quasar | 534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362

Analysis

max time kernel
142s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe
Size

3.1MB
MD5

f67e6aafbd9c86771f11c05ae83ae83e
SHA1

c9fe04c78139d000182d89f4dd013e647db64cc0
SHA256

534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362
SHA512

f5d5b09a92a3bc7ff862cf87c5a4285e2ada1ec4cb9d5b1467e358ad3678a2dfe6acd2f1819b7f9646f1ef5e038c9ffb295ef8a6590a75cdf911913a5edaf27a
SSDEEP

49152:avht62XlaSFNWPjljiFa2RoUYI+Y6a95fQrk/1LoGdpTHHB72eh2NT:avL62XlaSFNWPjljiFXRoUYI8aB

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

interestingsigma.hopto.org:20

Mutex

11bbf22e-826e-486b-b024-adbd86228a9e

Attributes

encryption_key
7A589EDBC6A581E125BF830EF0D05FC74BB75E30
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
ctfmon
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 7 IoCs

resource	yara_rule
behavioral1/memory/2980-1-0x0000000001350000-0x0000000001674000-memory.dmp	family_quasar
behavioral1/files/0x0017000000018657-6.dat	family_quasar
behavioral1/memory/2520-9-0x00000000013D0000-0x00000000016F4000-memory.dmp	family_quasar
behavioral1/memory/1868-124-0x0000000000160000-0x0000000000484000-memory.dmp	family_quasar
behavioral1/memory/3004-135-0x0000000000F00000-0x0000000001224000-memory.dmp	family_quasar
behavioral1/memory/1920-146-0x0000000000140000-0x0000000000464000-memory.dmp	family_quasar
behavioral1/memory/2860-157-0x0000000000F90000-0x00000000012B4000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2520	Client.exe
2868	Client.exe
340	Client.exe
2636	Client.exe
1860	Client.exe
1340	Client.exe
1672	Client.exe
2784	Client.exe
2712	Client.exe
1728	Client.exe
380	Client.exe
1868	Client.exe
3004	Client.exe
1920	Client.exe
2860	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2008	PING.EXE
1804	PING.EXE
1644	PING.EXE
1528	PING.EXE
2716	PING.EXE
2364	PING.EXE
2040	PING.EXE
2192	PING.EXE
2292	PING.EXE
2436	PING.EXE
2792	PING.EXE
2864	PING.EXE
2196	PING.EXE
2552	PING.EXE
2108	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2040	PING.EXE
1644	PING.EXE
2108	PING.EXE
1528	PING.EXE
2792	PING.EXE
2864	PING.EXE
2192	PING.EXE
2552	PING.EXE
2008	PING.EXE
2436	PING.EXE
2292	PING.EXE
1804	PING.EXE
2716	PING.EXE
2364	PING.EXE
2196	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2324	schtasks.exe
2132	schtasks.exe
2136	schtasks.exe
596	schtasks.exe
3052	schtasks.exe
2952	schtasks.exe
2240	schtasks.exe
2660	schtasks.exe
2716	schtasks.exe
2832	schtasks.exe
2988	schtasks.exe
1300	schtasks.exe
2644	schtasks.exe
1052	schtasks.exe
2376	schtasks.exe
1756	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe
Token: SeDebugPrivilege	2520	Client.exe
Token: SeDebugPrivilege	2868	Client.exe
Token: SeDebugPrivilege	340	Client.exe
Token: SeDebugPrivilege	2636	Client.exe
Token: SeDebugPrivilege	1860	Client.exe
Token: SeDebugPrivilege	1340	Client.exe
Token: SeDebugPrivilege	1672	Client.exe
Token: SeDebugPrivilege	2784	Client.exe
Token: SeDebugPrivilege	2712	Client.exe
Token: SeDebugPrivilege	1728	Client.exe
Token: SeDebugPrivilege	380	Client.exe
Token: SeDebugPrivilege	1868	Client.exe
Token: SeDebugPrivilege	3004	Client.exe
Token: SeDebugPrivilege	1920	Client.exe
Token: SeDebugPrivilege	2860	Client.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2520	Client.exe
2868	Client.exe
340	Client.exe
2636	Client.exe
1860	Client.exe
1340	Client.exe
1672	Client.exe
2784	Client.exe
2712	Client.exe
1728	Client.exe
380	Client.exe
1868	Client.exe
3004	Client.exe
1920	Client.exe
2860	Client.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2520	Client.exe
2868	Client.exe
340	Client.exe
2636	Client.exe
1860	Client.exe
1340	Client.exe
1672	Client.exe
2784	Client.exe
2712	Client.exe
1728	Client.exe
380	Client.exe
1868	Client.exe
3004	Client.exe
1920	Client.exe
2860	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2324	2980	534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe	30
PID 2980 wrote to memory of 2324	2980	534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe	30
PID 2980 wrote to memory of 2324	2980	534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe	30
PID 2980 wrote to memory of 2520	2980	534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe	32
PID 2980 wrote to memory of 2520	2980	534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe	32
PID 2980 wrote to memory of 2520	2980	534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe	32
PID 2520 wrote to memory of 2132	2520	Client.exe	33
PID 2520 wrote to memory of 2132	2520	Client.exe	33
PID 2520 wrote to memory of 2132	2520	Client.exe	33
PID 2520 wrote to memory of 2656	2520	Client.exe	35
PID 2520 wrote to memory of 2656	2520	Client.exe	35
PID 2520 wrote to memory of 2656	2520	Client.exe	35
PID 2656 wrote to memory of 2772	2656	cmd.exe	37
PID 2656 wrote to memory of 2772	2656	cmd.exe	37
PID 2656 wrote to memory of 2772	2656	cmd.exe	37
PID 2656 wrote to memory of 2792	2656	cmd.exe	38
PID 2656 wrote to memory of 2792	2656	cmd.exe	38
PID 2656 wrote to memory of 2792	2656	cmd.exe	38
PID 2656 wrote to memory of 2868	2656	cmd.exe	40
PID 2656 wrote to memory of 2868	2656	cmd.exe	40
PID 2656 wrote to memory of 2868	2656	cmd.exe	40
PID 2868 wrote to memory of 2716	2868	Client.exe	41
PID 2868 wrote to memory of 2716	2868	Client.exe	41
PID 2868 wrote to memory of 2716	2868	Client.exe	41
PID 2868 wrote to memory of 2808	2868	Client.exe	43
PID 2868 wrote to memory of 2808	2868	Client.exe	43
PID 2868 wrote to memory of 2808	2868	Client.exe	43
PID 2808 wrote to memory of 1656	2808	cmd.exe	45
PID 2808 wrote to memory of 1656	2808	cmd.exe	45
PID 2808 wrote to memory of 1656	2808	cmd.exe	45
PID 2808 wrote to memory of 1644	2808	cmd.exe	46
PID 2808 wrote to memory of 1644	2808	cmd.exe	46
PID 2808 wrote to memory of 1644	2808	cmd.exe	46
PID 2808 wrote to memory of 340	2808	cmd.exe	47
PID 2808 wrote to memory of 340	2808	cmd.exe	47
PID 2808 wrote to memory of 340	2808	cmd.exe	47
PID 340 wrote to memory of 2376	340	Client.exe	48
PID 340 wrote to memory of 2376	340	Client.exe	48
PID 340 wrote to memory of 2376	340	Client.exe	48
PID 340 wrote to memory of 1784	340	Client.exe	50
PID 340 wrote to memory of 1784	340	Client.exe	50
PID 340 wrote to memory of 1784	340	Client.exe	50
PID 1784 wrote to memory of 1032	1784	cmd.exe	52
PID 1784 wrote to memory of 1032	1784	cmd.exe	52
PID 1784 wrote to memory of 1032	1784	cmd.exe	52
PID 1784 wrote to memory of 2008	1784	cmd.exe	53
PID 1784 wrote to memory of 2008	1784	cmd.exe	53
PID 1784 wrote to memory of 2008	1784	cmd.exe	53
PID 1784 wrote to memory of 2636	1784	cmd.exe	54
PID 1784 wrote to memory of 2636	1784	cmd.exe	54
PID 1784 wrote to memory of 2636	1784	cmd.exe	54
PID 2636 wrote to memory of 2832	2636	Client.exe	55
PID 2636 wrote to memory of 2832	2636	Client.exe	55
PID 2636 wrote to memory of 2832	2636	Client.exe	55
PID 2636 wrote to memory of 2216	2636	Client.exe	57
PID 2636 wrote to memory of 2216	2636	Client.exe	57
PID 2636 wrote to memory of 2216	2636	Client.exe	57
PID 2216 wrote to memory of 2380	2216	cmd.exe	59
PID 2216 wrote to memory of 2380	2216	cmd.exe	59
PID 2216 wrote to memory of 2380	2216	cmd.exe	59
PID 2216 wrote to memory of 2436	2216	cmd.exe	60
PID 2216 wrote to memory of 2436	2216	cmd.exe	60
PID 2216 wrote to memory of 2436	2216	cmd.exe	60
PID 2216 wrote to memory of 1860	2216	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe
"C:\Users\Admin\AppData\Local\Temp\534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2324
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2132
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZMVGIaFia3Se.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2772
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2792
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2716
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fBPoWFC2AZMF.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2808
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1656
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1644
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:340
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2376
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xy8FLLjUBS8v.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2008
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2832
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NLX9llU4MN1S.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2380
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2436
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1860
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1756
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WOGyCsgQOWtr.bat" "
        11⤵
        
        PID:2464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1636
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2292
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1340
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:596
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BJ0smnBRG94k.bat" "
        13⤵
        
        PID:540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:908
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2108
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1672
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3052
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dNAghzgkeKg3.bat" "
        15⤵
        
        PID:2504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1528
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2784
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2988
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zgqBHvnt5TVv.bat" "
        17⤵
        
        PID:2656
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2548
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2716
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2712
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2952
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0wBQfxon0RJB.bat" "
        19⤵
        
        PID:2096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2364
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1728
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1300
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Yc3DeZgTkv5q.bat" "
        21⤵
        
        PID:864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1708
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2864
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:380
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2136
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mhlXVpDfgSc5.bat" "
        23⤵
        
        PID:1396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:448
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2040
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1868
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2644
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RxXEYZ6FpcS4.bat" "
        25⤵
        
        PID:1508
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:896
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2192
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3004
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2240
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\l1OA1kXJsK5i.bat" "
        27⤵
        
        PID:1720
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2196
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1920
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1052
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0jzN8qwcyliS.bat" "
        29⤵
        
        PID:1740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1804
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2860
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2660
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PzbMIYlNwxfs.bat" "
        31⤵
        
        PID:2740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2760
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0jzN8qwcyliS.bat

Filesize
207B

MD5
386bfb3192143ca42edc2a56a6aea223

SHA1
8539054f1605be7547441315a478faa86a25f0b2

SHA256
e13bbd889c4caeca4592e1508d15326fb31a8ba91d3715b6b9f56a7b7d92cce7

SHA512
931b54171569a50373a41ca091600724e1843a5649b3ac00b69a98a8ff1861af019f81fcc9b2c827a94f8a4e2309d613a9b5fb38a81c2161d94569eb0bc4b124

Download Submit
C:\Users\Admin\AppData\Local\Temp\0wBQfxon0RJB.bat

Filesize
207B

MD5
0498a55541511e965ffce498577fb79d

SHA1
2b230029b86302170dc5296df370f1afb740762c

SHA256
ab75953146edb4b43874a7c365407a1067850c1b4c76648811f90cdc25e63a72

SHA512
010a9c33997db5d49b1eff2f968d4f954411895791eb0a6be4a4c07e87201a282ece534b1eebb07c37b5fecbc3196f50ca3bdfcd008bfa53dc36175be6245a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\BJ0smnBRG94k.bat

Filesize
207B

MD5
7e9be6b6d22c482542104fb3d4e3d831

SHA1
d6c2fb86beca0db952697121b5ee9f02277b1407

SHA256
ec3c6b66e9c392d270c7b08b1e4f1c33cf70276e23a0d7a95dcd30605daaff99

SHA512
78ea47eb60491eda67f0ae4a9d4a0ed88705ce802c1f36bfd8cf30db8148f040563b699c16ae43a19b0576bbdfe499f7793dca734fd7bfb97fb511d418e00799

Download Submit
C:\Users\Admin\AppData\Local\Temp\NLX9llU4MN1S.bat

Filesize
207B

MD5
cadc4a6f951d07bec1dd21daea8b1b00

SHA1
3d8aa0ab81f03fc9c807c651f30dd15a2148c552

SHA256
c9a22f005547d275cf07177ca70cd7ef7c6cb690a606e147d91829bd2c3a7b48

SHA512
995a2bd85cda57ed38eab14626fbf9a9587529881c79e2371cf1ef0854b2c87bc2dcde06542500dd8558c2e97f617050dbaddbfe8f2044a94fc4541fa4cf90d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\PzbMIYlNwxfs.bat

Filesize
207B

MD5
9636c5fdcb11e50c6f8ef3b28766da00

SHA1
e4c593d68bfa86ba27e47051d106e63658ec39e5

SHA256
fa5f46ddcb46438494d9efe809d2149d39bc231a5bf16a91ee0e2b26b8f717a5

SHA512
3cd0ccd5f1dbbefe0a87fa7e88d38d44059ca2332e6d6fd0a52a4198c7032faa369a9cff141b94362db9cd4e8140a7e387d2688c2eca7f33e26a2f9f5db69f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RxXEYZ6FpcS4.bat

Filesize
207B

MD5
45f6d3ea4df4e092564b1074313f5908

SHA1
761dc0f86c6bab1a0ef9268eddab4b7592c89c47

SHA256
511d4c672dad44af05e982989ed3fbc1e3336d23042a6bebb12143bb69c95ad3

SHA512
12d28205412e1eb6970c61c097ee08d318a7f678be4ea43a10ed2eb2b71a51d8584fbe4249d23121efc34449ebb659ded3f513df477e4edcb25400da2ccc79f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOGyCsgQOWtr.bat

Filesize
207B

MD5
9d09116f0bbd4b4f46df1520dd09c289

SHA1
6ae29c8bfd40cc0c9dbda6d3301fe3c2ca5baa3b

SHA256
7df63ba22e797f003dfdfc371d2102e0672ad25e78910176fc6d4a30eb4f3b7b

SHA512
b6c09be387453fb3a88c699dd43866c0e8d345c81779bc8907ca736b46e6bf463751baee468366850feab5e86f53d6415c65420a6d9762c22c510c3bd760665b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yc3DeZgTkv5q.bat

Filesize
207B

MD5
c7a85d8485c600ead1c572594284b4ff

SHA1
0986a325e46bbd1efd5d112cca4defa4aa318a72

SHA256
5c0cc3645ecc78950acfb8b5fe3327e0ed79277602eaede40bab8956bea26e4e

SHA512
4630026d08065b9768065346e9ef60b6a25085781982b9c0d706324c2b8ebc6ea04522f0cad9617b54b39fb45f2232958dc956bca9293ae4eb9175a3a14ea449

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMVGIaFia3Se.bat

Filesize
207B

MD5
516a09d66c0d68210f3c0d4c6daac271

SHA1
86725ffc0291bead43ceab70903bb97d1f1f3caf

SHA256
e1468bfcc9cca99329c69214ce1e394bee715f73d84c7b448649eccf97651258

SHA512
5022f488b9ce5b27e60c17f785e27a2df2e1c77d11cd2a1b8e92d00a2b21df5e78053ab8dcd981a5b7acab6151cbfee6482d0e15d1c555b3c1d3a1a75ba0227b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dNAghzgkeKg3.bat

Filesize
207B

MD5
3f84db91a5eac19cf2f6bcd32959a82f

SHA1
f720813624d171b69b44a7c34f15a9d5a6e13106

SHA256
ce1cae9d92c0b6287dbf1d06c4cb6762ca82b9cbadb438c197e37850399c0324

SHA512
5aab7d733c26511b15b1bb533b30a508ff03b23cb66480fb250e4cf7c5a52ed76e406ff2d3f3d58823b7ddd3b07505b1844c4b013f35df62b9e200df16e0e5df

Download Submit
C:\Users\Admin\AppData\Local\Temp\fBPoWFC2AZMF.bat

Filesize
207B

MD5
2758fc3189fabfc0c430f8027b2d9438

SHA1
4cb9069dcd0edd2efa414234bfda8939b2c9101d

SHA256
3051c1ce9572c3ba23803a3a1718e11371d12db35cf6d0b34469b8d09aff0437

SHA512
5d66e3196dddd9ca2ac6090a05b6fb143a85626ced2662d3f11f750f642ebf356176063b276b28d316aebb4edd59e018d23703a93f61c1ebb0d16acc60175657

Download Submit
C:\Users\Admin\AppData\Local\Temp\l1OA1kXJsK5i.bat

Filesize
207B

MD5
7ec922671df74884a6ec084d147f68f5

SHA1
f4282b01c3b0e2d710838999917a290514f7ab8f

SHA256
7af27b5b8ae63d2812994ee61e2215c6390e10eedec8e4546e8fab10df41ab89

SHA512
bd8b1e403c12540d481d6d18a919c9aae95d40733a2a67e2b6c2177fe69d76ed696e672753d47dec7a90b5f1df04054b7b70f0881e59797fe42c6137e756210a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhlXVpDfgSc5.bat

Filesize
207B

MD5
d2a04fe3b653599ad5dec0a84fb7c8d4

SHA1
cf9c80a7219ef1f56fd30e8ebc85f4c21dc4735f

SHA256
4a93950787837388746f197e17003d3fc19cb524234051362e20fc4c5c5b463f

SHA512
136ff1b26a07938fdba8d2cf8cd41a50cce6050938e7df7e1ee0bfe1b8e6134d3adc9fbf62c2889fdcf58a19506ce4355b37b5637f2a1b477618c000240f9cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xy8FLLjUBS8v.bat

Filesize
207B

MD5
cf549854115b477a9b34e83f61ea0dbf

SHA1
1436ed14a61d7a3c799cdac527d59f64c0b38812

SHA256
a99c213a4957b225225d9efad6ffd9e5218a0944436052113d52dde097c24dce

SHA512
8c2f134d2001d09faa80f9647345822e5028c61c2778c7464f688259733c46f0916643fb5b06997ce9e05d39c96e656087bb8d4968e6bee2f27ce43cb0d2039d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgqBHvnt5TVv.bat

Filesize
207B

MD5
736b8b46f89e02a3a80e07a2d062ca53

SHA1
2d3790092a7e5b2995cd27207f5e4fd2b5a0166a

SHA256
38f04fe1a188fa563678230414b8758c3a8471372cb2b9cd201548d37fe06a7f

SHA512
f87b50c4f99ef44281676690272e8f8103d426c33b0f3b9352fd7acb23ea558baf9f41357a7d4686e386d234ac5b36a7187c75dc28aa6d1ef2741a42ad3bb375

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
f67e6aafbd9c86771f11c05ae83ae83e

SHA1
c9fe04c78139d000182d89f4dd013e647db64cc0

SHA256
534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362

SHA512
f5d5b09a92a3bc7ff862cf87c5a4285e2ada1ec4cb9d5b1467e358ad3678a2dfe6acd2f1819b7f9646f1ef5e038c9ffb295ef8a6590a75cdf911913a5edaf27a

Download Submit
memory/1868-124-0x0000000000160000-0x0000000000484000-memory.dmp

Filesize
3.1MB

Download
memory/1920-146-0x0000000000140000-0x0000000000464000-memory.dmp

Filesize
3.1MB

Download
memory/2520-21-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

Filesize
9.9MB

Download
memory/2520-11-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

Filesize
9.9MB

Download
memory/2520-9-0x00000000013D0000-0x00000000016F4000-memory.dmp

Filesize
3.1MB

Download
memory/2520-8-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

Filesize
9.9MB

Download
memory/2860-157-0x0000000000F90000-0x00000000012B4000-memory.dmp

Filesize
3.1MB

Download
memory/2980-0-0x000007FEF5CD3000-0x000007FEF5CD4000-memory.dmp

Filesize
4KB

Download
memory/2980-10-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

Filesize
9.9MB

Download
memory/2980-2-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

Filesize
9.9MB

Download
memory/2980-1-0x0000000001350000-0x0000000001674000-memory.dmp

Filesize
3.1MB

Download
memory/3004-135-0x0000000000F00000-0x0000000001224000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads