quasar | 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-12-2024 10:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

563F7_Client-built.exe
Size

3.1MB
MD5

fa5f99ff110280efe85f4663cfb3d6b8
SHA1

ad2d6d8006aee090a4ad5f08ec3425c6353c07d1
SHA256

5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d
SHA512

a3b898f758060f124c443422c6dc88ba80d9892890b25d21e37a1d3947cd4b9dbef403382ee6e28c1007785a63c5fa387f7d00403db433eb59c03d0b2a88b50e
SSDEEP

49152:evkt62XlaSFNWPjljiFa2RoUYIYiaJpFZwk/zLoGdWr1THHB72eh2NT:ev462XlaSFNWPjljiFXRoUYIlaj

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

havocc.ddns.net:4782

Mutex

6a533ca9-c745-463c-8bba-b6aaa9eb7fab

Attributes

encryption_key
CB213225C623A8CB39D3E1628CD4D7E7D686A7F3
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Discord
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/3628-1-0x0000000000410000-0x0000000000734000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b8c-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
4752	Client.exe
3604	Client.exe
5036	Client.exe
1028	Client.exe
2844	Client.exe
2484	Client.exe
1440	Client.exe
4108	Client.exe
860	Client.exe
2324	Client.exe
2996	Client.exe
1244	Client.exe
508	Client.exe
2040	Client.exe
3372	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1344	PING.EXE
1180	PING.EXE
8	PING.EXE
2872	PING.EXE
1904	PING.EXE
3644	PING.EXE
1932	PING.EXE
3784	PING.EXE
2968	PING.EXE
3920	PING.EXE
3176	PING.EXE
4232	PING.EXE
1432	PING.EXE
3492	PING.EXE
4608	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1344	PING.EXE
3492	PING.EXE
3920	PING.EXE
2872	PING.EXE
1180	PING.EXE
1904	PING.EXE
3176	PING.EXE
8	PING.EXE
4232	PING.EXE
3644	PING.EXE
1432	PING.EXE
2968	PING.EXE
1932	PING.EXE
4608	PING.EXE
3784	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
456	schtasks.exe
4036	schtasks.exe
4416	schtasks.exe
5100	schtasks.exe
1532	schtasks.exe
1428	schtasks.exe
508	schtasks.exe
4848	schtasks.exe
2016	schtasks.exe
4860	schtasks.exe
4432	schtasks.exe
4504	schtasks.exe
1840	schtasks.exe
4504	schtasks.exe
3020	schtasks.exe
2476	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3628	563F7_Client-built.exe
Token: SeDebugPrivilege	4752	Client.exe
Token: SeDebugPrivilege	3604	Client.exe
Token: SeDebugPrivilege	5036	Client.exe
Token: SeDebugPrivilege	1028	Client.exe
Token: SeDebugPrivilege	2844	Client.exe
Token: SeDebugPrivilege	2484	Client.exe
Token: SeDebugPrivilege	1440	Client.exe
Token: SeDebugPrivilege	4108	Client.exe
Token: SeDebugPrivilege	860	Client.exe
Token: SeDebugPrivilege	2324	Client.exe
Token: SeDebugPrivilege	2996	Client.exe
Token: SeDebugPrivilege	1244	Client.exe
Token: SeDebugPrivilege	508	Client.exe
Token: SeDebugPrivilege	2040	Client.exe
Token: SeDebugPrivilege	3372	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 1428	3628	563F7_Client-built.exe	82
PID 3628 wrote to memory of 1428	3628	563F7_Client-built.exe	82
PID 3628 wrote to memory of 4752	3628	563F7_Client-built.exe	84
PID 3628 wrote to memory of 4752	3628	563F7_Client-built.exe	84
PID 4752 wrote to memory of 4504	4752	Client.exe	85
PID 4752 wrote to memory of 4504	4752	Client.exe	85
PID 4752 wrote to memory of 3656	4752	Client.exe	87
PID 4752 wrote to memory of 3656	4752	Client.exe	87
PID 3656 wrote to memory of 1916	3656	cmd.exe	89
PID 3656 wrote to memory of 1916	3656	cmd.exe	89
PID 3656 wrote to memory of 4232	3656	cmd.exe	90
PID 3656 wrote to memory of 4232	3656	cmd.exe	90
PID 3656 wrote to memory of 3604	3656	cmd.exe	95
PID 3656 wrote to memory of 3604	3656	cmd.exe	95
PID 3604 wrote to memory of 508	3604	Client.exe	96
PID 3604 wrote to memory of 508	3604	Client.exe	96
PID 3604 wrote to memory of 8	3604	Client.exe	98
PID 3604 wrote to memory of 8	3604	Client.exe	98
PID 8 wrote to memory of 3308	8	cmd.exe	100
PID 8 wrote to memory of 3308	8	cmd.exe	100
PID 8 wrote to memory of 3644	8	cmd.exe	101
PID 8 wrote to memory of 3644	8	cmd.exe	101
PID 8 wrote to memory of 5036	8	cmd.exe	105
PID 8 wrote to memory of 5036	8	cmd.exe	105
PID 5036 wrote to memory of 5100	5036	Client.exe	106
PID 5036 wrote to memory of 5100	5036	Client.exe	106
PID 5036 wrote to memory of 4456	5036	Client.exe	108
PID 5036 wrote to memory of 4456	5036	Client.exe	108
PID 4456 wrote to memory of 3836	4456	cmd.exe	110
PID 4456 wrote to memory of 3836	4456	cmd.exe	110
PID 4456 wrote to memory of 1432	4456	cmd.exe	111
PID 4456 wrote to memory of 1432	4456	cmd.exe	111
PID 4456 wrote to memory of 1028	4456	cmd.exe	113
PID 4456 wrote to memory of 1028	4456	cmd.exe	113
PID 1028 wrote to memory of 1840	1028	Client.exe	114
PID 1028 wrote to memory of 1840	1028	Client.exe	114
PID 1028 wrote to memory of 4320	1028	Client.exe	116
PID 1028 wrote to memory of 4320	1028	Client.exe	116
PID 4320 wrote to memory of 3612	4320	cmd.exe	118
PID 4320 wrote to memory of 3612	4320	cmd.exe	118
PID 4320 wrote to memory of 1932	4320	cmd.exe	119
PID 4320 wrote to memory of 1932	4320	cmd.exe	119
PID 4320 wrote to memory of 2844	4320	cmd.exe	121
PID 4320 wrote to memory of 2844	4320	cmd.exe	121
PID 2844 wrote to memory of 4504	2844	Client.exe	122
PID 2844 wrote to memory of 4504	2844	Client.exe	122
PID 2844 wrote to memory of 220	2844	Client.exe	124
PID 2844 wrote to memory of 220	2844	Client.exe	124
PID 220 wrote to memory of 4048	220	cmd.exe	126
PID 220 wrote to memory of 4048	220	cmd.exe	126
PID 220 wrote to memory of 1344	220	cmd.exe	127
PID 220 wrote to memory of 1344	220	cmd.exe	127
PID 220 wrote to memory of 2484	220	cmd.exe	128
PID 220 wrote to memory of 2484	220	cmd.exe	128
PID 2484 wrote to memory of 456	2484	Client.exe	129
PID 2484 wrote to memory of 456	2484	Client.exe	129
PID 2484 wrote to memory of 2112	2484	Client.exe	131
PID 2484 wrote to memory of 2112	2484	Client.exe	131
PID 2112 wrote to memory of 2792	2112	cmd.exe	133
PID 2112 wrote to memory of 2792	2112	cmd.exe	133
PID 2112 wrote to memory of 3492	2112	cmd.exe	134
PID 2112 wrote to memory of 3492	2112	cmd.exe	134
PID 2112 wrote to memory of 1440	2112	cmd.exe	135
PID 2112 wrote to memory of 1440	2112	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1428
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKD3xYCyxjig.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1916
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4232
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3604
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:508
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iQoDyU07Mu7I.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:8
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3308
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3644
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1PZcVgwt7lR0.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1432
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ijyRXBjdKXC9.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1932
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAlc2QtJKO2t.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1344
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XFfLm4LcwFhr.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2792
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3492
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rHoWaGjqGxbh.bat" "
        15⤵
        
        PID:2364
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4608
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4108
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\krkFiWqtJPMd.bat" "
        17⤵
        
        PID:3004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2144
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3920
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hZhZ2K2WVe7P.bat" "
        19⤵
        
        PID:2012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1464
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2872
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XjDBMJKp6PrI.bat" "
        21⤵
        
        PID:4836
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:5092
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3784
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GpxCCm1OSf4B.bat" "
        23⤵
        
        PID:1816
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1492
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1180
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9dpySN8UUPTb.bat" "
        25⤵
        
        PID:3464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3760
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3176
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:508
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEWqDdssBYYJ.bat" "
        27⤵
        
        PID:1172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1184
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yODjpPXoCPNz.bat" "
        29⤵
        
        PID:4516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2144
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:8
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3372
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQ6p621r2v5F.bat" "
        31⤵
        
        PID:3084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1PZcVgwt7lR0.bat

Filesize
207B

MD5
c1c659c956e113b8eaebfcbb2955679a

SHA1
b6dfc79c32cb06df78ed01d8ddd4f33602287c2e

SHA256
293485257a4e26a403e4a88b9a466e78f94dc2e32c69410240fd1a49671d16a9

SHA512
cdf1b897ac3a3ffff6de194a7a87a4962cf69e9b65f76d12292f2bfc1656da45eb90d8e2d9f23a6cbb53491c1abacb9082629306ef975e0cfb11f5282e314b47

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dpySN8UUPTb.bat

Filesize
207B

MD5
29f9836ab3257a5ec0f57835335464f0

SHA1
87b66ec917d8fce9cafdbf7c440e4f6a9061ff11

SHA256
714613cb2ae8ec6e4c2b283b56b1a712f920f470fd44f2001ec7cc302aecbcc4

SHA512
840d52a6221105ffeb13d18421442e6e1b4caca2ffb5fad6af5646bad5cacb073b20e5a1c31100abed1cb206f1622cb3669e8504d4d76cac4842ca3a6d1f82f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEWqDdssBYYJ.bat

Filesize
207B

MD5
545a94b3193964ef5240e3938bd87180

SHA1
5c933ae87276ebff103a56effa5606f225bcad27

SHA256
972b1c38d1ad4f84691bca134e628e615dfd6e11c0558ba2b9f6debcb4fb9a05

SHA512
d63305c14ecde4b33972972d1fc8232f9cf7ce0d0ba48c1677cc350c0abd1a0fb5987ff1d38d49744daf932e40cd1cfcda623553244a0a622577a591a91d795b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FQ6p621r2v5F.bat

Filesize
207B

MD5
5eafe89f46ae1b52e84d23c9dd574cae

SHA1
1d08492bcd786823b787d28ca7289cde6153cc7a

SHA256
7c5298ce3267b49e9103cabd9b6f340cb6e91c59d835b0d6254f069752235a4d

SHA512
de94a6cc628ccafa3fcc61eb4196bc8e4d78a724145e5df71562159cb2cd7975b249fdb309744870b0c8e46c3b5387012675693d427f2546d095a721381a95de

Download Submit
C:\Users\Admin\AppData\Local\Temp\GpxCCm1OSf4B.bat

Filesize
207B

MD5
d985c57c8bab51cb125f4447288fe77d

SHA1
11d35bd955635aefb4a0a12b4ed49e5e28cb7788

SHA256
68b113ce2ffbd29f41ed2d7d4759c23efbbf7b99401ec80b5a6dcc100660c239

SHA512
3147226b8cf30d16ab0a92b23182538ef6a8774d6ff8d54b6eed123b54ad055104ea639f2f10fc0437f144d753dc80c4f758e4a8f1309e2a5b83664b5721a752

Download Submit
C:\Users\Admin\AppData\Local\Temp\XFfLm4LcwFhr.bat

Filesize
207B

MD5
01ba09981995f814678cd9d1ae6a67b0

SHA1
b9e67c1a56d9fceec1e64630aa9f3cf7023c2183

SHA256
1fe672b5d71b9b258071ccad2bdfb141e05280b0ca83324a049eb7dbb3400a28

SHA512
224d8939126719f06af779dae68074a104a134af87de72022a9968393724b20cebd23b04b973e6e36346b65f1c376084c3768e5d85e3624033ec124230dc10bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XjDBMJKp6PrI.bat

Filesize
207B

MD5
1e92ae51b85a36eeb6391f730fa9de1e

SHA1
e365499d36683a12973d1575203758dc643b2268

SHA256
4ecc4f230d0f09e5e476561fd47a7b99cb3c82b1a1b961d9766bdbe3030713e1

SHA512
77f6c21879d74cb019768dbf65821004ef9f6f2aba06282c8a23f1caa2332d9654ca96e572276b0682fdbe5fd9ade76f778697eef9103586f242b379192c58bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAlc2QtJKO2t.bat

Filesize
207B

MD5
6efb4a6a4391668128d362cd9e8002ff

SHA1
714c64247400880d97df22f55c640b42c8be0b61

SHA256
90218fa074ac2012772dbc2b6027ba6e24ae24293688686b17906fc2754d3d41

SHA512
930b8c0a42666f60e722452b23a8bb2796e02034a7310fbe638f8c304edf8b282d321b22f4412124bb7ad9d45a1b2c89fc6d81dfd3ca0a0c7ee83ed747cab15a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gKD3xYCyxjig.bat

Filesize
207B

MD5
b45c6542f7956be7029ff4369db525ce

SHA1
a370d631cd2817725c14efbd10bea84d90d1b220

SHA256
6031020effb37bd27d64029b7a94c3756e2726a46a5c2575370a498602c5c69e

SHA512
2bf0ead4dc6a5391dac88fda0ac845a169f5067030b9a11693e7c67c510959f1cf18a08df4da9b1e041c2206adb1881224bdd3c257ae8a72b8e14934a3968cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hZhZ2K2WVe7P.bat

Filesize
207B

MD5
1570d4670645736672a09840037b6f6e

SHA1
cf6c3d5ce9f0f0dba8b99d296b0dfdc077bb0f25

SHA256
e3a1b8077f5174705517a3944df986f8d4a37cb2d5aaf6d76f3bc85db5d87c43

SHA512
876f8b4615b310ec56186ec379db1d98a1f0d81f63f3a108e2aac77d663a5c64a314b0ce51aca3d51cac79493611745e5d8fbcf95cbee6b60b1832aeff43a594

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQoDyU07Mu7I.bat

Filesize
207B

MD5
e4305293840e4de706c2a00c9d228f60

SHA1
5b7ce655d678127481e714f023080744359fd39d

SHA256
5ef3aa33cfbc433360147f607b4067629cd7e08838eca4c5859e0983fdfcf5e8

SHA512
f164fa9baee5b52febfd2d047f392d99fdf614c089c79ad8233682dede47a3c5df2d625d4fac2862dc79ab65be75a4323576bbf4f417cac06cb0233e4dec7fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ijyRXBjdKXC9.bat

Filesize
207B

MD5
b0cbdc06b2cd34df0f71a1cbc544a172

SHA1
1200ca821cf9cff0b0f737bb3249160e285bf4b0

SHA256
def49c50ccd7be01575dfe810eef6ffe29641e3f81b0f71171e4245f08bf5c8d

SHA512
2e8f31ef5f2b674da231f116ffa9e7aebe9cdff1d5cebf9e6e96fd3963ce1010acd6477ce236634b47cd471d69ccb939982327aaef564eb21b82c861a716b10c

Download Submit
C:\Users\Admin\AppData\Local\Temp\krkFiWqtJPMd.bat

Filesize
207B

MD5
c8f8a20f2ddf8ba2777585e645bd7c16

SHA1
7f4e9044e6c3cae154ce8b221cae6a1381b1e922

SHA256
d0449e59052c19ca61b62f287d51f79781444ec92478755ba81045643592d0f4

SHA512
a1d1b3af007372d83e3c64063afaf31a04af8ad527ea420867952c3970a264348dc0619099e56c562851f2bfbef6121b2d84d6e20c63f6104eecc73b2ccef456

Download Submit
C:\Users\Admin\AppData\Local\Temp\rHoWaGjqGxbh.bat

Filesize
207B

MD5
6f2c978d70e1d3938705c4e9a473036a

SHA1
c0e9c1dff81496aba1a4a80cb5771c4811e51166

SHA256
2f58226a5e498c63a6eb47e0a63f46626c51fff0d92a92d070c16be5373bbdf2

SHA512
0eb623436180eeb0b16c8886525926a4324c89a72618e37610cca3bb163083b358bb20650716225744af10d2d878b7718e27cebfe27e192de4e4cb473db09d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\yODjpPXoCPNz.bat

Filesize
207B

MD5
ae98f4d79eef9493bd8f7d60d24a164a

SHA1
5574bc418dac50e79a100dbca0e4212d8c193718

SHA256
0bbeeb723c47cbd5d2e09c8e711de389551365631cbf47021ba90f9617ff4a25

SHA512
e7a75cb55093d2c3ea8b439037526dc28034d65591d08e0d5a2495854f019ddbd025b051dd23c8e4b1feb880e2335a4f8ce12a22d04514acb51144a4b088e58a

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
fa5f99ff110280efe85f4663cfb3d6b8

SHA1
ad2d6d8006aee090a4ad5f08ec3425c6353c07d1

SHA256
5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d

SHA512
a3b898f758060f124c443422c6dc88ba80d9892890b25d21e37a1d3947cd4b9dbef403382ee6e28c1007785a63c5fa387f7d00403db433eb59c03d0b2a88b50e

Download Submit
memory/3628-0-0x00007FFA494B3000-0x00007FFA494B5000-memory.dmp

Filesize
8KB

Download
memory/3628-10-0x00007FFA494B0000-0x00007FFA49F71000-memory.dmp

Filesize
10.8MB

Download
memory/3628-2-0x00007FFA494B0000-0x00007FFA49F71000-memory.dmp

Filesize
10.8MB

Download
memory/3628-1-0x0000000000410000-0x0000000000734000-memory.dmp

Filesize
3.1MB

Download
memory/4752-18-0x00007FFA494B0000-0x00007FFA49F71000-memory.dmp

Filesize
10.8MB

Download
memory/4752-13-0x000000001BB30000-0x000000001BBE2000-memory.dmp

Filesize
712KB

Download
memory/4752-12-0x000000001BA20000-0x000000001BA70000-memory.dmp

Filesize
320KB

Download
memory/4752-11-0x00007FFA494B0000-0x00007FFA49F71000-memory.dmp

Filesize
10.8MB

Download
memory/4752-9-0x00007FFA494B0000-0x00007FFA49F71000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads