quasar | cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77.exe
Size

3.1MB
MD5

4489c3282400ad9e96ea5ca7c28e6369
SHA1

91a2016778cce0e880636d236efca38cf0a7713d
SHA256

cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77
SHA512

adaeab8aa666057ff008e86f96ae6b9a36ff2f276fdd49f6663c300357f3dc10f59fac7700bb385aa35887918a830e18bddaa41b3305d913566f58aa428a72b0
SSDEEP

49152:fvmI22SsaNYfdPBldt698dBcjH+ixNESEtk/i/LoGdCUTHHB72eh2NT:fvr22SsaNYfdPBldt6+dBcjHTx0D

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

testinghigger-42471.portmap.host:42471

Mutex

7a5f2afa-38ce-4bed-8e42-d1108199a2b3

Attributes

encryption_key
0F8B61E5223AD57FA54A04631691138A0F76FAE4
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
wod2
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/4392-1-0x00000000000C0000-0x00000000003E4000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023cc7-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
2324	Client.exe
1996	Client.exe
4848	Client.exe
4120	Client.exe
4224	Client.exe
3740	Client.exe
712	Client.exe
1732	Client.exe
2228	Client.exe
4496	Client.exe
4028	Client.exe
3540	Client.exe
2316	Client.exe
3312	Client.exe
5088	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4124	PING.EXE
752	PING.EXE
3356	PING.EXE
3228	PING.EXE
4440	PING.EXE
5108	PING.EXE
4880	PING.EXE
1828	PING.EXE
5060	PING.EXE
4816	PING.EXE
3628	PING.EXE
2104	PING.EXE
4684	PING.EXE
736	PING.EXE
4696	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
4880	PING.EXE
5060	PING.EXE
4816	PING.EXE
5108	PING.EXE
4124	PING.EXE
3228	PING.EXE
3356	PING.EXE
4440	PING.EXE
1828	PING.EXE
2104	PING.EXE
4684	PING.EXE
736	PING.EXE
752	PING.EXE
3628	PING.EXE
4696	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3608	schtasks.exe
844	schtasks.exe
3900	schtasks.exe
448	schtasks.exe
2532	schtasks.exe
4072	schtasks.exe
1108	schtasks.exe
532	schtasks.exe
4300	schtasks.exe
4460	schtasks.exe
3696	schtasks.exe
4728	schtasks.exe
4888	schtasks.exe
3540	schtasks.exe
440	schtasks.exe
3968	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	4392	cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77.exe
Token: SeDebugPrivilege	2324	Client.exe
Token: SeDebugPrivilege	1996	Client.exe
Token: SeDebugPrivilege	4848	Client.exe
Token: SeDebugPrivilege	4120	Client.exe
Token: SeDebugPrivilege	4224	Client.exe
Token: SeDebugPrivilege	3740	Client.exe
Token: SeDebugPrivilege	712	Client.exe
Token: SeDebugPrivilege	1732	Client.exe
Token: SeDebugPrivilege	2228	Client.exe
Token: SeDebugPrivilege	4496	Client.exe
Token: SeDebugPrivilege	4028	Client.exe
Token: SeDebugPrivilege	3540	Client.exe
Token: SeDebugPrivilege	2316	Client.exe
Token: SeDebugPrivilege	3312	Client.exe
Token: SeDebugPrivilege	5088	Client.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2324	Client.exe
1996	Client.exe
4848	Client.exe
4120	Client.exe
4224	Client.exe
3740	Client.exe
712	Client.exe
1732	Client.exe
2228	Client.exe
4496	Client.exe
4028	Client.exe
3540	Client.exe
2316	Client.exe
3312	Client.exe
5088	Client.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2324	Client.exe
1996	Client.exe
4848	Client.exe
4120	Client.exe
4224	Client.exe
3740	Client.exe
712	Client.exe
1732	Client.exe
2228	Client.exe
4496	Client.exe
4028	Client.exe
3540	Client.exe
2316	Client.exe
3312	Client.exe
5088	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 3608	4392	cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77.exe	83
PID 4392 wrote to memory of 3608	4392	cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77.exe	83
PID 4392 wrote to memory of 2324	4392	cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77.exe	85
PID 4392 wrote to memory of 2324	4392	cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77.exe	85
PID 2324 wrote to memory of 2532	2324	Client.exe	86
PID 2324 wrote to memory of 2532	2324	Client.exe	86
PID 2324 wrote to memory of 1296	2324	Client.exe	88
PID 2324 wrote to memory of 1296	2324	Client.exe	88
PID 1296 wrote to memory of 3312	1296	cmd.exe	90
PID 1296 wrote to memory of 3312	1296	cmd.exe	90
PID 1296 wrote to memory of 4124	1296	cmd.exe	91
PID 1296 wrote to memory of 4124	1296	cmd.exe	91
PID 1296 wrote to memory of 1996	1296	cmd.exe	101
PID 1296 wrote to memory of 1996	1296	cmd.exe	101
PID 1996 wrote to memory of 4888	1996	Client.exe	102
PID 1996 wrote to memory of 4888	1996	Client.exe	102
PID 1996 wrote to memory of 2004	1996	Client.exe	105
PID 1996 wrote to memory of 2004	1996	Client.exe	105
PID 2004 wrote to memory of 3772	2004	cmd.exe	107
PID 2004 wrote to memory of 3772	2004	cmd.exe	107
PID 2004 wrote to memory of 5108	2004	cmd.exe	108
PID 2004 wrote to memory of 5108	2004	cmd.exe	108
PID 2004 wrote to memory of 4848	2004	cmd.exe	114
PID 2004 wrote to memory of 4848	2004	cmd.exe	114
PID 4848 wrote to memory of 3540	4848	Client.exe	115
PID 4848 wrote to memory of 3540	4848	Client.exe	115
PID 4848 wrote to memory of 4388	4848	Client.exe	118
PID 4848 wrote to memory of 4388	4848	Client.exe	118
PID 4388 wrote to memory of 380	4388	cmd.exe	120
PID 4388 wrote to memory of 380	4388	cmd.exe	120
PID 4388 wrote to memory of 4880	4388	cmd.exe	121
PID 4388 wrote to memory of 4880	4388	cmd.exe	121
PID 4388 wrote to memory of 4120	4388	cmd.exe	126
PID 4388 wrote to memory of 4120	4388	cmd.exe	126
PID 4120 wrote to memory of 440	4120	Client.exe	127
PID 4120 wrote to memory of 440	4120	Client.exe	127
PID 4120 wrote to memory of 3508	4120	Client.exe	129
PID 4120 wrote to memory of 3508	4120	Client.exe	129
PID 3508 wrote to memory of 1832	3508	cmd.exe	132
PID 3508 wrote to memory of 1832	3508	cmd.exe	132
PID 3508 wrote to memory of 1828	3508	cmd.exe	133
PID 3508 wrote to memory of 1828	3508	cmd.exe	133
PID 3508 wrote to memory of 4224	3508	cmd.exe	135
PID 3508 wrote to memory of 4224	3508	cmd.exe	135
PID 4224 wrote to memory of 844	4224	Client.exe	136
PID 4224 wrote to memory of 844	4224	Client.exe	136
PID 4224 wrote to memory of 112	4224	Client.exe	139
PID 4224 wrote to memory of 112	4224	Client.exe	139
PID 112 wrote to memory of 4704	112	cmd.exe	141
PID 112 wrote to memory of 4704	112	cmd.exe	141
PID 112 wrote to memory of 3228	112	cmd.exe	142
PID 112 wrote to memory of 3228	112	cmd.exe	142
PID 112 wrote to memory of 3740	112	cmd.exe	144
PID 112 wrote to memory of 3740	112	cmd.exe	144
PID 3740 wrote to memory of 532	3740	Client.exe	145
PID 3740 wrote to memory of 532	3740	Client.exe	145
PID 3740 wrote to memory of 1536	3740	Client.exe	148
PID 3740 wrote to memory of 1536	3740	Client.exe	148
PID 1536 wrote to memory of 3044	1536	cmd.exe	150
PID 1536 wrote to memory of 3044	1536	cmd.exe	150
PID 1536 wrote to memory of 2104	1536	cmd.exe	151
PID 1536 wrote to memory of 2104	1536	cmd.exe	151
PID 1536 wrote to memory of 712	1536	cmd.exe	153
PID 1536 wrote to memory of 712	1536	cmd.exe	153

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77.exe
"C:\Users\Admin\AppData\Local\Temp\cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3608
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uYYvPZFE4ROA.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1296
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3312
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4124
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1996
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4888
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JzTln9S0oG1p.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2004
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3772
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5108
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AgmfhrxTUcY8.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:380
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4880
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GNbyx6T2a6py.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1828
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3WotHdyzdows.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4704
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3228
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n4h3S1mPI30i.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2104
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:712
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUoyU610H26n.bat" "
        15⤵
        
        PID:3744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3736
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4684
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1732
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4300
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v9HDOtNhpPjt.bat" "
        17⤵
        
        PID:3700
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4164
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:736
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2228
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCyhYPZrCclg.bat" "
        19⤵
        
        PID:2528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:752
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4496
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vlUYOXDUXAur.bat" "
        21⤵
        
        PID:2360
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1444
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5060
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4028
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fHbPMeWZtkP8.bat" "
        23⤵
        
        PID:4992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2104
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4816
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3540
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PcFVwrkbdggl.bat" "
        25⤵
        
        PID:3976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4964
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3628
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2316
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9JjpmlEeFTTe.bat" "
        27⤵
        
        PID:4860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4696
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3312
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CMz90VB7kXxR.bat" "
        29⤵
        
        PID:5012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:388
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3356
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5088
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\npvYVpgU4Vtn.bat" "
        31⤵
        
        PID:2904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3WotHdyzdows.bat

Filesize
207B

MD5
a332316a9ea74bec2379670d44b63255

SHA1
a1fcabb079cfda7b046ef11d08804fdb187025cb

SHA256
66a56e14e7a5e28ce364d11779d191d53e7f792e90bc4483543812d4ef433297

SHA512
6d24ad2f75f5639e0844673e4ffd30a3407ca9d2d6938129b01029e1a61d6d1ee26f700cff82a3730e7946640fdc87c6710f186fd981a266b2735b030a36e191

Download Submit
C:\Users\Admin\AppData\Local\Temp\9JjpmlEeFTTe.bat

Filesize
207B

MD5
017bc8b2a578d0dd91d8aeb83ddbf835

SHA1
dfd64b93676e0ce87b6dfd98b76fe353c37a2235

SHA256
79947c63b4525f985b6a17085a4ae4cd0036f7a9c2589e6518188cbe9058ab3c

SHA512
f28cca0964bbd2cf3c8ab168cc539cc36e9abc456b8aae0a5d552cab99842ea12bef8fe56346c0e956604383b1664d7630a44572d930a6472c63fa8cb49ee0ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgmfhrxTUcY8.bat

Filesize
207B

MD5
fec47f9a0cbff8d80e77c3c790ded4e9

SHA1
7955fd9e09ce3b53cf8f576231ddf3fb6c04b459

SHA256
a5adffce28c4e2d311aebba389cdc7b3d9074b36b551fb19547975f9d58a72f4

SHA512
d099e76dbb25ca570cd7f8001f0f6ff90995e6e5d98b639e5e77479f980130be5fa5655105d4a70dc008859ffe80c60dccc70fb4eec61e19af26732efa8c2b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMz90VB7kXxR.bat

Filesize
207B

MD5
104ebb5827711bbca41bdfb02d835b5f

SHA1
9f031b37f0bf9085cd6c4905bf94efaebdc3c920

SHA256
d6292f47990d4774ad14e5722050ccf75d8283a348af2c56503f68bc09166d63

SHA512
6b993f0a3f008e1c37cabfa1ec512e10e422c4791c701dd31b9f5b07a4ec88be79a8141dcc4330e40e135de6e24d7ffddeefd30e32eedf9d3e371d7e23eb5a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\GNbyx6T2a6py.bat

Filesize
207B

MD5
181a57e1161e9f99aa77e753bc2833d0

SHA1
3e6424e04c4e70bae461e1ec71e5d70f855fbf3a

SHA256
f4ad080b3a6eb46f81341fa06b5a4a4e90b18911fa86f6cd8a5e1db05f8eb2a8

SHA512
85300a47849d2a3cfd25ea47952daf44145c609d682531dc0fd8b479e1010ec98aee49174af8d856005b0c5f384fbff228c767501a6756d5b42f357aa7aeb4a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\JzTln9S0oG1p.bat

Filesize
207B

MD5
68dcb955bb091182a3fbf9ededafcf2b

SHA1
e6a7b6d67a8d2239d4f67e5c3af55d76240fb0de

SHA256
15859eef98739b3aad2bafc1d5a47ba9a9dc004a70d0b8d23c0b2b848d9a12da

SHA512
22ee265c48e5d65478959a57970c09fc28e00fa227c6ed5644018ff3ee7476950c4b88016e1798043b77b3febe14c0cc261cc9770cf81999c2fd2f2f6c611888

Download Submit
C:\Users\Admin\AppData\Local\Temp\LUoyU610H26n.bat

Filesize
207B

MD5
28b3a86c0452508c05b60b9a8788b1b4

SHA1
6aa225f8256dc79c26c1dbcc57499e3c4eb48fae

SHA256
2804ea4fcbefe89496cf3a379dfeab2a367ba1440506b9b8c35d5ad8225b4812

SHA512
ddbd1720568f756a0f712dd8959b453e53c4b357893693ba0b9e72d3b80d8be4d1ad2a7ce15efd74e96257737e8c19e73fedbab6dda0d4fa4d0c3bd43a4aecb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MCyhYPZrCclg.bat

Filesize
207B

MD5
784a2bfccde2c914bfafe567f5a0cf12

SHA1
70995922ec8bd629fbcc0229aca59cab0683ab53

SHA256
f19075e87f441bf3e6e12c026c968f51664928ac8399410fa3bbc70497d53aaf

SHA512
b2edecfe8ff6ff5729e04ad95eba3fe11ae5d70b6ee92ade7b89e9520391b98b5b0b8be1520d309b1ee133d7bdbac5dc0d25a83054d75e7f53ad603ed03db04d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PcFVwrkbdggl.bat

Filesize
207B

MD5
9cb8d90858882ae44a99995c85d4682e

SHA1
d2dc71df46232d7fa56920f9d2c3856bc24058ff

SHA256
fb25c53a3872d68ac7b4040ef7f524b9d745ff0eefff437a8cbe79e69ce4d705

SHA512
c2cea060d5beb0fa0cdecf3de9a12cbbf1ba1c363ef17bfeac0bf11c1fc89918c22797406d4bf79f364f2b76a5e9345d8781006c0bf500c545d7fe760c97f276

Download Submit
C:\Users\Admin\AppData\Local\Temp\fHbPMeWZtkP8.bat

Filesize
207B

MD5
3259b8efa27e16d3678eebf5df55f52a

SHA1
f67f22a0e06a874e2c1e3d6622b9679daefb1d7a

SHA256
99e5a1f8917662e46f8404a8bd30c2bae9c9e0b38f705f9fa9ba0ea091815c8f

SHA512
5e7410b7e113aa040786c42464666b3270e23cc72d7dc1408f17da3302721627093f52b8ec6951eb7b948a184796bb7fd71d345b1a543ea35d7cd85579d5bb6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\n4h3S1mPI30i.bat

Filesize
207B

MD5
6f4dd881a4c64b7df9df789160b6974f

SHA1
f41456f350a83ee134ad5ff0ce67bf59a353c4ae

SHA256
53d40b9798862271cb8b602113f27fff9da1c476822c7f915344f102ce9d35b3

SHA512
30037a1cb9fbb825359735b92e839f9561f36bd9a96bb1338a410ff15521f12c2e3e77a3120753bc75a4633a0c21d0a2fc7dfa1e3ba4e1d4de0af5a26fe57e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\npvYVpgU4Vtn.bat

Filesize
207B

MD5
fb4c5f95b20b64940b148c62be99e53b

SHA1
c02d518de799fc35eae1401776577b29dd7588a7

SHA256
2f0b7d5ac2c10de4cc76009fe03fe3f7b0e5b900c34fb16df404ea19851e2723

SHA512
6084786b8145d0da8a378d47ce932726c3efadb05efc1c2edbd4f43f9e134c7fa02ac68fd450d66794a7311145dd30770bc8eb00b52da705492acfe914d58e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYYvPZFE4ROA.bat

Filesize
207B

MD5
39f6dee64ed0343a8d29870d6e8a23e0

SHA1
2088f9496bea7a018ad6bcb218f8d7daf2ffa599

SHA256
8a5d40db96712647ccd76ee657144c67d9c30b5752a196b2df63f50edbac5223

SHA512
e8ccc586b8166608c426e11af170e3c75a1e77d9f26a06f77967bbd87792ddd82482830a8374fabee841b736bcc6459334ebb9d214833b636fd1478345a08daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\v9HDOtNhpPjt.bat

Filesize
207B

MD5
d95c17fd87afcc99f519a48beb3add03

SHA1
512e529ef61fbe10c1cec753c9ce63d297a1be47

SHA256
0ec2d8c6aca2c83cf8bf788b89ddac62736cf5a56dd19bce3c8cc06f4e8054f0

SHA512
eb790fa3078663cb3bda5cc4f5ac6583a0d4db8c676dea312c89dc2ffea56d78fcfd3267d1c0d8997357266521958c56c7449f6935eb0b5e5cfac3395d42bf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vlUYOXDUXAur.bat

Filesize
207B

MD5
7716b1c73c2aadafcc5ca2c04bd1a970

SHA1
559b472b8be1c82bd0b83add443f356d8e3a7e7d

SHA256
ed749aa956edc9bbd544107e79f00d2e8985128f9ae9fcc07271b02986c99d2b

SHA512
4430d660bf8e3db383c065dabdf17d3a4035fe52ed327634aacded841dca3b5d0abf8b4ec9d18b5ddc8904a07ed196710f08d375208c3754317a7e01bf23e3ac

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
4489c3282400ad9e96ea5ca7c28e6369

SHA1
91a2016778cce0e880636d236efca38cf0a7713d

SHA256
cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77

SHA512
adaeab8aa666057ff008e86f96ae6b9a36ff2f276fdd49f6663c300357f3dc10f59fac7700bb385aa35887918a830e18bddaa41b3305d913566f58aa428a72b0

Download Submit
memory/2324-18-0x00007FF887D10000-0x00007FF8887D1000-memory.dmp

Filesize
10.8MB

Download
memory/2324-13-0x000000001CD10000-0x000000001CDC2000-memory.dmp

Filesize
712KB

Download
memory/2324-12-0x000000001CC00000-0x000000001CC50000-memory.dmp

Filesize
320KB

Download
memory/2324-11-0x00007FF887D10000-0x00007FF8887D1000-memory.dmp

Filesize
10.8MB

Download
memory/2324-9-0x00007FF887D10000-0x00007FF8887D1000-memory.dmp

Filesize
10.8MB

Download
memory/4392-0-0x00007FF887D13000-0x00007FF887D15000-memory.dmp

Filesize
8KB

Download
memory/4392-10-0x00007FF887D10000-0x00007FF8887D1000-memory.dmp

Filesize
10.8MB

Download
memory/4392-2-0x00007FF887D10000-0x00007FF8887D1000-memory.dmp

Filesize
10.8MB

Download
memory/4392-1-0x00000000000C0000-0x00000000003E4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads