quasar | 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-12-2024 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

fa5f99ff110280efe85f4663cfb3d6b8
SHA1

ad2d6d8006aee090a4ad5f08ec3425c6353c07d1
SHA256

5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d
SHA512

a3b898f758060f124c443422c6dc88ba80d9892890b25d21e37a1d3947cd4b9dbef403382ee6e28c1007785a63c5fa387f7d00403db433eb59c03d0b2a88b50e
SSDEEP

49152:evkt62XlaSFNWPjljiFa2RoUYIYiaJpFZwk/zLoGdWr1THHB72eh2NT:ev462XlaSFNWPjljiFXRoUYIlaj

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

havocc.ddns.net:4782

Mutex

6a533ca9-c745-463c-8bba-b6aaa9eb7fab

Attributes

encryption_key
CB213225C623A8CB39D3E1628CD4D7E7D686A7F3
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Discord
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/412-1-0x0000000000B20000-0x0000000000E44000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023c93-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
3692	Client.exe
912	Client.exe
4316	Client.exe
1072	Client.exe
3336	Client.exe
4184	Client.exe
4804	Client.exe
1480	Client.exe
3624	Client.exe
3336	Client.exe
1540	Client.exe
3160	Client.exe
1692	Client.exe
1172	Client.exe
2956	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3996	PING.EXE
3580	PING.EXE
1240	PING.EXE
2892	PING.EXE
3328	PING.EXE
1468	PING.EXE
5116	PING.EXE
4100	PING.EXE
4660	PING.EXE
216	PING.EXE
2172	PING.EXE
4504	PING.EXE
3036	PING.EXE
4460	PING.EXE
1520	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
4504	PING.EXE
3036	PING.EXE
216	PING.EXE
4460	PING.EXE
1468	PING.EXE
1240	PING.EXE
3328	PING.EXE
4100	PING.EXE
2172	PING.EXE
4660	PING.EXE
3580	PING.EXE
1520	PING.EXE
2892	PING.EXE
5116	PING.EXE
3996	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4296	schtasks.exe
5080	schtasks.exe
3896	schtasks.exe
3384	schtasks.exe
4548	schtasks.exe
3724	schtasks.exe
2552	schtasks.exe
4904	schtasks.exe
3268	schtasks.exe
4128	schtasks.exe
4716	schtasks.exe
4452	schtasks.exe
1648	schtasks.exe
2440	schtasks.exe
912	schtasks.exe
4336	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	412	Client-built.exe
Token: SeDebugPrivilege	3692	Client.exe
Token: SeDebugPrivilege	912	Client.exe
Token: SeDebugPrivilege	4316	Client.exe
Token: SeDebugPrivilege	1072	Client.exe
Token: SeDebugPrivilege	3336	Client.exe
Token: SeDebugPrivilege	4184	Client.exe
Token: SeDebugPrivilege	4804	Client.exe
Token: SeDebugPrivilege	1480	Client.exe
Token: SeDebugPrivilege	3624	Client.exe
Token: SeDebugPrivilege	3336	Client.exe
Token: SeDebugPrivilege	1540	Client.exe
Token: SeDebugPrivilege	3160	Client.exe
Token: SeDebugPrivilege	1172	Client.exe
Token: SeDebugPrivilege	2956	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1072	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 4452	412	Client-built.exe	83
PID 412 wrote to memory of 4452	412	Client-built.exe	83
PID 412 wrote to memory of 3692	412	Client-built.exe	85
PID 412 wrote to memory of 3692	412	Client-built.exe	85
PID 3692 wrote to memory of 3724	3692	Client.exe	86
PID 3692 wrote to memory of 3724	3692	Client.exe	86
PID 3692 wrote to memory of 3752	3692	Client.exe	88
PID 3692 wrote to memory of 3752	3692	Client.exe	88
PID 3752 wrote to memory of 5116	3752	cmd.exe	90
PID 3752 wrote to memory of 5116	3752	cmd.exe	90
PID 3752 wrote to memory of 4100	3752	cmd.exe	91
PID 3752 wrote to memory of 4100	3752	cmd.exe	91
PID 3752 wrote to memory of 912	3752	cmd.exe	99
PID 3752 wrote to memory of 912	3752	cmd.exe	99
PID 912 wrote to memory of 4296	912	Client.exe	100
PID 912 wrote to memory of 4296	912	Client.exe	100
PID 912 wrote to memory of 5100	912	Client.exe	102
PID 912 wrote to memory of 5100	912	Client.exe	102
PID 5100 wrote to memory of 1968	5100	cmd.exe	105
PID 5100 wrote to memory of 1968	5100	cmd.exe	105
PID 5100 wrote to memory of 4504	5100	cmd.exe	106
PID 5100 wrote to memory of 4504	5100	cmd.exe	106
PID 5100 wrote to memory of 4316	5100	cmd.exe	113
PID 5100 wrote to memory of 4316	5100	cmd.exe	113
PID 4316 wrote to memory of 1648	4316	Client.exe	114
PID 4316 wrote to memory of 1648	4316	Client.exe	114
PID 4316 wrote to memory of 2696	4316	Client.exe	117
PID 4316 wrote to memory of 2696	4316	Client.exe	117
PID 2696 wrote to memory of 216	2696	cmd.exe	119
PID 2696 wrote to memory of 216	2696	cmd.exe	119
PID 2696 wrote to memory of 4660	2696	cmd.exe	120
PID 2696 wrote to memory of 4660	2696	cmd.exe	120
PID 2696 wrote to memory of 1072	2696	cmd.exe	124
PID 2696 wrote to memory of 1072	2696	cmd.exe	124
PID 1072 wrote to memory of 2440	1072	Client.exe	125
PID 1072 wrote to memory of 2440	1072	Client.exe	125
PID 1072 wrote to memory of 4924	1072	Client.exe	129
PID 1072 wrote to memory of 4924	1072	Client.exe	129
PID 4924 wrote to memory of 2780	4924	cmd.exe	131
PID 4924 wrote to memory of 2780	4924	cmd.exe	131
PID 4924 wrote to memory of 3036	4924	cmd.exe	132
PID 4924 wrote to memory of 3036	4924	cmd.exe	132
PID 4924 wrote to memory of 3336	4924	cmd.exe	134
PID 4924 wrote to memory of 3336	4924	cmd.exe	134
PID 3336 wrote to memory of 2552	3336	Client.exe	135
PID 3336 wrote to memory of 2552	3336	Client.exe	135
PID 3336 wrote to memory of 3772	3336	Client.exe	138
PID 3336 wrote to memory of 3772	3336	Client.exe	138
PID 3772 wrote to memory of 3328	3772	cmd.exe	140
PID 3772 wrote to memory of 3328	3772	cmd.exe	140
PID 3772 wrote to memory of 3996	3772	cmd.exe	141
PID 3772 wrote to memory of 3996	3772	cmd.exe	141
PID 3772 wrote to memory of 4184	3772	cmd.exe	143
PID 3772 wrote to memory of 4184	3772	cmd.exe	143
PID 4184 wrote to memory of 912	4184	Client.exe	144
PID 4184 wrote to memory of 912	4184	Client.exe	144
PID 4184 wrote to memory of 4820	4184	Client.exe	146
PID 4184 wrote to memory of 4820	4184	Client.exe	146
PID 4820 wrote to memory of 392	4820	cmd.exe	149
PID 4820 wrote to memory of 392	4820	cmd.exe	149
PID 4820 wrote to memory of 3580	4820	cmd.exe	150
PID 4820 wrote to memory of 3580	4820	cmd.exe	150
PID 4820 wrote to memory of 4804	4820	cmd.exe	152
PID 4820 wrote to memory of 4804	4820	cmd.exe	152

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:412
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4452
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fFh5jVii67mP.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3752
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:5116
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4100
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:912
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4296
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k2UJXDOrX0AM.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5100
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1968
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4504
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eScUVmF6gFri.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:216
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4660
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zi9NUpIWE1fD.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2780
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3036
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWaAzurqEDxr.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3328
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3996
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tfVX4gGrtDUy.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:392
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3580
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4804
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wL2qfIqxDyl4.bat" "
        15⤵
        
        PID:4404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3640
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:216
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PlusibdCCLGe.bat" "
        17⤵
        
        PID:3568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1348
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2172
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3624
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2TylDycB1Hbb.bat" "
        19⤵
        
        PID:512
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3204
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4460
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3336
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fbxCnKCYmlg6.bat" "
        21⤵
        
        PID:2436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3796
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1468
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sZO6qNsu0l4M.bat" "
        23⤵
        
        PID:1596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1520
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3160
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W69nOr8uR805.bat" "
        25⤵
        
        PID:4480
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:964
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1240
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1692
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3268
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Li3juIFYobtN.bat" "
        27⤵
        
        PID:4212
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4308
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2892
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1172
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LzYfG30hSPNr.bat" "
        29⤵
        
        PID:3688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2040
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5116
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aHbjrxvkRK1t.bat" "
        31⤵
        
        PID:2556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:3080
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2TylDycB1Hbb.bat

Filesize
207B

MD5
ac386dd330765a36d868ec8f5cf41ae5

SHA1
0dffdc0632ba2921dc9a026cace8e11555780314

SHA256
c88ec5c28f0c5e89bf3f4a9b0388e78fc4a0f5996daf6f3106b3f445220ba69e

SHA512
3abda2bd5f4d5228424e5fe4de3749614646d5e6e675afe3a2b6728ca4465b6319ec9b05e364f11a36a2ef6743c15ac861991d0975f35c9fec0cf5088e0ae755

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzYfG30hSPNr.bat

Filesize
207B

MD5
9c0545e11ddcf396a61be3b115b8de9b

SHA1
3bc31bcd5aec2ce10c26d1c81925cce5ea09d4ee

SHA256
fa4908ab61a3077cf39c65509fe06fce69ee1650d9cf74e3f1b9c2ab72c415b2

SHA512
7d56de1867682276f128abd5225213efc8ed96e7f1aeeae448fbe0a61ab8379fe994f46212a9cee8e1543bbf4469e2946f642ee12b8d67175b5e60bf9859666d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PlusibdCCLGe.bat

Filesize
207B

MD5
eaad5864c17eaa5c71afcee81b55dc27

SHA1
a0ee90b3357ecb7efeb8d627f7a832f0519434c5

SHA256
7045669e1f69c663ecab023d28fcff73412d51249250711f1d8c722a40bc1309

SHA512
02509a03b86aeb2fdf40b052927c74b1e60d0c4f4bcf996441f23f04d120ec6beffdf31d0124927bfa671cde4a49e978e51a697716dcd4a30dc1eab2dc842f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\W69nOr8uR805.bat

Filesize
207B

MD5
e2fea06854189fb603b9e1ea9803c846

SHA1
3c3057d87f4dadfbd1d9d76dfd6f059278392935

SHA256
791f3639f81c3420ac385b3a428533afae5576ec8cf10d2bdb05ec8044a80705

SHA512
125e793ece5bf1c6737be8792be0dbfa8a47e437888c0fa5bca18ea721c044fe3b6d08f02880bcb7a2015bb16422eeba84bd7530360c7e8b311bef1a00723464

Download Submit
C:\Users\Admin\AppData\Local\Temp\aHbjrxvkRK1t.bat

Filesize
207B

MD5
83300664108d681e3a82dd913ccfdf6a

SHA1
bd4473c6eddfcec5bbe51901ae22e05d9c280862

SHA256
0f7f4337b2364a1b389e09aa4e84c6b5a74b862e2d713c9792546b4053819643

SHA512
f3d9696476b49a225faeb12b07c64c0c1f5954efcb317e786f19aae33721888f318849f106dd7eb6eb3e3db45a787a3c2976ff987345fc8799f4bec28d3bc57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eScUVmF6gFri.bat

Filesize
207B

MD5
6dd7e5ae49690e9e6560437e6c7a648d

SHA1
9b18bf417e0f30d63e2bd123b885ee73ff397cfb

SHA256
2ec8a707ebe68f3d4d71994e3a4a4ab0bce1977b2e845b8edf052d406479c7cc

SHA512
b7e40c2f597a89e85a2e3bdb57b0001c47edd64c8749077030af8a3e73bc39c8a2cbee351b6e50a68ee302339456c62280f8ab50a59f3a68ba53d18c9243e936

Download Submit
C:\Users\Admin\AppData\Local\Temp\fFh5jVii67mP.bat

Filesize
207B

MD5
76d306b8ad5c6d9e1279f13a2efa7fd7

SHA1
b3ace7ef1c503750af6de1c153421c332a2e1abb

SHA256
d54bfc50491c5ed7c165629afeb5fed45e3712e9b4e074a1ad3ed47b73d87617

SHA512
e4c57835247a453468291369d3431f93302fd9792d63d194efe00da67cabc8897d7cd393875057772aad8cabadd5645cf9f93b67b659efcb61e2f285b2c9ce77

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbxCnKCYmlg6.bat

Filesize
207B

MD5
3b5ff3829b8753d7e04cf129fef32635

SHA1
40f79b0004164f64131fef229b1b8dbcbfda368a

SHA256
7d077013a6e93a3c4430f8a3a8cf3a9e5ce028820a6e850fccc655c7ded03c6c

SHA512
b3fff4b493adfaee973a7da938046cb5481bfa4c1171e9be0c06c2e616e829f8a118774c144c5bfbe4f42f052d30687596d7515bf5f5e03da138f8cdc13509fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\k2UJXDOrX0AM.bat

Filesize
207B

MD5
4c068844c8f5e96652586d52e8735f13

SHA1
ee8d55b140fa254cdf89b322e63c103dc73053ca

SHA256
2b098e5e81103eefbaa18280120325f1e6ce82974d4b80542c94de4bf67ff669

SHA512
7707d17a5799db230811d635c3eddb57b68b9e92385c80ba8bb73b15c68538eddb45883487ae510fca903b061f7f70c55758b414730ec25150abb6961b822f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\sZO6qNsu0l4M.bat

Filesize
207B

MD5
61ffb47f4992305c958f3377b0976d43

SHA1
5d15011943d600d270515f6c209424832fa59b54

SHA256
f8e5dbff504000bc8ee65eebdca04e1a3d658da89cfa75d4313349b9113e8b74

SHA512
f633d3105e45a4b519c6e6e84b368f5ccaa5ccdd9fa6033fb767b18c122d23f4563bc9233f87f71a2491a7f349a6a93c20a68c0042af5fe75cd8dca8053ca8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tfVX4gGrtDUy.bat

Filesize
207B

MD5
adf57f3400fea775759c743cc3a6da78

SHA1
9b0b38ffb70585259953cc71102299add61592b3

SHA256
531a273f7cf8631c106da8dffa739816831306f0cc8be6b86d3a8ef0c47afe05

SHA512
2923ce96590689ccdd5336a816850192eca132debfaccefb62aa667da2a8b7af773f7adaea2f37a3d2ee4ea5599cf3948626059d921ce66983f31aabac16c5bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wL2qfIqxDyl4.bat

Filesize
207B

MD5
102a4c1a55a675e3f0df134301f0a8cf

SHA1
4339cb35ae13d60dbf0a472f880968ebdce404b9

SHA256
fd39ba8ea2161a1ff0044cb1fde074f16ae7becd10a79ba192c4ccd7dda9cae0

SHA512
fffaaee254fc5d68f34355ca6a40fdf5f777fd53449b4814bfbcb60599977a80101654d0ff586b5938dbf24a1dba5ac6db96cdaf8340978824cb2b7071a9ab30

Download Submit
C:\Users\Admin\AppData\Local\Temp\wWaAzurqEDxr.bat

Filesize
207B

MD5
054f8ac6ecf7281b55f8a1f90c9f8712

SHA1
0cc203e0f27fddbbe55297ce5aff94c0b2e26420

SHA256
58992f0ce6df598bb3957341675b4b694e9d1aecc6a19ba0b70a1e56b2d6fe64

SHA512
57f8896e441d966147de23a748f9643b3b8d4843535c10453246565d883a6d6e0d82e9f8679bcf485c485ed240b2bb84799003668c7590e9105e1b6db633867a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zi9NUpIWE1fD.bat

Filesize
207B

MD5
c31ae425d4dbc9a593e91a962fd945ac

SHA1
964e3404675a72e0a66db128e56db17cb4f1394e

SHA256
59d7c939f1b172054fa5e82a9714c8ebe6879ce1fcf8f88f5916b5f46e87db0c

SHA512
7c32c7eb339b36ebce887eb521dd8df5aaef912369e75041228230800b8192043835eb68b2db872f98c9c8255665044238f15f69c32dee5344075c4d43e59145

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
fa5f99ff110280efe85f4663cfb3d6b8

SHA1
ad2d6d8006aee090a4ad5f08ec3425c6353c07d1

SHA256
5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d

SHA512
a3b898f758060f124c443422c6dc88ba80d9892890b25d21e37a1d3947cd4b9dbef403382ee6e28c1007785a63c5fa387f7d00403db433eb59c03d0b2a88b50e

Download Submit
memory/412-9-0x00007FF9D97A0000-0x00007FF9DA261000-memory.dmp

Filesize
10.8MB

Download
memory/412-1-0x0000000000B20000-0x0000000000E44000-memory.dmp

Filesize
3.1MB

Download
memory/412-0-0x00007FF9D97A3000-0x00007FF9D97A5000-memory.dmp

Filesize
8KB

Download
memory/412-2-0x00007FF9D97A0000-0x00007FF9DA261000-memory.dmp

Filesize
10.8MB

Download
memory/3692-12-0x000000001BA50000-0x000000001BAA0000-memory.dmp

Filesize
320KB

Download
memory/3692-10-0x00007FF9D97A0000-0x00007FF9DA261000-memory.dmp

Filesize
10.8MB

Download
memory/3692-11-0x00007FF9D97A0000-0x00007FF9DA261000-memory.dmp

Filesize
10.8MB

Download
memory/3692-18-0x00007FF9D97A0000-0x00007FF9DA261000-memory.dmp

Filesize
10.8MB

Download
memory/3692-13-0x000000001C2F0000-0x000000001C3A2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads