quasar | 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d

Analysis

max time kernel
141s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe
Size

3.1MB
MD5

fa5f99ff110280efe85f4663cfb3d6b8
SHA1

ad2d6d8006aee090a4ad5f08ec3425c6353c07d1
SHA256

5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d
SHA512

a3b898f758060f124c443422c6dc88ba80d9892890b25d21e37a1d3947cd4b9dbef403382ee6e28c1007785a63c5fa387f7d00403db433eb59c03d0b2a88b50e
SSDEEP

49152:evkt62XlaSFNWPjljiFa2RoUYIYiaJpFZwk/zLoGdWr1THHB72eh2NT:ev462XlaSFNWPjljiFXRoUYIlaj

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

havocc.ddns.net:4782

Mutex

6a533ca9-c745-463c-8bba-b6aaa9eb7fab

Attributes

encryption_key
CB213225C623A8CB39D3E1628CD4D7E7D686A7F3
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Discord
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/3196-1-0x00000000003C0000-0x00000000006E4000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023c94-6.dat	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 14 IoCs

pid	Process
4532	Client.exe
4392	Client.exe
1516	Client.exe
100	Client.exe
2156	Client.exe
1732	Client.exe
4016	Client.exe
2492	Client.exe
3844	Client.exe
3404	Client.exe
4368	Client.exe
3324	Client.exe
640	Client.exe
3468	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2076	PING.EXE
4896	PING.EXE
3736	PING.EXE
1804	PING.EXE
3068	PING.EXE
4040	PING.EXE
4972	PING.EXE
516	PING.EXE
4252	PING.EXE
1376	PING.EXE
2904	PING.EXE
2188	PING.EXE
4748	PING.EXE
4392	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
3068	PING.EXE
2188	PING.EXE
1804	PING.EXE
2076	PING.EXE
1376	PING.EXE
4748	PING.EXE
4896	PING.EXE
4972	PING.EXE
516	PING.EXE
4252	PING.EXE
3736	PING.EXE
4040	PING.EXE
4392	PING.EXE
2904	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3612	schtasks.exe
2832	schtasks.exe
224	schtasks.exe
2868	schtasks.exe
4908	schtasks.exe
4596	schtasks.exe
2220	schtasks.exe
1376	schtasks.exe
4472	schtasks.exe
2732	schtasks.exe
3196	schtasks.exe
4276	schtasks.exe
4012	schtasks.exe
3788	schtasks.exe
3272	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3196	5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe
Token: SeDebugPrivilege	4532	Client.exe
Token: SeDebugPrivilege	4392	Client.exe
Token: SeDebugPrivilege	1516	Client.exe
Token: SeDebugPrivilege	100	Client.exe
Token: SeDebugPrivilege	2156	Client.exe
Token: SeDebugPrivilege	1732	Client.exe
Token: SeDebugPrivilege	4016	Client.exe
Token: SeDebugPrivilege	2492	Client.exe
Token: SeDebugPrivilege	3844	Client.exe
Token: SeDebugPrivilege	3404	Client.exe
Token: SeDebugPrivilege	4368	Client.exe
Token: SeDebugPrivilege	3324	Client.exe
Token: SeDebugPrivilege	640	Client.exe
Token: SeDebugPrivilege	3468	Client.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4532	Client.exe
3844	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 3612	3196	5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe	83
PID 3196 wrote to memory of 3612	3196	5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe	83
PID 3196 wrote to memory of 4532	3196	5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe	85
PID 3196 wrote to memory of 4532	3196	5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe	85
PID 4532 wrote to memory of 2220	4532	Client.exe	86
PID 4532 wrote to memory of 2220	4532	Client.exe	86
PID 4532 wrote to memory of 2892	4532	Client.exe	89
PID 4532 wrote to memory of 2892	4532	Client.exe	89
PID 2892 wrote to memory of 1476	2892	cmd.exe	91
PID 2892 wrote to memory of 1476	2892	cmd.exe	91
PID 2892 wrote to memory of 4040	2892	cmd.exe	92
PID 2892 wrote to memory of 4040	2892	cmd.exe	92
PID 2892 wrote to memory of 4392	2892	cmd.exe	94
PID 2892 wrote to memory of 4392	2892	cmd.exe	94
PID 4392 wrote to memory of 2832	4392	Client.exe	95
PID 4392 wrote to memory of 2832	4392	Client.exe	95
PID 4392 wrote to memory of 3144	4392	Client.exe	98
PID 4392 wrote to memory of 3144	4392	Client.exe	98
PID 3144 wrote to memory of 2416	3144	cmd.exe	100
PID 3144 wrote to memory of 2416	3144	cmd.exe	100
PID 3144 wrote to memory of 2904	3144	cmd.exe	101
PID 3144 wrote to memory of 2904	3144	cmd.exe	101
PID 3144 wrote to memory of 1516	3144	cmd.exe	103
PID 3144 wrote to memory of 1516	3144	cmd.exe	103
PID 1516 wrote to memory of 1376	1516	Client.exe	104
PID 1516 wrote to memory of 1376	1516	Client.exe	104
PID 1516 wrote to memory of 4784	1516	Client.exe	107
PID 1516 wrote to memory of 4784	1516	Client.exe	107
PID 4784 wrote to memory of 3164	4784	cmd.exe	109
PID 4784 wrote to memory of 3164	4784	cmd.exe	109
PID 4784 wrote to memory of 4896	4784	cmd.exe	110
PID 4784 wrote to memory of 4896	4784	cmd.exe	110
PID 4784 wrote to memory of 100	4784	cmd.exe	127
PID 4784 wrote to memory of 100	4784	cmd.exe	127
PID 100 wrote to memory of 3196	100	Client.exe	128
PID 100 wrote to memory of 3196	100	Client.exe	128
PID 100 wrote to memory of 2076	100	Client.exe	131
PID 100 wrote to memory of 2076	100	Client.exe	131
PID 2076 wrote to memory of 4828	2076	cmd.exe	133
PID 2076 wrote to memory of 4828	2076	cmd.exe	133
PID 2076 wrote to memory of 4972	2076	cmd.exe	134
PID 2076 wrote to memory of 4972	2076	cmd.exe	134
PID 2076 wrote to memory of 2156	2076	cmd.exe	136
PID 2076 wrote to memory of 2156	2076	cmd.exe	136
PID 2156 wrote to memory of 4012	2156	Client.exe	137
PID 2156 wrote to memory of 4012	2156	Client.exe	137
PID 2156 wrote to memory of 4272	2156	Client.exe	140
PID 2156 wrote to memory of 4272	2156	Client.exe	140
PID 4272 wrote to memory of 3968	4272	cmd.exe	142
PID 4272 wrote to memory of 3968	4272	cmd.exe	142
PID 4272 wrote to memory of 4392	4272	cmd.exe	143
PID 4272 wrote to memory of 4392	4272	cmd.exe	143
PID 4272 wrote to memory of 1732	4272	cmd.exe	144
PID 4272 wrote to memory of 1732	4272	cmd.exe	144
PID 1732 wrote to memory of 224	1732	Client.exe	145
PID 1732 wrote to memory of 224	1732	Client.exe	145
PID 1732 wrote to memory of 2904	1732	Client.exe	147
PID 1732 wrote to memory of 2904	1732	Client.exe	147
PID 2904 wrote to memory of 1928	2904	cmd.exe	150
PID 2904 wrote to memory of 1928	2904	cmd.exe	150
PID 2904 wrote to memory of 516	2904	cmd.exe	151
PID 2904 wrote to memory of 516	2904	cmd.exe	151
PID 2904 wrote to memory of 4016	2904	cmd.exe	153
PID 2904 wrote to memory of 4016	2904	cmd.exe	153

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe
"C:\Users\Admin\AppData\Local\Temp\5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3612
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FvDUpwVFBb3a.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1476
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4040
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4392
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2832
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aSFz0Ffm8PGn.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3144
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2416
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2904
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7G7plnZIsHkC.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3164
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4896
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:100
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fBhbkTo92kz5.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4828
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4972
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\robz33hTKw8V.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4392
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcTQS7K3g8ZX.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1928
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:516
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4016
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ny6Fx6Z6EXIA.bat" "
        15⤵
        
        PID:4636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2652
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4252
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RYlKbv9laYl7.bat" "
        17⤵
        
        PID:4896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3204
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3736
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3844
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ucgs6qO25FaU.bat" "
        19⤵
        
        PID:1940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4596
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2076
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3404
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pyag6MPSb6RE.bat" "
        21⤵
        
        PID:2924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4304
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2188
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4368
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JVkhqUCYv2T5.bat" "
        23⤵
        
        PID:2352
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3140
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1376
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3324
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2F9tE2C143ZX.bat" "
        25⤵
        
        PID:2856
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4636
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1804
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:640
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Va136ZCIJrkC.bat" "
        27⤵
        
        PID:4800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2888
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4748
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3468
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\njbtU04eM45g.bat" "
        29⤵
        
        PID:5068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4152
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F9tE2C143ZX.bat

Filesize
207B

MD5
8a193172c5c0b9969b7af8989b6118a8

SHA1
0490846b8d5b58a2fa393de9985df4a87dd57d7b

SHA256
9fb4a03acdad4fc249aa6bf90f03bd99446fc1011c5858792f9618f2a07253a6

SHA512
f709096ac9ceaa6f11d7c278f323b02d085578d2fa4befdaa183f2f95c6dcd046a3fab267c97f71c549625dc903c6076d2136ee57ea7a5a40df20cf1cdc86832

Download Submit
C:\Users\Admin\AppData\Local\Temp\7G7plnZIsHkC.bat

Filesize
207B

MD5
9cc0d941b596afed1f5c6b7e739ce3ee

SHA1
33d6f783866b9783bdd551b77ddc3c7a3329c0dd

SHA256
7721b13e47de0fb9548f55e3551dfe500f473bd7a8a32bc0baa3dd398a60bea1

SHA512
b389460556aac3b70a28216d7b0379b0ed898de9cb1f4bb6fd797452bea38402d1429aa68c0d1dde23a7d2604e30be02c5a2c22f866f84e2abef2a152605ef18

Download Submit
C:\Users\Admin\AppData\Local\Temp\FcTQS7K3g8ZX.bat

Filesize
207B

MD5
3805cca89884987ee135d533fc2f97aa

SHA1
8bf5b5ae7935bd0b97b708f04afb2544c9427f45

SHA256
194a6749e4b9ba8bfb57db695cb5709e85e24d1fa7a6ab01e4485083fbf21f3a

SHA512
355487dae6ae70c34ea92b3a65175839f8c81927d22f2fa5bc882548f56294b22be81b6655c767ddcc06d4f03e11c166283998003195eaf0021588f13c4237cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\FvDUpwVFBb3a.bat

Filesize
207B

MD5
b906dbc84570e73337746ac8f7bcaee3

SHA1
f900509d11115b340a6d787371982808d1ce641f

SHA256
97b2b2618da0d3f265a66621ff18e1950a020e890d29044d0779bd56a1b87155

SHA512
caf995d8de81d49a09eaf2d35a049400c9bb42e9ef19dcf929c2eb0d538f4e1404bf331e7f6ed09ff2f799ed486c409d1fea9293e9fac765ba7d2c816af76242

Download Submit
C:\Users\Admin\AppData\Local\Temp\JVkhqUCYv2T5.bat

Filesize
207B

MD5
2fe18d90b07816ace656f79cdf20394b

SHA1
d8d55fc84c8b26efeab20cd872e1595366a90231

SHA256
cd5820ce7dc6a5341cab1b4581f32e61fe93ebe6e37b86a94c4e8eb4899237d0

SHA512
34c41f7c1c624497cd36c0955f382943b2bd1331a18589e765cbf750fb83cca874351c8ea73ff6d5788f33d7a60cc40d49ccd64ff8b7833268b4568a1a83099b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ny6Fx6Z6EXIA.bat

Filesize
207B

MD5
a5f807224d4a9f5c12281818d0772a04

SHA1
62e9be343e7c434efa71c1d2f159f68acdb06401

SHA256
98860e1179cd581e4499df1b4434b578bb6661e0da1bea01867723af649bb60c

SHA512
219ce28c188052c3234b4c97f266826882f6c020b1db76c28621993e5b1b36400994e2eecbf06d1dd8e125f2dbf75bbe9d62302dbf5d884db4322869d0e8f809

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYlKbv9laYl7.bat

Filesize
207B

MD5
8b4fa3ed132dc225b1b2ccf2e63f5ef1

SHA1
1262fcb41b1dc124ae5e22b5d87464dc5a720d79

SHA256
84b5d44e7b29805c74b8f582607c72b5af953612986fe69c0af283cb7281fb90

SHA512
4a0797862ee464b2f028736666091ffbd126ce80572e894d4f3bc21bdfd91f235681090028a26885df43e25d40cd594b1b652c915d5c5d5575a608b4ab2d252d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ucgs6qO25FaU.bat

Filesize
207B

MD5
1427dbe19f9dcd5eae60cc7b3c4a2ff3

SHA1
5dea284ad210f33993c50ab2ef30dedf3bba7359

SHA256
17646bfbaaeee7e7a836cd21804488f86270d4f9686cd69ce7a6bcd96d766681

SHA512
dfda3bf3d72ff32c142da73ec3f61ed51b5c4067e93826390ae25f236d03d7058e0c01c17eb818f34229fffecf1115448b24717dc1420c67a498b3ac17a17c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Va136ZCIJrkC.bat

Filesize
207B

MD5
7728461a7542e5b4f3a4d145bbba7c13

SHA1
1e6d592f841cff0a1c05c8d35a5b454a3adc1c3c

SHA256
b2709b9d89de932ba836de6be0913d71798afbbdda328f1b2726a097c477b7e7

SHA512
ed722e0b038aeacc17dbd9e364d23075a9415fb2a5ac5041b9612b7a4dcd2b132425d24d459b1942dd2763f65176b01c14356189feaaf039788a5ee2c794ee69

Download Submit
C:\Users\Admin\AppData\Local\Temp\aSFz0Ffm8PGn.bat

Filesize
207B

MD5
c6c1a39b692edbd324fccd5a9e9c43c5

SHA1
7ce04961bcc6f194616ca8e64b455b0567f86925

SHA256
f0975fe3aad93e571390c09b713f9d46f633b325537289542b846ceb79dec6f5

SHA512
2656f7eab7b9845f06f6e5e92d4bc2a5a10241951101501fd447cf53fadca89153af36b8d348704c759fd0b4731f372c840cb7ef642ccdbc71803728f4cac04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fBhbkTo92kz5.bat

Filesize
207B

MD5
944e3f55b77218ab1cc5baa3dfdae67e

SHA1
758e1e95636cffe6423fc7193ed865ffc5661609

SHA256
7a7491a4b934a8fdcda295a301b4140df1ee2efbae7aae5ced6b55a869cb712b

SHA512
51221a7b48169ca63cbaac774e72952b0fdc53ac3e3aec659e3764195ce524107bd71fd04244ce2fc90eddba36659f9f91bfa562547c63df3a254a8fe9d10ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\njbtU04eM45g.bat

Filesize
207B

MD5
be6c7da4c90a5ef0c7480a8a9fbbc1b6

SHA1
dc57c041aa0d061a894cfd792a46423cea92877e

SHA256
915867a60e7d1f81f5dd828fbb1aee8ad96ae7a32151f173f2819999b3683de5

SHA512
93eb3fe66306471a0c12c2e2ad168a0278603fd832d9f17b48816e37127ea0b0878ba5c23a0f79d395afb271f3da71cb5f1439a81d9b11be266f1935c02d64fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyag6MPSb6RE.bat

Filesize
207B

MD5
f26b96353835b800992581edb6a6711d

SHA1
9f72544006041150307c8bd7ad2e0793efafce1b

SHA256
34c549bffb9facbdb2fb97cb62dde39f43acd04edfdf1f595f432853dfbdddef

SHA512
a44ee7a1a88f0a22ea6a1af7e7ca4e3f25c37d4932205b3cccf355a2de96cbddfdfe6557958ddb7c1b6e2b054042e11cbc3fdfd5571f250cc7eafda5de90e1db

Download Submit
C:\Users\Admin\AppData\Local\Temp\robz33hTKw8V.bat

Filesize
207B

MD5
370874cdd7450758e2c85e49bd42298d

SHA1
e2659476c72c2595eb8b13ef8d9ed19204414a45

SHA256
f2a098f1a169527798e4cfc463f359bf7704f138467929e0dc4566626b26e3ea

SHA512
3bce54b15c9523b7ea2f82e413503b3cf0deb0c6c55187f557b713e0fc373f3c43d2c617ae928a0dab85d4bdd48cc6cbb883695038e27accb23387805446b730

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
fa5f99ff110280efe85f4663cfb3d6b8

SHA1
ad2d6d8006aee090a4ad5f08ec3425c6353c07d1

SHA256
5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d

SHA512
a3b898f758060f124c443422c6dc88ba80d9892890b25d21e37a1d3947cd4b9dbef403382ee6e28c1007785a63c5fa387f7d00403db433eb59c03d0b2a88b50e

Download Submit
memory/3196-9-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp

Filesize
10.8MB

Download
memory/3196-2-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp

Filesize
10.8MB

Download
memory/3196-1-0x00000000003C0000-0x00000000006E4000-memory.dmp

Filesize
3.1MB

Download
memory/3196-0-0x00007FFC5D9F3000-0x00007FFC5D9F5000-memory.dmp

Filesize
8KB

Download
memory/4532-13-0x000000001D6B0000-0x000000001D762000-memory.dmp

Filesize
712KB

Download
memory/4532-12-0x000000001D5A0000-0x000000001D5F0000-memory.dmp

Filesize
320KB

Download
memory/4532-11-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp

Filesize
10.8MB

Download
memory/4532-10-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp

Filesize
10.8MB

Download
memory/4532-18-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads