Analysis
max time kernel: 145s
max time network: 111s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241211-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 17-12-2024 22:11
General
Target: ggff.exe
Size: 3.1MB
MD5: 9bcbafeac1f399303090ac7f3a805aa9
SHA1: a1d6a496f8468ac6257beeb2eaf5b368f88da1be
SHA256: 01f708414e049d3c7c030c7fc6f584ac905a4b9eba6377e036e6e54eb14fb2cc
SHA512: 567c8c02532846277604e310ac95baee0da887676b482f9f00a42564dc92258c1eacdccfdf59f82867ed9a9257504dc646bb2d900fd122dd2881e6fef9275dbd
SSDEEP: 49152:XvilL26AaNeWgPhlmVqvMQ7XSKZVZe1J6LoGdxoTHHB72eh2NT:XvaL26AaNeWgPhlmVqkQ7XSKZVZ5
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: science-attract.gl.at.ply.gg::13548
Mutex: 6ad33fe9-6ed2-45c9-940d-96954b1558e6
Attributes:
  encryption_key: E040A051368780825E373BF53836EF5E3A5FBF62
  install_name: Client.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: WindowsDefender.exe
  subdirectory: SubDir
Signatures

Quasar family

Quasar payload (2 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/2872-1-0x0000000000E80000-0x00000000011A4000-memory.dmp   family_quasar
  behavioral1/files/0x00280000000460d0-3.dat                                  family_quasar

Checks computer location settings (2 TTPs, 15 IoCs)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation
  Process: Client.exe
  (the same query is recorded 15 times in the report)

Executes dropped EXE (15 IoCs)
  Process: Client.exe
  pids: 3616, 3848, 4552, 2480, 2864, 4436, 2632, 232, 1760, 4632, 32, 4220, 2460, 3780, 3764

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  Process: PING.EXE
  pids: 3708, 2512, 1448, 1016, 4684, 3284, 4116, 1540, 1708, 2184, 4552, 3600, 5084, 980, 3104

Runs ping.exe (1 TTPs, 15 IoCs)
  Process: PING.EXE
  pids: 3284, 3600, 3708, 1016, 4684, 1708, 2184, 980, 4116, 5084, 2512, 1448, 4552, 1540, 3104

Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  Process: schtasks.exe
  pids: 3268, 1824, 3912, 2624, 4352, 1416, 2496, 3784, 2844, 3468, 4880, 5092, 4540, 2732, 3880, 3696

Suspicious use of AdjustPrivilegeToken (16 IoCs)
  description: Token: SeDebugPrivilege
  pid   Process
  2872  ggff.exe
  3616  Client.exe
  3848  Client.exe
  4552  Client.exe
  2480  Client.exe
  2864  Client.exe
  4436  Client.exe
  2632  Client.exe
  232   Client.exe
  1760  Client.exe
  4632  Client.exe
  32    Client.exe
  4220  Client.exe
  2460  Client.exe
  3780  Client.exe
  3764  Client.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  (each of the 32 rows below is recorded twice in the report, giving 64 IoCs)
  description                        pid   Process     procid_target
  PID 2872 wrote to memory of 3468   2872  ggff.exe    81
  PID 2872 wrote to memory of 3616   2872  ggff.exe    83
  PID 3616 wrote to memory of 2624   3616  Client.exe  84
  PID 3616 wrote to memory of 2776   3616  Client.exe  86
  PID 2776 wrote to memory of 4160   2776  cmd.exe     88
  PID 2776 wrote to memory of 3708   2776  cmd.exe     89
  PID 2776 wrote to memory of 3848   2776  cmd.exe     90
  PID 3848 wrote to memory of 4880   3848  Client.exe  91
  PID 3848 wrote to memory of 4280   3848  Client.exe  93
  PID 4280 wrote to memory of 4724   4280  cmd.exe     95
  PID 4280 wrote to memory of 2184   4280  cmd.exe     96
  PID 4280 wrote to memory of 4552   4280  cmd.exe     97
  PID 4552 wrote to memory of 3268   4552  Client.exe  98
  PID 4552 wrote to memory of 2056   4552  Client.exe  100
  PID 2056 wrote to memory of 4812   2056  cmd.exe     102
  PID 2056 wrote to memory of 2512   2056  cmd.exe     103
  PID 2056 wrote to memory of 2480   2056  cmd.exe     106
  PID 2480 wrote to memory of 4352   2480  Client.exe  107
  PID 2480 wrote to memory of 1512   2480  Client.exe  109
  PID 1512 wrote to memory of 1716   1512  cmd.exe     111
  PID 1512 wrote to memory of 1448   1512  cmd.exe     112
  PID 1512 wrote to memory of 2864   1512  cmd.exe     113
  PID 2864 wrote to memory of 1824   2864  Client.exe  114
  PID 2864 wrote to memory of 1536   2864  Client.exe  116
  PID 1536 wrote to memory of 4452   1536  cmd.exe     118
  PID 1536 wrote to memory of 1016   1536  cmd.exe     119
  PID 1536 wrote to memory of 4436   1536  cmd.exe     120
  PID 4436 wrote to memory of 1416   4436  Client.exe  121
  PID 4436 wrote to memory of 4148   4436  Client.exe  123
  PID 4148 wrote to memory of 1380   4148  cmd.exe     125
  PID 4148 wrote to memory of 4684   4148  cmd.exe     126
  PID 4148 wrote to memory of 2632   4148  cmd.exe     127

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(the number in brackets is the depth in the process tree; children are indented under their parent)

[1] PID 2872  C:\Users\Admin\AppData\Local\Temp\ggff.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\ggff.exe"
    signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  [2] PID 3468  C:\Windows\SYSTEM32\schtasks.exe
      cmdline: "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      signatures: Scheduled Task/Job: Scheduled Task
  [2] PID 3616  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    [3] PID 2624  C:\Windows\SYSTEM32\schtasks.exe
        cmdline: "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        signatures: Scheduled Task/Job: Scheduled Task
    [3] PID 2776  C:\Windows\system32\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pujezyQtmDdL.bat" "
        signatures: Suspicious use of WriteProcessMemory
      [4] PID 4160  C:\Windows\system32\chcp.com
          cmdline: chcp 65001
      [4] PID 3708  C:\Windows\system32\PING.EXE
          cmdline: ping -n 10 localhost
          signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
      [4] PID 3848  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
          cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
          signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        [5] PID 4880  C:\Windows\SYSTEM32\schtasks.exe
            cmdline: "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
            signatures: Scheduled Task/Job: Scheduled Task
        [5] PID 4280  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KHjDWqt7oZKJ.bat" "
            signatures: Suspicious use of WriteProcessMemory
          [6] PID 4724  C:\Windows\system32\chcp.com
              cmdline: chcp 65001
          [6] PID 2184  C:\Windows\system32\PING.EXE
              cmdline: ping -n 10 localhost
              signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
          [6] PID 4552  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
              cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
              signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            [7] PID 3268  C:\Windows\SYSTEM32\schtasks.exe
                cmdline: "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                signatures: Scheduled Task/Job: Scheduled Task
            [7] PID 2056  C:\Windows\system32\cmd.exe
                cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZJWpaVAzDHO0.bat" "
                signatures: Suspicious use of WriteProcessMemory
              [8] PID 4812  C:\Windows\system32\chcp.com
                  cmdline: chcp 65001
              [8] PID 2512  C:\Windows\system32\PING.EXE
                  cmdline: ping -n 10 localhost
                  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
              [8] PID 2480  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                  signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                [9] PID 4352  C:\Windows\SYSTEM32\schtasks.exe
                    cmdline: "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                    signatures: Scheduled Task/Job: Scheduled Task
                [9] PID 1512  C:\Windows\system32\cmd.exe
                    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\J6C7hupoBYcn.bat" "
                    signatures: Suspicious use of WriteProcessMemory
                  [10] PID 1716  C:\Windows\system32\chcp.com
                      cmdline: chcp 65001
                  [10] PID 1448  C:\Windows\system32\PING.EXE
                      cmdline: ping -n 10 localhost
                      signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
                  [10] PID 2864  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                      cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                      signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                    [11] PID 1824  C:\Windows\SYSTEM32\schtasks.exe
                        cmdline: "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                        signatures: Scheduled Task/Job: Scheduled Task
                    [11] PID 1536  C:\Windows\system32\cmd.exe
                        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qzump6dHWFti.bat" "
                        signatures: Suspicious use of WriteProcessMemory
                      [12] PID 4452  C:\Windows\system32\chcp.com
                          cmdline: chcp 65001
                      [12] PID 1016  C:\Windows\system32\PING.EXE
                          cmdline: ping -n 10 localhost
                          signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
                      [12] PID 4436  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                          cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                          signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                        [13] PID 1416  C:\Windows\SYSTEM32\schtasks.exe
                            cmdline: "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                            signatures: Scheduled Task/Job: Scheduled Task
                        [13] PID 4148  C:\Windows\system32\cmd.exe
                            cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hha15OQCtQqs.bat" "
                            signatures: Suspicious use of WriteProcessMemory
                          [14] PID 1380  C:\Windows\system32\chcp.com
                              cmdline: chcp 65001
                          [14] PID 4684  C:\Windows\system32\PING.EXE
                              cmdline: ping -n 10 localhost
                              signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
                          [14] PID 2632  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                              cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                              signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                            [15] PID 2496  C:\Windows\SYSTEM32\schtasks.exe
                                cmdline: "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                signatures: Scheduled Task/Job: Scheduled Task
                            [15] PID 4264  C:\Windows\system32\cmd.exe
                                cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3DAe4E3PYntG.bat" "
                              [16] PID 4996  C:\Windows\system32\chcp.com
                                  cmdline: chcp 65001
                              [16] PID 3284  C:\Windows\system32\PING.EXE
                                  cmdline: ping -n 10 localhost
                                  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
                              [16] PID 232  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                  signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                                [17] PID 3784  C:\Windows\SYSTEM32\schtasks.exe
                                    cmdline: "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                    signatures: Scheduled Task/Job: Scheduled Task
                                [17] PID 4312  C:\Windows\system32\cmd.exe
                                    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k8HwDmVHaCqU.bat" "
                                  [18] PID 3240  C:\Windows\system32\chcp.com
                                      cmdline: chcp 65001
                                  [18] PID 980  C:\Windows\system32\PING.EXE
                                      cmdline: ping -n 10 localhost
                                      signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
                                  [18] PID 1760  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                      cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                      signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                                    [19] PID 3696  C:\Windows\SYSTEM32\schtasks.exe
                                        cmdline: "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                        signatures: Scheduled Task/Job: Scheduled Task
                                    [19] PID 1784  C:\Windows\system32\cmd.exe
                                        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\92y2xgW0N0lh.bat" "
                                      [20] PID 3960  C:\Windows\system32\chcp.com
                                          cmdline: chcp 65001
                                      [20] PID 4116  C:\Windows\system32\PING.EXE
                                          cmdline: ping -n 10 localhost
                                          signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
                                      [20] PID 4632  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                          cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                          signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                                        [21] PID 5092  C:\Windows\SYSTEM32\schtasks.exe
                                            cmdline: "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                            signatures: Scheduled Task/Job: Scheduled Task
                                        [21] PID 3160  C:\Windows\system32\cmd.exe
                                            cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UTlqwmzg5GQl.bat" "
                                          [22] PID 3232  C:\Windows\system32\chcp.com
                                              cmdline: chcp 65001
                                          [22] PID 4552  C:\Windows\system32\PING.EXE
                                              cmdline: ping -n 10 localhost
                                              signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
                                          [22] PID 32  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                              cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                              signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                                            [23] PID 3912  C:\Windows\SYSTEM32\schtasks.exe
                                                cmdline: "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                signatures: Scheduled Task/Job: Scheduled Task
                                            [23] PID 2312  C:\Windows\system32\cmd.exe
                                                cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\o7yjAdb19Uxv.bat" "
                                              [24] PID 2056  C:\Windows\system32\chcp.com
                                                  cmdline: chcp 65001
                                              [24] PID 3600  C:\Windows\system32\PING.EXE
                                                  cmdline: ping -n 10 localhost
                                                  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
                                              [24] PID 4220  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                  signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                                                [25] PID 4540  C:\Windows\SYSTEM32\schtasks.exe
                                                    cmdline: "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                    signatures: Scheduled Task/Job: Scheduled Task
                                                [25] PID 2800  C:\Windows\system32\cmd.exe
                                                    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CZxyq9wIrCGa.bat" "
                                                  [26] PID 1452  C:\Windows\system32\chcp.com
                                                      cmdline: chcp 65001
                                                  [26] PID 1540  C:\Windows\system32\PING.EXE
                                                      cmdline: ping -n 10 localhost
                                                      signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
                                                  [26] PID 2460  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                      cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                      signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                                                    [27] PID 2844  C:\Windows\SYSTEM32\schtasks.exe
                                                        cmdline: "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                        signatures: Scheduled Task/Job: Scheduled Task
                                                    [27] PID 2072  C:\Windows\system32\cmd.exe
                                                        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oySz0lRrALHh.bat" "
                                                      [28] PID 1016  C:\Windows\system32\chcp.com
                                                          cmdline: chcp 65001
                                                      [28] PID 1708  C:\Windows\system32\PING.EXE
                                                          cmdline: ping -n 10 localhost
                                                          signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
                                                      [28] PID 3780  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                          cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                          signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                                                        [29] PID 2732  C:\Windows\SYSTEM32\schtasks.exe
                                                            cmdline: "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                            signatures: Scheduled Task/Job: Scheduled Task
                                                        [29] PID 4672  C:\Windows\system32\cmd.exe
                                                            cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\49zUtcDASC7X.bat" "
                                                          [30] PID 4832  C:\Windows\system32\chcp.com
                                                              cmdline: chcp 65001
                                                          [30] PID 3104  C:\Windows\system32\PING.EXE
                                                              cmdline: ping -n 10 localhost
                                                              signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
                                                          [30] PID 3764  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                              cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                              signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                                                            [31] PID 3880  C:\Windows\SYSTEM32\schtasks.exe
                                                                cmdline: "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                signatures: Scheduled Task/Job: Scheduled Task
                                                            [31] PID 4160  C:\Windows\system32\cmd.exe
                                                                cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kbn4vJ8ADcLC.bat" "
                                                              [32] PID 3216  C:\Windows\system32\chcp.com
                                                                  cmdline: chcp 65001
                                                              [32] PID 5084  C:\Windows\system32\PING.EXE
                                                                  cmdline: ping -n 10 localhost
                                                                  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 7787ce173dfface746f5a9cf5477883d
SHA1: 4587d870e914785b3a8fb017fec0c0f1c7ec0004
SHA256: c339149818fa8f9e5af4627715c3afe4f42bc1267df17d77a278d4c811ed8df1
SHA512: 3a630053ae99114292f8cf8d45600f8fe72125795252bf76677663476bd2275be084a1af2fcb4ce30409ba1b5829b2b3ffb6795de46d2a703c3314017a86f1ff

Filesize: 207B
MD5: d2986b84cd8155304ba4864165d9fd36
SHA1: 1894de3351548d0bbeb41f90ab8ce13aba65ebf9
SHA256: 788f1218ca2e8dcc7a2405d2ff696c0b8f9fb5b7ff2a4b520fbd18161fcfa972
SHA512: 8b8147fc07c22e44f91ef3b6bf5a6c9eadafe1876adfa5870d6055a7c98f67a54ad0d5ce0044e92a2a02f434787c2c6ffde7db013dbb9810bca35901e63b41cd

Filesize: 207B
MD5: f7a873c237e8f55dba48bceba7626eaf
SHA1: 671a80b29d15384f84b068d5c28709213cc64f0e
SHA256: 7fa0803b66cf52af8e8ac3af3b0db38eef9a0fb8622e0e25f091d9157d510840
SHA512: 6bb1a5e4322f44894c295747a28a24e17d9b85023f6d6dd8791b1c456e4b35a2e8d02cf3287ec5dc717cde543d728ad2cb8b1a24ae624cbacbe10921a05a7ad6

Filesize: 207B
MD5: 560c0a2d030e4ecc99d9c6da46f5f15b
SHA1: 8913e94ac16227320c3658bf84ea5d22217f4846
SHA256: 76b93519bc3789ca914adec0e3df5bfebe1784baf25aef5a4a65dd69f6f33b81
SHA512: 2f087a7da6e1182c365c89e9b7bc8a76a8f4e300c20bb11dc1f3c4e01e3b85b8b476dd469e837757df38754be0dc871f78d015310c5986458d452d9b8f12a38d

Filesize: 207B
MD5: fb8154b64d4c145bd1cc6cae37d9ec1e
SHA1: b565643789740bea948cf2d65522f31f62a0fbd6
SHA256: b89491411ec8ee9934af00a62ac095049cb5f7f678e49be2e329a2be66aeaab3
SHA512: fbc8ccc204b343cc19600a22365897a35ead191d201b893ec54ea12f6425634a48c1b8c9cddab69e0b956d4e0b10ee2b327ac97f3bbacb45c3bcc60b9a416213

Filesize: 207B
MD5: 1a7a1caee3f8646b1607e3ef15d293ba
SHA1: 8f1d78d733694bbd7f2af64e70c4d69482120f35
SHA256: f8e846b0068d31020adce040b209712565205e0ac6a2d065236ac148a9563a88
SHA512: 7c8c12a5d247e68a0b7e178f85414713bc1ae0f05e6d687e52a81614afc2cd9f4fa2ef69f4567295c9187b12e69e8a75f70d827d389e2a1f0222878add7af8eb

Filesize: 207B
MD5: f2423cdd49b7cf5310038126b5e1ca75
SHA1: 006a43d9c5bfeba3c8e0a4ba669988021b5f9d32
SHA256: dafa2682af77ad5127c8b4f9c4d9ecc4c5917fe7c7ab2ee102155e74c944761b
SHA512: f619a186e08930ff4344dd4df6b237ebf7a50287ce81f4022d13925f78ea272a87384cb1f32620a1a4f3eca8d141051ed4dcef8b7156f13142b15e4ef7e023e4

Filesize: 207B
MD5: 323f49c7e3f2ab51efcdccbab3e61a6b
SHA1: 62e0c4f496a620a1a3e2931cfefe76ff9212b0df
SHA256: 0b87f45c73e556a33012f62bd872a974f428778ba587222233317c729654470a
SHA512: f628bc4a0f498b3665747aa02bfb78c80187b8f5cbd4d9fbdd9fdc8bc44ce740e43afcd982cf74bd1a023f7a41a24e6d97db1285e6f6fb21298b002c96887fb9

Filesize: 207B
MD5: b9d35788e22ab70aa1935f47ba571700
SHA1: 085719d7c6aefe2fa36c211fa408863500602315
SHA256: 7e7379d86b3b40883f1f4b0fe3e993c07d3eb7acef0bda13cd7a78057f6e7de5
SHA512: 2ee9b3cef265c6db86118d5ca86d071e008587c5b2521fce78f8c8f7266b1d1b782e01404ba7b675ff0abf62eaa0a58822bcfa1444342e0e5120eb1f650660c1

Filesize: 207B
MD5: d218b1504440279c4d7066412bc6424a
SHA1: 9a390f9867571a4dcc7f93c3fa8e116f6cd99126
SHA256: 064e77a2640584282a03b5af1fb30d5d380b8bf3f72d7089c06f3d96976d2c6f
SHA512: ec0b7878497d995f4f77a320831dbbfc4709d8e8e337c45a88ed6add07ef51f09ad403865b145fa66886cd1e3ee5c28099a30dd71dc722f62da0e27098f329a1

Filesize: 207B
MD5: 4ded353950ac74b7e78037d4977bea41
SHA1: 415cffad5f4401c4fff35f09e37f95284bc8049c
SHA256: f396562645d5ef3f792c1b9b43663dc6847818f64961223d64fe74892e257b42
SHA512: a0a5998ea7264fba3a85666b3c4b1050ba926b721f422e4484d8a764e479159f1b823c012f9774c659d42ddbe01edb536afcb7a2cb8020c35e6591bf09a6c7c2

Filesize: 207B
MD5: 63608c81afd2a34dec7a6873a5892c7e
SHA1: 4495dabdb541247f996f97b3e1229c3aa617515d
SHA256: faaebed4e181a3ffdb4166b5b5ab5bbd65c87fa3a043d18ea9da0601a5c83caa
SHA512: 3af2acbfc626ec054dd9caf66892e230470cd8b33507b47ce4c117ab2219f51dc41333e8beb51b595c25e4fa0b5bb52ff2a4d6058e782aa4571518146398e83f

Filesize: 207B
MD5: 2520aa599652acdaf0f48eca539621dd
SHA1: a7143e3ff9f8678e40cd7fe5512d831629f854cc
SHA256: c9f7bcd66a4f09cc0dc936ca6aacc91096e1dbb3cc86f4d4505bab6bf024602a
SHA512: 52fe991ef4693efb9073ca10384f5310ab6675133124f006bf7cfe678c271468c8bb828df4ea104f86ae2b3468c4ad0ad89e3037a3cd82c24fd191fa70e624e5

Filesize: 207B
MD5: 8937f5a5b8df3a7b0166169a5a70fe87
SHA1: ce35d561dfcc014005b14680753294bafbd92190
SHA256: 403312fc583e499a45dc874d438714bcedd8ae58d2925949160cc2a838083381
SHA512: f699dc9bff872d9cda926cae73ff95e980af17f92f7570656a2210143b5c11e16a477d617148c4ec9b7a7cab76f35b8c87ee327f591a376f268dda91f6117fc2

Filesize: 207B
MD5: 6e3059b2b20dbf5c14475e814ddc36af
SHA1: bb0e90b962ecabab5e0c2f607f30ec899cbf6bf7
SHA256: 007a41461a81146e17e4a519ceb23a086a0dac54fc3895fb24ff8d0b4f17995c
SHA512: 26037b65563357dd54f64f33109288cc56b52124f51e327bc2771cef9babb842df1907786c81d0db1548f991ec1d4633f494b996bead18d31b9468b8b01b7567

Filesize: 207B
MD5: fd7762a0afa531fd1e4c717b0d6a0370
SHA1: 54cabe482ad19f960292f2782cffe34328943133
SHA256: 5fd38f1fb55098d53bc359c2657c9e1f970450333d81d655753afd9da1fc0b56
SHA512: f6c710dc5444c5743e63b770c94a8280460ad7be2fafa5f53e8174ecaa3a59d11b1502f5633fc0aefaf36a73e1206b80f7f09d9eb3d7ad3342f3635bd2fc2d90

Filesize: 3.1MB
MD5: 9bcbafeac1f399303090ac7f3a805aa9
SHA1: a1d6a496f8468ac6257beeb2eaf5b368f88da1be
SHA256: 01f708414e049d3c7c030c7fc6f584ac905a4b9eba6377e036e6e54eb14fb2cc
SHA512: 567c8c02532846277604e310ac95baee0da887676b482f9f00a42564dc92258c1eacdccfdf59f82867ed9a9257504dc646bb2d900fd122dd2881e6fef9275dbd