quasar | 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 10:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

563F7_Client-built.exe
Size

3.1MB
MD5

fa5f99ff110280efe85f4663cfb3d6b8
SHA1

ad2d6d8006aee090a4ad5f08ec3425c6353c07d1
SHA256

5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d
SHA512

a3b898f758060f124c443422c6dc88ba80d9892890b25d21e37a1d3947cd4b9dbef403382ee6e28c1007785a63c5fa387f7d00403db433eb59c03d0b2a88b50e
SSDEEP

49152:evkt62XlaSFNWPjljiFa2RoUYIYiaJpFZwk/zLoGdWr1THHB72eh2NT:ev462XlaSFNWPjljiFXRoUYIlaj

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

havocc.ddns.net:4782

Mutex

6a533ca9-c745-463c-8bba-b6aaa9eb7fab

Attributes

encryption_key
CB213225C623A8CB39D3E1628CD4D7E7D686A7F3
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Discord
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 11 IoCs

resource	yara_rule
behavioral1/memory/2892-1-0x00000000002A0000-0x00000000005C4000-memory.dmp	family_quasar
behavioral1/files/0x0008000000015d81-6.dat	family_quasar
behavioral1/memory/2656-8-0x0000000000200000-0x0000000000524000-memory.dmp	family_quasar
behavioral1/memory/2920-23-0x0000000000890000-0x0000000000BB4000-memory.dmp	family_quasar
behavioral1/memory/2976-34-0x0000000000AE0000-0x0000000000E04000-memory.dmp	family_quasar
behavioral1/memory/1044-55-0x0000000000F40000-0x0000000001264000-memory.dmp	family_quasar
behavioral1/memory/1612-76-0x00000000003F0000-0x0000000000714000-memory.dmp	family_quasar
behavioral1/memory/2196-87-0x0000000000300000-0x0000000000624000-memory.dmp	family_quasar
behavioral1/memory/860-98-0x0000000000D70000-0x0000000001094000-memory.dmp	family_quasar
behavioral1/memory/1568-129-0x0000000000E00000-0x0000000001124000-memory.dmp	family_quasar
behavioral1/memory/316-140-0x0000000000160000-0x0000000000484000-memory.dmp	family_quasar

Executes dropped EXE 13 IoCs

pid	Process
2656	Client.exe
2920	Client.exe
2976	Client.exe
2476	Client.exe
1044	Client.exe
316	Client.exe
1612	Client.exe
2196	Client.exe
860	Client.exe
1948	Client.exe
1496	Client.exe
1568	Client.exe
316	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
892	PING.EXE
2480	PING.EXE
2604	PING.EXE
1572	PING.EXE
1144	PING.EXE
2608	PING.EXE
2460	PING.EXE
1524	PING.EXE
1440	PING.EXE
488	PING.EXE
1208	PING.EXE
696	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
2460	PING.EXE
892	PING.EXE
1524	PING.EXE
2480	PING.EXE
1440	PING.EXE
488	PING.EXE
1572	PING.EXE
1208	PING.EXE
696	PING.EXE
2608	PING.EXE
1144	PING.EXE
2604	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2216	schtasks.exe
1368	schtasks.exe
2788	schtasks.exe
2768	schtasks.exe
2636	schtasks.exe
2504	schtasks.exe
2068	schtasks.exe
1764	schtasks.exe
2388	schtasks.exe
448	schtasks.exe
2320	schtasks.exe
588	schtasks.exe
584	schtasks.exe
2940	schtasks.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2892	563F7_Client-built.exe
Token: SeDebugPrivilege	2656	Client.exe
Token: SeDebugPrivilege	2920	Client.exe
Token: SeDebugPrivilege	2976	Client.exe
Token: SeDebugPrivilege	2476	Client.exe
Token: SeDebugPrivilege	1044	Client.exe
Token: SeDebugPrivilege	316	Client.exe
Token: SeDebugPrivilege	1612	Client.exe
Token: SeDebugPrivilege	2196	Client.exe
Token: SeDebugPrivilege	860	Client.exe
Token: SeDebugPrivilege	1948	Client.exe
Token: SeDebugPrivilege	1496	Client.exe
Token: SeDebugPrivilege	1568	Client.exe
Token: SeDebugPrivilege	316	Client.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2656	Client.exe
2920	Client.exe
2976	Client.exe
2476	Client.exe
1044	Client.exe
316	Client.exe
1612	Client.exe
2196	Client.exe
860	Client.exe
1948	Client.exe
1496	Client.exe
1568	Client.exe
316	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2768	2892	563F7_Client-built.exe	30
PID 2892 wrote to memory of 2768	2892	563F7_Client-built.exe	30
PID 2892 wrote to memory of 2768	2892	563F7_Client-built.exe	30
PID 2892 wrote to memory of 2656	2892	563F7_Client-built.exe	32
PID 2892 wrote to memory of 2656	2892	563F7_Client-built.exe	32
PID 2892 wrote to memory of 2656	2892	563F7_Client-built.exe	32
PID 2656 wrote to memory of 2636	2656	Client.exe	33
PID 2656 wrote to memory of 2636	2656	Client.exe	33
PID 2656 wrote to memory of 2636	2656	Client.exe	33
PID 2656 wrote to memory of 380	2656	Client.exe	35
PID 2656 wrote to memory of 380	2656	Client.exe	35
PID 2656 wrote to memory of 380	2656	Client.exe	35
PID 380 wrote to memory of 1084	380	cmd.exe	37
PID 380 wrote to memory of 1084	380	cmd.exe	37
PID 380 wrote to memory of 1084	380	cmd.exe	37
PID 380 wrote to memory of 696	380	cmd.exe	38
PID 380 wrote to memory of 696	380	cmd.exe	38
PID 380 wrote to memory of 696	380	cmd.exe	38
PID 380 wrote to memory of 2920	380	cmd.exe	39
PID 380 wrote to memory of 2920	380	cmd.exe	39
PID 380 wrote to memory of 2920	380	cmd.exe	39
PID 2920 wrote to memory of 2068	2920	Client.exe	40
PID 2920 wrote to memory of 2068	2920	Client.exe	40
PID 2920 wrote to memory of 2068	2920	Client.exe	40
PID 2920 wrote to memory of 2932	2920	Client.exe	42
PID 2920 wrote to memory of 2932	2920	Client.exe	42
PID 2920 wrote to memory of 2932	2920	Client.exe	42
PID 2932 wrote to memory of 860	2932	cmd.exe	44
PID 2932 wrote to memory of 860	2932	cmd.exe	44
PID 2932 wrote to memory of 860	2932	cmd.exe	44
PID 2932 wrote to memory of 2608	2932	cmd.exe	45
PID 2932 wrote to memory of 2608	2932	cmd.exe	45
PID 2932 wrote to memory of 2608	2932	cmd.exe	45
PID 2932 wrote to memory of 2976	2932	cmd.exe	46
PID 2932 wrote to memory of 2976	2932	cmd.exe	46
PID 2932 wrote to memory of 2976	2932	cmd.exe	46
PID 2976 wrote to memory of 1764	2976	Client.exe	47
PID 2976 wrote to memory of 1764	2976	Client.exe	47
PID 2976 wrote to memory of 1764	2976	Client.exe	47
PID 2976 wrote to memory of 1412	2976	Client.exe	50
PID 2976 wrote to memory of 1412	2976	Client.exe	50
PID 2976 wrote to memory of 1412	2976	Client.exe	50
PID 1412 wrote to memory of 2316	1412	cmd.exe	52
PID 1412 wrote to memory of 2316	1412	cmd.exe	52
PID 1412 wrote to memory of 2316	1412	cmd.exe	52
PID 1412 wrote to memory of 2460	1412	cmd.exe	53
PID 1412 wrote to memory of 2460	1412	cmd.exe	53
PID 1412 wrote to memory of 2460	1412	cmd.exe	53
PID 1412 wrote to memory of 2476	1412	cmd.exe	54
PID 1412 wrote to memory of 2476	1412	cmd.exe	54
PID 1412 wrote to memory of 2476	1412	cmd.exe	54
PID 2476 wrote to memory of 2216	2476	Client.exe	55
PID 2476 wrote to memory of 2216	2476	Client.exe	55
PID 2476 wrote to memory of 2216	2476	Client.exe	55
PID 2476 wrote to memory of 1660	2476	Client.exe	57
PID 2476 wrote to memory of 1660	2476	Client.exe	57
PID 2476 wrote to memory of 1660	2476	Client.exe	57
PID 1660 wrote to memory of 448	1660	cmd.exe	59
PID 1660 wrote to memory of 448	1660	cmd.exe	59
PID 1660 wrote to memory of 448	1660	cmd.exe	59
PID 1660 wrote to memory of 1144	1660	cmd.exe	60
PID 1660 wrote to memory of 1144	1660	cmd.exe	60
PID 1660 wrote to memory of 1144	1660	cmd.exe	60
PID 1660 wrote to memory of 1044	1660	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2768
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2636
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\5TJGcKVTeUNj.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:380
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1084
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:696
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2068
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\c8vwK2UPntr3.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:860
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2608
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1764
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LO3t9lGksHUo.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2316
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2460
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2216
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xYtx37YbsTMv.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:448
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1144
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1044
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1368
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gOvHvcUgN9tJ.bat" "
        11⤵
        
        PID:2128
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:904
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:892
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:316
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:588
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Q0M6L0UJvkz6.bat" "
        13⤵
        
        PID:2064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1524
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2788
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aS8qonnPYnNV.bat" "
        15⤵
        
        PID:1828
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2000
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2480
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2196
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:584
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kdzx4nxs0ZKU.bat" "
        17⤵
        
        PID:2592
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2604
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:860
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2940
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\67GJp2xPP3ih.bat" "
        19⤵
        
        PID:2104
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1888
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1440
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1948
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2504
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9wzmFnUZUocY.bat" "
        21⤵
        
        PID:2264
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2488
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:488
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1496
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:448
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xh2OsVRzfHFp.bat" "
        23⤵
        
        PID:2584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1604
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1572
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1568
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2320
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rNr5rHrmqLb2.bat" "
        25⤵
        
        PID:588
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1208
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:316
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5TJGcKVTeUNj.bat

Filesize
207B

MD5
1268422f71b0285c97f5561d7e20015e

SHA1
29860f5226d4e8c4f47f4c47078ee6b123a1c356

SHA256
77a204900b947d8b7bc2236cf6769b64e6b3523ed96e82028168ba2881862a95

SHA512
f5702ca0d6c1f04bf567d3182be43c412d2c076311f81becc7cd7c6954a7e1a79afa1f003abed75fcbf543551ac07c8afc52540cde703881bd941f55ffc015a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\67GJp2xPP3ih.bat

Filesize
207B

MD5
3fcc4c7b97a7e8636933d33d18c427f6

SHA1
fd9a1a59beebbec0152ae92d043747f8bbe759fc

SHA256
e136ea4a9f9bcddfdd9c1e3cbd0ccbb61996091af64312cbe9cd2408fc648a10

SHA512
deef925b93a0605f5f6e956e799060b5c2968a0ea52f56adaf981bf53704f206376da470f1cbfa534dfeb6d17f25f0684a1403c5d9a8e2fff161fd0a68041011

Download Submit
C:\Users\Admin\AppData\Local\Temp\9wzmFnUZUocY.bat

Filesize
207B

MD5
901363ed00eee4d98fa458b28bba7fd1

SHA1
7b179ac262728ba6fcf7075637ad7c00dbedc651

SHA256
045f908912e84c716b96a386115f65da5e9de0e21e6a82e2a1f5a1fc5a0c7255

SHA512
042de58fde6e2a0d3e0bda0440930fc4ad45464196ef81964d20dd2d54f08aca4be11133b074298044136e3f42a5e6f2e301bedd7fa69cc104c8685b38515d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kdzx4nxs0ZKU.bat

Filesize
207B

MD5
023712e9ed6707eabfb57a4251e0ed55

SHA1
fba77b934ed799dfdde306e0eb07fbe11c748856

SHA256
0d543fbe86d430eae93cc2df3bcdad12777a1c6c2a743b533d83f66bc26de277

SHA512
69a9176a968e5b9533893063d6a63a713128d31832a5891c1436e7dcea0ff4855490e64ce9f7335bbbd132cb42f9fb2a0baed817910d77100dd8b14f711ca070

Download Submit
C:\Users\Admin\AppData\Local\Temp\LO3t9lGksHUo.bat

Filesize
207B

MD5
f56fcd1b95b1093235ec899018457205

SHA1
6cf99e9b63495aa1048556a9c2c314da10c9c048

SHA256
aae4fdb7f2beb28c9e74f331fbbbed2b3a16ff145f30b004acbb94a0d9535195

SHA512
a6427b519026f16bcb5ac4289e04bbd73266195cc63e9851eae0a8c0ff93cce22ab3c5e00af8ab007b5c8ad58e903272bfa2b0ae77398bda6b0b4ec49827f6d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q0M6L0UJvkz6.bat

Filesize
207B

MD5
a8140d804789365848d9901e3bd15c7b

SHA1
3d59cee0a64d190c7fc5968a5127924b80b5b32e

SHA256
172f6d0a8c0baeed36cdfbd1d2601a22f31df68588cdc4a2207c98d40e5e39f1

SHA512
a1fca1524515db29230c22396c892e8efb7caefe0e923fa7fbe7034d7ed48559cf0cddf200041a22b407ee7657d76658384365f891a48a3a378707ee6859da2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aS8qonnPYnNV.bat

Filesize
207B

MD5
8be077034dda2949b6bd80a639993dfa

SHA1
b4d429b2c2cfe3cd56511300d916937b8cff8098

SHA256
92aa798f48c678c4ce3fd884443504f4f5d1cff4d0087e6e9a22d57d3a7c0d96

SHA512
30e0fcbac61056f0182d7d44db2ace7e10513df07aab541cf94daa9fd7f46bb115cf0101047008fce2f0aeafc51a9d2374a7c475a565e676eba2016fb7743393

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8vwK2UPntr3.bat

Filesize
207B

MD5
c08653ccff5ce73b4eaeb2293dedc6a8

SHA1
eaf7453efcd9b800807123e4bebdbbd6fa951a50

SHA256
3bd4457d47946e2ee7dadc34173a13af230a3445d3e4054749a42b645b137277

SHA512
1a5b188a592a25bc68c5250307302aa28ba78389f4f70fd25e22f5976b69efbf194da43cb1858d5b34932f9c4b0ab15b399c792d41260611304edb0b83b84be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gOvHvcUgN9tJ.bat

Filesize
207B

MD5
2dcbd8255bbd5948ffafd59a499a989c

SHA1
fdd461dbcde8d6aae5fa469177f159be250ef0a7

SHA256
9b17fef4e805a77acd8fb709d32711da6a7e1b25aea87b2f2770697ccdc6a968

SHA512
568e9c383c1c1a5969adca94708ffd4c5e7d0914aea450d611966ef0008b23dbf01404faf48531b039d93adedfc9cb53503b41e442fa14e0490405e81ffeefb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rNr5rHrmqLb2.bat

Filesize
207B

MD5
63eca2793cb6c38adec88dd511600f31

SHA1
57b985b67e1daff211b99f1c511a36b10aa47bab

SHA256
e094722ccddef7f61fdb0917c8d7addea727f67f03b9f312b6b52eeb0b96f09f

SHA512
848e5ad5dced853293c578d361b84d668d57f4895a917575a398ecab01b39ec24e8d881b30b59452c8bd783882c07c6311bf8523195a873c6f2a1e72b35d16fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\xYtx37YbsTMv.bat

Filesize
207B

MD5
2677900c75c891f4b50917f9463a37e6

SHA1
f9f5bcd66f7516c98637d0d8335c3c5c0d0d0ba7

SHA256
6c66f83efeac06aa4ce0762c74099555fc0eb2cc9a6ebfeb24fa68d57824c348

SHA512
7914a01d4aa0b6e1cf796a79b5062a7bb36faeac0e18f776ad0108812445f8addc78b4e2d4e256b2f53f0ef5fbacf4868d306be3f5ebcbcb4a35f43ae305c811

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh2OsVRzfHFp.bat

Filesize
207B

MD5
8325889681de641980d32a7df4120150

SHA1
5d4fe08c3dbbbeb29c00f5cce3936d08b1ea5d62

SHA256
448b187cceb8da1f643091bede885084a2f933fee5d905950517f822338774c1

SHA512
ae192c5852c34e24bc9075e952855094ed5df769e4ef8da1da19c47bf46a350aa1b6d13a37380b2fbe66d825831eb665760dc33b2f4d402c46b1548a95ef87fe

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
fa5f99ff110280efe85f4663cfb3d6b8

SHA1
ad2d6d8006aee090a4ad5f08ec3425c6353c07d1

SHA256
5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d

SHA512
a3b898f758060f124c443422c6dc88ba80d9892890b25d21e37a1d3947cd4b9dbef403382ee6e28c1007785a63c5fa387f7d00403db433eb59c03d0b2a88b50e

Download Submit
memory/316-140-0x0000000000160000-0x0000000000484000-memory.dmp

Filesize
3.1MB

Download
memory/860-98-0x0000000000D70000-0x0000000001094000-memory.dmp

Filesize
3.1MB

Download
memory/1044-55-0x0000000000F40000-0x0000000001264000-memory.dmp

Filesize
3.1MB

Download
memory/1568-129-0x0000000000E00000-0x0000000001124000-memory.dmp

Filesize
3.1MB

Download
memory/1612-76-0x00000000003F0000-0x0000000000714000-memory.dmp

Filesize
3.1MB

Download
memory/2196-87-0x0000000000300000-0x0000000000624000-memory.dmp

Filesize
3.1MB

Download
memory/2656-8-0x0000000000200000-0x0000000000524000-memory.dmp

Filesize
3.1MB

Download
memory/2656-11-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2656-9-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2656-20-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2892-10-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2892-2-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2892-0-0x000007FEF5143000-0x000007FEF5144000-memory.dmp

Filesize
4KB

Download
memory/2892-1-0x00000000002A0000-0x00000000005C4000-memory.dmp

Filesize
3.1MB

Download
memory/2920-23-0x0000000000890000-0x0000000000BB4000-memory.dmp

Filesize
3.1MB

Download
memory/2976-34-0x0000000000AE0000-0x0000000000E04000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads