quasar | 655d2103255a0ec7e0aa4b488d75499ce880428fdcc2831bfdc52987b4660995

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-12-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

ee86735f1427e86dcbba39339cecfe15
SHA1

cd492443264bdae1f0a5e5f16e57af3d1819a3ec
SHA256

655d2103255a0ec7e0aa4b488d75499ce880428fdcc2831bfdc52987b4660995
SHA512

59309d24c6df7d66033afe1aac2a7cc734438c3a6dfd02ad8a20299216fee4417dd10931a283366cbf42dea2b83b3e451527817c084bb20aac4c9800c68b82b1
SSDEEP

49152:2v9t62XlaSFNWPjljiFa2RoUYI8IRJ6ibR3LoGdeoYtTHHB72eh2NT:2v/62XlaSFNWPjljiFXRoUYI8IRJ6c

Score

10^/10

quasar qussa discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Qussa

ggergejhijseih.myvnc.com:47820

Mutex

5910e19f-3073-4c42-a174-513d316126e7

Attributes

encryption_key
7A23123B6E1E0CCDB27477C6C7654C7BE2FEDE54
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
xml
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/5088-1-0x0000000000AB0000-0x0000000000DD4000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b97-7.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
2092	Client.exe
3508	Client.exe
2580	Client.exe
4840	Client.exe
4228	Client.exe
2044	Client.exe
2212	Client.exe
4312	Client.exe
3552	Client.exe
4388	Client.exe
4520	Client.exe
3600	Client.exe
4692	Client.exe
2408	Client.exe
4760	Client.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File created	C:\Windows\system32\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
688	PING.EXE
888	PING.EXE
3228	PING.EXE
4384	PING.EXE
644	PING.EXE
3148	PING.EXE
4992	PING.EXE
4416	PING.EXE
4640	PING.EXE
5068	PING.EXE
1392	PING.EXE
4188	PING.EXE
3324	PING.EXE
3428	PING.EXE
4212	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
4416	PING.EXE
4640	PING.EXE
1392	PING.EXE
4188	PING.EXE
3228	PING.EXE
4384	PING.EXE
3148	PING.EXE
4212	PING.EXE
688	PING.EXE
644	PING.EXE
3324	PING.EXE
5068	PING.EXE
888	PING.EXE
3428	PING.EXE
4992	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4964	schtasks.exe
4032	schtasks.exe
2624	schtasks.exe
4620	schtasks.exe
2568	schtasks.exe
4936	schtasks.exe
316	schtasks.exe
2088	schtasks.exe
2444	schtasks.exe
1256	schtasks.exe
2256	schtasks.exe
4012	schtasks.exe
3044	schtasks.exe
2960	schtasks.exe
4456	schtasks.exe
4056	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	5088	Client-built.exe
Token: SeDebugPrivilege	2092	Client.exe
Token: SeDebugPrivilege	3508	Client.exe
Token: SeDebugPrivilege	2580	Client.exe
Token: SeDebugPrivilege	4840	Client.exe
Token: SeDebugPrivilege	4228	Client.exe
Token: SeDebugPrivilege	2044	Client.exe
Token: SeDebugPrivilege	2212	Client.exe
Token: SeDebugPrivilege	4312	Client.exe
Token: SeDebugPrivilege	3552	Client.exe
Token: SeDebugPrivilege	4388	Client.exe
Token: SeDebugPrivilege	4520	Client.exe
Token: SeDebugPrivilege	3600	Client.exe
Token: SeDebugPrivilege	4692	Client.exe
Token: SeDebugPrivilege	2408	Client.exe
Token: SeDebugPrivilege	4760	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 2256	5088	Client-built.exe	84
PID 5088 wrote to memory of 2256	5088	Client-built.exe	84
PID 5088 wrote to memory of 2092	5088	Client-built.exe	86
PID 5088 wrote to memory of 2092	5088	Client-built.exe	86
PID 2092 wrote to memory of 4012	2092	Client.exe	87
PID 2092 wrote to memory of 4012	2092	Client.exe	87
PID 2092 wrote to memory of 3644	2092	Client.exe	89
PID 2092 wrote to memory of 3644	2092	Client.exe	89
PID 3644 wrote to memory of 4968	3644	cmd.exe	91
PID 3644 wrote to memory of 4968	3644	cmd.exe	91
PID 3644 wrote to memory of 688	3644	cmd.exe	92
PID 3644 wrote to memory of 688	3644	cmd.exe	92
PID 3644 wrote to memory of 3508	3644	cmd.exe	95
PID 3644 wrote to memory of 3508	3644	cmd.exe	95
PID 3508 wrote to memory of 2088	3508	Client.exe	100
PID 3508 wrote to memory of 2088	3508	Client.exe	100
PID 3508 wrote to memory of 5064	3508	Client.exe	103
PID 3508 wrote to memory of 5064	3508	Client.exe	103
PID 5064 wrote to memory of 1696	5064	cmd.exe	105
PID 5064 wrote to memory of 1696	5064	cmd.exe	105
PID 5064 wrote to memory of 4188	5064	cmd.exe	106
PID 5064 wrote to memory of 4188	5064	cmd.exe	106
PID 5064 wrote to memory of 2580	5064	cmd.exe	114
PID 5064 wrote to memory of 2580	5064	cmd.exe	114
PID 2580 wrote to memory of 3044	2580	Client.exe	115
PID 2580 wrote to memory of 3044	2580	Client.exe	115
PID 2580 wrote to memory of 1912	2580	Client.exe	118
PID 2580 wrote to memory of 1912	2580	Client.exe	118
PID 1912 wrote to memory of 4208	1912	cmd.exe	120
PID 1912 wrote to memory of 4208	1912	cmd.exe	120
PID 1912 wrote to memory of 3228	1912	cmd.exe	121
PID 1912 wrote to memory of 3228	1912	cmd.exe	121
PID 1912 wrote to memory of 4840	1912	cmd.exe	126
PID 1912 wrote to memory of 4840	1912	cmd.exe	126
PID 4840 wrote to memory of 4964	4840	Client.exe	127
PID 4840 wrote to memory of 4964	4840	Client.exe	127
PID 4840 wrote to memory of 212	4840	Client.exe	130
PID 4840 wrote to memory of 212	4840	Client.exe	130
PID 212 wrote to memory of 4968	212	cmd.exe	132
PID 212 wrote to memory of 4968	212	cmd.exe	132
PID 212 wrote to memory of 4384	212	cmd.exe	133
PID 212 wrote to memory of 4384	212	cmd.exe	133
PID 212 wrote to memory of 4228	212	cmd.exe	135
PID 212 wrote to memory of 4228	212	cmd.exe	135
PID 4228 wrote to memory of 4032	4228	Client.exe	136
PID 4228 wrote to memory of 4032	4228	Client.exe	136
PID 4228 wrote to memory of 624	4228	Client.exe	139
PID 4228 wrote to memory of 624	4228	Client.exe	139
PID 624 wrote to memory of 1160	624	cmd.exe	141
PID 624 wrote to memory of 1160	624	cmd.exe	141
PID 624 wrote to memory of 644	624	cmd.exe	142
PID 624 wrote to memory of 644	624	cmd.exe	142
PID 624 wrote to memory of 2044	624	cmd.exe	144
PID 624 wrote to memory of 2044	624	cmd.exe	144
PID 2044 wrote to memory of 2960	2044	Client.exe	145
PID 2044 wrote to memory of 2960	2044	Client.exe	145
PID 2044 wrote to memory of 2040	2044	Client.exe	148
PID 2044 wrote to memory of 2040	2044	Client.exe	148
PID 2040 wrote to memory of 3264	2040	cmd.exe	150
PID 2040 wrote to memory of 3264	2040	cmd.exe	150
PID 2040 wrote to memory of 3324	2040	cmd.exe	151
PID 2040 wrote to memory of 3324	2040	cmd.exe	151
PID 2040 wrote to memory of 2212	2040	cmd.exe	153
PID 2040 wrote to memory of 2212	2040	cmd.exe	153

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2256
- C:\Windows\system32\SubDir\Client.exe
  "C:\Windows\system32\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G4UNrqOnltm7.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3644
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4968
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:688
  - - C:\Windows\system32\SubDir\Client.exe
      "C:\Windows\system32\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3508
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2088
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zaxx3PtGCXXw.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5064
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1696
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4188
      - C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IkKA4QROd8Dx.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4208
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3228
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WdlWt5HsyGJG.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4384
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uOTWcu8Mg3Qg.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1160
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:644
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jORZKfniNINu.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3264
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3324
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ni7wrUk3Hl5G.bat" "
        15⤵
        
        PID:3480
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4316
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3148
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4312
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIpwkyvlKjDf.bat" "
        17⤵
        
        PID:2560
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4012
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:888
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3552
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8w5EuqAd403h.bat" "
        19⤵
        
        PID:4760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4412
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4416
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4388
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xjXG8O88Dor4.bat" "
        21⤵
        
        PID:4284
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4476
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4640
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4520
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSRREcZ0THNF.bat" "
        23⤵
        
        PID:2204
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5068
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3600
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vNJoxl1mSHye.bat" "
        25⤵
        
        PID:548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3428
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4692
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UfvywAnhHNns.bat" "
        27⤵
        
        PID:4968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2200
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1392
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nDiLDJFi7au0.bat" "
        29⤵
        
        PID:964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4212
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4760
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\81a6nPRqKlsZ.bat" "
        31⤵
        
        PID:4388
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4476
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\81a6nPRqKlsZ.bat

Filesize
196B

MD5
0b3af1d83c9be4cfa67c2f688f0f6ad0

SHA1
1e4b03dc7c01c7437a1c5cbfe83fd2e014d0c727

SHA256
736fd923b8f25a538f172ac0c0eadf2dfeaefd98a86d51a8e26c55164874ab68

SHA512
56e2cbd2bb20ac3efeacf6dcb7e36dbccdc7545d46ef74ce52bb7f94f06fdfff0265d66fc192008dead791c2ff9d71629f1e400a78c3de15776f890916760414

Download Submit
C:\Users\Admin\AppData\Local\Temp\8w5EuqAd403h.bat

Filesize
196B

MD5
9462c565ad9c95e645b7a5690846b0cb

SHA1
159cb7f997c41726316ae297501cd31de3a5613d

SHA256
323be936d47877c04923028f35098320ab101909f5325cfed93abaf73d5aa838

SHA512
31bf8d1bfebeec021b66d630ede9b0f38b16e65c8e9752bd34c600b320ad78477cb42deb058d9e9828f1a89022a88650b3b87f44c0221cd2f13e3e2fe0cd6ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DSRREcZ0THNF.bat

Filesize
196B

MD5
ceca69a71cb179066b99c022768de499

SHA1
7c6caa41b33e9900429cdcf6857363f338ef13ef

SHA256
0af9a9dfb7bb8f3ccf85ec1641a5088ec419554851746e73d8d34ed9441dc85f

SHA512
5b9f002504d80d70055eba97f570001543afd94ef7ebc49b5d040a4d3cb7dab6e235d8e0ab40eb99b2e9813b741fcc8859b689fc3a3ecbb6f9ddf089450fea3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\G4UNrqOnltm7.bat

Filesize
196B

MD5
73fbff28be014f2921e46864fc80c11a

SHA1
0fa7a9b4536b5913ea081fa1eb931665edae8e8e

SHA256
1775875e377c26626c43a19664ee15220fc607b1bc253e9aeb75349417fb5d2b

SHA512
b6927e73c661fb636f67500feb8b6429cdbc31a2cb911c3f8bce1df0789797a2d9c55c9d411c86b385ee54ae953ffb953496caa4bbfbf45bbc1e706488aabf91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkKA4QROd8Dx.bat

Filesize
196B

MD5
de0a0c429e04bde57c77154df56d14f1

SHA1
d30aa1aea45934aa95768c6cb6871a91bb013dc5

SHA256
3ffe5e25a7b87d890f20f91d2e84560d07a50abb6675365705fd7374cadc2f8c

SHA512
05d1621ec4878cdb59284340c406aadd062cd2b7579d6bcee598bf30b3375a50c4611149c1eb5b3a2039883f237fb3943727aac6e554e7de407432d4681d8390

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ni7wrUk3Hl5G.bat

Filesize
196B

MD5
ce58b17c3780dc159c300a15fd388b34

SHA1
9f83bd481a592ca9c929ac8cc42c50dddf24fb7b

SHA256
62a49f847ef633639b945c54a47475bd61109bf34b66be0a9e5042b4d07a7225

SHA512
a0283df7dbb0d444ebc75c23c87e2730e49a7c3f2c77d81ff84b7170da80bec63cc679c58390ee3a12474ab77e1fb9b7ce111f9f746713f395bf9415f3a8c771

Download Submit
C:\Users\Admin\AppData\Local\Temp\UfvywAnhHNns.bat

Filesize
196B

MD5
f070e83234038bc53b5446e5923733bd

SHA1
805135ab2132f92484b204e38070bcda628e44a8

SHA256
008c731a618759637c4279b44c8cc129d1995e7bf1303417da62e79c4bdbd52d

SHA512
e33bb7d93455e4240949bd62cdeeca6e06aed5b487fbff503c972d41d71f59ecbcff3cd34371483e9e1ae21332a1c82a641dbc4876aabde6aa21948a3c47439d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WdlWt5HsyGJG.bat

Filesize
196B

MD5
4cd75adbd5e98bbcc725b124d09f286d

SHA1
845412313cb18dbe37266a71da8d0cd29a6b00de

SHA256
3e19f6138d3c73ba6b2f422b0b19f6ef47f9c99ab402e7aa781b5020ba264b4d

SHA512
48ccc02065fa1c6db619b2f4408e363abb63c3ac371a0b914e5cab25a5c6156f285dac6da19cdabc5a683800de0a67f53062d490cf2e8736da13ee848ea7c81d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIpwkyvlKjDf.bat

Filesize
196B

MD5
f965510659bac677295d765b042068a5

SHA1
ba5201d726ea91c98b46e69e6ddcc0002aa9e3dc

SHA256
22e935233ce6022f94c8f3c1e5965a6326b4d0059cf192619003d43f7e2a5c71

SHA512
c6452c54de9a4f31ba83123612bbf1c3e5b1b5eb61f2047249b47edaf2fca7708a6b2d51c79030a20a7975d1f26e3dbb8354cd93143fce9f4a80d7cd0117aec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jORZKfniNINu.bat

Filesize
196B

MD5
5007ea18f4f2fa61a434f6adc0574115

SHA1
69b276f62a36f06402cf0a3f86231056d25c767d

SHA256
d388686a04e20eb4ffe849b79e8ed560d5823837b8cf9f6f6bd1277340523ac8

SHA512
d386d3c8f5dbed3620055897730a289d38bace76d5798c71bd92724c635004943579d8ed3e636cf5e4d1bd9ffd2687b9e8b616b69669e984d3d40e252feeb7ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nDiLDJFi7au0.bat

Filesize
196B

MD5
5861d35330bbb0f597a0f69ebce23151

SHA1
0e2389c0f506972812f898fd59929831bf7a8079

SHA256
c6c8201444cfea5af2d24a58f1c22dd570cf804eb043fb40d2b1b1f00f764ef1

SHA512
a1eb673287d38736e59e68f90be4ab2a84dd36d2784ffe5e1f73a858b6d7f7c3e7edf270d01964ea3509204823c624b21de136d5f0af1237dc89debdb9ecdafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\uOTWcu8Mg3Qg.bat

Filesize
196B

MD5
0ee4b1205f2a7350eece57e52cd778fa

SHA1
b86ee88aa59cd4bac1f7f41a610aa9dde1829845

SHA256
4833316dcc828247fac2ba274cddc36528a875712ca5af03e703622c081a1d07

SHA512
1a0de61242b2c6acbd4c1a45a9ea5a25010f7df2ee0955dd38c20230c383db9c6ef086298139937e825f80d5d346a5f8ee4c3f200d9f1ad4356bb9268bd14f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\vNJoxl1mSHye.bat

Filesize
196B

MD5
0ecd280e6c67716ac55a96b0cfec51e8

SHA1
5e9bc733239424d065d9ececbc3ba944ffd87b66

SHA256
1923c8fcc178bec192e1f73e7fc23134f9325d73dadf325c540ccfe8f12993ec

SHA512
1fd8617527cf7b62644d58bbd10a0594d871dbe8ea06ce09515892c21ea9abfec83c1cf522a9a5e42b2c717f0cf19baeb880815bade3a0d814715d148810007e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xjXG8O88Dor4.bat

Filesize
196B

MD5
3bba18e37e485f2dcc29a99b6a106d7e

SHA1
a65bd68fac2f28ed1e2ef97422415a9cfac71be2

SHA256
9e2e150c19530c682f6c55113b8f4bd5d7f22eea955dd5489833f568fccae3c2

SHA512
ef6cf46009d4292f443a8b33d04929b707f14f7749d6381aa1d6184c689d5c293b9aceb16ede566aa3da6bbdf66a48a98a8935d013427719718867400809d750

Download Submit
C:\Users\Admin\AppData\Local\Temp\zaxx3PtGCXXw.bat

Filesize
196B

MD5
5f3b4f8f5475e8634615aac4f6151587

SHA1
7762e45f81430ca2fa74d229b6263444f6f8d5d7

SHA256
54a19fb17ed3134d3986f9ae2e46bd859da94aca4e40f80ba30bb2f71e68540f

SHA512
c7b7ad7ab98dc858855f7fcff11ef83e90e561a2f8c646387037d8c26fd937f491b7ba2c52aa5f9e4efaafe8c9b7384d13e3c0f5aab6fd4001cb9d99d4384dc1

Download Submit
C:\Windows\system32\SubDir\Client.exe

Filesize
3.1MB

MD5
ee86735f1427e86dcbba39339cecfe15

SHA1
cd492443264bdae1f0a5e5f16e57af3d1819a3ec

SHA256
655d2103255a0ec7e0aa4b488d75499ce880428fdcc2831bfdc52987b4660995

SHA512
59309d24c6df7d66033afe1aac2a7cc734438c3a6dfd02ad8a20299216fee4417dd10931a283366cbf42dea2b83b3e451527817c084bb20aac4c9800c68b82b1

Download Submit
memory/2092-18-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

Filesize
10.8MB

Download
memory/2092-13-0x000000001C0E0000-0x000000001C192000-memory.dmp

Filesize
712KB

Download
memory/2092-12-0x000000001BFD0000-0x000000001C020000-memory.dmp

Filesize
320KB

Download
memory/2092-11-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

Filesize
10.8MB

Download
memory/2092-10-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

Filesize
10.8MB

Download
memory/5088-0-0x00007FFEEB9B3000-0x00007FFEEB9B5000-memory.dmp

Filesize
8KB

Download
memory/5088-9-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

Filesize
10.8MB

Download
memory/5088-2-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

Filesize
10.8MB

Download
memory/5088-1-0x0000000000AB0000-0x0000000000DD4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads