quasar | 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-12-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

563F7_Client-built.exe
Size

3.1MB
MD5

fa5f99ff110280efe85f4663cfb3d6b8
SHA1

ad2d6d8006aee090a4ad5f08ec3425c6353c07d1
SHA256

5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d
SHA512

a3b898f758060f124c443422c6dc88ba80d9892890b25d21e37a1d3947cd4b9dbef403382ee6e28c1007785a63c5fa387f7d00403db433eb59c03d0b2a88b50e
SSDEEP

49152:evkt62XlaSFNWPjljiFa2RoUYIYiaJpFZwk/zLoGdWr1THHB72eh2NT:ev462XlaSFNWPjljiFXRoUYIlaj

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

havocc.ddns.net:4782

Mutex

6a533ca9-c745-463c-8bba-b6aaa9eb7fab

Attributes

encryption_key
CB213225C623A8CB39D3E1628CD4D7E7D686A7F3
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Discord
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/964-1-0x0000000000330000-0x0000000000654000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b8d-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
2652	Client.exe
2624	Client.exe
3060	Client.exe
2244	Client.exe
1228	Client.exe
5084	Client.exe
1960	Client.exe
4440	Client.exe
2296	Client.exe
1100	Client.exe
4408	Client.exe
740	Client.exe
3744	Client.exe
232	Client.exe
1300	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3744	PING.EXE
4432	PING.EXE
632	PING.EXE
1972	PING.EXE
2072	PING.EXE
4632	PING.EXE
4620	PING.EXE
1340	PING.EXE
3288	PING.EXE
1412	PING.EXE
844	PING.EXE
3780	PING.EXE
1860	PING.EXE
1740	PING.EXE
2084	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
3288	PING.EXE
3744	PING.EXE
2072	PING.EXE
632	PING.EXE
3780	PING.EXE
4632	PING.EXE
1412	PING.EXE
1860	PING.EXE
4620	PING.EXE
1740	PING.EXE
1340	PING.EXE
1972	PING.EXE
2084	PING.EXE
844	PING.EXE
4432	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1432	schtasks.exe
2308	schtasks.exe
5096	schtasks.exe
2568	schtasks.exe
3436	schtasks.exe
2808	schtasks.exe
5004	schtasks.exe
4484	schtasks.exe
4820	schtasks.exe
1048	schtasks.exe
3068	schtasks.exe
1032	schtasks.exe
1632	schtasks.exe
4396	schtasks.exe
1892	schtasks.exe
556	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	964	563F7_Client-built.exe
Token: SeDebugPrivilege	2652	Client.exe
Token: SeDebugPrivilege	2624	Client.exe
Token: SeDebugPrivilege	3060	Client.exe
Token: SeDebugPrivilege	2244	Client.exe
Token: SeDebugPrivilege	1228	Client.exe
Token: SeDebugPrivilege	5084	Client.exe
Token: SeDebugPrivilege	1960	Client.exe
Token: SeDebugPrivilege	4440	Client.exe
Token: SeDebugPrivilege	2296	Client.exe
Token: SeDebugPrivilege	1100	Client.exe
Token: SeDebugPrivilege	4408	Client.exe
Token: SeDebugPrivilege	740	Client.exe
Token: SeDebugPrivilege	3744	Client.exe
Token: SeDebugPrivilege	232	Client.exe
Token: SeDebugPrivilege	1300	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 3436	964	563F7_Client-built.exe	82
PID 964 wrote to memory of 3436	964	563F7_Client-built.exe	82
PID 964 wrote to memory of 2652	964	563F7_Client-built.exe	84
PID 964 wrote to memory of 2652	964	563F7_Client-built.exe	84
PID 2652 wrote to memory of 1432	2652	Client.exe	85
PID 2652 wrote to memory of 1432	2652	Client.exe	85
PID 2652 wrote to memory of 3988	2652	Client.exe	87
PID 2652 wrote to memory of 3988	2652	Client.exe	87
PID 3988 wrote to memory of 2148	3988	cmd.exe	89
PID 3988 wrote to memory of 2148	3988	cmd.exe	89
PID 3988 wrote to memory of 1340	3988	cmd.exe	90
PID 3988 wrote to memory of 1340	3988	cmd.exe	90
PID 3988 wrote to memory of 2624	3988	cmd.exe	91
PID 3988 wrote to memory of 2624	3988	cmd.exe	91
PID 2624 wrote to memory of 2308	2624	Client.exe	92
PID 2624 wrote to memory of 2308	2624	Client.exe	92
PID 2624 wrote to memory of 368	2624	Client.exe	94
PID 2624 wrote to memory of 368	2624	Client.exe	94
PID 368 wrote to memory of 4500	368	cmd.exe	96
PID 368 wrote to memory of 4500	368	cmd.exe	96
PID 368 wrote to memory of 632	368	cmd.exe	97
PID 368 wrote to memory of 632	368	cmd.exe	97
PID 368 wrote to memory of 3060	368	cmd.exe	105
PID 368 wrote to memory of 3060	368	cmd.exe	105
PID 3060 wrote to memory of 4820	3060	Client.exe	106
PID 3060 wrote to memory of 4820	3060	Client.exe	106
PID 3060 wrote to memory of 3064	3060	Client.exe	108
PID 3060 wrote to memory of 3064	3060	Client.exe	108
PID 3064 wrote to memory of 4108	3064	cmd.exe	110
PID 3064 wrote to memory of 4108	3064	cmd.exe	110
PID 3064 wrote to memory of 3780	3064	cmd.exe	111
PID 3064 wrote to memory of 3780	3064	cmd.exe	111
PID 3064 wrote to memory of 2244	3064	cmd.exe	113
PID 3064 wrote to memory of 2244	3064	cmd.exe	113
PID 2244 wrote to memory of 2808	2244	Client.exe	114
PID 2244 wrote to memory of 2808	2244	Client.exe	114
PID 2244 wrote to memory of 3640	2244	Client.exe	116
PID 2244 wrote to memory of 3640	2244	Client.exe	116
PID 3640 wrote to memory of 224	3640	cmd.exe	119
PID 3640 wrote to memory of 224	3640	cmd.exe	119
PID 3640 wrote to memory of 3288	3640	cmd.exe	120
PID 3640 wrote to memory of 3288	3640	cmd.exe	120
PID 3640 wrote to memory of 1228	3640	cmd.exe	121
PID 3640 wrote to memory of 1228	3640	cmd.exe	121
PID 1228 wrote to memory of 1892	1228	Client.exe	122
PID 1228 wrote to memory of 1892	1228	Client.exe	122
PID 1228 wrote to memory of 1600	1228	Client.exe	124
PID 1228 wrote to memory of 1600	1228	Client.exe	124
PID 1600 wrote to memory of 4580	1600	cmd.exe	126
PID 1600 wrote to memory of 4580	1600	cmd.exe	126
PID 1600 wrote to memory of 1972	1600	cmd.exe	127
PID 1600 wrote to memory of 1972	1600	cmd.exe	127
PID 1600 wrote to memory of 5084	1600	cmd.exe	128
PID 1600 wrote to memory of 5084	1600	cmd.exe	128
PID 5084 wrote to memory of 5004	5084	Client.exe	129
PID 5084 wrote to memory of 5004	5084	Client.exe	129
PID 5084 wrote to memory of 4040	5084	Client.exe	131
PID 5084 wrote to memory of 4040	5084	Client.exe	131
PID 4040 wrote to memory of 1684	4040	cmd.exe	133
PID 4040 wrote to memory of 1684	4040	cmd.exe	133
PID 4040 wrote to memory of 3744	4040	cmd.exe	134
PID 4040 wrote to memory of 3744	4040	cmd.exe	134
PID 4040 wrote to memory of 1960	4040	cmd.exe	135
PID 4040 wrote to memory of 1960	4040	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3436
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GNi90Bp4kRMR.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3988
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2148
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1340
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2308
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4Fl0hg9r5KIA.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:368
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4500
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:632
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmCm4iGFKDe5.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3780
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ibD3VjnE9s53.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:224
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3288
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kjE7rv8JlY8n.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4580
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1972
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DkUc9ZcnVdJj.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1684
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3744
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gdGH6xnaeoFj.bat" "
        15⤵
        
        PID:2800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2072
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1412
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4440
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VHcXFqA1oHsI.bat" "
        17⤵
        
        PID:3680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:844
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lAwDQEyLke5x.bat" "
        19⤵
        
        PID:696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1860
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IkStATpdcZge.bat" "
        21⤵
        
        PID:2456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4432
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4408
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ttx4rOMoeGUN.bat" "
        23⤵
        
        PID:1228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4352
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4632
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:740
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqfGSel4e4hQ.bat" "
        25⤵
        
        PID:1700
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1672
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4620
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3744
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZNvV0KzLAiX3.bat" "
        27⤵
        
        PID:3988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1336
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2072
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:232
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgnZucRluzRH.bat" "
        29⤵
        
        PID:4920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4536
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1740
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\thECtKAm37yk.bat" "
        31⤵
        
        PID:3768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4Fl0hg9r5KIA.bat

Filesize
207B

MD5
1782270d735302425cdc7e4acbec3ab9

SHA1
20af3cae665a67c27ce5d034f31c02eb9a54c037

SHA256
b8b0e34750e387b113362c846763e80a27c1c1ca24e1352e8c9bc9c3006293d1

SHA512
0362f7b1711befaf500fdb29804165983e29c43191d18d4fa8d708c068f440d359f7b4dafe82d215f023947c66c50fa454bc3a6d97a6791415d46aa52d612320

Download Submit
C:\Users\Admin\AppData\Local\Temp\DkUc9ZcnVdJj.bat

Filesize
207B

MD5
9d5a969f84555db095c2714fdffa9465

SHA1
f16d0d64f39b78d7402ee96e77b935a46adb60af

SHA256
a954eb4e577fa422963fe8c7d5b6485509412b15d9e6bbb0128cd14a4b335934

SHA512
02886efa7f429491d1acbb15fe0f71bf6493a61dcaf43600315a89763bdd1e91c498633a64ede75bf77e20223895d358f0ded6745232ce7bb50543ccc3e34813

Download Submit
C:\Users\Admin\AppData\Local\Temp\GNi90Bp4kRMR.bat

Filesize
207B

MD5
d5b55281090d91a983041f0852de995f

SHA1
9fec69e6003e60ade5bea59409a5d42ca2f267cf

SHA256
eab418616042948426f484d27ad5cccf7cf30fe9e09637778489c2ff1b71f0d2

SHA512
9587c8dfd82b975d68e39de8ec07052eb5732cf657d8b4cec882d94d5d6e276d03d1dcca8e4fb9223c6df412feaa0fb1d8d84cc19fb141f153c6848ee17f1888

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkStATpdcZge.bat

Filesize
207B

MD5
419f818ad1ee2a246d77349e4d3710d1

SHA1
ecb678886faedd8b529cec23d5081d32e0035771

SHA256
1183c16b3f3ac245422b8924999d239225d4f3511c3479584c1e2a7898924ffa

SHA512
8ad41d3cfebba924467d79fe42c8ea6a8a81c60e9244de82b37659b191899ad75a482555acc0eb83d9490b3ff1d53753149c4c8f93926b02ef3d9b27d8fa5270

Download Submit
C:\Users\Admin\AppData\Local\Temp\KqfGSel4e4hQ.bat

Filesize
207B

MD5
9210f3482dfd1a6dc5e48464b637543a

SHA1
2d182dcc04ef02e006a5925024a90bdad286dfd2

SHA256
77e37ad2d1f41ad91cd906271620dc932339d0eee371c62db7f215bb8db34f9f

SHA512
8d48d96c7a42d957e6aea51ab23acbb3d7515a66e7ba123b2a8e12ba29116f44fa3ef871e0bf55bd0f6d4a929680602b7c1476c20ff5be75f999ed4c6d504ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\VHcXFqA1oHsI.bat

Filesize
207B

MD5
86cf708e8a9c5b5890950c2e09e41293

SHA1
1446913b0a1137c2f10347fbefca7598c3d6bbfa

SHA256
76a03b24678c2aae78162ab642a57bd79669128b3bf086fccfbf4ae1023df10c

SHA512
d403616385c35d73fd24c78d40bcf507636030f9ca2d6582dbbaaf4b6f49d5c11548d74c9a2f1436ef9ff233d85844ea9ab8f591df21fdc456fa52dcb8caf706

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZNvV0KzLAiX3.bat

Filesize
207B

MD5
f70eed94128ee582d0cd4d4e7bcdb3dc

SHA1
a448f9061f156bf94925562d2ab839fff0cef946

SHA256
989f30c88e239531e20457206206ffff7dd9db803e814e7806e871cc99835482

SHA512
d7c422067ef7c9472c67a6272743b095421438d68e013d6d5665650117f5d096142bf8603879b25c007d4973f8f8709ff5bbf3f30c31d318b671e25b9d171739

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdGH6xnaeoFj.bat

Filesize
207B

MD5
51141db8bd443d4447baacaa81187049

SHA1
6574f426a310ad0d0615e068bebf6a4f9521afa0

SHA256
0bc64499e7e5e96a8b3563acdadf6dc049075671240c74e945cfb29c5136bf27

SHA512
704f1991b64d28f3a7985a464fc1ed8d2a3ca4da9e505d70bac172f688d291d47be645c267a6066abbe3ac0bc97f3679d2612c7f43cafecd9c3f4b1f6ea6bbaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibD3VjnE9s53.bat

Filesize
207B

MD5
3fcbcfbe74b40cb236f97884d4d1cb64

SHA1
93068a03b855294cd53c199de7b09521642e896e

SHA256
07aaf777a4ba6e7e2468b59fd4f063239b139032c86176bd15006a3b1bde7f1b

SHA512
4570b541b4eca86ced973095a3b16a4cd0b44d56c843ba9a7edc12ef51b9717e751399b080b39c2e5a5c92fdd066687bc346dd031d17879442f1629ee25bcff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kjE7rv8JlY8n.bat

Filesize
207B

MD5
fe757ad57977ea2780b275754fb7dae6

SHA1
7995d158ee5b04dcce75dff98370af52138c55f1

SHA256
8fe2c0c551fd063fd63d143873aee5da0870ec8201870e904b6389eb12492312

SHA512
ca210e050fb9284b559dcaeac308292774647cd5394a5b8127c6286382739aad902410872e35a85d26ddc76df4aabc86f9bb149541b2ee39ddcdcdcf17d764f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAwDQEyLke5x.bat

Filesize
207B

MD5
c40ea480aad8055a295aaebf6c9b2ce0

SHA1
fd07b08204309aef649bb9e1d7075b9025934916

SHA256
f3b930a28afcbc3ed05aca10ff1753369a84e67d9b015a8d1122abc8b3afda29

SHA512
56f0a6b8535948fdfc3d88c5c4d7734d0eb1a1879b62aa778d423572e3f46bbb2465674d8d4d0301291ff0da2ab67be4776926f9de77cd43f6e9b69e2380535c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgnZucRluzRH.bat

Filesize
207B

MD5
d18b48ebee2150986d6149e287cf87c4

SHA1
45bb8d511751379d902b4d2ea5ab8d4cb6680b0a

SHA256
0e2494b651e97ff907cf544c1a6b3fe68ea426e586ddfdac5b2468b7f8a50e52

SHA512
dcae6657908b07d2dd01ac14db32b63818b379e76404eb19e9a07346a45c836d790d7df4a4f2bf0c9fede5731ab6aba8401fc4d31a26011a0908ba042188886b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmCm4iGFKDe5.bat

Filesize
207B

MD5
b46fb483367c07e882ac21eebc04b387

SHA1
4cf4bd1ad37f799e155e5a558fe5d55e6826fd75

SHA256
22e43092fcdc7257de5d8ef3ff21b5e19a659e80552731e120a317939fa114b9

SHA512
6a41dfa45df33d1dc75eb74754c62fe624f9a7469f84144eaaf69e9c85ffeb5bd7bdbe4b052afc3e167ffedcc284a9e38d50bd809befbf1719cb07a513a4a9fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\thECtKAm37yk.bat

Filesize
207B

MD5
b5f05ef2454e9e671a0bb5727c622853

SHA1
2dd1b32837b69cf297b99ad277da6979cd31d588

SHA256
9e794c70e7b1461dc6d7deddc4b7cee068154bf8c54dd54e67b16274b82d8c86

SHA512
e0609d3fd0720cf8db63fc3d19de0a31d527730f3d452306ae44264f3f454c50561fce5eff862539e6edc4692954052502ae45dd9d902b043cef20f31966c98f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ttx4rOMoeGUN.bat

Filesize
207B

MD5
e4cc2b9e4f7858c66e9ae4ddc8d9a60b

SHA1
960be7504b8f7f8cb9599830371fc07145a70c8e

SHA256
20db73a882e7ed8ee9e462f4221f527d99873e9d6a1292aa45cf97b907948fa4

SHA512
e75ed5a4e9287b318154ee5efce6eaba5295a5dce0214ff37c17950021f9f681c00a94d64c887ef2c4f99947c31456d603cc900bd94fc05e9282306ff8c654b2

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
fa5f99ff110280efe85f4663cfb3d6b8

SHA1
ad2d6d8006aee090a4ad5f08ec3425c6353c07d1

SHA256
5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d

SHA512
a3b898f758060f124c443422c6dc88ba80d9892890b25d21e37a1d3947cd4b9dbef403382ee6e28c1007785a63c5fa387f7d00403db433eb59c03d0b2a88b50e

Download Submit
memory/964-0-0x00007FF92BD93000-0x00007FF92BD95000-memory.dmp

Filesize
8KB

Download
memory/964-9-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

Filesize
10.8MB

Download
memory/964-2-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

Filesize
10.8MB

Download
memory/964-1-0x0000000000330000-0x0000000000654000-memory.dmp

Filesize
3.1MB

Download
memory/2652-12-0x0000000002F40000-0x0000000002F90000-memory.dmp

Filesize
320KB

Download
memory/2652-18-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

Filesize
10.8MB

Download
memory/2652-13-0x000000001C240000-0x000000001C2F2000-memory.dmp

Filesize
712KB

Download
memory/2652-11-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

Filesize
10.8MB

Download
memory/2652-10-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads