quasar | e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3.exe
Size

3.1MB
MD5

e9a138d8c5ab2cccc8bf9976f66d30c8
SHA1

e996894168f0d4e852162d1290250dfa986310f8
SHA256

e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3
SHA512

5982fc759c8b1121ab5befaac53e1521931f06d276140195fa1fcbcd1069f546253e366ef4cc37245b3bc2ed60c4b8d0583f133a1264efd77938adf456a08ccc
SSDEEP

49152:fvrI22SsaNYfdPBldt698dBcjHCWvXE/sGkCqILo+dPVTHHB72eh2NT:fvU22SsaNYfdPBldt6+dBcjHCWvTm

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

Dystopian-62863.portmap.host:62863

Mutex

e1de8f9b-5a7a-4798-a6fb-c03591ef3442

Attributes

encryption_key
8C1BB32BFD240218BA0CB04D65341FB1FDE1E001
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SubStart
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/1620-1-0x0000000000030000-0x0000000000354000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b99-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
3684	Client.exe
244	Client.exe
3964	Client.exe
3376	Client.exe
2312	Client.exe
2904	Client.exe
2884	Client.exe
2992	Client.exe
3096	Client.exe
5048	Client.exe
1320	Client.exe
3580	Client.exe
3684	Client.exe
1952	Client.exe
2676	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2688	PING.EXE
392	PING.EXE
5004	PING.EXE
2152	PING.EXE
3232	PING.EXE
3544	PING.EXE
4180	PING.EXE
2420	PING.EXE
2148	PING.EXE
4892	PING.EXE
1320	PING.EXE
376	PING.EXE
1392	PING.EXE
1280	PING.EXE
1912	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
392	PING.EXE
4180	PING.EXE
2420	PING.EXE
4892	PING.EXE
5004	PING.EXE
376	PING.EXE
1392	PING.EXE
2148	PING.EXE
2152	PING.EXE
2688	PING.EXE
1912	PING.EXE
1320	PING.EXE
1280	PING.EXE
3232	PING.EXE
3544	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
440	schtasks.exe
3724	schtasks.exe
3944	schtasks.exe
372	schtasks.exe
1788	schtasks.exe
4512	schtasks.exe
1340	schtasks.exe
1704	schtasks.exe
2448	schtasks.exe
4336	schtasks.exe
1280	schtasks.exe
436	schtasks.exe
2608	schtasks.exe
3936	schtasks.exe
1500	schtasks.exe
2392	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1620	e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3.exe
Token: SeDebugPrivilege	3684	Client.exe
Token: SeDebugPrivilege	244	Client.exe
Token: SeDebugPrivilege	3964	Client.exe
Token: SeDebugPrivilege	3376	Client.exe
Token: SeDebugPrivilege	2312	Client.exe
Token: SeDebugPrivilege	2904	Client.exe
Token: SeDebugPrivilege	2884	Client.exe
Token: SeDebugPrivilege	2992	Client.exe
Token: SeDebugPrivilege	3096	Client.exe
Token: SeDebugPrivilege	5048	Client.exe
Token: SeDebugPrivilege	1320	Client.exe
Token: SeDebugPrivilege	3580	Client.exe
Token: SeDebugPrivilege	3684	Client.exe
Token: SeDebugPrivilege	1952	Client.exe
Token: SeDebugPrivilege	2676	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 372	1620	e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3.exe	82
PID 1620 wrote to memory of 372	1620	e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3.exe	82
PID 1620 wrote to memory of 3684	1620	e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3.exe	84
PID 1620 wrote to memory of 3684	1620	e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3.exe	84
PID 3684 wrote to memory of 1788	3684	Client.exe	85
PID 3684 wrote to memory of 1788	3684	Client.exe	85
PID 3684 wrote to memory of 3604	3684	Client.exe	87
PID 3684 wrote to memory of 3604	3684	Client.exe	87
PID 3604 wrote to memory of 2688	3604	cmd.exe	89
PID 3604 wrote to memory of 2688	3604	cmd.exe	89
PID 3604 wrote to memory of 392	3604	cmd.exe	90
PID 3604 wrote to memory of 392	3604	cmd.exe	90
PID 3604 wrote to memory of 244	3604	cmd.exe	93
PID 3604 wrote to memory of 244	3604	cmd.exe	93
PID 244 wrote to memory of 4512	244	Client.exe	96
PID 244 wrote to memory of 4512	244	Client.exe	96
PID 244 wrote to memory of 2152	244	Client.exe	98
PID 244 wrote to memory of 2152	244	Client.exe	98
PID 2152 wrote to memory of 2156	2152	cmd.exe	100
PID 2152 wrote to memory of 2156	2152	cmd.exe	100
PID 2152 wrote to memory of 5004	2152	cmd.exe	101
PID 2152 wrote to memory of 5004	2152	cmd.exe	101
PID 2152 wrote to memory of 3964	2152	cmd.exe	105
PID 2152 wrote to memory of 3964	2152	cmd.exe	105
PID 3964 wrote to memory of 436	3964	Client.exe	106
PID 3964 wrote to memory of 436	3964	Client.exe	106
PID 3964 wrote to memory of 4684	3964	Client.exe	108
PID 3964 wrote to memory of 4684	3964	Client.exe	108
PID 4684 wrote to memory of 1488	4684	cmd.exe	110
PID 4684 wrote to memory of 1488	4684	cmd.exe	110
PID 4684 wrote to memory of 4180	4684	cmd.exe	111
PID 4684 wrote to memory of 4180	4684	cmd.exe	111
PID 4684 wrote to memory of 3376	4684	cmd.exe	113
PID 4684 wrote to memory of 3376	4684	cmd.exe	113
PID 3376 wrote to memory of 2608	3376	Client.exe	114
PID 3376 wrote to memory of 2608	3376	Client.exe	114
PID 3376 wrote to memory of 4520	3376	Client.exe	116
PID 3376 wrote to memory of 4520	3376	Client.exe	116
PID 4520 wrote to memory of 4784	4520	cmd.exe	119
PID 4520 wrote to memory of 4784	4520	cmd.exe	119
PID 4520 wrote to memory of 1320	4520	cmd.exe	120
PID 4520 wrote to memory of 1320	4520	cmd.exe	120
PID 4520 wrote to memory of 2312	4520	cmd.exe	121
PID 4520 wrote to memory of 2312	4520	cmd.exe	121
PID 2312 wrote to memory of 1340	2312	Client.exe	122
PID 2312 wrote to memory of 1340	2312	Client.exe	122
PID 2312 wrote to memory of 4472	2312	Client.exe	124
PID 2312 wrote to memory of 4472	2312	Client.exe	124
PID 4472 wrote to memory of 2740	4472	cmd.exe	126
PID 4472 wrote to memory of 2740	4472	cmd.exe	126
PID 4472 wrote to memory of 2420	4472	cmd.exe	127
PID 4472 wrote to memory of 2420	4472	cmd.exe	127
PID 4472 wrote to memory of 2904	4472	cmd.exe	128
PID 4472 wrote to memory of 2904	4472	cmd.exe	128
PID 2904 wrote to memory of 440	2904	Client.exe	129
PID 2904 wrote to memory of 440	2904	Client.exe	129
PID 2904 wrote to memory of 2832	2904	Client.exe	131
PID 2904 wrote to memory of 2832	2904	Client.exe	131
PID 2832 wrote to memory of 3716	2832	cmd.exe	133
PID 2832 wrote to memory of 3716	2832	cmd.exe	133
PID 2832 wrote to memory of 1280	2832	cmd.exe	134
PID 2832 wrote to memory of 1280	2832	cmd.exe	134
PID 2832 wrote to memory of 2884	2832	cmd.exe	135
PID 2832 wrote to memory of 2884	2832	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3.exe
"C:\Users\Admin\AppData\Local\Temp\e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:372
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOPMmVVKkHGI.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2688
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:392
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:244
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4512
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fowky3zyT0ME.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2152
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2156
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5004
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NssScOllySKe.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1488
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4180
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUS3ltgCaus1.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1320
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jdUvEhYZj51o.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2420
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b4tzWIHrZRl2.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3716
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1280
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s25wdub9TbQZ.bat" "
        15⤵
        
        PID:2392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3668
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2148
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FG1CRlBi8wC7.bat" "
        17⤵
        
        PID:4568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3488
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2152
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3096
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KcAh7mjzbyaF.bat" "
        19⤵
        
        PID:1748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:376
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5048
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiMuaR1GJb3s.bat" "
        21⤵
        
        PID:4784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1472
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3232
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6nWS38GdU5aE.bat" "
        23⤵
        
        PID:740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4128
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3544
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3580
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKUGDX673LIQ.bat" "
        25⤵
        
        PID:1752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2336
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4892
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3684
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1280
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fRotW4dpmHaN.bat" "
        27⤵
        
        PID:3116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3360
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2688
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F4lJnvAZyo2B.bat" "
        29⤵
        
        PID:1844
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:3020
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1392
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ENYA3WHGxsyw.bat" "
        31⤵
        
        PID:4864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4476
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6nWS38GdU5aE.bat

Filesize
207B

MD5
ae7ebfb9a7c5b347a842e0ddb51932cc

SHA1
c0595e60973d8262b3d18c6427009c9eb744f737

SHA256
3eb0245f5228efe7a400cddef28efb4f5a81ef0c81ae183aaf3a813955cc8867

SHA512
f46987fe4872567fe675657f588f42e8dfb05a6e1aa9fb704a497c8f74bdd5d6615e499fd9a812169447afabd25795f446075efab7d95e48bde7bdda2c3b2ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUS3ltgCaus1.bat

Filesize
207B

MD5
45b7da1a5c5a622ad43fe752a74f6d77

SHA1
c47bac24c4655e473b96d80e3481f770ca934180

SHA256
b7ecd81146324ee2695b29802e1374e9d7f75b97924e8706a81757e4f3ddf9c0

SHA512
0e47e31f9e436f825a7289d1d64981d04aeaccc5b25a01707e36657d609d40a01042053e69f2815e7f15349cd5496c63f3aa31e3d93f92359b307be9f123268e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ENYA3WHGxsyw.bat

Filesize
207B

MD5
fa21eae06acc6c21a6346494b9f2b115

SHA1
f8f44103291c0a599d71774911b77a10312ebafc

SHA256
95245ac620ea6437c2d306d77f8efec204de4438e3770c69ce8168393089371f

SHA512
92d8b9800fa6acd2f55a61047c739f1fa699d92b21ff06a177c6cdc3f0bc4be59f5613597f309635a62b5048b819dc688ca1c991fa1818bfce999059d62c29c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EiMuaR1GJb3s.bat

Filesize
207B

MD5
9648571e9317c71c84fc3f5e968fb88e

SHA1
04a826ef1b2c9a6b6964ec92e7dc224653f3356e

SHA256
1118c0fcfca4e3d857fb4404cf4439acf6459cc68116fb41f2b9199ee4f4fbc5

SHA512
9bf6578abd463a57e3f6084e4e03aa8b6fc49bd1136041e55c66f6bbf3f84f91d87bf76446105e06dffa7951ef3ff2a80b65768b89130be0bea50fab5cfbd79d

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4lJnvAZyo2B.bat

Filesize
207B

MD5
0c9ca64bb487a3b45a9b72faea000eaf

SHA1
f4237339d2f742ef70b7bd9ea7a4fa26d3bf86f1

SHA256
4fc509f50f35ae95fba696cdb4d6743b57500c09f870891225bf9d513823d88f

SHA512
94392c8ade8454200d1597702f166f454d033e034a01352b442eaa06e0a8282b76253e6bc8fb2e8c54ea690d35b5856863a80d2ec027499eadb8eea43869e5d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\FG1CRlBi8wC7.bat

Filesize
207B

MD5
6f3de590bc733abe407f0e8e799fd199

SHA1
6af952d910e2e31ff76d80fe39678cf45b1326a8

SHA256
74816be9d62d8c5f6502227cf556d49aac8bb28a8669a9275b88119a816f406f

SHA512
42ff9294d64b3f27d36915392a8843e9c0c76e15389d617f3686f009e5c8582bde5fda25544f17422896f7693433fd3d71eed09ab193e14c23672ba798d29a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\FKUGDX673LIQ.bat

Filesize
207B

MD5
ccf051292a76a89bed5cc3dbba33efa7

SHA1
d1f13f4ce0c77df7338aa7470194f1e532510381

SHA256
89b02e36b04c5ab8d5ad578746ed3a3df893dfc1970502491d3cdefbed8c68b1

SHA512
2735e21715f30edb3cb7678ded2b5ea5a2f8a3dbec813d34b38ea6335539f30f0225818e75dff8a0c7e61d2ef83322b1055f2f17cf6ec378b1b3bf18897e9cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FOPMmVVKkHGI.bat

Filesize
207B

MD5
e54cc1813bdec967c0eb69b2071eb8ac

SHA1
dd51f1d25f3d8de8779de73051d9b6af872add8f

SHA256
b751364903792ee7f9cc1af2f7dc893ea274332ec4ba563aa9e92159b30a175f

SHA512
02761bf9956b8140c9e675045ddf1c15a49e45332f637b128cada0c682c17280954c88ae1ade5f4973e35d4559d72f253cbd1a61e51cf0e023edd3a810fd6d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcAh7mjzbyaF.bat

Filesize
207B

MD5
0e007cf1230f6df58ad19f0835b3bf75

SHA1
efd7249bc6b1e497c1b6053a3497d235a54131b1

SHA256
335749b871e566c7aa641fb0d585bd74f22b87ca3f4ff326ac4fe0a85ca8b229

SHA512
abb6d10a2e527408330b929b1197573c19976479ff91b713bf69fa87147a15f4a3665cce1a4755311b1aeec6f4fdd97ca67d416794bcf44903a2449652893f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NssScOllySKe.bat

Filesize
207B

MD5
0a0ef84b9edcf98428f807fc77fc77eb

SHA1
a0f50e8f2f4a613cbb4683f15fae494893f5c2f0

SHA256
3ff98ae197a911c20617e7a2def973074f4f17a99ffa63ef69bf43d15650dc97

SHA512
cbbeaa4745aaeb7bb01892856ebf06791c17bedfa8b6d6be70fafca115982f828b3feb24d74975692a4ecd20680d2fe16d53c1701241b8ca1981dc09c4bd44f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4tzWIHrZRl2.bat

Filesize
207B

MD5
e81e72210122e54e19f1a5b169d2f6f2

SHA1
734dad4ceeea7b5a746bc17c1d025c9664892712

SHA256
354338675b49d9f44ef947e0e4564bab0a76dc46dcf7a7f9db444be0a89808cb

SHA512
6fa5c5975a01b8f8e3d21afa99c1b3368d7d46df68c8ddc04345219dcf3fb6d1858b78dee3d224af926f0d608c210f10406ed2bf2e2858cedc987ae8e79d85d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fRotW4dpmHaN.bat

Filesize
207B

MD5
54c602bc1d9472cb7fb7b1b28b978f64

SHA1
838588db0e5644d8556d2b78ce0e643dad8a277c

SHA256
f1cf644fe4721da9d31445d5d70cdb610ff549a9e194b56300d1d5fc86f21739

SHA512
722f5e85e399f22112a402859be917300af1b1c196554cf05cda8b6e8155ff20c01fe8f903d17040f8a4828fc8e8c156f9d35375645c6b1a54ea931f0a8caeb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fowky3zyT0ME.bat

Filesize
207B

MD5
6bdd55746cf711eef82b34aba4e4e98b

SHA1
e7bbddf38a365383bafe9e47df075690c9e98139

SHA256
4c18b078f73fadb243c960cee1f0af0499fe3cf100356704932b24117b3911d2

SHA512
b7056761044830eca140403dd5f2f4e80da02e2963d8144b4542e01c8fb67d399d70469ca1c098b467bb27a54cc3716fa741fdbcb116f0bfec85b77b9b5c7ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jdUvEhYZj51o.bat

Filesize
207B

MD5
026c37b63e13fe810c827809a09ff04d

SHA1
52c384a48ae167d148081aa912aad31e1cf92b7c

SHA256
5c02dd712625cc44806a5e036fc8e7e5c89e3a5cbc1acc3fe1198afa329a37e6

SHA512
63798f0c63f892e24d7376516c209a0a6561a25f9db7d302d50801222a20670ee34265a359162734e682da1002e19da95a0136db03d16167c21d91c1c4e93324

Download Submit
C:\Users\Admin\AppData\Local\Temp\s25wdub9TbQZ.bat

Filesize
207B

MD5
a2a5b3c9d5454c3c93a68d7c57664fdb

SHA1
49ca87af399ee71fa7bec3ba6af1689c185bb564

SHA256
1b60bb81c78f17cd2df80bf983343a4fa53f420c29afd33eb08552d2a6b51b73

SHA512
0dbea92aa75d6a64fbaeaa4ab760894023f9f11758d23712ad61eaaa168856aa0636e07e818d597f764529910eebd8c820eb2f8672d15b2aa4a39500a5378cfb

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
e9a138d8c5ab2cccc8bf9976f66d30c8

SHA1
e996894168f0d4e852162d1290250dfa986310f8

SHA256
e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3

SHA512
5982fc759c8b1121ab5befaac53e1521931f06d276140195fa1fcbcd1069f546253e366ef4cc37245b3bc2ed60c4b8d0583f133a1264efd77938adf456a08ccc

Download Submit
memory/1620-0-0x00007FFB52293000-0x00007FFB52295000-memory.dmp

Filesize
8KB

Download
memory/1620-10-0x00007FFB52290000-0x00007FFB52D51000-memory.dmp

Filesize
10.8MB

Download
memory/1620-2-0x00007FFB52290000-0x00007FFB52D51000-memory.dmp

Filesize
10.8MB

Download
memory/1620-1-0x0000000000030000-0x0000000000354000-memory.dmp

Filesize
3.1MB

Download
memory/3684-18-0x00007FFB52290000-0x00007FFB52D51000-memory.dmp

Filesize
10.8MB

Download
memory/3684-13-0x000000001BC60000-0x000000001BD12000-memory.dmp

Filesize
712KB

Download
memory/3684-12-0x00000000025B0000-0x0000000002600000-memory.dmp

Filesize
320KB

Download
memory/3684-11-0x00007FFB52290000-0x00007FFB52D51000-memory.dmp

Filesize
10.8MB

Download
memory/3684-9-0x00007FFB52290000-0x00007FFB52D51000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads