quasar | 00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe
Size

3.1MB
MD5

a29d070abe87b2be24892421e0c763bb
SHA1

383104c7c6956a98ae5f63c743250f737700f509
SHA256

00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636
SHA512

6d2a161e8193ed3e05443bd76652b958990f01d2cc2452185f58a5bff3031d268e2fe71c009fa4938ac1cbc914ba2163133079f8218f1c67b0758f594a67f969
SSDEEP

49152:Pvht62XlaSFNWPjljiFa2RoUYIygJCKI/nwoGdYTHHB72eh2NT:PvL62XlaSFNWPjljiFXRoUYIygJCi

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

interestingsigma.hopto.org:20

Mutex

11bbf22e-826e-486b-b024-adbd86228a9e

Attributes

encryption_key
7A589EDBC6A581E125BF830EF0D05FC74BB75E30
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
ctfmon
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 11 IoCs

resource	yara_rule
behavioral1/memory/1272-1-0x00000000012F0000-0x0000000001614000-memory.dmp	family_quasar
behavioral1/files/0x0008000000015d0e-6.dat	family_quasar
behavioral1/memory/1656-10-0x0000000000F20000-0x0000000001244000-memory.dmp	family_quasar
behavioral1/memory/2748-23-0x00000000000B0000-0x00000000003D4000-memory.dmp	family_quasar
behavioral1/memory/1816-35-0x0000000000B70000-0x0000000000E94000-memory.dmp	family_quasar
behavioral1/memory/2612-79-0x0000000000290000-0x00000000005B4000-memory.dmp	family_quasar
behavioral1/memory/2784-90-0x0000000000370000-0x0000000000694000-memory.dmp	family_quasar
behavioral1/memory/2708-101-0x00000000008E0000-0x0000000000C04000-memory.dmp	family_quasar
behavioral1/memory/2144-114-0x0000000001270000-0x0000000001594000-memory.dmp	family_quasar
behavioral1/memory/1736-125-0x00000000002F0000-0x0000000000614000-memory.dmp	family_quasar
behavioral1/memory/1532-137-0x00000000013E0000-0x0000000001704000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
1656	Client.exe
2748	Client.exe
1816	Client.exe
2912	Client.exe
676	Client.exe
2484	Client.exe
2612	Client.exe
2784	Client.exe
2708	Client.exe
2144	Client.exe
1736	Client.exe
1532	Client.exe
2576	Client.exe
1516	Client.exe
2892	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1472	PING.EXE
2432	PING.EXE
1796	PING.EXE
892	PING.EXE
2304	PING.EXE
2984	PING.EXE
2092	PING.EXE
2196	PING.EXE
1756	PING.EXE
2264	PING.EXE
844	PING.EXE
1832	PING.EXE
408	PING.EXE
1912	PING.EXE
2760	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1756	PING.EXE
2092	PING.EXE
2196	PING.EXE
2264	PING.EXE
844	PING.EXE
2984	PING.EXE
408	PING.EXE
1832	PING.EXE
2432	PING.EXE
1796	PING.EXE
892	PING.EXE
1912	PING.EXE
1472	PING.EXE
2304	PING.EXE
2760	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2176	schtasks.exe
2316	schtasks.exe
1708	schtasks.exe
1932	schtasks.exe
3000	schtasks.exe
1760	schtasks.exe
832	schtasks.exe
1672	schtasks.exe
2068	schtasks.exe
1716	schtasks.exe
3036	schtasks.exe
292	schtasks.exe
2724	schtasks.exe
2732	schtasks.exe
336	schtasks.exe
532	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1272	00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe
Token: SeDebugPrivilege	1656	Client.exe
Token: SeDebugPrivilege	2748	Client.exe
Token: SeDebugPrivilege	1816	Client.exe
Token: SeDebugPrivilege	2912	Client.exe
Token: SeDebugPrivilege	676	Client.exe
Token: SeDebugPrivilege	2484	Client.exe
Token: SeDebugPrivilege	2612	Client.exe
Token: SeDebugPrivilege	2784	Client.exe
Token: SeDebugPrivilege	2708	Client.exe
Token: SeDebugPrivilege	2144	Client.exe
Token: SeDebugPrivilege	1736	Client.exe
Token: SeDebugPrivilege	1532	Client.exe
Token: SeDebugPrivilege	2576	Client.exe
Token: SeDebugPrivilege	1516	Client.exe
Token: SeDebugPrivilege	2892	Client.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
1656	Client.exe
2748	Client.exe
1816	Client.exe
2912	Client.exe
676	Client.exe
2484	Client.exe
2612	Client.exe
2784	Client.exe
2708	Client.exe
2144	Client.exe
1736	Client.exe
1532	Client.exe
2576	Client.exe
1516	Client.exe
2892	Client.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
1656	Client.exe
2748	Client.exe
1816	Client.exe
2912	Client.exe
676	Client.exe
2484	Client.exe
2612	Client.exe
2784	Client.exe
2708	Client.exe
2144	Client.exe
1736	Client.exe
1532	Client.exe
2576	Client.exe
1516	Client.exe
2892	Client.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1656	Client.exe
676	Client.exe
2708	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 2068	1272	00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe	30
PID 1272 wrote to memory of 2068	1272	00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe	30
PID 1272 wrote to memory of 2068	1272	00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe	30
PID 1272 wrote to memory of 1656	1272	00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe	32
PID 1272 wrote to memory of 1656	1272	00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe	32
PID 1272 wrote to memory of 1656	1272	00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe	32
PID 1656 wrote to memory of 2316	1656	Client.exe	33
PID 1656 wrote to memory of 2316	1656	Client.exe	33
PID 1656 wrote to memory of 2316	1656	Client.exe	33
PID 1656 wrote to memory of 2816	1656	Client.exe	35
PID 1656 wrote to memory of 2816	1656	Client.exe	35
PID 1656 wrote to memory of 2816	1656	Client.exe	35
PID 2816 wrote to memory of 2264	2816	cmd.exe	37
PID 2816 wrote to memory of 2264	2816	cmd.exe	37
PID 2816 wrote to memory of 2264	2816	cmd.exe	37
PID 2816 wrote to memory of 2984	2816	cmd.exe	38
PID 2816 wrote to memory of 2984	2816	cmd.exe	38
PID 2816 wrote to memory of 2984	2816	cmd.exe	38
PID 2816 wrote to memory of 2748	2816	cmd.exe	40
PID 2816 wrote to memory of 2748	2816	cmd.exe	40
PID 2816 wrote to memory of 2748	2816	cmd.exe	40
PID 2748 wrote to memory of 2724	2748	Client.exe	41
PID 2748 wrote to memory of 2724	2748	Client.exe	41
PID 2748 wrote to memory of 2724	2748	Client.exe	41
PID 2748 wrote to memory of 1100	2748	Client.exe	43
PID 2748 wrote to memory of 1100	2748	Client.exe	43
PID 2748 wrote to memory of 1100	2748	Client.exe	43
PID 1100 wrote to memory of 1696	1100	cmd.exe	45
PID 1100 wrote to memory of 1696	1100	cmd.exe	45
PID 1100 wrote to memory of 1696	1100	cmd.exe	45
PID 1100 wrote to memory of 1796	1100	cmd.exe	46
PID 1100 wrote to memory of 1796	1100	cmd.exe	46
PID 1100 wrote to memory of 1796	1100	cmd.exe	46
PID 1100 wrote to memory of 1816	1100	cmd.exe	47
PID 1100 wrote to memory of 1816	1100	cmd.exe	47
PID 1100 wrote to memory of 1816	1100	cmd.exe	47
PID 1816 wrote to memory of 1708	1816	Client.exe	48
PID 1816 wrote to memory of 1708	1816	Client.exe	48
PID 1816 wrote to memory of 1708	1816	Client.exe	48
PID 1816 wrote to memory of 1976	1816	Client.exe	50
PID 1816 wrote to memory of 1976	1816	Client.exe	50
PID 1816 wrote to memory of 1976	1816	Client.exe	50
PID 1976 wrote to memory of 288	1976	cmd.exe	52
PID 1976 wrote to memory of 288	1976	cmd.exe	52
PID 1976 wrote to memory of 288	1976	cmd.exe	52
PID 1976 wrote to memory of 1756	1976	cmd.exe	53
PID 1976 wrote to memory of 1756	1976	cmd.exe	53
PID 1976 wrote to memory of 1756	1976	cmd.exe	53
PID 1976 wrote to memory of 2912	1976	cmd.exe	54
PID 1976 wrote to memory of 2912	1976	cmd.exe	54
PID 1976 wrote to memory of 2912	1976	cmd.exe	54
PID 2912 wrote to memory of 2732	2912	Client.exe	55
PID 2912 wrote to memory of 2732	2912	Client.exe	55
PID 2912 wrote to memory of 2732	2912	Client.exe	55
PID 2912 wrote to memory of 2540	2912	Client.exe	57
PID 2912 wrote to memory of 2540	2912	Client.exe	57
PID 2912 wrote to memory of 2540	2912	Client.exe	57
PID 2540 wrote to memory of 860	2540	cmd.exe	59
PID 2540 wrote to memory of 860	2540	cmd.exe	59
PID 2540 wrote to memory of 860	2540	cmd.exe	59
PID 2540 wrote to memory of 408	2540	cmd.exe	60
PID 2540 wrote to memory of 408	2540	cmd.exe	60
PID 2540 wrote to memory of 408	2540	cmd.exe	60
PID 2540 wrote to memory of 676	2540	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe
"C:\Users\Admin\AppData\Local\Temp\00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2068
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2316
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\1TRPc3oQ4uoL.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2264
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2984
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2724
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jeUAksNDp3nl.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1100
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1696
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1796
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1708
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oNzrjslN3WL4.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:288
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1756
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2732
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9djLtjNDOr8S.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:860
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:408
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:676
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:292
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1rrJH3U8ojzv.bat" "
        11⤵
        
        PID:1744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1352
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:892
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2484
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1932
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lBpUBYQRGVy7.bat" "
        13⤵
        
        PID:2204
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2488
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2092
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2612
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1716
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dk1HGVCwxqLd.bat" "
        15⤵
        
        PID:2568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1336
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2304
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2784
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3000
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xCWWMEKCWX0e.bat" "
        17⤵
        
        PID:2704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2536
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1912
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3036
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1zmVSWNIQ75q.bat" "
        19⤵
        
        PID:744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2172
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2760
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2144
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1760
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OTnjinlkptZc.bat" "
        21⤵
        
        PID:2276
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1832
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1736
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:336
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3fs44LnuauHz.bat" "
        23⤵
        
        PID:1712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1472
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1532
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:832
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LREAMC6WXlFS.bat" "
        25⤵
        
        PID:764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2196
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2576
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1672
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5oaRP6nb1RZt.bat" "
        27⤵
        
        PID:2056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1604
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2432
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1516
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:532
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HxBb9WtX800W.bat" "
        29⤵
        
        PID:2316
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2264
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2892
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2176
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7MEwuKND5oVL.bat" "
        31⤵
        
        PID:2828
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1144
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1TRPc3oQ4uoL.bat

Filesize
207B

MD5
d25b4acb36777cb42f140c3dd54b5567

SHA1
7c0ff10619b65044992ad5ecf373a918537f5408

SHA256
3aede666d9d6d3810edc613fd5fb708bdad3d21297ee8e9dbfb560bc132398a2

SHA512
85baf285da267f96776d26966b3a30b66f10ef85c9ff7a1834f00c2f7e078784505351c57bea59f119614c96bd32b4e02beed2c87c295303871f3626a65e34ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\1rrJH3U8ojzv.bat

Filesize
207B

MD5
37bf0575cd1edb9d9cb52182d8fd7a65

SHA1
de44684b7b100ae8defbafad796ade689e6a742f

SHA256
0a87399e356059d2ec21a126607a8c67ff049cdf2d108dff3fcb0f7482d9aa5d

SHA512
5359f869cc05899981a9695a2b608e794627b5a699060691b636ed56623edd70b8eb0531bef22a153fa7981c2d921eeac704853a5af72dd2f03a41940744e6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1zmVSWNIQ75q.bat

Filesize
207B

MD5
8e507828543f0c08f8aa518e98fbeaf7

SHA1
fcce84fff0806e2653d859c431624f56a6bdffa8

SHA256
b84eb019ecca45cda3f0d5cef8d7e52b5239003cff6b7189c4ff9072474328fb

SHA512
a8b87920fd17f2cce2c5be2c06bd8bd28652fcf20971720484f04158e7f710a217c4314ec088d98182ad2d15a6577eaee636b58fafd0e2bbe6d8f5fc963b90b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fs44LnuauHz.bat

Filesize
207B

MD5
d413acd5ce991b10f28b2e160a304982

SHA1
21e7c3cc11102b114397e1971f2b9af55b934550

SHA256
9974235f23a14f54c4a84880e0de03e30798945de31fddbd00d9f8347d9a704a

SHA512
e5016eaf4d6122f28f77978b2967b4441339112b780f06e58d5c9d43b6ad79965766d623265ca86b68922d662226e82f7026550a1ae87c70a9ba90831671cc1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5oaRP6nb1RZt.bat

Filesize
207B

MD5
495c7d1b22f0cd4a578a8477d5cd1afa

SHA1
9d9b9883062f153a2a07e0139e955166e034106f

SHA256
ba874a723a41f3a0a17ea33715ba557d7d9aeb90d5d284e08bc08ab4981b885c

SHA512
ce884e76f96e356457feeb239dae6b475a1f7add5c74a17c4827c4dbd74ab9f03bdf7ea8e5b14c318e467a2f0e66f496e2568c4443e08e127b8d38955b541beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7MEwuKND5oVL.bat

Filesize
207B

MD5
37b3e2d27ec947c83030d410e0e99639

SHA1
c1febce6bc825552485e19aa906395e5fed6dced

SHA256
9f4e9fdb0085c51202e47a803ea6e513a4e35db4a60266311e246c8bf55fb78a

SHA512
1015bd7659ed1d2263e78370870f91c3b0c85dd96f3391f90a8177bb85a318c5ea0eeb905f1e2d74215ac990fe819b8611d136c02697344528fae1da7c583daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\9djLtjNDOr8S.bat

Filesize
207B

MD5
121a68a0ecd89715b231fd80df93e134

SHA1
9473d4423205554fbcbba09dc6647d4edb025cc6

SHA256
5f458e3bb78445ae5763ef02faf0a9ebab23eb791f5f6328c668e02cc6de18a9

SHA512
74e31b8cb49d84728b6744ea74222d4b6c99a56c9ad76c138dc401a4688ab60ed4d84eae20d09d227c61429b937759b9971d1b427bab6cd2d0550df4163e115f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HxBb9WtX800W.bat

Filesize
207B

MD5
4e326cbb8f77dc9d49b74d2dcac533ed

SHA1
2dbdd89912ea962340c9d91627e4648eceb0f9af

SHA256
2c789a2d9e6f9ac55cbf99dd933a589a338a27dbf72c334ebf3d474cba4aa47a

SHA512
fc4adc5189b03f3d7c05f233dad7af53dcfc53b995ed75bda249c6859d89ee75f514e1ad06e7f76db70c45dace0665752a8c8d3652efb54775adf3ffb52278ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\LREAMC6WXlFS.bat

Filesize
207B

MD5
e47e65a72cf9a2c84ec0e926b2b539dd

SHA1
ba0224fca4ff04c86cfb8b121a385743397ba5b4

SHA256
8eac68d7c3ecfe67b60db295d73bb453c08b1a573c2dc8ecc7e8fe5dbcc7487a

SHA512
a0289bc6478386b34574fa62a60c7a8b37014bb37656c340d6c37f74b4b633a07c8d2943167e92f53d0882cf7fb13e4f01edc8a3cc5b82af05fc621f2dfe08c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\OTnjinlkptZc.bat

Filesize
207B

MD5
558cf44fbb2f74b25af003601d96f5c1

SHA1
264e5de6870d93514602281d0ad2c76427591058

SHA256
4f384988ddc35d179e35d25b2aecd57f1bed3da5c203b928d6b03ac7dbfedda9

SHA512
32216762ea744ebbaa943bf46a535b249b3cfa705fac4106da76aac078ab6bb26265485e4c33c0c92719a94e66e36c6e78d6115ac6aeaf94b8f1b6cb5e519f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\dk1HGVCwxqLd.bat

Filesize
207B

MD5
b034e9daa27901fddf23ee491b1b7fb5

SHA1
c95a2c90f038c4f877bdf64d7be66505ed522a29

SHA256
1afce3a9c7506b51f5c4b717d93f2a6f913ba15d416246a59428c669cdb3b366

SHA512
5dd6da35ecc880f84a1ade1c7c9b6267e4d430b0569b6f6b826b36485f83bc91dd9a1f5802e975be0da657bd21d0d04b6d8a1e577ac6ff1deb0a0f8fb106da30

Download Submit
C:\Users\Admin\AppData\Local\Temp\jeUAksNDp3nl.bat

Filesize
207B

MD5
09a0eded0f5b08638794263586d5a9a9

SHA1
f435d6d4846ec7e5ff50ef015bf0e10ed4017ce0

SHA256
a223b9eb4f117a1c44b1e6a9eb86a73ff0b2957ff02fe170a1778aa3f19a8e1b

SHA512
747eebe9b3f50f2653aec91c135a7df75a39757d063d8734ba5f781a926534debad90520924bac42ad4ebb8c981757fa072a51f28f1292ed6b1bea4d7104c9ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\lBpUBYQRGVy7.bat

Filesize
207B

MD5
f68ad10f827c1f4cab7a033bc720e4ce

SHA1
a9d6454409d3e443a8bae6d733d5aee0dbad9e9e

SHA256
95bd8fbf1d1c858d20e18ebff8c21a3350528e0ddff1a2a49e36075c90e24e4b

SHA512
0f7e97298668cc70ab0e7078cb7924ada47e06c3406b07e966ca89a8ee67b6b9faec9b580f5a86996292b51dc2f1977b113246448218edf6caf1aa0f89403527

Download Submit
C:\Users\Admin\AppData\Local\Temp\oNzrjslN3WL4.bat

Filesize
207B

MD5
7d9d9f8667e1599007b1a42ba23db3fc

SHA1
04924ed287a4c65106ae88abcae522c96d631272

SHA256
2f5bf02ba10be9d36879d688095cf9d5fd4357d578168585326504031b5f58bc

SHA512
4d6509cb125326b07128d37b8e7722011b267c9cec9360f1a131a270fdf6edf1bfdee959634e269c362b27a3a232c143e16e975681122dccee7e612a9d15529a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xCWWMEKCWX0e.bat

Filesize
207B

MD5
80e6c3d899abe14c770d06b5509c7729

SHA1
b32981ba8a82c90708a843aa0d94ebe924ebb141

SHA256
d1872ac1ec967265647c593b9f389f33d9eb819483a6d7ad7c5be5e95c7195f2

SHA512
3aede1b3e16268bbee26b66092570e471ba0a4e3d1d34b0abdedd501d5c6f513a6cbef6ea477a406634f2bedd9d488dbb1bf1954f5a0d86bfa4f2e937a0fc33a

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
a29d070abe87b2be24892421e0c763bb

SHA1
383104c7c6956a98ae5f63c743250f737700f509

SHA256
00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636

SHA512
6d2a161e8193ed3e05443bd76652b958990f01d2cc2452185f58a5bff3031d268e2fe71c009fa4938ac1cbc914ba2163133079f8218f1c67b0758f594a67f969

Download Submit
memory/1272-1-0x00000000012F0000-0x0000000001614000-memory.dmp

Filesize
3.1MB

Download
memory/1272-2-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/1272-8-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/1272-0-0x000007FEF5D03000-0x000007FEF5D04000-memory.dmp

Filesize
4KB

Download
memory/1532-137-0x00000000013E0000-0x0000000001704000-memory.dmp

Filesize
3.1MB

Download
memory/1656-10-0x0000000000F20000-0x0000000001244000-memory.dmp

Filesize
3.1MB

Download
memory/1656-11-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/1656-9-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/1656-20-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/1736-125-0x00000000002F0000-0x0000000000614000-memory.dmp

Filesize
3.1MB

Download
memory/1816-35-0x0000000000B70000-0x0000000000E94000-memory.dmp

Filesize
3.1MB

Download
memory/2144-114-0x0000000001270000-0x0000000001594000-memory.dmp

Filesize
3.1MB

Download
memory/2612-79-0x0000000000290000-0x00000000005B4000-memory.dmp

Filesize
3.1MB

Download
memory/2708-101-0x00000000008E0000-0x0000000000C04000-memory.dmp

Filesize
3.1MB

Download
memory/2748-23-0x00000000000B0000-0x00000000003D4000-memory.dmp

Filesize
3.1MB

Download
memory/2784-90-0x0000000000370000-0x0000000000694000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads