 2728	4064	cmd.exe	130
PID 4064 wrote to memory of 2728	4064	cmd.exe	130
PID 4064 wrote to memory of 2328	4064	cmd.exe	131
PID 4064 wrote to memory of 2328	4064	cmd.exe	131
PID 4064 wrote to memory of 1576	4064	cmd.exe	134
PID 4064 wrote to memory of 1576	4064	cmd.exe	134
PID 1576 wrote to memory of 3864	1576	Client.exe	135
PID 1576 wrote to memory of 3864	1576	Client.exe	135
PID 1576 wrote to memory of 2612	1576	Client.exe	138
PID 1576 wrote to memory of 2612	1576	Client.exe	138
PID 2612 wrote to memory of 4680	2612	cmd.exe	140
PID 2612 wrote to memory of 4680	2612	cmd.exe	140
PID 2612 wrote to memory of 4936	2612	cmd.exe	141
PID 2612 wrote to memory of 4936	2612	cmd.exe	141
PID 2612 wrote to memory of 3108	2612	cmd.exe	143
PID 2612 wrote to memory of 3108	2612	cmd.exe	143
PID 3108 wrote to memory of 5116	3108	Client.exe	144
PID 3108 wrote to memory of 5116	3108	Client.exe	144
PID 3108 wrote to memory of 1328	3108	Client.exe	147
PID 3108 wrote to memory of 1328	3108	Client.exe	147
PID 1328 wrote to memory of 2840	1328	cmd.exe	149
PID 1328 wrote to memory of 2840	1328	cmd.exe	149
PID 1328 wrote to memory of 4892	1328	cmd.exe	150
PID 1328 wrote to memory of 4892	1328	cmd.exe	150
PID 1328 wrote to memory of 464	1328	cmd.exe	153
PID 1328 wrote to memory of 464	1328	cmd.exe	153

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe
"C:\Users\Admin\AppData\Local\Temp\5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1112
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6f3ukgHdaC1W.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3192
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1888
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4672
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4348
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3080
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t4PuHVZg5ZVs.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3708
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4772
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3416
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SZ53wDHGFKsa.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1640
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2176
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\g2K32Xqfj5xQ.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2728
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2328
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOyqZ7eBXydr.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4936
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vNUgQfwcZrLO.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4892
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:464
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XlW5eS2Jyftp.bat" "
        15⤵
        
        PID:4008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2652
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:840
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omeM1wUyNRMT.bat" "
        17⤵
        
        PID:3484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2364
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2116
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Msojmp313OxO.bat" "
        19⤵
        
        PID:632
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1428
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OF2imaBGRAlF.bat" "
        21⤵
        
        PID:2732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4944
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3416
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oNhiF4VxxeXi.bat" "
        23⤵
        
        PID:2000
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4376
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3452
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Op7OIyxuZmK4.bat" "
        25⤵
        
        PID:4224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3284
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5016
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSXlQbv9m6i9.bat" "
        27⤵
        
        PID:2208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3616
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5024
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3484
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\f6Y7S1Eylo9x.bat" "
        29⤵
        
        PID:2772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4580
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4684
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uxVJbJGCZ9xp.bat" "
        31⤵
        
        PID:2688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4660
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f3ukgHdaC1W.bat

Filesize
207B

MD5
80d9619173e3e1ebb8af043e4b7789f1

SHA1
9b78e6d45c9484f9d3e7a96548ef07c53b501b9e

SHA256
a952d07f3571125ef79b27ee7743b683f23ce2e768a6579988ec57a717ac9c7e

SHA512
04a4cf8fc7d0e315395e3a7d41df77d802f89a2b5c51d892f887cf068a590d9bfc7aba4edbaf11d0e5fd8633380d9577bdab6e333fadf0fde126d7920162f14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Msojmp313OxO.bat

Filesize
207B

MD5
106ab810dec09ee37ca568ee7fba130d

SHA1
a2bc03e34ab49be5e5a3fd5ce92f89782f07ccc7

SHA256
1059188bc824ffab104a6bbb3b71ca00a7e3d8c69325cf12d6162e8e58374218

SHA512
602b1b60d4d8c71caa786f2a1164c97bddfde4e7df03ba38159aca96236457cac0373febc8554ad938072c89a883ae2e8ab6b6a6a7a9eebbae8968970a317c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OF2imaBGRAlF.bat

Filesize
207B

MD5
d0e5b318ef42a16a8787ecd5247d10c4

SHA1
618a66624e705d8e7a6d5049d695f6aafcf8fedf

SHA256
b019b87eca17c5a37d72690e3878693608e1806d86aa1bcfbf9c5667a35ae2b5

SHA512
638b044a86d6253d663256155db68e1f0165d55422674b3a1372775691513ad4f49b660b4f2c7e9f86a98b8ed45ea858919732a7f63d2990e4e25385b294ce17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Op7OIyxuZmK4.bat

Filesize
207B

MD5
fe7d7c9fc5f02223efc2ed929faee3e4

SHA1
0a4c0032643433c8964d9417008bf62bec029b26

SHA256
75aea07e152a5b2c763978c68ae157b782d5d34dc8ed88a011ff39d46ac10943

SHA512
750c27a0b7175e696abd84a418825125a27fe3122d892e6fd13080cfeea9345fd4aed20706873e914938d2fac0879a0252fc673941e3e97e2af64a52a9f87ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\SZ53wDHGFKsa.bat

Filesize
207B

MD5
bc3172ea8a6284f9b18793af2246c47a

SHA1
6e92a407e6155dc5800cdf221de90a8029e9c72f

SHA256
30f2bdf87e3f262c122a6ef35eec91bbb0e9889359b5a70012c9c1fe9668b320

SHA512
b952dc450d4c7dfa60c0e8eb7a4ccbc053b2845cb0ddc961996a7bd905b04087d2d9a24c6b41ed140f30e44a24ccfa5a3484fb6aa77856d95447603e0646d54e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XlW5eS2Jyftp.bat

Filesize
207B

MD5
f1378430fbb453d5df767e053f055223

SHA1
970c1daf73146df1c19fb26b8f4884c64f056722

SHA256
5214484ffb949be1f6f635128af3e2a2e6b9db4e0c0003af13ca30dbf5b690a9

SHA512
f49c0fd00bf964be2aebfafe5f217459b7031219c6d7c838daf43c86fd164f4682d6f734ecac9d590c98eb9fc25ce66cc53a3b54b1b3cdf3a29e71a0ad066c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f6Y7S1Eylo9x.bat

Filesize
207B

MD5
6b0b2423880659d2166fe679c09ac07c

SHA1
4130d27edd67afdaad742ec869f81f8d6114372e

SHA256
d47178de19d04a0c40fd06202cece236753bf86295c00d3cb1d46cbb1721a173

SHA512
d088cce87f5d26451f3ba79d354f2d0a7fc01e4bc7ed254581338f2d74141741e46481e0b86fbfe569e5677c99dc3eabf9e4597495f57907b57bc7c3300a4742

Download Submit
C:\Users\Admin\AppData\Local\Temp\g2K32Xqfj5xQ.bat

Filesize
207B

MD5
2162ddacde21d31d265292d9cc55a84a

SHA1
c283d403f266875af7bf5e43fc2d2374b3babfe4

SHA256
423ecf853f92be80e519572105cd2eb4953487be9b24f7d4b33e9f8665277b3e

SHA512
d1a99a2d0b2ba173738d1824e5c9104142ec6bf983402d7dba7c17d9512121e89212154f5dc9e5404e3b8931efea179337a6ece16a80c96c0be8e72e2e56c0c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\oNhiF4VxxeXi.bat

Filesize
207B

MD5
0990eb22d64835edda0331fec0efd56f

SHA1
e2da3897b93c2deae36289839992ac8fa6ea7760

SHA256
0a7784fe1f6575f2b20e86974d250c803810a71a1b61b8372fef2f7c8609cfcc

SHA512
db90a10679cad0abafe30957284aeb2358368e1d888f45fc7a0b5fb046d694790bc711646e60766c9f51cfa986c948779dea50af774ab1171e3e89f4921abb8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\omeM1wUyNRMT.bat

Filesize
207B

MD5
be3ee2c415f353569d75cc7c3557063b

SHA1
4a0c236c9a7fde6590da6ba978edd6f7bce8fea8

SHA256
af55c36b7e867d1b7a43ede577702ffcef743c5d86842d0791609be0cc5de92d

SHA512
d9968f27dceb8c29427dd3e64c5b922d6f47efc2fc3a460dcf04f768834e3467876290ae82fa6cebafcade12a75b1f2ff27d26a15274d0c4680ef361396cec08

Download Submit
C:\Users\Admin\AppData\Local\Temp\qSXlQbv9m6i9.bat

Filesize
207B

MD5
0da11162f1e341b086114a68f25f311c

SHA1
3af1663ad68b5e7b4b55bed7eac803eb295799ef

SHA256
bd3c57411c1029f166bd44d791511473e13372f725f2a20946d8ed77e3ac797e

SHA512
b818766965dd2a6fd1ff52bde70fb78c02f70fc714f52758623223c30d86c0e62821d7a80bd45ced2904321bf80a8bf5d8ef3a5124ee6375c2e863fec423af6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\t4PuHVZg5ZVs.bat

Filesize
207B

MD5
682e0f586d0361fa63958688915bc7b1

SHA1
8a870902773b0b6e33822ef64d9cd16d26c1c82e

SHA256
efbb8642c12d9fc89fcd2e010d192c5855a279c7c17225e4c0d74b18b9fa96b0

SHA512
39e958ee0430fcb1883c23121b0558027b10223883ea3f07faa8f603cbf27c23028d2ddf387a03ef48e397738706dc178f631d8f9b762b2a14a1f7bf433f080b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxVJbJGCZ9xp.bat

Filesize
207B

MD5
c2b2f61be0f6f663a5f30cfc003696e8

SHA1
400d8d08e96a0d58acba51ee6903709902ebe35f

SHA256
1d082743a19f7ad9ebdbac0ccaa3f37212ed7c02857e0c74662503a5a28c2d9e

SHA512
41dbc465bb9e15940e9fcd6ceb45a6d4150725e66ad6271fb28e9443dad5ca05cfbdd7d41d43ea0b49f3b57737af4f230007cc7d996bff6329c00548d2185b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\vNUgQfwcZrLO.bat

Filesize
207B

MD5
12fc57204b2613f682b1db6dd3e85786

SHA1
84d52b813f17fe85b38f8c37c004a5dbb2b090a2

SHA256
8b4793d2f5d4646e67f69d57e45251bb9b9027a40ec92f61d08a53d42bf2550a

SHA512
993b7321d7aff1962d3c066f6d6ff101eaf4dba4449e38d271d480ae4a8cc2cedfa5a954cec6fe66671870198e4a83ce9609538991885427659b346058dd818e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zOyqZ7eBXydr.bat

Filesize
207B

MD5
1a7c9149cea433e2be7df5fcbddd9f7a

SHA1
1acd2dc8239b3fb127032aa8f04b078a0ada680f

SHA256
5a6d94ac325df1126cb9f72664a48324d0a38f00cb4b67cc5a22da97bb9c5b30

SHA512
b81f37260c7da5af6057f58f7d0e3a62b2ce6e143dae047a372fe959295c06ff6fe47303f41097ec637e0ebddd298455b52b74f9a476a70152b0b6ed7cf967c8

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
fa5f99ff110280efe85f4663cfb3d6b8

SHA1
ad2d6d8006aee090a4ad5f08ec3425c6353c07d1

SHA256
5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d

SHA512
a3b898f758060f124c443422c6dc88ba80d9892890b25d21e37a1d3947cd4b9dbef403382ee6e28c1007785a63c5fa387f7d00403db433eb59c03d0b2a88b50e

Download Submit
memory/1856-13-0x000000001C540000-0x000000001C5F2000-memory.dmp

Filesize
712KB

Download
memory/1856-12-0x000000001BD80000-0x000000001BDD0000-memory.dmp

Filesize
320KB

Download
memory/1856-11-0x00007FFD35BC0000-0x00007FFD36681000-memory.dmp

Filesize
10.8MB

Download
memory/1856-9-0x00007FFD35BC0000-0x00007FFD36681000-memory.dmp

Filesize
10.8MB

Download
memory/1856-19-0x00007FFD35BC0000-0x00007FFD36681000-memory.dmp

Filesize
10.8MB

Download
memory/3764-10-0x00007FFD35BC0000-0x00007FFD36681000-memory.dmp

Filesize
10.8MB

Download
memory/3764-0-0x00007FFD35BC3000-0x00007FFD35BC5000-memory.dmp

Filesize
8KB

Download
memory/3764-2-0x00007FFD35BC0000-0x00007FFD36681000-memory.dmp

Filesize
10.8MB

Download
memory/3764-1-0x00000000003B0000-0x00000000006D4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads