quasar | 655d2103255a0ec7e0aa4b488d75499ce880428fdcc2831bfdc52987b4660995

Analysis

max time kernel
146s
max time network
139s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13/12/2024, 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

ee86735f1427e86dcbba39339cecfe15
SHA1

cd492443264bdae1f0a5e5f16e57af3d1819a3ec
SHA256

655d2103255a0ec7e0aa4b488d75499ce880428fdcc2831bfdc52987b4660995
SHA512

59309d24c6df7d66033afe1aac2a7cc734438c3a6dfd02ad8a20299216fee4417dd10931a283366cbf42dea2b83b3e451527817c084bb20aac4c9800c68b82b1
SSDEEP

49152:2v9t62XlaSFNWPjljiFa2RoUYI8IRJ6ibR3LoGdeoYtTHHB72eh2NT:2v/62XlaSFNWPjljiFXRoUYI8IRJ6c

Score

10^/10

quasar qussa discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Qussa

ggergejhijseih.myvnc.com:47820

Mutex

5910e19f-3073-4c42-a174-513d316126e7

Attributes

encryption_key
7A23123B6E1E0CCDB27477C6C7654C7BE2FEDE54
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
xml
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 13 IoCs

resource	yara_rule
behavioral1/memory/804-1-0x00000000001E0000-0x0000000000504000-memory.dmp	family_quasar
behavioral1/files/0x0009000000016ace-6.dat	family_quasar
behavioral1/memory/2016-9-0x0000000001390000-0x00000000016B4000-memory.dmp	family_quasar
behavioral1/memory/2652-23-0x00000000002D0000-0x00000000005F4000-memory.dmp	family_quasar
behavioral1/memory/384-34-0x00000000001A0000-0x00000000004C4000-memory.dmp	family_quasar
behavioral1/memory/1068-45-0x00000000011C0000-0x00000000014E4000-memory.dmp	family_quasar
behavioral1/memory/1592-76-0x0000000000220000-0x0000000000544000-memory.dmp	family_quasar
behavioral1/memory/868-88-0x0000000001050000-0x0000000001374000-memory.dmp	family_quasar
behavioral1/memory/1616-99-0x00000000010C0000-0x00000000013E4000-memory.dmp	family_quasar
behavioral1/memory/1176-110-0x0000000000180000-0x00000000004A4000-memory.dmp	family_quasar
behavioral1/memory/2028-122-0x0000000001040000-0x0000000001364000-memory.dmp	family_quasar
behavioral1/memory/1716-133-0x0000000000350000-0x0000000000674000-memory.dmp	family_quasar
behavioral1/memory/2216-145-0x0000000000F30000-0x0000000001254000-memory.dmp	family_quasar

Executes dropped EXE 13 IoCs

pid	Process
2016	Client.exe
2652	Client.exe
384	Client.exe
1068	Client.exe
1164	Client.exe
2580	Client.exe
1592	Client.exe
868	Client.exe
1616	Client.exe
1176	Client.exe
2028	Client.exe
1716	Client.exe
2216	Client.exe

Drops file in System32 directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File created	C:\Windows\system32\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 13 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2704	PING.EXE
2644	PING.EXE
432	PING.EXE
2956	PING.EXE
2844	PING.EXE
1744	PING.EXE
2252	PING.EXE
2408	PING.EXE
2708	PING.EXE
1900	PING.EXE
1688	PING.EXE
864	PING.EXE
3044	PING.EXE

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

pid	Process
432	PING.EXE
2956	PING.EXE
2844	PING.EXE
2704	PING.EXE
2644	PING.EXE
2708	PING.EXE
1900	PING.EXE
1688	PING.EXE
864	PING.EXE
3044	PING.EXE
2252	PING.EXE
1744	PING.EXE
2408	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1668	schtasks.exe
2556	schtasks.exe
2704	schtasks.exe
2192	schtasks.exe
2768	schtasks.exe
1148	schtasks.exe
2548	schtasks.exe
2684	schtasks.exe
2104	schtasks.exe
2508	schtasks.exe
936	schtasks.exe
2660	schtasks.exe
3068	schtasks.exe
1588	schtasks.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	804	Client-built.exe
Token: SeDebugPrivilege	2016	Client.exe
Token: SeDebugPrivilege	2652	Client.exe
Token: SeDebugPrivilege	384	Client.exe
Token: SeDebugPrivilege	1068	Client.exe
Token: SeDebugPrivilege	1164	Client.exe
Token: SeDebugPrivilege	2580	Client.exe
Token: SeDebugPrivilege	1592	Client.exe
Token: SeDebugPrivilege	868	Client.exe
Token: SeDebugPrivilege	1616	Client.exe
Token: SeDebugPrivilege	1176	Client.exe
Token: SeDebugPrivilege	2028	Client.exe
Token: SeDebugPrivilege	1716	Client.exe
Token: SeDebugPrivilege	2216	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 2556	804	Client-built.exe	31
PID 804 wrote to memory of 2556	804	Client-built.exe	31
PID 804 wrote to memory of 2556	804	Client-built.exe	31
PID 804 wrote to memory of 2016	804	Client-built.exe	33
PID 804 wrote to memory of 2016	804	Client-built.exe	33
PID 804 wrote to memory of 2016	804	Client-built.exe	33
PID 2016 wrote to memory of 2768	2016	Client.exe	34
PID 2016 wrote to memory of 2768	2016	Client.exe	34
PID 2016 wrote to memory of 2768	2016	Client.exe	34
PID 2016 wrote to memory of 2736	2016	Client.exe	36
PID 2016 wrote to memory of 2736	2016	Client.exe	36
PID 2016 wrote to memory of 2736	2016	Client.exe	36
PID 2736 wrote to memory of 3020	2736	cmd.exe	38
PID 2736 wrote to memory of 3020	2736	cmd.exe	38
PID 2736 wrote to memory of 3020	2736	cmd.exe	38
PID 2736 wrote to memory of 2644	2736	cmd.exe	39
PID 2736 wrote to memory of 2644	2736	cmd.exe	39
PID 2736 wrote to memory of 2644	2736	cmd.exe	39
PID 2736 wrote to memory of 2652	2736	cmd.exe	40
PID 2736 wrote to memory of 2652	2736	cmd.exe	40
PID 2736 wrote to memory of 2652	2736	cmd.exe	40
PID 2652 wrote to memory of 2104	2652	Client.exe	41
PID 2652 wrote to memory of 2104	2652	Client.exe	41
PID 2652 wrote to memory of 2104	2652	Client.exe	41
PID 2652 wrote to memory of 1692	2652	Client.exe	43
PID 2652 wrote to memory of 1692	2652	Client.exe	43
PID 2652 wrote to memory of 1692	2652	Client.exe	43
PID 1692 wrote to memory of 3016	1692	cmd.exe	45
PID 1692 wrote to memory of 3016	1692	cmd.exe	45
PID 1692 wrote to memory of 3016	1692	cmd.exe	45
PID 1692 wrote to memory of 2708	1692	cmd.exe	46
PID 1692 wrote to memory of 2708	1692	cmd.exe	46
PID 1692 wrote to memory of 2708	1692	cmd.exe	46
PID 1692 wrote to memory of 384	1692	cmd.exe	47
PID 1692 wrote to memory of 384	1692	cmd.exe	47
PID 1692 wrote to memory of 384	1692	cmd.exe	47
PID 384 wrote to memory of 2508	384	Client.exe	48
PID 384 wrote to memory of 2508	384	Client.exe	48
PID 384 wrote to memory of 2508	384	Client.exe	48
PID 384 wrote to memory of 1884	384	Client.exe	50
PID 384 wrote to memory of 1884	384	Client.exe	50
PID 384 wrote to memory of 1884	384	Client.exe	50
PID 1884 wrote to memory of 1896	1884	cmd.exe	52
PID 1884 wrote to memory of 1896	1884	cmd.exe	52
PID 1884 wrote to memory of 1896	1884	cmd.exe	52
PID 1884 wrote to memory of 1900	1884	cmd.exe	53
PID 1884 wrote to memory of 1900	1884	cmd.exe	53
PID 1884 wrote to memory of 1900	1884	cmd.exe	53
PID 1884 wrote to memory of 1068	1884	cmd.exe	54
PID 1884 wrote to memory of 1068	1884	cmd.exe	54
PID 1884 wrote to memory of 1068	1884	cmd.exe	54
PID 1068 wrote to memory of 936	1068	Client.exe	55
PID 1068 wrote to memory of 936	1068	Client.exe	55
PID 1068 wrote to memory of 936	1068	Client.exe	55
PID 1068 wrote to memory of 1180	1068	Client.exe	57
PID 1068 wrote to memory of 1180	1068	Client.exe	57
PID 1068 wrote to memory of 1180	1068	Client.exe	57
PID 1180 wrote to memory of 1064	1180	cmd.exe	59
PID 1180 wrote to memory of 1064	1180	cmd.exe	59
PID 1180 wrote to memory of 1064	1180	cmd.exe	59
PID 1180 wrote to memory of 432	1180	cmd.exe	60
PID 1180 wrote to memory of 432	1180	cmd.exe	60
PID 1180 wrote to memory of 432	1180	cmd.exe	60
PID 1180 wrote to memory of 1164	1180	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2556
- C:\Windows\system32\SubDir\Client.exe
  "C:\Windows\system32\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2768
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\LrwZE9yysF9w.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3020
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2644
  - - C:\Windows\system32\SubDir\Client.exe
      "C:\Windows\system32\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2104
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Qwf9Bm3R5Nm1.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1692
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3016
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2708
      - C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2508
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\U1cO7TgBsYcW.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1896
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1900
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:936
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GKuSiLOmPGN2.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:432
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1148
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TRxwqxbeSGbv.bat" "
        11⤵
        
        PID:1724
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1056
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1688
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2704
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WF1KZqeK4d3p.bat" "
        13⤵
        
        PID:1820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1360
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:864
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2548
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\g8HCdYpWOwi1.bat" "
        15⤵
        
        PID:2936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3044
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2192
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OFgfemfohyD2.bat" "
        17⤵
        
        PID:2052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2736
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2956
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2684
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LjR0jmUuFH18.bat" "
        19⤵
        
        PID:2608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2708
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2844
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1176
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2660
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tsSA8zogScQ6.bat" "
        21⤵
        
        PID:1484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2096
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2252
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3068
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ycTS0bxjQ2uv.bat" "
        23⤵
        
        PID:1016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1744
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1588
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SspW5iAUYz1t.bat" "
        25⤵
        
        PID:1976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2704
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1668
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nyFkJReUsmZp.bat" "
        27⤵
        
        PID:1652
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1040
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GKuSiLOmPGN2.bat

Filesize
196B

MD5
f0e0999795ba1dd5b6b83df0f99f54ac

SHA1
18aeba197f34d74b90223b5a7e81a8f286b2ce86

SHA256
4f3ff93d29cfd66754e4e3a5d51f6e11c9587447a9262e23d77b55fe9c6fa3e4

SHA512
4a38b45895ee29fe9911711b78b41c7bfadfc99ae086e1ad5ad041364d25c559bb58066c5fdbf987faab9add8a40dae4fa6859a6da4153d5b8512fd47d3e336b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LjR0jmUuFH18.bat

Filesize
196B

MD5
3212075557bd98861c8b7244286df877

SHA1
12d5a2e3549958fda0c61798285d96619ddaf3c1

SHA256
c03968a6575f6b2b7b36b25d1d0ce8e2b8b0ca9ddb829ea40a6ff13c0aae91ab

SHA512
ae8659b2b028ae2a7809d3a842c0897b17bcf9bf3be10acee693c4b6989fa448ed9be4a712f11403a14cba90653ba5e039f66fb1233406d23fc2638f86a6b153

Download Submit
C:\Users\Admin\AppData\Local\Temp\LrwZE9yysF9w.bat

Filesize
196B

MD5
409445da622b6b556ada4721d096b827

SHA1
ae16834639d1bcbd31deeb730129c6b91412fdce

SHA256
afa0a64e0cb428549b84a16e9585ae4855ef51a4eda1033d259339b217099461

SHA512
60a21e19d004665ed2b0c83daf0c79d3d78e9dc736007a31b0afd6baee264c6db833aeb884093040298b1e120617d8b6696a577cc1e362708ddd4aa3a95c2cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OFgfemfohyD2.bat

Filesize
196B

MD5
e497198a67d35244b52a91d66a67103c

SHA1
7340b198bad2d4ded39cc0ac4c70bc78c0ed6307

SHA256
f64e182b24fd23997ad6cd2a81d1d408a8db03a7cb2594e12f78161cd70fe263

SHA512
6aee5d46e87f60d664dd3216f18dd01768ce2a522f03a611323bd666d6f114fb37d4afbc5ce9490a793c135552ff7e0d95e6fc841d4a981a1c0abf306a9d927d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qwf9Bm3R5Nm1.bat

Filesize
196B

MD5
6c25600f6c12983cea03c95ec05a746f

SHA1
db360b05462178d250d7321373f416a7d5f14369

SHA256
9ca8aaf9e0991c11900fa2897d23f1356ba95c87318bbbdf02d4e48e85426fc9

SHA512
6dbea61a1b3fb0946d388caf53da012aa76c5d074c5ffbf89345f7e63f562acf1d8be90d4a8bedc056fe67335ef32da3e6ffb1c8ff05ef9084c89e0136b77a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\SspW5iAUYz1t.bat

Filesize
196B

MD5
cef38236611b1130471e5b1500ce1632

SHA1
07df991cad0181b2852fc6ead2a085b361e15591

SHA256
f80c121642326c897bd31a725323b177f6a12d96db75deaf407285efe669fcf6

SHA512
d7b286fc6ff3bdfd61d04ade91cd29f3b647ea6dea7cad5c11d29da400b3a947436f05aa666b4643ae6f35981ef092eba5df0599ca175a0fd821106ec7b598de

Download Submit
C:\Users\Admin\AppData\Local\Temp\TRxwqxbeSGbv.bat

Filesize
196B

MD5
f126d481467833c60da0b5bd9965b210

SHA1
3aa16582858d790056edec9c77f332078b71c37a

SHA256
776d5d8aa1f70183bd87c0a780136f4797f8740884a4a6701bb19423bd6fc1a9

SHA512
b5897e025903e0df43fa22c80b1af28c97ab66e3bc4cfc3c6a8ada2c5ca46f0ca3a0e4313d0c1a8393dc3c3a1eeac1d2c3d9abf4e21c5dacec8a6b2fda8aabb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\U1cO7TgBsYcW.bat

Filesize
196B

MD5
971771ddfecefdd3c11c06b5b4e008c7

SHA1
63fbd90c08d7e9ba465375f509ab90645c47223a

SHA256
ee9baf750ef8a17768a72f64d7a9c6d85fbfbdcdd17565bd64e67f27d8bbd02b

SHA512
3e7f2b47c082c7e40fb2bf4e312ad81953055cc2ef6f50846003d103fee0e25609165608b5fcb278b37d29c4e4709692036d7f42060be31165b1ec6aaecde6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\WF1KZqeK4d3p.bat

Filesize
196B

MD5
55c10b3586e9a24e9a4fce4363f56a7b

SHA1
a22273d636a425568a3c540e7d79518648c5e13a

SHA256
416a2eaecfde578005f11a00457cf7e6f5b43ff31cbb1bb9d143ed94818d84e0

SHA512
791add404da96642029d04d0d11c01d0128b655693053b9b6f05abe1a6d0da24ca63791c305e2a73f74ae2e5958a1b70a0e70be0a6042b50cdfacdad41c9b67d

Download Submit
C:\Users\Admin\AppData\Local\Temp\g8HCdYpWOwi1.bat

Filesize
196B

MD5
f917ceed997cbe321734983f0193da34

SHA1
2b53ed5d0ed27a8f76b9f9444c4f9a4d3009211e

SHA256
bfa5b7345a3fb7f5409aceb58c0933259d4fd00fc9972bc1c7e736b2d92fe894

SHA512
658f0f62583ffe13afd9bc5a31a80931664e3141e8934e016a04abb2cba49b18342e5665b3ac7c3151468223d8aa7ba83cdb65063865a54deaf1a2f34f3c59e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nyFkJReUsmZp.bat

Filesize
196B

MD5
90b76b7e4842d2290a7cc5fc303a23a4

SHA1
09de10d9756073d3dea5f30621859784347d7151

SHA256
c97b67e913af8385111bffe3a462a5fb40ca189efb45941a720380a7a06cf6e2

SHA512
2ad1fb01fb836c847e3fa1cbb0f8dd9bfc1b16c255aa2392232f820add592064148a7f061aa513a9b5eb50bd4859a0401bd001fa24d59f36e36d958bbff870f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsSA8zogScQ6.bat

Filesize
196B

MD5
50a40b468f3a9df4975ac08aff04d93d

SHA1
718421f2adea81c6dbb66d91effe90e8da49c0e7

SHA256
f7a92a09f94ec07ea21dd75bcefee8b0c18042f9cd17ec4a83a24dd1a780173c

SHA512
4ad2b298a9d4fa07e24f2d2195a0e0558fb0265b655d0a64678d52d326e136296a7faa7115c2d8c811462eb1809b7433777ec592a7a30c536339cf0a0c68bb4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycTS0bxjQ2uv.bat

Filesize
196B

MD5
19df1b417a541f9bea6e765e2838ad73

SHA1
53b1a00f689c531d324547ed059b241f5289ac9a

SHA256
ecbdbc8576cd3e7854ff6d4aaf2346c9380f34c7c88f49c31a22451658c7ea00

SHA512
7ea937ffbaa4d22ec3c99f80936cce342c3fb1c8aa9b1e00888c607d7e6e08b58906a5cde57a1ffdbf6e54c3fcf4a830e7c42bed50e8e1b11746d4a6d67c74a7

Download Submit
C:\Windows\System32\SubDir\Client.exe

Filesize
3.1MB

MD5
ee86735f1427e86dcbba39339cecfe15

SHA1
cd492443264bdae1f0a5e5f16e57af3d1819a3ec

SHA256
655d2103255a0ec7e0aa4b488d75499ce880428fdcc2831bfdc52987b4660995

SHA512
59309d24c6df7d66033afe1aac2a7cc734438c3a6dfd02ad8a20299216fee4417dd10931a283366cbf42dea2b83b3e451527817c084bb20aac4c9800c68b82b1

Download Submit
memory/384-34-0x00000000001A0000-0x00000000004C4000-memory.dmp

Filesize
3.1MB

Download
memory/804-2-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/804-0-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

Filesize
4KB

Download
memory/804-1-0x00000000001E0000-0x0000000000504000-memory.dmp

Filesize
3.1MB

Download
memory/804-8-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/868-88-0x0000000001050000-0x0000000001374000-memory.dmp

Filesize
3.1MB

Download
memory/1068-45-0x00000000011C0000-0x00000000014E4000-memory.dmp

Filesize
3.1MB

Download
memory/1176-110-0x0000000000180000-0x00000000004A4000-memory.dmp

Filesize
3.1MB

Download
memory/1592-76-0x0000000000220000-0x0000000000544000-memory.dmp

Filesize
3.1MB

Download
memory/1616-99-0x00000000010C0000-0x00000000013E4000-memory.dmp

Filesize
3.1MB

Download
memory/1716-133-0x0000000000350000-0x0000000000674000-memory.dmp

Filesize
3.1MB

Download
memory/2016-21-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2016-11-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2016-9-0x0000000001390000-0x00000000016B4000-memory.dmp

Filesize
3.1MB

Download
memory/2016-10-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2028-122-0x0000000001040000-0x0000000001364000-memory.dmp

Filesize
3.1MB

Download
memory/2216-145-0x0000000000F30000-0x0000000001254000-memory.dmp

Filesize
3.1MB

Download
memory/2652-23-0x00000000002D0000-0x00000000005F4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads