quasar | 655d2103255a0ec7e0aa4b488d75499ce880428fdcc2831bfdc52987b4660995

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/12/2024, 11:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

655d2103255a0ec7e0aa4b488d75499ce880428fdcc2831bfdc52987b4660995.exe
Size

3.1MB
MD5

ee86735f1427e86dcbba39339cecfe15
SHA1

cd492443264bdae1f0a5e5f16e57af3d1819a3ec
SHA256

655d2103255a0ec7e0aa4b488d75499ce880428fdcc2831bfdc52987b4660995
SHA512

59309d24c6df7d66033afe1aac2a7cc734438c3a6dfd02ad8a20299216fee4417dd10931a283366cbf42dea2b83b3e451527817c084bb20aac4c9800c68b82b1
SSDEEP

49152:2v9t62XlaSFNWPjljiFa2RoUYI8IRJ6ibR3LoGdeoYtTHHB72eh2NT:2v/62XlaSFNWPjljiFXRoUYI8IRJ6c

Score

10^/10

quasar qussa discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Qussa

ggergejhijseih.myvnc.com:47820

Mutex

5910e19f-3073-4c42-a174-513d316126e7

Attributes

encryption_key
7A23123B6E1E0CCDB27477C6C7654C7BE2FEDE54
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
xml
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/1912-1-0x0000000000670000-0x0000000000994000-memory.dmp	family_quasar
behavioral2/files/0x0010000000023baa-6.dat	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 14 IoCs

pid	Process
8	Client.exe
3300	Client.exe
1716	Client.exe
3384	Client.exe
4976	Client.exe
1932	Client.exe
1512	Client.exe
4508	Client.exe
4048	Client.exe
4944	Client.exe
1536	Client.exe
4028	Client.exe
336	Client.exe
224	Client.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File created	C:\Windows\system32\SubDir\Client.exe	655d2103255a0ec7e0aa4b488d75499ce880428fdcc2831bfdc52987b4660995.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	655d2103255a0ec7e0aa4b488d75499ce880428fdcc2831bfdc52987b4660995.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	655d2103255a0ec7e0aa4b488d75499ce880428fdcc2831bfdc52987b4660995.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2564	PING.EXE
1272	PING.EXE
1620	PING.EXE
716	PING.EXE
2288	PING.EXE
2132	PING.EXE
3068	PING.EXE
4864	PING.EXE
4308	PING.EXE
1988	PING.EXE
2988	PING.EXE
3172	PING.EXE
4864	PING.EXE
2704	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
2288	PING.EXE
3172	PING.EXE
2704	PING.EXE
4864	PING.EXE
3068	PING.EXE
2988	PING.EXE
4864	PING.EXE
1988	PING.EXE
1620	PING.EXE
1272	PING.EXE
716	PING.EXE
4308	PING.EXE
2132	PING.EXE
2564	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3744	schtasks.exe
3684	schtasks.exe
3304	schtasks.exe
1984	schtasks.exe
1156	schtasks.exe
392	schtasks.exe
2012	schtasks.exe
4320	schtasks.exe
3236	schtasks.exe
2732	schtasks.exe
2456	schtasks.exe
1932	schtasks.exe
4712	schtasks.exe
4484	schtasks.exe
1540	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1912	655d2103255a0ec7e0aa4b488d75499ce880428fdcc2831bfdc52987b4660995.exe
Token: SeDebugPrivilege	8	Client.exe
Token: SeDebugPrivilege	3300	Client.exe
Token: SeDebugPrivilege	1716	Client.exe
Token: SeDebugPrivilege	3384	Client.exe
Token: SeDebugPrivilege	4976	Client.exe
Token: SeDebugPrivilege	1932	Client.exe
Token: SeDebugPrivilege	1512	Client.exe
Token: SeDebugPrivilege	4508	Client.exe
Token: SeDebugPrivilege	4048	Client.exe
Token: SeDebugPrivilege	4944	Client.exe
Token: SeDebugPrivilege	1536	Client.exe
Token: SeDebugPrivilege	4028	Client.exe
Token: SeDebugPrivilege	336	Client.exe
Token: SeDebugPrivilege	224	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 3744	1912	655d2103255a0ec7e0aa4b488d75499ce880428fdcc2831bfdc52987b4660995.exe	83
PID 1912 wrote to memory of 3744	1912	655d2103255a0ec7e0aa4b488d75499ce880428fdcc2831bfdc52987b4660995.exe	83
PID 1912 wrote to memory of 8	1912	655d2103255a0ec7e0aa4b488d75499ce880428fdcc2831bfdc52987b4660995.exe	85
PID 1912 wrote to memory of 8	1912	655d2103255a0ec7e0aa4b488d75499ce880428fdcc2831bfdc52987b4660995.exe	85
PID 8 wrote to memory of 1984	8	Client.exe	86
PID 8 wrote to memory of 1984	8	Client.exe	86
PID 8 wrote to memory of 1604	8	Client.exe	88
PID 8 wrote to memory of 1604	8	Client.exe	88
PID 1604 wrote to memory of 2044	1604	cmd.exe	90
PID 1604 wrote to memory of 2044	1604	cmd.exe	90
PID 1604 wrote to memory of 2564	1604	cmd.exe	91
PID 1604 wrote to memory of 2564	1604	cmd.exe	91
PID 1604 wrote to memory of 3300	1604	cmd.exe	97
PID 1604 wrote to memory of 3300	1604	cmd.exe	97
PID 3300 wrote to memory of 3684	3300	Client.exe	98
PID 3300 wrote to memory of 3684	3300	Client.exe	98
PID 3300 wrote to memory of 3084	3300	Client.exe	101
PID 3300 wrote to memory of 3084	3300	Client.exe	101
PID 3084 wrote to memory of 5012	3084	cmd.exe	103
PID 3084 wrote to memory of 5012	3084	cmd.exe	103
PID 3084 wrote to memory of 1272	3084	cmd.exe	104
PID 3084 wrote to memory of 1272	3084	cmd.exe	104
PID 3084 wrote to memory of 1716	3084	cmd.exe	112
PID 3084 wrote to memory of 1716	3084	cmd.exe	112
PID 1716 wrote to memory of 3304	1716	Client.exe	113
PID 1716 wrote to memory of 3304	1716	Client.exe	113
PID 1716 wrote to memory of 892	1716	Client.exe	116
PID 1716 wrote to memory of 892	1716	Client.exe	116
PID 892 wrote to memory of 2132	892	cmd.exe	118
PID 892 wrote to memory of 2132	892	cmd.exe	118
PID 892 wrote to memory of 716	892	cmd.exe	119
PID 892 wrote to memory of 716	892	cmd.exe	119
PID 892 wrote to memory of 3384	892	cmd.exe	124
PID 892 wrote to memory of 3384	892	cmd.exe	124
PID 3384 wrote to memory of 1156	3384	Client.exe	125
PID 3384 wrote to memory of 1156	3384	Client.exe	125
PID 3384 wrote to memory of 2968	3384	Client.exe	128
PID 3384 wrote to memory of 2968	3384	Client.exe	128
PID 2968 wrote to memory of 1960	2968	cmd.exe	130
PID 2968 wrote to memory of 1960	2968	cmd.exe	130
PID 2968 wrote to memory of 4864	2968	cmd.exe	131
PID 2968 wrote to memory of 4864	2968	cmd.exe	131
PID 2968 wrote to memory of 4976	2968	cmd.exe	133
PID 2968 wrote to memory of 4976	2968	cmd.exe	133
PID 4976 wrote to memory of 3236	4976	Client.exe	134
PID 4976 wrote to memory of 3236	4976	Client.exe	134
PID 4976 wrote to memory of 868	4976	Client.exe	137
PID 4976 wrote to memory of 868	4976	Client.exe	137
PID 868 wrote to memory of 1604	868	cmd.exe	139
PID 868 wrote to memory of 1604	868	cmd.exe	139
PID 868 wrote to memory of 2288	868	cmd.exe	140
PID 868 wrote to memory of 2288	868	cmd.exe	140
PID 868 wrote to memory of 1932	868	cmd.exe	141
PID 868 wrote to memory of 1932	868	cmd.exe	141
PID 1932 wrote to memory of 2732	1932	Client.exe	142
PID 1932 wrote to memory of 2732	1932	Client.exe	142
PID 1932 wrote to memory of 2128	1932	Client.exe	145
PID 1932 wrote to memory of 2128	1932	Client.exe	145
PID 2128 wrote to memory of 1676	2128	cmd.exe	147
PID 2128 wrote to memory of 1676	2128	cmd.exe	147
PID 2128 wrote to memory of 4308	2128	cmd.exe	148
PID 2128 wrote to memory of 4308	2128	cmd.exe	148
PID 2128 wrote to memory of 1512	2128	cmd.exe	151
PID 2128 wrote to memory of 1512	2128	cmd.exe	151

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\655d2103255a0ec7e0aa4b488d75499ce880428fdcc2831bfdc52987b4660995.exe
"C:\Users\Admin\AppData\Local\Temp\655d2103255a0ec7e0aa4b488d75499ce880428fdcc2831bfdc52987b4660995.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3744
- C:\Windows\system32\SubDir\Client.exe
  "C:\Windows\system32\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEdmDMassNbe.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2044
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2564
  - - C:\Windows\system32\SubDir\Client.exe
      "C:\Windows\system32\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3300
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3684
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AQ70NGDnOG1U.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3084
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5012
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1272
      - C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yqTHoU6SljCZ.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2132
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:716
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C70rthx2CKWK.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1960
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4864
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N5D15h8pNk1M.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1604
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2288
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Nh0TNZZ9kzgz.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4308
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZvfAiio0cU7Z.bat" "
        15⤵
        
        PID:2332
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1716
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2132
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4508
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n05O2wVhQaR3.bat" "
        17⤵
        
        PID:448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1988
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4048
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m18q6G9qy8Gp.bat" "
        19⤵
        
        PID:5044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3124
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4864
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4944
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMYKo2YFwlub.bat" "
        21⤵
        
        PID:1200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3068
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NAFKlxhg7FRE.bat" "
        23⤵
        
        PID:3556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3624
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2988
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4028
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IaubglrYyZkA.bat" "
        25⤵
        
        PID:4348
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3172
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:336
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sVkmpdE6PZE3.bat" "
        27⤵
        
        PID:3216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3600
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2704
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:224
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ETKmNnQAsoMP.bat" "
        29⤵
        
        PID:3604
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQ70NGDnOG1U.bat

Filesize
196B

MD5
0eaf1e7561e85108a1759b4ff4b4e72a

SHA1
dbb07015987d7511bcd497f8ac7e162d72b56a02

SHA256
e3b3428e55dfa36bbd6a828fa1614af42a0276f6d725c04048af3b84bd90e8aa

SHA512
2b7c67fc370501770775989a6a7f0a09413d6016aa6c32e87fffc4b1f506c330b52296d96292e2fa1d737cc5f795422d4d1c2cc2d2c723247c210b9d811dddf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C70rthx2CKWK.bat

Filesize
196B

MD5
4f404c1e7d5a450e92b1d35cdab3d85c

SHA1
f58b52c1acb6569b735a6af59749a733d2210292

SHA256
56e236d7c90356d8edf93d44fe1fd54e14a14a2837119bf9084f4018d35a0a12

SHA512
6002faa049dc08e629bbc4316aa0f8691a408fdef9e5bb5906a36225615b24db69c5f68813a1475ce010e3ca6853fda5e78bbdbb5d4ce7d2cd606bda5a42223e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ETKmNnQAsoMP.bat

Filesize
196B

MD5
d74ac4a6a44365233e44186e3adf70f3

SHA1
01eeff0d489a56697311419798de58166d5c71be

SHA256
83d7f47eb4e6984f1ad6bc01f875f18765b87938745635acabd003084ee46b15

SHA512
537578007a4a131e9fb63aeb7d66adf9e41e0fada17c6b4806ac8d34154d55a15e53715337c3495f56b863448c3bef38068c0553f1a81c24a9e300628456cde1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IaubglrYyZkA.bat

Filesize
196B

MD5
5845c9f538b7576a46cbc82520fb3bfa

SHA1
8dd29c2b7ffedc32227ca8da5fbbfa50545245b8

SHA256
abb421c97741cb04d89da8421179dcd72fa30b51b7968e466c952c1cb50e3db1

SHA512
6261d60d7cdda728c6084b80034289a6b9d60a3e56b96a49c4ee5584512be2779c24c847163ef279ec04ca7c4342f3c284b5977b9c42e657ad54ea1f739d404d

Download Submit
C:\Users\Admin\AppData\Local\Temp\N5D15h8pNk1M.bat

Filesize
196B

MD5
c9bbd675c7c8a1009486eb0f08f8422c

SHA1
21f228d276268b35de699462f3b80da139cd7a4d

SHA256
29d607b27e557b4b2d6e5760111784dc9ce852845ae33b39e5c4bbeb5d5bb59c

SHA512
bfbf17c5bbefba0f0873593e7b1a6ac059289292cf3409513b4334885941f05a5e7c2ecd9f8ea32b7cb7b1abcc4d1beefa239f33be4393d5842a01573b3d6460

Download Submit
C:\Users\Admin\AppData\Local\Temp\NAFKlxhg7FRE.bat

Filesize
196B

MD5
3ef8c14bdcc13dd0787844255a5de09e

SHA1
3632d2471ca9014de318bfd1f1dadd6e38bb342f

SHA256
18e98da3b49ad5da9a2133726f188283827b59a7662836c34f52e997664c59a1

SHA512
7b6001a208fdf7b5687f6922f85b6d5a4eb853e416ad673f900135228334ca01e13f54e2703e6926a67c0ebdcf2a2460c88254cdafb3d2058aa0a9c86b05231a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nh0TNZZ9kzgz.bat

Filesize
196B

MD5
2981145efc6524307187bc663e3aaea0

SHA1
a6c15d4fa3a737874c83c009a238ba6c307a4de7

SHA256
670540c4f8a4a67b3d111540e07485a8a45a69b560395d6e8a58a3a4f7fa935f

SHA512
0a586c284c915290f709bcaf12b636e8f8aac2bbdb2ee0c3fcc6b173a576101a03dc7ad73d0ac43e81379431f0b879457b119fe2fbfa1ad005188c23cd5cd8e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XEdmDMassNbe.bat

Filesize
196B

MD5
ca84f7213e806a956fa3144bdde47d8d

SHA1
b9a98a977a1441e4ac57259fa98da62f25103f5e

SHA256
6dccb4cb1bbeab50dab051ecb5bc6c6d74f56ae98f0e5fa4f087e92e601983a2

SHA512
2b216f5f1299c69111306a84d8d95c05e8eb118e4715ba8dc312c6fda23575323186419cc9864127018c455ad6d8aaf155f41fed5ba193cb3ecc8cf155de6a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZvfAiio0cU7Z.bat

Filesize
196B

MD5
0b882d08b0457142052f5acf5c4124e0

SHA1
20be79fe40e662f951151ab48e151eb2297cc538

SHA256
5d1c68a1ba0c923034c6267fea18b9b01964f42c9ca95317fab0942986a9fd45

SHA512
2732c9e5bff81337d6b9cc024f3fb8d10efdd5738000b0cabcc2a6e1e7de48bc1cdf457485df92db6289e608cbac877b4f684da4d81e4d3fc4b06403bf5a5e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\m18q6G9qy8Gp.bat

Filesize
196B

MD5
002e1ac0fa57699d9b5418aebfbe5b16

SHA1
2762f7567dc27153c530b156a6f1d320e97aa632

SHA256
eaffad463a89fa53d50c688abf6d16f240926ce1f9ce42106e45f180549504f6

SHA512
2e6717bf29803711089c7a2d7e8c1eda207628353c2e18312b3066f470d1e2a893c93e5b2853e712e351fc3336238975eda755552ffad1e0e75f5f436badb709

Download Submit
C:\Users\Admin\AppData\Local\Temp\n05O2wVhQaR3.bat

Filesize
196B

MD5
69d19fcdbcb21894753096b63615f539

SHA1
85f91f204d05490f22cb9cdee316fbe2ffbeacd1

SHA256
e5febd411853459d21581de7b61ca57d919e35dbb77daa1fa5ba386fead439d3

SHA512
71c949af1915441e2a82272ae52e145818b38746136231e476494fa659b262041bdbd62518caa1c9d5585e1af47f1738f9ecb8738b30cafa9c6bb8ba05a596d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sVkmpdE6PZE3.bat

Filesize
196B

MD5
6429da4a7111350767fb91eaa4b22051

SHA1
c05c536f71a7a29e88e2b135deae93a5916f690c

SHA256
b2c7e94ed391bcd1cf587e83fdccb4d13359872cb529d965df70b0ee0a52fe42

SHA512
6d7ca307bf606522015e96a3ec25ae6850ed3ed3cf7c3336764ff7b1958ab9c933e49ef09b4023b0a7b9756418e2f3397419c39a821f9de851a85d3d45406abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\xMYKo2YFwlub.bat

Filesize
196B

MD5
69eeaaefab2173a207a229dd87554fd5

SHA1
f1a28f43150cf181229cc2eb73242492303b005b

SHA256
700014a5e6e73db4216f27a2246b7c623d0627453f7da98d33d3b7d48cc245db

SHA512
f6bfd3085dc33c81d6406b62c37ac0921cd3b1ed94982379e80a6f4bfb47efbc5dcd1e7aba76fbbaf91d21737e2849430028ffd86c6ec9ed56a6eb6d7855559b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yqTHoU6SljCZ.bat

Filesize
196B

MD5
9c809cfac25d062bfb48834085bbaa23

SHA1
261f1aadba095931118a0f0d7315c6255f0d9be9

SHA256
9cd7304364d7986d9097eccafd9f626afcc1434495ae4d32be5b2dbdc63c8537

SHA512
12ac4ec95202016c9c31967706980ef0fb3475dc0e7094e478fcf825df1f0547409e2e9b93451c69e3ee51f36e174f784a1b775ebd28095dff367f53f94902bc

Download Submit
C:\Windows\System32\SubDir\Client.exe

Filesize
3.1MB

MD5
ee86735f1427e86dcbba39339cecfe15

SHA1
cd492443264bdae1f0a5e5f16e57af3d1819a3ec

SHA256
655d2103255a0ec7e0aa4b488d75499ce880428fdcc2831bfdc52987b4660995

SHA512
59309d24c6df7d66033afe1aac2a7cc734438c3a6dfd02ad8a20299216fee4417dd10931a283366cbf42dea2b83b3e451527817c084bb20aac4c9800c68b82b1

Download Submit
memory/8-12-0x000000001C1E0000-0x000000001C230000-memory.dmp

Filesize
320KB

Download
memory/8-10-0x00007FFE236D0000-0x00007FFE24191000-memory.dmp

Filesize
10.8MB

Download
memory/8-11-0x00007FFE236D0000-0x00007FFE24191000-memory.dmp

Filesize
10.8MB

Download
memory/8-18-0x00007FFE236D0000-0x00007FFE24191000-memory.dmp

Filesize
10.8MB

Download
memory/8-13-0x000000001C2F0000-0x000000001C3A2000-memory.dmp

Filesize
712KB

Download
memory/1912-0-0x00007FFE236D3000-0x00007FFE236D5000-memory.dmp

Filesize
8KB

Download
memory/1912-9-0x00007FFE236D0000-0x00007FFE24191000-memory.dmp

Filesize
10.8MB

Download
memory/1912-2-0x00007FFE236D0000-0x00007FFE24191000-memory.dmp

Filesize
10.8MB

Download
memory/1912-1-0x0000000000670000-0x0000000000994000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads