quasar | cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77

Analysis

max time kernel
147s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14-12-2024 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77.exe
Size

3.1MB
MD5

4489c3282400ad9e96ea5ca7c28e6369
SHA1

91a2016778cce0e880636d236efca38cf0a7713d
SHA256

cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77
SHA512

adaeab8aa666057ff008e86f96ae6b9a36ff2f276fdd49f6663c300357f3dc10f59fac7700bb385aa35887918a830e18bddaa41b3305d913566f58aa428a72b0
SSDEEP

49152:fvmI22SsaNYfdPBldt698dBcjH+ixNESEtk/i/LoGdCUTHHB72eh2NT:fvr22SsaNYfdPBldt6+dBcjHTx0D

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

testinghigger-42471.portmap.host:42471

Mutex

7a5f2afa-38ce-4bed-8e42-d1108199a2b3

Attributes

encryption_key
0F8B61E5223AD57FA54A04631691138A0F76FAE4
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
wod2
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 10 IoCs

resource	yara_rule
behavioral1/memory/2740-1-0x0000000000EE0000-0x0000000001204000-memory.dmp	family_quasar
behavioral1/files/0x000b0000000193a8-6.dat	family_quasar
behavioral1/memory/2756-9-0x0000000001370000-0x0000000001694000-memory.dmp	family_quasar
behavioral1/memory/3020-23-0x00000000003E0000-0x0000000000704000-memory.dmp	family_quasar
behavioral1/memory/2656-35-0x0000000000CE0000-0x0000000001004000-memory.dmp	family_quasar
behavioral1/memory/2516-56-0x0000000000FB0000-0x00000000012D4000-memory.dmp	family_quasar
behavioral1/memory/2452-68-0x00000000000C0000-0x00000000003E4000-memory.dmp	family_quasar
behavioral1/memory/2996-80-0x0000000000150000-0x0000000000474000-memory.dmp	family_quasar
behavioral1/memory/328-91-0x0000000000E30000-0x0000000001154000-memory.dmp	family_quasar
behavioral1/memory/2616-104-0x0000000001290000-0x00000000015B4000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2756	Client.exe
3020	Client.exe
2656	Client.exe
1896	Client.exe
2516	Client.exe
2452	Client.exe
2996	Client.exe
328	Client.exe
2616	Client.exe
1660	Client.exe
1864	Client.exe
1752	Client.exe
2236	Client.exe
2204	Client.exe
2748	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1708	PING.EXE
1028	PING.EXE
952	PING.EXE
876	PING.EXE
1724	PING.EXE
2988	PING.EXE
2832	PING.EXE
1592	PING.EXE
1620	PING.EXE
2276	PING.EXE
2240	PING.EXE
2696	PING.EXE
2260	PING.EXE
2572	PING.EXE
2792	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2988	PING.EXE
1620	PING.EXE
1724	PING.EXE
2832	PING.EXE
2696	PING.EXE
952	PING.EXE
876	PING.EXE
1028	PING.EXE
2792	PING.EXE
1592	PING.EXE
2260	PING.EXE
2276	PING.EXE
1708	PING.EXE
2572	PING.EXE
2240	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2644	schtasks.exe
2120	schtasks.exe
2668	schtasks.exe
1724	schtasks.exe
2388	schtasks.exe
2644	schtasks.exe
1044	schtasks.exe
2280	schtasks.exe
1592	schtasks.exe
572	schtasks.exe
2676	schtasks.exe
2928	schtasks.exe
2312	schtasks.exe
1056	schtasks.exe
2956	schtasks.exe
944	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77.exe
Token: SeDebugPrivilege	2756	Client.exe
Token: SeDebugPrivilege	3020	Client.exe
Token: SeDebugPrivilege	2656	Client.exe
Token: SeDebugPrivilege	1896	Client.exe
Token: SeDebugPrivilege	2516	Client.exe
Token: SeDebugPrivilege	2452	Client.exe
Token: SeDebugPrivilege	2996	Client.exe
Token: SeDebugPrivilege	328	Client.exe
Token: SeDebugPrivilege	2616	Client.exe
Token: SeDebugPrivilege	1660	Client.exe
Token: SeDebugPrivilege	1864	Client.exe
Token: SeDebugPrivilege	1752	Client.exe
Token: SeDebugPrivilege	2236	Client.exe
Token: SeDebugPrivilege	2204	Client.exe
Token: SeDebugPrivilege	2748	Client.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2756	Client.exe
3020	Client.exe
2656	Client.exe
1896	Client.exe
2516	Client.exe
2452	Client.exe
2996	Client.exe
328	Client.exe
2616	Client.exe
1660	Client.exe
1864	Client.exe
1752	Client.exe
2236	Client.exe
2204	Client.exe
2748	Client.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2756	Client.exe
3020	Client.exe
2656	Client.exe
1896	Client.exe
2516	Client.exe
2452	Client.exe
2996	Client.exe
328	Client.exe
2616	Client.exe
1660	Client.exe
1864	Client.exe
1752	Client.exe
2236	Client.exe
2204	Client.exe
2748	Client.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2756	Client.exe
1896	Client.exe
2204	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2668	2740	cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77.exe	30
PID 2740 wrote to memory of 2668	2740	cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77.exe	30
PID 2740 wrote to memory of 2668	2740	cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77.exe	30
PID 2740 wrote to memory of 2756	2740	cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77.exe	32
PID 2740 wrote to memory of 2756	2740	cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77.exe	32
PID 2740 wrote to memory of 2756	2740	cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77.exe	32
PID 2756 wrote to memory of 2928	2756	Client.exe	33
PID 2756 wrote to memory of 2928	2756	Client.exe	33
PID 2756 wrote to memory of 2928	2756	Client.exe	33
PID 2756 wrote to memory of 2732	2756	Client.exe	35
PID 2756 wrote to memory of 2732	2756	Client.exe	35
PID 2756 wrote to memory of 2732	2756	Client.exe	35
PID 2732 wrote to memory of 2552	2732	cmd.exe	37
PID 2732 wrote to memory of 2552	2732	cmd.exe	37
PID 2732 wrote to memory of 2552	2732	cmd.exe	37
PID 2732 wrote to memory of 2572	2732	cmd.exe	38
PID 2732 wrote to memory of 2572	2732	cmd.exe	38
PID 2732 wrote to memory of 2572	2732	cmd.exe	38
PID 2732 wrote to memory of 3020	2732	cmd.exe	39
PID 2732 wrote to memory of 3020	2732	cmd.exe	39
PID 2732 wrote to memory of 3020	2732	cmd.exe	39
PID 3020 wrote to memory of 1724	3020	Client.exe	40
PID 3020 wrote to memory of 1724	3020	Client.exe	40
PID 3020 wrote to memory of 1724	3020	Client.exe	40
PID 3020 wrote to memory of 2360	3020	Client.exe	42
PID 3020 wrote to memory of 2360	3020	Client.exe	42
PID 3020 wrote to memory of 2360	3020	Client.exe	42
PID 2360 wrote to memory of 2892	2360	cmd.exe	44
PID 2360 wrote to memory of 2892	2360	cmd.exe	44
PID 2360 wrote to memory of 2892	2360	cmd.exe	44
PID 2360 wrote to memory of 1620	2360	cmd.exe	45
PID 2360 wrote to memory of 1620	2360	cmd.exe	45
PID 2360 wrote to memory of 1620	2360	cmd.exe	45
PID 2360 wrote to memory of 2656	2360	cmd.exe	46
PID 2360 wrote to memory of 2656	2360	cmd.exe	46
PID 2360 wrote to memory of 2656	2360	cmd.exe	46
PID 2656 wrote to memory of 2388	2656	Client.exe	47
PID 2656 wrote to memory of 2388	2656	Client.exe	47
PID 2656 wrote to memory of 2388	2656	Client.exe	47
PID 2656 wrote to memory of 332	2656	Client.exe	49
PID 2656 wrote to memory of 332	2656	Client.exe	49
PID 2656 wrote to memory of 332	2656	Client.exe	49
PID 332 wrote to memory of 1760	332	cmd.exe	51
PID 332 wrote to memory of 1760	332	cmd.exe	51
PID 332 wrote to memory of 1760	332	cmd.exe	51
PID 332 wrote to memory of 2276	332	cmd.exe	52
PID 332 wrote to memory of 2276	332	cmd.exe	52
PID 332 wrote to memory of 2276	332	cmd.exe	52
PID 332 wrote to memory of 1896	332	cmd.exe	53
PID 332 wrote to memory of 1896	332	cmd.exe	53
PID 332 wrote to memory of 1896	332	cmd.exe	53
PID 1896 wrote to memory of 2312	1896	Client.exe	54
PID 1896 wrote to memory of 2312	1896	Client.exe	54
PID 1896 wrote to memory of 2312	1896	Client.exe	54
PID 1896 wrote to memory of 408	1896	Client.exe	56
PID 1896 wrote to memory of 408	1896	Client.exe	56
PID 1896 wrote to memory of 408	1896	Client.exe	56
PID 408 wrote to memory of 944	408	cmd.exe	58
PID 408 wrote to memory of 944	408	cmd.exe	58
PID 408 wrote to memory of 944	408	cmd.exe	58
PID 408 wrote to memory of 952	408	cmd.exe	59
PID 408 wrote to memory of 952	408	cmd.exe	59
PID 408 wrote to memory of 952	408	cmd.exe	59
PID 408 wrote to memory of 2516	408	cmd.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77.exe
"C:\Users\Admin\AppData\Local\Temp\cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2668
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2928
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\GJwVTGzuEggC.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2552
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2572
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3020
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1724
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nOPWYvRjrSJR.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2360
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2892
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1620
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2388
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LDu2uW0kwvLg.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1760
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2276
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2312
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KFE9CZpprBcp.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:952
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2516
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1056
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mImME4bTiS7X.bat" "
        11⤵
        
        PID:1540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2452
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2956
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\O12x36ommVR8.bat" "
        13⤵
        
        PID:2936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1320
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1028
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2996
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1592
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Wb0YSUNqwPQc.bat" "
        15⤵
        
        PID:1608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2812
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:876
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:328
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2644
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ykO07UvYsi7W.bat" "
        17⤵
        
        PID:2672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2396
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2616
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1044
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HyumGClUeapN.bat" "
        19⤵
        
        PID:1596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2404
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2792
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1660
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2280
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wYSSm2ZoG98c.bat" "
        21⤵
        
        PID:776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2312
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2988
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1864
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:944
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sgXHITVmivim.bat" "
        23⤵
        
        PID:1160
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:908
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2240
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1752
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2120
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Z5VbYEtTn8Sf.bat" "
        25⤵
        
        PID:1780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:660
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2832
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2236
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:572
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\deoBroUAk3Zw.bat" "
        27⤵
        
        PID:1732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1584
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1592
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2204
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2676
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\i8SWLV0TJ3Ir.bat" "
        29⤵
        
        PID:1084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2696
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2748
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2644
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sPitzSvNXTNw.bat" "
        31⤵
        
        PID:1528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:348
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GJwVTGzuEggC.bat

Filesize
207B

MD5
517915a4daa110571cc2a610448dd9b1

SHA1
2bb8fbfc4c3e11ceaad0ef982818cd42368e6a9c

SHA256
e9dc4915e1a4575c76de8e990aa0a0f66ec97ffc9bcc1449bbc846b1fc4e6086

SHA512
814c589ef4193dce820f2d02731f5b36ed72ef8891d63d4cea2612c8de93a2cd7d7fb6db5c05ea6294ad2a265e42e93505b2554ac5e3d3ee7577c77d735063c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyumGClUeapN.bat

Filesize
207B

MD5
4d255f40c992549a4d11a2193de5ff45

SHA1
9f5217a7b9b21b3b23d3e9268c98d015c7a3f43c

SHA256
dfef0f6535e077bc0d02bdfea4f5ee5943fd58b5c97b8a2fe4f73be86780dc2c

SHA512
1987a293973a67afc262b14f65bd7545254e76d42a93b49da516f7f58b3da4a25f90cb64b10143420471a2b2687db384c00d2fc7b1c4cf355ab40e78bd47fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\KFE9CZpprBcp.bat

Filesize
207B

MD5
dca51410926febac4ae3701ffea61823

SHA1
9ace61f526bdf5cbac371a32e2ed947114501eb2

SHA256
5ed3f2279ee909d8ddcea03e7079e7556af24ee35989264ca6858de6e04bd208

SHA512
fd8c70dcb4795240796807518a2915256924fd94a8eccd87b63826e08c133e07652fade7abbacb1e886f5e92e0d553c7c6e114e62c63fac9703b14b9a8ba424a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDu2uW0kwvLg.bat

Filesize
207B

MD5
2dab3a2e5c650e4b4fb324b22029e7e4

SHA1
89b116e512fd2a56adb046f10c6de4379a092b4b

SHA256
282eca708f9f64b862034801fa103093047c487a7dad559156d8aa54a574c5f7

SHA512
5552cd564877b53f3c0a650dc9ea24318192e837140ceb6596062805ff469c4aa1ff9dee0d9e1f896590ca459905bbba78590848934850f31ddc56629add1160

Download Submit
C:\Users\Admin\AppData\Local\Temp\O12x36ommVR8.bat

Filesize
207B

MD5
daa49beed11022f767ca10f62406aef1

SHA1
5e8bcd21ce9e871ac4f171b87523ecb7aa965b38

SHA256
18578d6cfdc574b4252236c54b1d4659c6816e5fda7adc8470698a1efa0f2b16

SHA512
265aa8f878cf5bc9e24babe963e3a78426a32399bead84c3280d3b42d5149db46c30fe96d651a06f2ba255ae5a009a0c31dc53c17f142bd6729eae4e85125dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wb0YSUNqwPQc.bat

Filesize
207B

MD5
7417d19dff0a3d62f68b7ceab2862617

SHA1
e9f13556fd41066de83ba0b10e2a54a952ff06a6

SHA256
92acda0de57860641527691104e400d5b323640b63861a2bc7d1b11a7f918763

SHA512
c597fc96d51c8d53abbd5ba86434c41b8378125823aa2307e3cdc9f12ad921edc3d00d7fac45a591f762172f7449714d1452f195797a2d09fa7185a7acfc3678

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z5VbYEtTn8Sf.bat

Filesize
207B

MD5
84634005b622d2acbc4c765f8f559832

SHA1
c1c9e091633ac8559b99591063a386e511c0aada

SHA256
8c8a7bda439c93f1bb5810ea4787cad66037745d335b80ffc958497b36845f67

SHA512
fd25678bbb192aee38760fa9602877bc48f0e544c2a3dd8db963a5affa8a82d8e6b01fd0ab8b8a023ce971ad7851dbbfff19b9a373e9b0285910ab5a820132dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\deoBroUAk3Zw.bat

Filesize
207B

MD5
43a371d1d854ba2565d3500b6803f00d

SHA1
d9a70573a7a8c27bae500d49d679ad3e5ee89366

SHA256
16d626e1fe58f8a9fd7ef2cea47307d2df09d0cc67abe125a0e9acde4980a229

SHA512
bde1e80edbb5d13f57fdfec0e8e06fbc70002638cbe579d5944f686c0e9e19d29e792362a297f25563cf556681e197ae2f36a582296db8b3884225e85c9ef8c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\i8SWLV0TJ3Ir.bat

Filesize
207B

MD5
78ee762a916e5d18d2da046492183431

SHA1
2dbf20b53fbb43eac98016e56053850ba755f233

SHA256
cf38f3891e4042fd198fabb6c96c14bdd9d6cd71ae5f82826af5e7329eda0d44

SHA512
85a2dfda368e7352d020f5ce39696de9e6ee987c91aff28a9524dc1234daa868fa5d35ef7b042b0a194041a731338abe8d9676d5e25f43c6537386b80a647cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\mImME4bTiS7X.bat

Filesize
207B

MD5
fbf9bd58e58f1b09727b21d2ab232d54

SHA1
3fe351311efef9ee7486aa3b8bdb247b7656cbb3

SHA256
c9feeb38d78cf6fb65cc65c63500fa3532f575324ceb641b4f5e8bf8fdbe7d01

SHA512
edad9c71d004dd34284efaf5c83c86184621f6209ea2a206db447b4bcfc361b6f0823709496237d4577f21af63eede86df5ac6173e822361bee051e949287663

Download Submit
C:\Users\Admin\AppData\Local\Temp\nOPWYvRjrSJR.bat

Filesize
207B

MD5
046d2e76df70bb3b4c434dd39ca4d3de

SHA1
55e664f21a859e8a0e75f0e1939917604625b250

SHA256
8c3095aa27d1b93dcc686f7d144bb883d21d6962dfd65076d1600bfbc4cc0e1a

SHA512
6a64604309df438ba925b06cd05b89b53a096a68efba9316ab72c1fcd9d787742caebe4e634d13a70d5f2863349910da0bb97f1a540a815106b8c3572b669ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sPitzSvNXTNw.bat

Filesize
207B

MD5
7c42a276dd3c2e789283141057b8bbd5

SHA1
10d3270b29d41891fef6fba8f64643aecc8fb53a

SHA256
be328fe8e3fa1dd53e0d1f1dbb46310cabb8973cc6fb37bdc5f734832a230143

SHA512
5baaadcccecdace5fa9e569dd7f5e839ac2febb69ed650a05e19429edbee8a2d21865faa7cf5ceb82a7213230caba19354e6d38f6e622c8842a9a8ac18780fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgXHITVmivim.bat

Filesize
207B

MD5
76b3b0a57e4553477f2ff532afff88b1

SHA1
71e8c9c44b06cb193e2d58163d969ab372aac55e

SHA256
68ab844ff05a612fa4dc9b4edf16d2c00c19ed6c5783c0bb6b755af04afac13d

SHA512
b1bf52b624a7485a104539dadca5d87098a68d4c6a3069e49e4792061662b5bae09aeabe7a00b1514691f212d1d3646066be235349f28aa1b3dfc55f2b494d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYSSm2ZoG98c.bat

Filesize
207B

MD5
dd199fdab85181282dbd5ee8f7bb9c17

SHA1
252b87bae06405ef3d24df49d53e7100e2726844

SHA256
1e58e989f0b83c5ccdb8921138e115b8360e634adc1983e46e1533190ba207a8

SHA512
e3aa094cd0498f936436e883958fbd61a679e92d44b605fcd1fc9f558bd4d3bac133364dfcc6990341f083a3f9c34e0cabf9f75b28020905416e1ba1d43eaf47

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykO07UvYsi7W.bat

Filesize
207B

MD5
1d2130d09187262cd5ad00817a4abf4c

SHA1
7cfe3d12b3f01745720b010a7381e7da9c574a80

SHA256
af8ac73aa2b33b7487a36bec370ddc9cccdd0729d11b43b569c220d9e96beefe

SHA512
e7b2b8288df1ffa7d355f4d6877c89699312568b08c7d81a0606c7439c3f35ad4e499b3e27c16eb1efed378420917de9ad14958c584a77a0ea0178ecc2be0567

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
4489c3282400ad9e96ea5ca7c28e6369

SHA1
91a2016778cce0e880636d236efca38cf0a7713d

SHA256
cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77

SHA512
adaeab8aa666057ff008e86f96ae6b9a36ff2f276fdd49f6663c300357f3dc10f59fac7700bb385aa35887918a830e18bddaa41b3305d913566f58aa428a72b0

Download Submit
memory/328-91-0x0000000000E30000-0x0000000001154000-memory.dmp

Filesize
3.1MB

Download
memory/2452-68-0x00000000000C0000-0x00000000003E4000-memory.dmp

Filesize
3.1MB

Download
memory/2516-56-0x0000000000FB0000-0x00000000012D4000-memory.dmp

Filesize
3.1MB

Download
memory/2616-104-0x0000000001290000-0x00000000015B4000-memory.dmp

Filesize
3.1MB

Download
memory/2656-35-0x0000000000CE0000-0x0000000001004000-memory.dmp

Filesize
3.1MB

Download
memory/2740-0-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

Filesize
4KB

Download
memory/2740-8-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/2740-2-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/2740-1-0x0000000000EE0000-0x0000000001204000-memory.dmp

Filesize
3.1MB

Download
memory/2756-20-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/2756-10-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/2756-11-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/2756-9-0x0000000001370000-0x0000000001694000-memory.dmp

Filesize
3.1MB

Download
memory/2996-80-0x0000000000150000-0x0000000000474000-memory.dmp

Filesize
3.1MB

Download
memory/3020-23-0x00000000003E0000-0x0000000000704000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads