quasar | 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-12-2024 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe
Size

3.1MB
MD5

fa5f99ff110280efe85f4663cfb3d6b8
SHA1

ad2d6d8006aee090a4ad5f08ec3425c6353c07d1
SHA256

5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d
SHA512

a3b898f758060f124c443422c6dc88ba80d9892890b25d21e37a1d3947cd4b9dbef403382ee6e28c1007785a63c5fa387f7d00403db433eb59c03d0b2a88b50e
SSDEEP

49152:evkt62XlaSFNWPjljiFa2RoUYIYiaJpFZwk/zLoGdWr1THHB72eh2NT:ev462XlaSFNWPjljiFXRoUYIlaj

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

havocc.ddns.net:4782

Mutex

6a533ca9-c745-463c-8bba-b6aaa9eb7fab

Attributes

encryption_key
CB213225C623A8CB39D3E1628CD4D7E7D686A7F3
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Discord
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 9 IoCs

resource	yara_rule
behavioral1/memory/1920-1-0x0000000001220000-0x0000000001544000-memory.dmp	family_quasar
behavioral1/files/0x0008000000016cf6-6.dat	family_quasar
behavioral1/memory/3024-8-0x00000000002E0000-0x0000000000604000-memory.dmp	family_quasar
behavioral1/memory/1992-23-0x0000000000D80000-0x00000000010A4000-memory.dmp	family_quasar
behavioral1/memory/2452-64-0x0000000000220000-0x0000000000544000-memory.dmp	family_quasar
behavioral1/memory/1980-75-0x00000000003D0000-0x00000000006F4000-memory.dmp	family_quasar
behavioral1/memory/2240-86-0x0000000000C70000-0x0000000000F94000-memory.dmp	family_quasar
behavioral1/memory/2612-98-0x0000000000E50000-0x0000000001174000-memory.dmp	family_quasar
behavioral1/memory/2232-139-0x0000000000E90000-0x00000000011B4000-memory.dmp	family_quasar

Executes dropped EXE 13 IoCs

pid	Process
3024	Client.exe
1992	Client.exe
1524	Client.exe
2092	Client.exe
3016	Client.exe
2452	Client.exe
1980	Client.exe
2240	Client.exe
2612	Client.exe
1232	Client.exe
2372	Client.exe
2020	Client.exe
2232	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2268	PING.EXE
2016	PING.EXE
3064	PING.EXE
2632	PING.EXE
1504	PING.EXE
1048	PING.EXE
1684	PING.EXE
568	PING.EXE
820	PING.EXE
2792	PING.EXE
1868	PING.EXE
2080	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
820	PING.EXE
3064	PING.EXE
2632	PING.EXE
2792	PING.EXE
1048	PING.EXE
2268	PING.EXE
1684	PING.EXE
568	PING.EXE
1868	PING.EXE
2016	PING.EXE
1504	PING.EXE
2080	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3032	schtasks.exe
2624	schtasks.exe
580	schtasks.exe
2200	schtasks.exe
912	schtasks.exe
3048	schtasks.exe
2796	schtasks.exe
2280	schtasks.exe
2884	schtasks.exe
1868	schtasks.exe
1672	schtasks.exe
1728	schtasks.exe
3052	schtasks.exe
1928	schtasks.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1920	5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe
Token: SeDebugPrivilege	3024	Client.exe
Token: SeDebugPrivilege	1992	Client.exe
Token: SeDebugPrivilege	1524	Client.exe
Token: SeDebugPrivilege	2092	Client.exe
Token: SeDebugPrivilege	3016	Client.exe
Token: SeDebugPrivilege	2452	Client.exe
Token: SeDebugPrivilege	1980	Client.exe
Token: SeDebugPrivilege	2240	Client.exe
Token: SeDebugPrivilege	2612	Client.exe
Token: SeDebugPrivilege	1232	Client.exe
Token: SeDebugPrivilege	2372	Client.exe
Token: SeDebugPrivilege	2020	Client.exe
Token: SeDebugPrivilege	2232	Client.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
3024	Client.exe
1992	Client.exe
1524	Client.exe
2092	Client.exe
3016	Client.exe
2452	Client.exe
1980	Client.exe
2240	Client.exe
2612	Client.exe
1232	Client.exe
2372	Client.exe
2020	Client.exe
2232	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 3052	1920	5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe	30
PID 1920 wrote to memory of 3052	1920	5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe	30
PID 1920 wrote to memory of 3052	1920	5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe	30
PID 1920 wrote to memory of 3024	1920	5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe	32
PID 1920 wrote to memory of 3024	1920	5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe	32
PID 1920 wrote to memory of 3024	1920	5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe	32
PID 3024 wrote to memory of 2200	3024	Client.exe	33
PID 3024 wrote to memory of 2200	3024	Client.exe	33
PID 3024 wrote to memory of 2200	3024	Client.exe	33
PID 3024 wrote to memory of 1736	3024	Client.exe	35
PID 3024 wrote to memory of 1736	3024	Client.exe	35
PID 3024 wrote to memory of 1736	3024	Client.exe	35
PID 1736 wrote to memory of 2624	1736	cmd.exe	37
PID 1736 wrote to memory of 2624	1736	cmd.exe	37
PID 1736 wrote to memory of 2624	1736	cmd.exe	37
PID 1736 wrote to memory of 1048	1736	cmd.exe	38
PID 1736 wrote to memory of 1048	1736	cmd.exe	38
PID 1736 wrote to memory of 1048	1736	cmd.exe	38
PID 1736 wrote to memory of 1992	1736	cmd.exe	40
PID 1736 wrote to memory of 1992	1736	cmd.exe	40
PID 1736 wrote to memory of 1992	1736	cmd.exe	40
PID 1992 wrote to memory of 1672	1992	Client.exe	41
PID 1992 wrote to memory of 1672	1992	Client.exe	41
PID 1992 wrote to memory of 1672	1992	Client.exe	41
PID 1992 wrote to memory of 676	1992	Client.exe	43
PID 1992 wrote to memory of 676	1992	Client.exe	43
PID 1992 wrote to memory of 676	1992	Client.exe	43
PID 676 wrote to memory of 2968	676	cmd.exe	45
PID 676 wrote to memory of 2968	676	cmd.exe	45
PID 676 wrote to memory of 2968	676	cmd.exe	45
PID 676 wrote to memory of 2268	676	cmd.exe	46
PID 676 wrote to memory of 2268	676	cmd.exe	46
PID 676 wrote to memory of 2268	676	cmd.exe	46
PID 676 wrote to memory of 1524	676	cmd.exe	47
PID 676 wrote to memory of 1524	676	cmd.exe	47
PID 676 wrote to memory of 1524	676	cmd.exe	47
PID 1524 wrote to memory of 2884	1524	Client.exe	48
PID 1524 wrote to memory of 2884	1524	Client.exe	48
PID 1524 wrote to memory of 2884	1524	Client.exe	48
PID 1524 wrote to memory of 1824	1524	Client.exe	50
PID 1524 wrote to memory of 1824	1524	Client.exe	50
PID 1524 wrote to memory of 1824	1524	Client.exe	50
PID 1824 wrote to memory of 2076	1824	cmd.exe	52
PID 1824 wrote to memory of 2076	1824	cmd.exe	52
PID 1824 wrote to memory of 2076	1824	cmd.exe	52
PID 1824 wrote to memory of 1684	1824	cmd.exe	53
PID 1824 wrote to memory of 1684	1824	cmd.exe	53
PID 1824 wrote to memory of 1684	1824	cmd.exe	53
PID 1824 wrote to memory of 2092	1824	cmd.exe	54
PID 1824 wrote to memory of 2092	1824	cmd.exe	54
PID 1824 wrote to memory of 2092	1824	cmd.exe	54
PID 2092 wrote to memory of 1928	2092	Client.exe	55
PID 2092 wrote to memory of 1928	2092	Client.exe	55
PID 2092 wrote to memory of 1928	2092	Client.exe	55
PID 2092 wrote to memory of 1696	2092	Client.exe	57
PID 2092 wrote to memory of 1696	2092	Client.exe	57
PID 2092 wrote to memory of 1696	2092	Client.exe	57
PID 1696 wrote to memory of 2296	1696	cmd.exe	59
PID 1696 wrote to memory of 2296	1696	cmd.exe	59
PID 1696 wrote to memory of 2296	1696	cmd.exe	59
PID 1696 wrote to memory of 568	1696	cmd.exe	60
PID 1696 wrote to memory of 568	1696	cmd.exe	60
PID 1696 wrote to memory of 568	1696	cmd.exe	60
PID 1696 wrote to memory of 3016	1696	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe
"C:\Users\Admin\AppData\Local\Temp\5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3052
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2200
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\9p6jfvOMXfDH.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2624
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1048
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1992
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1672
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CIRJQaP5ihBA.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:676
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2968
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2268
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2884
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\m26rPSQxAsbt.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2076
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1684
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1928
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hBK6TgfDc3GA.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2296
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:568
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3016
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1868
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zI0hxVDy7G7.bat" "
        11⤵
        
        PID:2040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:820
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2452
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:912
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UiSr8Q7ztQVD.bat" "
        13⤵
        
        PID:2180
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:340
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2016
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1980
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3032
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\91PDUPvQLDBJ.bat" "
        15⤵
        
        PID:2944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3064
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2240
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2624
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yiebMAUTyzAc.bat" "
        17⤵
        
        PID:2992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1672
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2632
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2612
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3048
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TvB5I58rOK3W.bat" "
        19⤵
        
        PID:1512
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2792
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1232
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2796
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1NRFjWojImMI.bat" "
        21⤵
        
        PID:324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2360
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1504
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2372
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:580
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FfPTit17hTX2.bat" "
        23⤵
        
        PID:1936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1868
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2020
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1728
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FZZ3kIN1kCXM.bat" "
        25⤵
        
        PID:1752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2072
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2080
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2232
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1NRFjWojImMI.bat

Filesize
207B

MD5
869f08e32031f75121ef5bea1a5f47dc

SHA1
2daa72bf42a33706ad782c3e7c02a2967f12e812

SHA256
97f87e86dfc6da3373b9380f4d84a74efe5037113e4dad38d2d0f0260a438a5d

SHA512
376b8004da677e4823c64626298a6f4f0650aca183c212b5e83703b9a93c441c282d62dadd5e2c6228b0ad3ce56ac1de46889b9cfa70363b2dd3f30c346ce87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zI0hxVDy7G7.bat

Filesize
207B

MD5
e2794245a796bfd648fe482bc9922e4a

SHA1
9ffae589448c4431bef780504d2a9ec90a46454e

SHA256
e18aa937e913ea7dfed4834d787d8e6314957817dd108fcdb22ae518beb33233

SHA512
ce55987ed93facf5b15a4ae48862d0ebb5c9f8e723e8ab3198f0130bba3555ee56d503f04cd9217724f115487f419997eec2391decf5ac3682b9fac743529a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\91PDUPvQLDBJ.bat

Filesize
207B

MD5
72e4decdd25f3b2e5d30f4c9b2c4cdbb

SHA1
4ce9d814c019bbcf6ccd21c5e348477c7c003a95

SHA256
1251f3574ad810be0e5c445a24e309bb61b42ace6a9dbab7743eab182e3666ec

SHA512
c6263c064ce8916f63d1eb85d885a0bfd1cfcb39ad19bef285d3a0390b826a27bf887a2738f81c3d589765528d5fbce2a53981b2b4cd93da5fa7f110b9f1cfb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\9p6jfvOMXfDH.bat

Filesize
207B

MD5
825b80a29cfb8e44199221877ff4dc5c

SHA1
9c0b8825caede309204350c1400a8c0b1f2558d6

SHA256
5be94294b929119f6ad2b9f82c9eda9178a1e155ba9b76bdecdabf109c9d8d7a

SHA512
9b86dfe8321b174c43270bc21b50dbd50b99ff7422d570e869c615ee07bded18bcb4742d2af18620b71233a3e0bd4217da7960af1575ace0a201050aab34ce65

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIRJQaP5ihBA.bat

Filesize
207B

MD5
cb88e3144dfa2ebbb8ecec4e7225a896

SHA1
0d3e34a670e751d2734b16eac509fdcbf5322bc3

SHA256
09b7c9d520239400481d149fe3dbfa161f7e5f153591019adfae6c5fe03b8c8e

SHA512
746f988d2a74900ed8af768a59cc40a03ac6d645a49a4d844343c9e917c6196d17c62bc97dabda7ac815c9a9be7da979136dc72ac504063538a4f46d4a67ad93

Download Submit
C:\Users\Admin\AppData\Local\Temp\FZZ3kIN1kCXM.bat

Filesize
207B

MD5
7bc14e4e18e53ddf8c09c2d5473da45c

SHA1
8fd6a964c4e870ecba0d367ae61440ee6e464572

SHA256
a7954291fe7ecf6f4cc6d19770a96f2b8afa1c6ad9c9ec8d09244d603871de29

SHA512
c35ab1b4d41e31386d3d6a101698d46cfc0cfd171e611a8bdc2f5a4dcaae4bc6d44697036c0c024de24425c7931181cc72b5c733cf347b8209245db6a4154321

Download Submit
C:\Users\Admin\AppData\Local\Temp\FfPTit17hTX2.bat

Filesize
207B

MD5
ea0858f74f48f04b9a8e8cc1d7afa492

SHA1
c0754bbca0349025057f6115d95965289d175791

SHA256
7e84ce70544e5891fc41205f1c1738da4e315a4f56a0496724ec48d2cc6079a5

SHA512
f78f15cf62fd10d0389357e1a5e9523305f389915fd7f5b25014b070cf1462e99999a167a4fa94649161dd11252e7ee8de23f77b546f7add8bf3731aabd8efe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TvB5I58rOK3W.bat

Filesize
207B

MD5
5159bdea8a3793d8f6cd463e933af60e

SHA1
bf3defe61f52bc9f8bcb8c26882745e4d163018c

SHA256
cd1c5c379abd77a8332ea002c456e8e9e6ad83cde2474f77c4b6fbc44a60c6dd

SHA512
4a0101f6e94d3bc55803fabc8515c5b69f5772b4243ee2a78ee084fbc439468a19b868fe4c3cb6bbea1e93a49c0c074d8f1f3df6cc0462d01b58604929d817c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UiSr8Q7ztQVD.bat

Filesize
207B

MD5
9747add7cdec457494a6426ec7edcdb3

SHA1
923a39b9603fdcd01d28a792fa0ece93710353e8

SHA256
e04f7694db9ae871e747634525570c9e6cb60f5ac36ade15204d3cd34044c1fe

SHA512
8788bc02cf555013e874f9c0e4ede38381612dd30494d8a4ce97bcfae7bef5e37945064b508ffa7f987ba9003df6fda2ca2f33860f128849d3c1e3f52856e8a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hBK6TgfDc3GA.bat

Filesize
207B

MD5
ae4abafc05bcfa53a95a3f22408be2ed

SHA1
24308680a9c0d0379cc40293b9707054d498542b

SHA256
35f42f48a39cb580671e5d7a99d74fcd4c7be0dabcccb307c8b6f8c0548b9684

SHA512
0a16d847d4e938310efb3c7641be906a8c5317c16e71738e4a60d93c69425d80ca118830c26dcd4b6c62938aab7218436a26e2e4e4b5cf429a9c16222bdadb27

Download Submit
C:\Users\Admin\AppData\Local\Temp\m26rPSQxAsbt.bat

Filesize
207B

MD5
f8d60dd83cf9493e22241c94fd7a5456

SHA1
25817067ca48e1f5f31bf777d73f3d0f6c76d3f0

SHA256
8c571a06a9af29ade00f32bb8091622296ce60cbb60c67c9353333c04931a06d

SHA512
8bfb9376229618a40860f616e3f8f1a92dde91431e42f4164c059036f1e4db6c983074f002334b7dea41ad531f7cf2ac3805ac6a66dcfb45582da1c82e40baff

Download Submit
C:\Users\Admin\AppData\Local\Temp\yiebMAUTyzAc.bat

Filesize
207B

MD5
ce386a9e7d5456f383423fd6b61c04f2

SHA1
c9f34c8222301150551786812f84368e986b3669

SHA256
d57c8dbf83892e8147943db76d06840e29ed15bad87186afb613a08ad4ab4cb3

SHA512
2fe4b055f466b845688000318d33c586a618aa28dfd042c3ac9ebd8faab5ac195bcbd33a57b821ad20a5c411a5aae1f20f95b0cc53eb48b2c7444696fa26dea8

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
fa5f99ff110280efe85f4663cfb3d6b8

SHA1
ad2d6d8006aee090a4ad5f08ec3425c6353c07d1

SHA256
5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d

SHA512
a3b898f758060f124c443422c6dc88ba80d9892890b25d21e37a1d3947cd4b9dbef403382ee6e28c1007785a63c5fa387f7d00403db433eb59c03d0b2a88b50e

Download Submit
memory/1920-9-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/1920-1-0x0000000001220000-0x0000000001544000-memory.dmp

Filesize
3.1MB

Download
memory/1920-2-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/1920-0-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

Filesize
4KB

Download
memory/1980-75-0x00000000003D0000-0x00000000006F4000-memory.dmp

Filesize
3.1MB

Download
memory/1992-23-0x0000000000D80000-0x00000000010A4000-memory.dmp

Filesize
3.1MB

Download
memory/2232-139-0x0000000000E90000-0x00000000011B4000-memory.dmp

Filesize
3.1MB

Download
memory/2240-86-0x0000000000C70000-0x0000000000F94000-memory.dmp

Filesize
3.1MB

Download
memory/2452-64-0x0000000000220000-0x0000000000544000-memory.dmp

Filesize
3.1MB

Download
memory/2612-98-0x0000000000E50000-0x0000000001174000-memory.dmp

Filesize
3.1MB

Download
memory/3024-10-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/3024-8-0x00000000002E0000-0x0000000000604000-memory.dmp

Filesize
3.1MB

Download
memory/3024-20-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/3024-11-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads