Analysis
max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-12-2024 14:02
Behavioral task: behavioral1
Sample: e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3.exe
Resource: win7-20240903-en
General
Target: e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3.exe
Size: 3.1MB
MD5: e9a138d8c5ab2cccc8bf9976f66d30c8
SHA1: e996894168f0d4e852162d1290250dfa986310f8
SHA256: e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3
SHA512: 5982fc759c8b1121ab5befaac53e1521931f06d276140195fa1fcbcd1069f546253e366ef4cc37245b3bc2ed60c4b8d0583f133a1264efd77938adf456a08ccc
SSDEEP: 49152:fvrI22SsaNYfdPBldt698dBcjHCWvXE/sGkCqILo+dPVTHHB72eh2NT:fvU22SsaNYfdPBldt6+dBcjHCWvTm
Malware Config
Extracted
quasar
1.4.1
Office04
Dystopian-62863.portmap.host:62863
e1de8f9b-5a7a-4798-a6fb-c03591ef3442
encryption_key: 8C1BB32BFD240218BA0CB04D65341FB1FDE1E001
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: SubStart
subdirectory: SubDir
Signatures
Quasar family
Quasar payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/2992-1-0x00000000001D0000-0x00000000004F4000-memory.dmp | family_quasar
  behavioral2/files/0x000a000000023c8c-6.dat | family_quasar
Checks computer location settings (2 TTPs, 14 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | Client.exe
  (this entry is repeated 14 times in the report)
Executes dropped EXE (15 IoCs)
  pid: 4984, 3832, 5040, 1140, 216, 4532, 3328, 2404, 2100, 4760, 4632, 2076, 5028, 3192, 4260
  Process: Client.exe for every entry
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid: 4412, 4708, 2448, 4572, 3996, 2752, 1556, 4848, 1916, 4648, 1680, 1244, 5016, 1648, 2520
  Process: PING.EXE for every entry
Runs ping.exe (1 TTP, 15 IoCs)
  pid: 2752, 1556, 4708, 4848, 1916, 3996, 4648, 1680, 4412, 2448, 1648, 2520, 4572, 1244, 5016
  Process: PING.EXE for every entry
Scheduled Task/Job: Scheduled Task (1 TTP, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 4528, 4908, 1180, 2496, 2640, 3004, 3868, 4456, 4980, 5040, 3764, 4296, 4588, 4660, 2724, 3580
  Process: schtasks.exe for every entry
Suspicious use of AdjustPrivilegeToken (16 IoCs)
  description: Token: SeDebugPrivilege for every entry
  pid 2992 | e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3.exe
  pid 4984, 3832, 5040, 1140, 216, 4532, 3328, 2404, 2100, 4760, 4632, 2076, 5028, 3192, 4260 | Client.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 4984, 3328
  Process: Client.exe for both entries
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 2992 wrote to memory of 2724 | 2992 | e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3.exe | 83
  PID 2992 wrote to memory of 4984 | 2992 | e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3.exe | 85
  PID 4984 wrote to memory of 4528 | 4984 | Client.exe | 86
  PID 4984 wrote to memory of 2028 | 4984 | Client.exe | 89
  PID 2028 wrote to memory of 864 | 2028 | cmd.exe | 91
  PID 2028 wrote to memory of 1680 | 2028 | cmd.exe | 92
  PID 2028 wrote to memory of 3832 | 2028 | cmd.exe | 94
  PID 3832 wrote to memory of 3868 | 3832 | Client.exe | 95
  PID 3832 wrote to memory of 4600 | 3832 | Client.exe | 98
  PID 4600 wrote to memory of 4160 | 4600 | cmd.exe | 100
  PID 4600 wrote to memory of 4412 | 4600 | cmd.exe | 101
  PID 4600 wrote to memory of 5040 | 4600 | cmd.exe | 102
  PID 5040 wrote to memory of 4296 | 5040 | Client.exe | 103
  PID 5040 wrote to memory of 5100 | 5040 | Client.exe | 105
  PID 5100 wrote to memory of 1968 | 5100 | cmd.exe | 108
  PID 5100 wrote to memory of 4708 | 5100 | cmd.exe | 109
  PID 5100 wrote to memory of 1140 | 5100 | cmd.exe | 114
  PID 1140 wrote to memory of 3580 | 1140 | Client.exe | 115
  PID 1140 wrote to memory of 3504 | 1140 | Client.exe | 118
  PID 3504 wrote to memory of 3368 | 3504 | cmd.exe | 120
  PID 3504 wrote to memory of 4572 | 3504 | cmd.exe | 121
  PID 3504 wrote to memory of 216 | 3504 | cmd.exe | 123
  PID 216 wrote to memory of 4456 | 216 | Client.exe | 124
  PID 216 wrote to memory of 1908 | 216 | Client.exe | 127
  PID 1908 wrote to memory of 4508 | 1908 | cmd.exe | 129
  PID 1908 wrote to memory of 1244 | 1908 | cmd.exe | 130
  PID 1908 wrote to memory of 4532 | 1908 | cmd.exe | 131
  PID 4532 wrote to memory of 4908 | 4532 | Client.exe | 132
  PID 4532 wrote to memory of 868 | 4532 | Client.exe | 135
  PID 868 wrote to memory of 2020 | 868 | cmd.exe | 137
  PID 868 wrote to memory of 5016 | 868 | cmd.exe | 138
  PID 868 wrote to memory of 3328 | 868 | cmd.exe | 140
  (each write is recorded twice in the report, giving the 64 IoCs counted above)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(one entry per process; the number in brackets is the depth in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3.exe (PID 2992)
    command line: "C:\Users\Admin\AppData\Local\Temp\e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3.exe"
    signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[2] C:\Windows\SYSTEM32\schtasks.exe (PID 2724)
    command line: "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[2] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 4984)
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
[3] C:\Windows\SYSTEM32\schtasks.exe (PID 4528)
    command line: "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[3] C:\Windows\system32\cmd.exe (PID 2028)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5plwWPcBPv9D.bat" "
    signatures: Suspicious use of WriteProcessMemory
[4] C:\Windows\system32\chcp.com (PID 864)
    command line: chcp 65001
[4] C:\Windows\system32\PING.EXE (PID 1680)
    command line: ping -n 10 localhost
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[4] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 3832)
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[5] C:\Windows\SYSTEM32\schtasks.exe (PID 3868)
    command line: "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[5] C:\Windows\system32\cmd.exe (PID 4600)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LuAuV1MSLyG3.bat" "
    signatures: Suspicious use of WriteProcessMemory
[6] C:\Windows\system32\chcp.com (PID 4160)
    command line: chcp 65001
[6] C:\Windows\system32\PING.EXE (PID 4412)
    command line: ping -n 10 localhost
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[6] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 5040)
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[7] C:\Windows\SYSTEM32\schtasks.exe (PID 4296)
    command line: "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[7] C:\Windows\system32\cmd.exe (PID 5100)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\unoH6kwpODsF.bat" "
    signatures: Suspicious use of WriteProcessMemory
[8] C:\Windows\system32\chcp.com (PID 1968)
    command line: chcp 65001
[8] C:\Windows\system32\PING.EXE (PID 4708)
    command line: ping -n 10 localhost
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[8] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1140)
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[9] C:\Windows\SYSTEM32\schtasks.exe (PID 3580)
    command line: "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[9] C:\Windows\system32\cmd.exe (PID 3504)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AqrVvdJR4Qof.bat" "
    signatures: Suspicious use of WriteProcessMemory
[10] C:\Windows\system32\chcp.com (PID 3368)
    command line: chcp 65001
[10] C:\Windows\system32\PING.EXE (PID 4572)
    command line: ping -n 10 localhost
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[10] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 216)
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[11] C:\Windows\SYSTEM32\schtasks.exe (PID 4456)
    command line: "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[11] C:\Windows\system32\cmd.exe (PID 1908)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Nsq77EYgJfPi.bat" "
    signatures: Suspicious use of WriteProcessMemory
[12] C:\Windows\system32\chcp.com (PID 4508)
    command line: chcp 65001
[12] C:\Windows\system32\PING.EXE (PID 1244)
    command line: ping -n 10 localhost
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[12] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 4532)
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[13] C:\Windows\SYSTEM32\schtasks.exe (PID 4908)
    command line: "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[13] C:\Windows\system32\cmd.exe (PID 868)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M0wuW6vYZKcd.bat" "
    signatures: Suspicious use of WriteProcessMemory
[14] C:\Windows\system32\chcp.com (PID 2020)
    command line: chcp 65001
[14] C:\Windows\system32\PING.EXE (PID 5016)
    command line: ping -n 10 localhost
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[14] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 3328)
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
[15] C:\Windows\SYSTEM32\schtasks.exe (PID 1180)
    command line: "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[15] C:\Windows\system32\cmd.exe (PID 432)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LioIaXT7zHDb.bat" "
[16] C:\Windows\system32\chcp.com (PID 3856)
    command line: chcp 65001
[16] C:\Windows\system32\PING.EXE (PID 2752)
    command line: ping -n 10 localhost
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[16] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2404)
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[17] C:\Windows\SYSTEM32\schtasks.exe (PID 2496)
    command line: "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[17] C:\Windows\system32\cmd.exe (PID 1564)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fM1PMSY3nA7U.bat" "
[18] C:\Windows\system32\chcp.com (PID 4184)
    command line: chcp 65001
[18] C:\Windows\system32\PING.EXE (PID 1556)
    command line: ping -n 10 localhost
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[18] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2100)
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[19] C:\Windows\SYSTEM32\schtasks.exe (PID 4588)
    command line: "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[19] C:\Windows\system32\cmd.exe (PID 3160)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2gKHraMBgSzi.bat" "
[20] C:\Windows\system32\chcp.com (PID 2744)
    command line: chcp 65001
[20] C:\Windows\system32\PING.EXE (PID 2448)
    command line: ping -n 10 localhost
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[20] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 4760)
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[21] C:\Windows\SYSTEM32\schtasks.exe (PID 2640)
    command line: "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[21] C:\Windows\system32\cmd.exe (PID 3568)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ebKNVOxsGwPM.bat" "
[22] C:\Windows\system32\chcp.com (PID 4572)
    command line: chcp 65001
[22] C:\Windows\system32\PING.EXE (PID 1648)
    command line: ping -n 10 localhost
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[22] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 4632)
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[23] C:\Windows\SYSTEM32\schtasks.exe (PID 4660)
    command line: "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[23] C:\Windows\system32\cmd.exe (PID 5084)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oXJEElHSDuw4.bat" "
[24] C:\Windows\system32\chcp.com (PID 1244)
    command line: chcp 65001
[24] C:\Windows\system32\PING.EXE (PID 4848)
    command line: ping -n 10 localhost
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[24] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2076)
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[25] C:\Windows\SYSTEM32\schtasks.exe (PID 3004)
    command line: "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[25] C:\Windows\system32\cmd.exe (PID 4444)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JD1nXEeQQmSI.bat" "
[26] C:\Windows\system32\chcp.com (PID 2544)
    command line: chcp 65001
[26] C:\Windows\system32\PING.EXE (PID 1916)
    command line: ping -n 10 localhost
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[26] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 5028)
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[27] C:\Windows\SYSTEM32\schtasks.exe (PID 4980)
    command line: "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[27] C:\Windows\system32\cmd.exe (PID 1548)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B2NnXHS6gsva.bat" "
[28] C:\Windows\system32\chcp.com (PID 2064)
    command line: chcp 65001
[28] C:\Windows\system32\PING.EXE (PID 3996)
    command line: ping -n 10 localhost
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[28] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 3192)
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[29] C:\Windows\SYSTEM32\schtasks.exe (PID 5040)
    command line: "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[29] C:\Windows\system32\cmd.exe (PID 4268)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUlk80GD8p9B.bat" "
[30] C:\Windows\system32\chcp.com (PID 1460)
    command line: chcp 65001
[30] C:\Windows\system32\PING.EXE (PID 2520)
    command line: ping -n 10 localhost
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[30] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 4260)
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[31] C:\Windows\SYSTEM32\schtasks.exe (PID 3764)
    command line: "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[31] C:\Windows\system32\cmd.exe (PID 3384)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKRcuIP4PKyH.bat" "
[32] C:\Windows\system32\chcp.com (PID 1140)
    command line: chcp 65001
[32] C:\Windows\system32\PING.EXE (PID 4648)
    command line: ping -n 10 localhost
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
MITRE ATT&CK Enterprise v15
Downloads