Analysis

max time kernel: 144s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 14-12-2024 14:02

Behavioral task: behavioral1
Sample: e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3.exe
Resource: win7-20240903-en
General

Target: e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3.exe
Size: 3.1MB
MD5: e9a138d8c5ab2cccc8bf9976f66d30c8
SHA1: e996894168f0d4e852162d1290250dfa986310f8
SHA256: e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3
SHA512: 5982fc759c8b1121ab5befaac53e1521931f06d276140195fa1fcbcd1069f546253e366ef4cc37245b3bc2ed60c4b8d0583f133a1264efd77938adf456a08ccc
SSDEEP: 49152:fvrI22SsaNYfdPBldt698dBcjHCWvXE/sGkCqILo+dPVTHHB72eh2NT:fvU22SsaNYfdPBldt6+dBcjHCWvTm
Malware Config

Extracted
family: quasar
version: 1.4.1
botnet (tag): Office04
c2: Dystopian-62863.portmap.host:62863
mutex: e1de8f9b-5a7a-4798-a6fb-c03591ef3442
encryption_key: 8C1BB32BFD240218BA0CB04D65341FB1FDE1E001
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: SubStart
subdirectory: SubDir
Signatures

Quasar family

Quasar payload (12 IoCs)
  resource | yara_rule
  behavioral1/memory/2668-1-0x0000000001360000-0x0000000001684000-memory.dmp | family_quasar
  behavioral1/files/0x0008000000015685-6.dat | family_quasar
  behavioral1/memory/2792-9-0x00000000008F0000-0x0000000000C14000-memory.dmp | family_quasar
  behavioral1/memory/1028-23-0x0000000000CB0000-0x0000000000FD4000-memory.dmp | family_quasar
  behavioral1/memory/1980-34-0x00000000000F0000-0x0000000000414000-memory.dmp | family_quasar
  behavioral1/memory/2952-45-0x00000000011C0000-0x00000000014E4000-memory.dmp | family_quasar
  behavioral1/memory/444-56-0x00000000012F0000-0x0000000001614000-memory.dmp | family_quasar
  behavioral1/memory/1756-107-0x0000000001310000-0x0000000001634000-memory.dmp | family_quasar
  behavioral1/memory/2216-118-0x0000000000190000-0x00000000004B4000-memory.dmp | family_quasar
  behavioral1/memory/2112-129-0x0000000000E10000-0x0000000001134000-memory.dmp | family_quasar
  behavioral1/memory/1692-151-0x0000000001070000-0x0000000001394000-memory.dmp | family_quasar
  behavioral1/memory/2812-162-0x00000000010B0000-0x00000000013D4000-memory.dmp | family_quasar

Executes dropped EXE (15 IoCs)
  pid | Process
  2792 | Client.exe
  1028 | Client.exe
  1980 | Client.exe
  2952 | Client.exe
  444 | Client.exe
  1680 | Client.exe
  1084 | Client.exe
  2568 | Client.exe
  2400 | Client.exe
  1756 | Client.exe
  2216 | Client.exe
  2112 | Client.exe
  1300 | Client.exe
  1692 | Client.exe
  2812 | Client.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  2956 | PING.EXE
  1724 | PING.EXE
  1944 | PING.EXE
  1632 | PING.EXE
  2280 | PING.EXE
  1920 | PING.EXE
  3024 | PING.EXE
  2604 | PING.EXE
  1544 | PING.EXE
  1412 | PING.EXE
  2280 | PING.EXE
  3016 | PING.EXE
  1672 | PING.EXE
  2764 | PING.EXE
  636 | PING.EXE

Runs ping.exe (1 TTPs, 15 IoCs)
  pid | Process
  1632 | PING.EXE
  2956 | PING.EXE
  2280 | PING.EXE
  1724 | PING.EXE
  3016 | PING.EXE
  1672 | PING.EXE
  2764 | PING.EXE
  1412 | PING.EXE
  636 | PING.EXE
  2604 | PING.EXE
  1944 | PING.EXE
  2280 | PING.EXE
  1544 | PING.EXE
  1920 | PING.EXE
  3024 | PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2124 | schtasks.exe
  2932 | schtasks.exe
  2592 | schtasks.exe
  2820 | schtasks.exe
  2924 | schtasks.exe
  544 | schtasks.exe
  2040 | schtasks.exe
  1052 | schtasks.exe
  608 | schtasks.exe
  3032 | schtasks.exe
  1236 | schtasks.exe
  2460 | schtasks.exe
  2868 | schtasks.exe
  2136 | schtasks.exe
  2944 | schtasks.exe
  2780 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (16 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2668 | e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3.exe
  Token: SeDebugPrivilege | 2792 | Client.exe
  Token: SeDebugPrivilege | 1028 | Client.exe
  Token: SeDebugPrivilege | 1980 | Client.exe
  Token: SeDebugPrivilege | 2952 | Client.exe
  Token: SeDebugPrivilege | 444 | Client.exe
  Token: SeDebugPrivilege | 1680 | Client.exe
  Token: SeDebugPrivilege | 1084 | Client.exe
  Token: SeDebugPrivilege | 2568 | Client.exe
  Token: SeDebugPrivilege | 2400 | Client.exe
  Token: SeDebugPrivilege | 1756 | Client.exe
  Token: SeDebugPrivilege | 2216 | Client.exe
  Token: SeDebugPrivilege | 2112 | Client.exe
  Token: SeDebugPrivilege | 1300 | Client.exe
  Token: SeDebugPrivilege | 1692 | Client.exe
  Token: SeDebugPrivilege | 2812 | Client.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  2792 | Client.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 2668 wrote to memory of 2944 | 2668 | e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3.exe | 30
  PID 2668 wrote to memory of 2944 | 2668 | e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3.exe | 30
  PID 2668 wrote to memory of 2944 | 2668 | e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3.exe | 30
  PID 2668 wrote to memory of 2792 | 2668 | e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3.exe | 32
  PID 2668 wrote to memory of 2792 | 2668 | e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3.exe | 32
  PID 2668 wrote to memory of 2792 | 2668 | e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3.exe | 32
  PID 2792 wrote to memory of 2780 | 2792 | Client.exe | 33
  PID 2792 wrote to memory of 2780 | 2792 | Client.exe | 33
  PID 2792 wrote to memory of 2780 | 2792 | Client.exe | 33
  PID 2792 wrote to memory of 1724 | 2792 | Client.exe | 35
  PID 2792 wrote to memory of 1724 | 2792 | Client.exe | 35
  PID 2792 wrote to memory of 1724 | 2792 | Client.exe | 35
  PID 1724 wrote to memory of 2244 | 1724 | cmd.exe | 37
  PID 1724 wrote to memory of 2244 | 1724 | cmd.exe | 37
  PID 1724 wrote to memory of 2244 | 1724 | cmd.exe | 37
  PID 1724 wrote to memory of 3016 | 1724 | cmd.exe | 38
  PID 1724 wrote to memory of 3016 | 1724 | cmd.exe | 38
  PID 1724 wrote to memory of 3016 | 1724 | cmd.exe | 38
  PID 1724 wrote to memory of 1028 | 1724 | cmd.exe | 39
  PID 1724 wrote to memory of 1028 | 1724 | cmd.exe | 39
  PID 1724 wrote to memory of 1028 | 1724 | cmd.exe | 39
  PID 1028 wrote to memory of 544 | 1028 | Client.exe | 40
  PID 1028 wrote to memory of 544 | 1028 | Client.exe | 40
  PID 1028 wrote to memory of 544 | 1028 | Client.exe | 40
  PID 1028 wrote to memory of 2204 | 1028 | Client.exe | 42
  PID 1028 wrote to memory of 2204 | 1028 | Client.exe | 42
  PID 1028 wrote to memory of 2204 | 1028 | Client.exe | 42
  PID 2204 wrote to memory of 2860 | 2204 | cmd.exe | 44
  PID 2204 wrote to memory of 2860 | 2204 | cmd.exe | 44
  PID 2204 wrote to memory of 2860 | 2204 | cmd.exe | 44
  PID 2204 wrote to memory of 1944 | 2204 | cmd.exe | 45
  PID 2204 wrote to memory of 1944 | 2204 | cmd.exe | 45
  PID 2204 wrote to memory of 1944 | 2204 | cmd.exe | 45
  PID 2204 wrote to memory of 1980 | 2204 | cmd.exe | 46
  PID 2204 wrote to memory of 1980 | 2204 | cmd.exe | 46
  PID 2204 wrote to memory of 1980 | 2204 | cmd.exe | 46
  PID 1980 wrote to memory of 1236 | 1980 | Client.exe | 47
  PID 1980 wrote to memory of 1236 | 1980 | Client.exe | 47
  PID 1980 wrote to memory of 1236 | 1980 | Client.exe | 47
  PID 1980 wrote to memory of 1968 | 1980 | Client.exe | 49
  PID 1980 wrote to memory of 1968 | 1980 | Client.exe | 49
  PID 1980 wrote to memory of 1968 | 1980 | Client.exe | 49
  PID 1968 wrote to memory of 2836 | 1968 | cmd.exe | 51
  PID 1968 wrote to memory of 2836 | 1968 | cmd.exe | 51
  PID 1968 wrote to memory of 2836 | 1968 | cmd.exe | 51
  PID 1968 wrote to memory of 1632 | 1968 | cmd.exe | 52
  PID 1968 wrote to memory of 1632 | 1968 | cmd.exe | 52
  PID 1968 wrote to memory of 1632 | 1968 | cmd.exe | 52
  PID 1968 wrote to memory of 2952 | 1968 | cmd.exe | 54
  PID 1968 wrote to memory of 2952 | 1968 | cmd.exe | 54
  PID 1968 wrote to memory of 2952 | 1968 | cmd.exe | 54
  PID 2952 wrote to memory of 2040 | 2952 | Client.exe | 55
  PID 2952 wrote to memory of 2040 | 2952 | Client.exe | 55
  PID 2952 wrote to memory of 2040 | 2952 | Client.exe | 55
  PID 2952 wrote to memory of 2112 | 2952 | Client.exe | 57
  PID 2952 wrote to memory of 2112 | 2952 | Client.exe | 57
  PID 2952 wrote to memory of 2112 | 2952 | Client.exe | 57
  PID 2112 wrote to memory of 2268 | 2112 | cmd.exe | 59
  PID 2112 wrote to memory of 2268 | 2112 | cmd.exe | 59
  PID 2112 wrote to memory of 2268 | 2112 | cmd.exe | 59
  PID 2112 wrote to memory of 1672 | 2112 | cmd.exe | 60
  PID 2112 wrote to memory of 1672 | 2112 | cmd.exe | 60
  PID 2112 wrote to memory of 1672 | 2112 | cmd.exe | 60
  PID 2112 wrote to memory of 444 | 2112 | cmd.exe | 61

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Each entry gives the depth in the process tree, the image path, the command line and the PID; the indented items are the signatures that matched that process.

depth 1 | C:\Users\Admin\AppData\Local\Temp\e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3.exe | "C:\Users\Admin\AppData\Local\Temp\e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3.exe" | PID 2668
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 2 | C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f | PID 2944
  - Scheduled Task/Job: Scheduled Task

depth 2 | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" | PID 2792
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

depth 3 | C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f | PID 2780
  - Scheduled Task/Job: Scheduled Task

depth 3 | C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\0B3lboEjDh9u.bat" " | PID 1724
  - Suspicious use of WriteProcessMemory

depth 4 | C:\Windows\system32\chcp.com | chcp 65001 | PID 2244

depth 4 | C:\Windows\system32\PING.EXE | ping -n 10 localhost | PID 3016
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 4 | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" | PID 1028
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 5 | C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f | PID 544
  - Scheduled Task/Job: Scheduled Task

depth 5 | C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\MPVcuUqKXOAE.bat" " | PID 2204
  - Suspicious use of WriteProcessMemory

depth 6 | C:\Windows\system32\chcp.com | chcp 65001 | PID 2860

depth 6 | C:\Windows\system32\PING.EXE | ping -n 10 localhost | PID 1944
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 6 | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" | PID 1980
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 7 | C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f | PID 1236
  - Scheduled Task/Job: Scheduled Task

depth 7 | C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\9e3PVvl6cuKo.bat" " | PID 1968
  - Suspicious use of WriteProcessMemory

depth 8 | C:\Windows\system32\chcp.com | chcp 65001 | PID 2836

depth 8 | C:\Windows\system32\PING.EXE | ping -n 10 localhost | PID 1632
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 8 | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" | PID 2952
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 9 | C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f | PID 2040
  - Scheduled Task/Job: Scheduled Task

depth 9 | C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\tIkKYhtgrWzO.bat" " | PID 2112
  - Suspicious use of WriteProcessMemory

depth 10 | C:\Windows\system32\chcp.com | chcp 65001 | PID 2268

depth 10 | C:\Windows\system32\PING.EXE | ping -n 10 localhost | PID 1672
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 10 | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" | PID 444
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 11 | C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f | PID 1052
  - Scheduled Task/Job: Scheduled Task

depth 11 | C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\keMXidJn6v4g.bat" " | PID 1340

depth 12 | C:\Windows\system32\chcp.com | chcp 65001 | PID 1780

depth 12 | C:\Windows\system32\PING.EXE | ping -n 10 localhost | PID 1544
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 12 | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" | PID 1680
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 13 | C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f | PID 608
  - Scheduled Task/Job: Scheduled Task

depth 13 | C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\YLSpI62jUz3i.bat" " | PID 2360

depth 14 | C:\Windows\system32\chcp.com | chcp 65001 | PID 704

depth 14 | C:\Windows\system32\PING.EXE | ping -n 10 localhost | PID 2280
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 14 | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" | PID 1084
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 15 | C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f | PID 2124
  - Scheduled Task/Job: Scheduled Task

depth 15 | C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\8WoKtQKJWbYl.bat" " | PID 2712

depth 16 | C:\Windows\system32\chcp.com | chcp 65001 | PID 2748

depth 16 | C:\Windows\system32\PING.EXE | ping -n 10 localhost | PID 2764
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 16 | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" | PID 2568
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 17 | C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f | PID 2820
  - Scheduled Task/Job: Scheduled Task

depth 17 | C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\btcu7MTtr0JM.bat" " | PID 532

depth 18 | C:\Windows\system32\chcp.com | chcp 65001 | PID 1020

depth 18 | C:\Windows\system32\PING.EXE | ping -n 10 localhost | PID 1920
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 18 | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" | PID 2400
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 19 | C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f | PID 2460
  - Scheduled Task/Job: Scheduled Task

depth 19 | C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\yeEPT3gisc2n.bat" " | PID 2860

depth 20 | C:\Windows\system32\chcp.com | chcp 65001 | PID 2036

depth 20 | C:\Windows\system32\PING.EXE | ping -n 10 localhost | PID 1412
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 20 | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" | PID 1756
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 21 | C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f | PID 2868
  - Scheduled Task/Job: Scheduled Task

depth 21 | C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\dt7HEW5D70Wx.bat" " | PID 2836

depth 22 | C:\Windows\system32\chcp.com | chcp 65001 | PID 2960

depth 22 | C:\Windows\system32\PING.EXE | ping -n 10 localhost | PID 2956
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 22 | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" | PID 2216
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 23 | C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f | PID 2136
  - Scheduled Task/Job: Scheduled Task

depth 23 | C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\NGDZSC3qxBcs.bat" " | PID 1204

depth 24 | C:\Windows\system32\chcp.com | chcp 65001 | PID 1788

depth 24 | C:\Windows\system32\PING.EXE | ping -n 10 localhost | PID 636
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 24 | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" | PID 2112
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 25 | C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f | PID 2924
  - Scheduled Task/Job: Scheduled Task

depth 25 | C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\0RkkTMyOdCBm.bat" " | PID 2192

depth 26 | C:\Windows\system32\chcp.com | chcp 65001 | PID 1596

depth 26 | C:\Windows\system32\PING.EXE | ping -n 10 localhost | PID 3024
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 26 | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" | PID 1300
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 27 | C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f | PID 3032
  - Scheduled Task/Job: Scheduled Task

depth 27 | C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\YX9LYXRFRGpC.bat" " | PID 2524

depth 28 | C:\Windows\system32\chcp.com | chcp 65001 | PID 1816

depth 28 | C:\Windows\system32\PING.EXE | ping -n 10 localhost | PID 2280
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 28 | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" | PID 1692
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 29 | C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f | PID 2932
  - Scheduled Task/Job: Scheduled Task

depth 29 | C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\SDPpfe5IezzW.bat" " | PID 2152

depth 30 | C:\Windows\system32\chcp.com | chcp 65001 | PID 2184

depth 30 | C:\Windows\system32\PING.EXE | ping -n 10 localhost | PID 2604
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 30 | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" | PID 2812
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 31 | C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f | PID 2592
  - Scheduled Task/Job: Scheduled Task

depth 31 | C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\jlNgH244kg3d.bat" " | PID 2576

depth 32 | C:\Windows\system32\chcp.com | chcp 65001 | PID 792

depth 32 | C:\Windows\system32\PING.EXE | ping -n 10 localhost | PID 1724
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads