Analysis
max time kernel: 144s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-12-2024 02:43
Behavioral task: behavioral1
Sample: 534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe
Resource: win7-20240903-en
General
Target: 534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe
Size: 3.1MB
MD5: f67e6aafbd9c86771f11c05ae83ae83e
SHA1: c9fe04c78139d000182d89f4dd013e647db64cc0
SHA256: 534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362
SHA512: f5d5b09a92a3bc7ff862cf87c5a4285e2ada1ec4cb9d5b1467e358ad3678a2dfe6acd2f1819b7f9646f1ef5e038c9ffb295ef8a6590a75cdf911913a5edaf27a
SSDEEP: 49152:avht62XlaSFNWPjljiFa2RoUYI+Y6a95fQrk/1LoGdpTHHB72eh2NT:avL62XlaSFNWPjljiFXRoUYI8aB
Malware Config
Extracted
quasar
1.4.1
Office04
interestingsigma.hopto.org:20
11bbf22e-826e-486b-b024-adbd86228a9e
encryption_key: 7A589EDBC6A581E125BF830EF0D05FC74BB75E30
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: ctfmon
subdirectory: SubDir
Signatures

Quasar family

Quasar payload (2 IoCs)
  resource: behavioral2/memory/4588-1-0x0000000000F50000-0x0000000001274000-memory.dmp  yara_rule: family_quasar
  resource: behavioral2/files/0x0008000000023c82-6.dat  yara_rule: family_quasar

Checks computer location settings (2 TTPs, 14 IoCs)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried  ioc: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation  Process: Client.exe  (14 identical entries)

Executes dropped EXE (14 IoCs)
  pid/Process: 1116, 1000, 2256, 2800, 4428, 3540, 2380, 1732, 1556, 3220, 1432, 1076, 4068, 3108 (all Client.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 14 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid/Process: 3268, 232, 720, 1336, 712, 2884, 4908, 4212, 5052, 4336, 3836, 1236, 3752, 4844 (all PING.EXE)

Runs ping.exe (1 TTP, 14 IoCs)
  pid/Process: 3752, 3268, 1236, 3836, 1336, 4212, 4844, 4908, 720, 712, 232, 2884, 5052, 4336 (all PING.EXE)

Scheduled Task/Job: Scheduled Task (1 TTP, 15 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid/Process: 2404, 4400, 4812, 1320, 4772, 1368, 4664, 1864, 3700, 3716, 3572, 1968, 4948, 3728, 848 (all schtasks.exe)

Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Token: SeDebugPrivilege  pid 4588  534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe
  Token: SeDebugPrivilege  pids 1116, 1000, 2256, 2800, 4428, 3540, 2380, 1732, 1556, 3220, 1432, 1076, 4068, 3108  Client.exe

Suspicious use of FindShellTrayWindow (14 IoCs)
  pid/Process: 1116, 1000, 2256, 2800, 4428, 3540, 2380, 1732, 1556, 3220, 1432, 1076, 4068, 3108 (all Client.exe)

Suspicious use of SendNotifyMessage (14 IoCs)
  pid/Process: 1116, 1000, 2256, 2800, 4428, 3540, 2380, 1732, 1556, 3220, 1432, 1076, 4068, 3108 (all Client.exe)

Suspicious use of WriteProcessMemory (64 IoCs)
  pid  Process  ->  target pid  (procid_target); every entry below is recorded twice in the report
  4588  534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe  ->  1968  (82)
  4588  534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe  ->  1116  (84)
  1116  Client.exe  ->  4664  (85)
  1116  Client.exe  ->  1468  (87)
  1468  cmd.exe     ->  4908  (89)
  1468  cmd.exe     ->  3268  (90)
  1468  cmd.exe     ->  1000  (96)
  1000  Client.exe  ->  2404  (97)
  1000  Client.exe  ->  2644  (99)
  2644  cmd.exe     ->  4068  (101)
  2644  cmd.exe     ->  1236  (102)
  2644  cmd.exe     ->  2256  (105)
  2256  Client.exe  ->  1864  (106)
  2256  Client.exe  ->  1004  (108)
  1004  cmd.exe     ->  1508  (110)
  1004  cmd.exe     ->  4212  (111)
  1004  cmd.exe     ->  2800  (114)
  2800  Client.exe  ->  3700  (115)
  2800  Client.exe  ->  3060  (117)
  3060  cmd.exe     ->  3728  (119)
  3060  cmd.exe     ->  3752  (120)
  3060  cmd.exe     ->  4428  (121)
  4428  Client.exe  ->  4400  (122)
  4428  Client.exe  ->  4036  (124)
  4036  cmd.exe     ->  1256  (126)
  4036  cmd.exe     ->  712   (127)
  4036  cmd.exe     ->  3540  (128)
  3540  Client.exe  ->  4812  (129)
  3540  Client.exe  ->  1472  (131)
  1472  cmd.exe     ->  2704  (133)
  1472  cmd.exe     ->  4844  (134)
  1472  cmd.exe     ->  2380  (135)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(bracketed number = nesting depth in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe"
    PID: 4588
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 1968
    - Scheduled Task/Job: Scheduled Task
[2] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 1116
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 4664
    - Scheduled Task/Job: Scheduled Task
[3] C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MiW7ztQEHCT1.bat" "
    PID: 1468
    - Suspicious use of WriteProcessMemory
[4] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 4908
[4] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    PID: 3268
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[4] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 1000
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[5] C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 2404
    - Scheduled Task/Job: Scheduled Task
[5] C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A0v2MnnpAOLJ.bat" "
    PID: 2644
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 4068
[6] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    PID: 1236
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[6] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 2256
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[7] C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 1864
    - Scheduled Task/Job: Scheduled Task
[7] C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmKXZ1DxVMvp.bat" "
    PID: 1004
    - Suspicious use of WriteProcessMemory
[8] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 1508
[8] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    PID: 4212
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[8] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 2800
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[9] C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 3700
    - Scheduled Task/Job: Scheduled Task
[9] C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fTMK6GvlF7YJ.bat" "
    PID: 3060
    - Suspicious use of WriteProcessMemory
[10] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 3728
[10] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    PID: 3752
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[10] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 4428
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[11] C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 4400
    - Scheduled Task/Job: Scheduled Task
[11] C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ucJH0CCNsuJr.bat" "
    PID: 4036
    - Suspicious use of WriteProcessMemory
[12] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 1256
[12] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    PID: 712
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[12] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 3540
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[13] C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 4812
    - Scheduled Task/Job: Scheduled Task
[13] C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Qd1AgYoYTfnK.bat" "
    PID: 1472
    - Suspicious use of WriteProcessMemory
[14] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 2704
[14] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    PID: 4844
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[14] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 2380
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[15] C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 3716
    - Scheduled Task/Job: Scheduled Task
[15] C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\J1k81h605227.bat" "
    PID: 3932
[16] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 4868
[16] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    PID: 232
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[16] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 1732
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[17] C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 4948
    - Scheduled Task/Job: Scheduled Task
[17] C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CjIbxm58tZek.bat" "
    PID: 428
[18] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 4788
[18] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    PID: 2884
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[18] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 1556
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[19] C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 1320
    - Scheduled Task/Job: Scheduled Task
[19] C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQZu7WXgYttZ.bat" "
    PID: 4488
[20] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 3968
[20] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    PID: 3836
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[20] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 3220
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[21] C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 3728
    - Scheduled Task/Job: Scheduled Task
[21] C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swNB6HlAVtMX.bat" "
    PID: 4628
[22] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 3136
[22] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    PID: 5052
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[22] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 1432
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[23] C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 3572
    - Scheduled Task/Job: Scheduled Task
[23] C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4pQaIwfFu4Pq.bat" "
    PID: 4780
[24] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 3880
[24] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    PID: 4336
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[24] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 1076
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[25] C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 1368
    - Scheduled Task/Job: Scheduled Task
[25] C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5Ou0qI6wmGjP.bat" "
    PID: 4944
[26] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 2836
[26] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    PID: 4908
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[26] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 4068
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[27] C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 4772
    - Scheduled Task/Job: Scheduled Task
[27] C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O5j8401M36jB.bat" "
    PID: 3172
[28] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 1304
[28] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    PID: 1336
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[28] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 3108
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[29] C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 848
    - Scheduled Task/Job: Scheduled Task
[29] C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uGNxVIeJ54VU.bat" "
    PID: 4788
[30] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 1548
[30] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    PID: 720
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 8f0271a63446aef01cf2bfc7b7c7976b
SHA1: b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Filesize: 207B
MD5: 4ee5d01b3d4338eb85fbc0194d8aee2c
SHA1: 5627e295742840ce41d7eb827dcb3847b846221d
SHA256: c7aa7daa4cdb19a1415272a07190067d8db8f0e77865193953f61746af951326
SHA512: 09c1ccb79e26d0fa41dc7c6671c46c983eaaeb763dc9469cc9d6091288e24fbde4de4714ac6cb95af66d526578aa25be24f6ee34e7185af127adf48213eb7ee4

Filesize: 207B
MD5: 1b251adea80d17301e4d50d9a2db5440
SHA1: 15a416e105ca068da14add3c89a1b1576e24c734
SHA256: 6877af05a0aa6b87a7f9dbb92987e1bdda10b9ad95353595df25b9818c688575
SHA512: c56fdadffa0a0cb83420946b8e165f4c86d7de2a71a7fb4fa5bac9cefaa130a83f48e44aca61ba0033bb4fbd4dd8bfd066051d2c214d55083eb9208bfedf5cfc

Filesize: 207B
MD5: af232c3d6a7b5d2aa4a443bcd1f2c502
SHA1: 337d0f8586162d82a0bef809560520e8384546fc
SHA256: 2dfd030dc22b01e89d3c9a593012860ed948ea20962d621ee9207f636a9bae07
SHA512: cfbb49964637d7a10268373b6146a0d46353c97b9b5b539cabff9c60f4b0d949437b50c565109584b90cfdadb3f3be82e147ad5949795a12860618c1fd4791d4

Filesize: 207B
MD5: 4b8f0539a0007c28b65a94473f72d56c
SHA1: f4f0750bd7025015fd3b7c20c17c71489c9de3dc
SHA256: 846053f1b0a3ee88889c97f6efea197256c02326bea1a5fea40c99ddedbda07c
SHA512: 329a17517e590506c54e89ee3f4f26ee6829c99f58e91714ea60f4b8496c62a2583c88d1e22c1d99dff97c6ccc95441cbb6bd08d5b440d17671d3ca0412f1f83

Filesize: 207B
MD5: 5aa8b3daaa48f8e363b64aa271a9d2b5
SHA1: 27945bf859d8a09cdf8938def85ae2fc8e10d629
SHA256: daf3a6d9d69a2ff76c55cb9af0f84bd43513eaec10da1e7d0c7e9fe7410c3ee2
SHA512: fbc115e121cf59f79655c95d644b96709c30a5544c8a835e970cb41832cb927938aac3880a83ceaac650948a9961ad5574977d83e989ac40b2bf608bf52270c9

Filesize: 207B
MD5: 9407acb67f38ae833ba61f7ee8c76e14
SHA1: 34086b4925f2918db2f90aa1ad1581ff2714675e
SHA256: d09fd63f09f3c0dc4c408a3134fd4af683665d9f87800c643a3bcdf393417ed1
SHA512: 4e1e8520f074451040c43afa3337596f3fb87a7b13a568625ff7a634929d874103fcb3d4d297b7eddf62e0277e798dc0753b286907936a716098473f5b5e02cc

Filesize: 207B
MD5: fe00d1d7131e21183da1a45ac2f17efc
SHA1: 149e022f121925cfb876cf1badbacc0a598dfac2
SHA256: 0e234341bc2e25d44a99883d8bcb4b682047a08ddf1ea1ca74eca25b37a4bec5
SHA512: 25bfca91533a5c8451db8bb6a50ee2b6bf8dbd61c719f1d733556a2a7f91ce47493d2ad8f2cf2f1d8d2d79ffaaff98a80f615432f4e1d70cd59832524ad77b52

Filesize: 207B
MD5: e1a337df9788cc15c6209c0e147f3e20
SHA1: 37c9f0ef6767c0755908c6db72a117779a6bc0f0
SHA256: b1f315ed020af6ceb08ad0b04b7f618bcc8c03b5048c9c48f75dd8205d5df3e7
SHA512: e25bbe6dc6b4c95a8b19c19abaaec41415e9a171da37ae3614e5b4e615f2e2d0070c8f6a0092b9a78224becb28acfcb36c35961052b6fb8620c8f156eb151b65

Filesize: 207B
MD5: e44b974345f8807347527cf9a7852f7c
SHA1: 22be25877727cac833c4b4ad2548e023ab6e1dc5
SHA256: 113f942957c6de63df76d399964fc12a87af00d97ef72008f32757284dc5ef3c
SHA512: 52f79d204149ac97f0c3e9543ff8d7a7c8b38d66596487a3602022feaa7e0e05cada5e851f33f987f61a244d11cc68295367a3ed9526c51066449f079fcecf0a

Filesize: 207B
MD5: 3e2796e6fee3809a9ecdb16f43c93e54
SHA1: 7470852def24d160cf1f90be9f27f1bf1c603e39
SHA256: 8964b123a741089296dc20d3a940bdb556d9f3007caf32c9f9c835d492309bd3
SHA512: 56a340219b4de0300bc999e50f07ca6fd3babd4044556f8b948deb3efbebdab7194ad9a461f394849730d81da6ed54daf05faf70d4306db82c6ef60cecafab36

Filesize: 207B
MD5: 7ce26fd7731b9c33284ca903ef5dddc2
SHA1: 436d053757f189100932b19ac7817bec596b87f0
SHA256: 06cf0138af5f519d0d3e3ab056f484e0fe52fe62953b37e87ae4a2a73fa27f4e
SHA512: 0d09046ee2a6aa6bc994264314a5137843fef4a7979152eba69f32fbd99abb6e051bec24f5a31b14cf1a9c8795206f1833f26476b4b551b154f5b14752342033

Filesize: 207B
MD5: c7b2adf037a18a28d8487bf690ade3b7
SHA1: 8ee5288b0bc9cc57cbefe233511a44c0523fe58e
SHA256: bcf5a547f44a851457eb88952fd42774e7b5ee559edf0224e8dbb3f65b1451f3
SHA512: 5171e832c4020b38afd05c2f6716c95b8d0003b599ae1a392347a6bec8e8e9efbfcf22be71ecb5592e1b4b7f684fca202c9bc98787def67223e6e98de18ae959

Filesize: 207B
MD5: 59b3214c1f3aa75fcffb17ff395cb7e9
SHA1: a78d0fd064c1d2f989a44a05a1e6cd343e1533f4
SHA256: 22bed2087b12674dadc67064eb8a0184b6cd959dfa503dadf5c063688748c458
SHA512: 7f02daffcd24adf9f133887c42e615a6a5fced8ddd9aeeb6428458c0ba6c7509d1902dd05f88d4f79b9d5fbafed3fb397524962cac76a04a00660a8fb6af6e11

Filesize: 207B
MD5: 0202b62fd61194c32fc74ffe3e9830f5
SHA1: b028113b0c588957a9f963670705ee7cf457d385
SHA256: 8364dfc885007867a41ba778634129940ab3179a3c02f53f0d753309eee77153
SHA512: 21344c807a4deca13092595eab31a2aa351329da29f4ca9e69031e646f8ce389bd38312884b021c691b1aac313b4bc6ecc0d10823d569b1bfd467fd809d0696e

Filesize: 3.1MB
MD5: f67e6aafbd9c86771f11c05ae83ae83e
SHA1: c9fe04c78139d000182d89f4dd013e647db64cc0
SHA256: 534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362
SHA512: f5d5b09a92a3bc7ff862cf87c5a4285e2ada1ec4cb9d5b1467e358ad3678a2dfe6acd2f1819b7f9646f1ef5e038c9ffb295ef8a6590a75cdf911913a5edaf27a