quasar | 00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe
Size

3.1MB
MD5

a29d070abe87b2be24892421e0c763bb
SHA1

383104c7c6956a98ae5f63c743250f737700f509
SHA256

00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636
SHA512

6d2a161e8193ed3e05443bd76652b958990f01d2cc2452185f58a5bff3031d268e2fe71c009fa4938ac1cbc914ba2163133079f8218f1c67b0758f594a67f969
SSDEEP

49152:Pvht62XlaSFNWPjljiFa2RoUYIygJCKI/nwoGdYTHHB72eh2NT:PvL62XlaSFNWPjljiFXRoUYIygJCi

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

interestingsigma.hopto.org:20

Mutex

11bbf22e-826e-486b-b024-adbd86228a9e

Attributes

encryption_key
7A589EDBC6A581E125BF830EF0D05FC74BB75E30
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
ctfmon
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2124-1-0x00000000000C0000-0x00000000003E4000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023c65-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
1152	Client.exe
5044	Client.exe
4664	Client.exe
4724	Client.exe
228	Client.exe
3144	Client.exe
4248	Client.exe
4688	Client.exe
4520	Client.exe
3580	Client.exe
916	Client.exe
2104	Client.exe
3460	Client.exe
3320	Client.exe
1536	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2036	PING.EXE
3548	PING.EXE
2540	PING.EXE
1044	PING.EXE
2704	PING.EXE
852	PING.EXE
2000	PING.EXE
548	PING.EXE
1064	PING.EXE
2320	PING.EXE
5112	PING.EXE
536	PING.EXE
4516	PING.EXE
1052	PING.EXE
4340	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
4516	PING.EXE
536	PING.EXE
852	PING.EXE
548	PING.EXE
2000	PING.EXE
3548	PING.EXE
1064	PING.EXE
1044	PING.EXE
2320	PING.EXE
2036	PING.EXE
1052	PING.EXE
4340	PING.EXE
2704	PING.EXE
5112	PING.EXE
2540	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2984	schtasks.exe
3968	schtasks.exe
4972	schtasks.exe
1284	schtasks.exe
892	schtasks.exe
1932	schtasks.exe
4116	schtasks.exe
4508	schtasks.exe
4260	schtasks.exe
4496	schtasks.exe
1312	schtasks.exe
2260	schtasks.exe
3832	schtasks.exe
3440	schtasks.exe
4260	schtasks.exe
3632	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe
Token: SeDebugPrivilege	1152	Client.exe
Token: SeDebugPrivilege	5044	Client.exe
Token: SeDebugPrivilege	4664	Client.exe
Token: SeDebugPrivilege	4724	Client.exe
Token: SeDebugPrivilege	228	Client.exe
Token: SeDebugPrivilege	3144	Client.exe
Token: SeDebugPrivilege	4248	Client.exe
Token: SeDebugPrivilege	4688	Client.exe
Token: SeDebugPrivilege	4520	Client.exe
Token: SeDebugPrivilege	3580	Client.exe
Token: SeDebugPrivilege	916	Client.exe
Token: SeDebugPrivilege	2104	Client.exe
Token: SeDebugPrivilege	3460	Client.exe
Token: SeDebugPrivilege	3320	Client.exe
Token: SeDebugPrivilege	1536	Client.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
1152	Client.exe
5044	Client.exe
4664	Client.exe
4724	Client.exe
228	Client.exe
3144	Client.exe
4248	Client.exe
4688	Client.exe
4520	Client.exe
3580	Client.exe
916	Client.exe
2104	Client.exe
3460	Client.exe
3320	Client.exe
1536	Client.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
1152	Client.exe
5044	Client.exe
4664	Client.exe
4724	Client.exe
228	Client.exe
3144	Client.exe
4248	Client.exe
4688	Client.exe
4520	Client.exe
3580	Client.exe
916	Client.exe
2104	Client.exe
3460	Client.exe
3320	Client.exe
1536	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 892	2124	00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe	83
PID 2124 wrote to memory of 892	2124	00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe	83
PID 2124 wrote to memory of 1152	2124	00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe	85
PID 2124 wrote to memory of 1152	2124	00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe	85
PID 1152 wrote to memory of 2984	1152	Client.exe	86
PID 1152 wrote to memory of 2984	1152	Client.exe	86
PID 1152 wrote to memory of 3600	1152	Client.exe	88
PID 1152 wrote to memory of 3600	1152	Client.exe	88
PID 3600 wrote to memory of 4616	3600	cmd.exe	90
PID 3600 wrote to memory of 4616	3600	cmd.exe	90
PID 3600 wrote to memory of 4516	3600	cmd.exe	91
PID 3600 wrote to memory of 4516	3600	cmd.exe	91
PID 3600 wrote to memory of 5044	3600	cmd.exe	101
PID 3600 wrote to memory of 5044	3600	cmd.exe	101
PID 5044 wrote to memory of 3632	5044	Client.exe	105
PID 5044 wrote to memory of 3632	5044	Client.exe	105
PID 5044 wrote to memory of 4544	5044	Client.exe	107
PID 5044 wrote to memory of 4544	5044	Client.exe	107
PID 4544 wrote to memory of 3200	4544	cmd.exe	110
PID 4544 wrote to memory of 3200	4544	cmd.exe	110
PID 4544 wrote to memory of 1052	4544	cmd.exe	111
PID 4544 wrote to memory of 1052	4544	cmd.exe	111
PID 4544 wrote to memory of 4664	4544	cmd.exe	113
PID 4544 wrote to memory of 4664	4544	cmd.exe	113
PID 4664 wrote to memory of 3832	4664	Client.exe	114
PID 4664 wrote to memory of 3832	4664	Client.exe	114
PID 4664 wrote to memory of 3892	4664	Client.exe	116
PID 4664 wrote to memory of 3892	4664	Client.exe	116
PID 3892 wrote to memory of 2812	3892	cmd.exe	119
PID 3892 wrote to memory of 2812	3892	cmd.exe	119
PID 3892 wrote to memory of 1044	3892	cmd.exe	120
PID 3892 wrote to memory of 1044	3892	cmd.exe	120
PID 3892 wrote to memory of 4724	3892	cmd.exe	124
PID 3892 wrote to memory of 4724	3892	cmd.exe	124
PID 4724 wrote to memory of 2260	4724	Client.exe	126
PID 4724 wrote to memory of 2260	4724	Client.exe	126
PID 4724 wrote to memory of 2984	4724	Client.exe	129
PID 4724 wrote to memory of 2984	4724	Client.exe	129
PID 2984 wrote to memory of 4120	2984	cmd.exe	131
PID 2984 wrote to memory of 4120	2984	cmd.exe	131
PID 2984 wrote to memory of 4340	2984	cmd.exe	132
PID 2984 wrote to memory of 4340	2984	cmd.exe	132
PID 2984 wrote to memory of 228	2984	cmd.exe	133
PID 2984 wrote to memory of 228	2984	cmd.exe	133
PID 228 wrote to memory of 4260	228	Client.exe	134
PID 228 wrote to memory of 4260	228	Client.exe	134
PID 228 wrote to memory of 1392	228	Client.exe	137
PID 228 wrote to memory of 1392	228	Client.exe	137
PID 1392 wrote to memory of 2148	1392	cmd.exe	139
PID 1392 wrote to memory of 2148	1392	cmd.exe	139
PID 1392 wrote to memory of 2704	1392	cmd.exe	140
PID 1392 wrote to memory of 2704	1392	cmd.exe	140
PID 1392 wrote to memory of 3144	1392	cmd.exe	141
PID 1392 wrote to memory of 3144	1392	cmd.exe	141
PID 3144 wrote to memory of 1932	3144	Client.exe	142
PID 3144 wrote to memory of 1932	3144	Client.exe	142
PID 3144 wrote to memory of 2752	3144	Client.exe	144
PID 3144 wrote to memory of 2752	3144	Client.exe	144
PID 2752 wrote to memory of 1228	2752	cmd.exe	147
PID 2752 wrote to memory of 1228	2752	cmd.exe	147
PID 2752 wrote to memory of 2320	2752	cmd.exe	148
PID 2752 wrote to memory of 2320	2752	cmd.exe	148
PID 2752 wrote to memory of 4248	2752	cmd.exe	149
PID 2752 wrote to memory of 4248	2752	cmd.exe	149

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe
"C:\Users\Admin\AppData\Local\Temp\00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:892
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AjpKsPliaIIw.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4616
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4516
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:5044
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3632
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmZycvMooz1K.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4544
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3200
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1052
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\95mgotd4trTI.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2812
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1044
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R3JtSKrQIroK.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4120
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4340
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\38WEtlEwZqOm.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2704
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKI2bQ0AFa1w.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1228
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2320
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4248
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TQERWueo94OT.bat" "
        15⤵
        
        PID:2684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:536
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4688
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zyjz15wcvJyu.bat" "
        17⤵
        
        PID:4612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:852
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4520
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rNPOhINRoy2M.bat" "
        19⤵
        
        PID:4608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1472
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2036
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3580
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z1a5hQRcqX7n.bat" "
        21⤵
        
        PID:4728
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2704
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2000
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:916
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5OHjwRbsYEfY.bat" "
        23⤵
        
        PID:1728
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2324
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3548
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2104
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HjEV4wOJVk6q.bat" "
        25⤵
        
        PID:2380
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:868
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5112
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3460
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rh4bQeLLbmo3.bat" "
        27⤵
        
        PID:2632
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2340
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:548
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3320
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sAnbepl0qdhc.bat" "
        29⤵
        
        PID:1472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4600
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1064
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1536
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LgDv0A9KrrNw.bat" "
        31⤵
        
        PID:4516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2532
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\38WEtlEwZqOm.bat

Filesize
207B

MD5
911d281a049a005ba7a938ce6775dc21

SHA1
51959d15443225b86ca4199108bdd586fe66b1b3

SHA256
4e91d03301b6a6dd3fa30eb50c9f95168c373e6ebf3d5c7cf696d7f131d85fc4

SHA512
98dee6bb69e8a77dc685f08985bbf5d3e85337617fc28f7417bf298d7de473cf234aa93f63bb293e8b4f6aee27a7a024f3966e7131b40727e57f42bc0b89bad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\5OHjwRbsYEfY.bat

Filesize
207B

MD5
3a790ec245f4183f6bdc21bb31eeede9

SHA1
94626f65eadc820ba2e828d2bed46fb0444ff285

SHA256
a76a1bc47f4215529a9f5ba4bf8416dc1495c3c82700425fb818ac7d007d2de7

SHA512
553df128ec23435dd985f965b1464e12c2369fe8d00265797c7b4cb3a114d208b976512d13ade3fb4b86288650c926e6af0815466cb8929b8d45d57bdf488451

Download Submit
C:\Users\Admin\AppData\Local\Temp\95mgotd4trTI.bat

Filesize
207B

MD5
d07bbcbecbb1204691a63895601c7733

SHA1
93e6b9748fcd897aaf8787980ebb330c89a8c83d

SHA256
bd839975fc485f974a98ab076840acc7b543189cef335cb69dffa0d7b423d3b5

SHA512
c183a632bb790ca62ec4964ee3de3d51bc375c5f4499da3c456b996855a793350d09fdca9a26003917dc1611e0a5eb132629316c87e255f1fea2ec6cb78477ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\AjpKsPliaIIw.bat

Filesize
207B

MD5
e20267463eebfdc8a5860e92f39e0a56

SHA1
c098b1341fa93cf0aa0c30e17f91bd0a052f81d9

SHA256
198942ca659c2b18865fae1c97a2a3c1b586b738b47da8d3f914fd3b1661348c

SHA512
4a19146c3cc7148a7b0c02042a19b8b322b444c777680b823da936fd906c77a94435cfc2fcc2f5e3c6c5c23c3e786b1c3df97ae34527601f582affff285033b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GmZycvMooz1K.bat

Filesize
207B

MD5
18232a1d0931a5eb5e09575949bbc8ec

SHA1
a880bde37e1a56a5ad8eda7924f8e50c550595d9

SHA256
48be04f1769fbc110c8e714489283341602e8969ea5a88b82fe4ede1b9f1954f

SHA512
bdd0937049f7fc4debbbd444dc8da4d9b77d8e291007f389e4e1130ba26b46a87914b9a7b1320543823502f5e08fa7f8b1af6b7244429128400a88de6aaf350f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HjEV4wOJVk6q.bat

Filesize
207B

MD5
bbf49d605c7ab70dcef1685e25a65284

SHA1
78af9b5e5bdd1e71607709254adf18f4373de61d

SHA256
2099f0b8d691aced90ce49e5103d7436f57f1f935e6ce6d76428e695472a42eb

SHA512
d1282bb70c5feacfec54015246140426142f5c09509521c66f71101e073204f58fd4d440087bd6dd34d98b37666bd44675ae71133f0cd5074818d0dedb87a5dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgDv0A9KrrNw.bat

Filesize
207B

MD5
013e57766207eaff57c360ea9a7b2839

SHA1
4ce5bb2ce0bba54b58e5b933a4a6771c4ffe75d2

SHA256
3daba5d32f974ed0f1c4920d2248a6ae399266659f3937ee5c01bc23ba0413dd

SHA512
a7186a74b74c4ac182513190204fb163dc00e7ee81791dcb1d6f0293a785dd74c93a7ad10611ebbc13ab5713fd69d5db2b71cdd707ea6b5d1f0419bd1dc87b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\R3JtSKrQIroK.bat

Filesize
207B

MD5
0c07726e196169382275c959ebc083f9

SHA1
bcec0879ac06e441e4ddcd7d22c9d8c5fe1e0caf

SHA256
dddf2478b7b4eb2b0156cd59277f7b07dee6a791cba08d0de27c9754060ceada

SHA512
f1762df6177e5c799917b2f14ae26e7f172658b7e45c5f9cc22cf003604c2f616f9bd596ab67878303865be0b7d81e614698177e90ffdc895c5c2bf3e8fae3c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TQERWueo94OT.bat

Filesize
207B

MD5
f95238669d2dd482ce03a571119d224a

SHA1
d7d5e15d41e6038e221c44c5ba670f169f3063c3

SHA256
5a56ef8d1d7967275b549618dc3504d5764e613a7d559b7c4cd7c3f8989ac5a5

SHA512
5b4b15fc8e7dda28ba1ce578b1372a59774d2d96c9c7f8cb8c0855d8f6b3cb87b723e7bc5ce9c09d63ae25032bca028620f1dfe8a4db20402a012f3e9ce11b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\WKI2bQ0AFa1w.bat

Filesize
207B

MD5
f6e7c66b0cd37f48e6b9f4280e3e7c86

SHA1
a0e85ec73f16495977f20314c3c8c5b9810588c6

SHA256
f62e79079eb060f1b0ef375d2ceadd79de98836244f45a56afdafb40eba91838

SHA512
e1dd4fee393d0a6c85e1a083f9b64f31b1549453850431dc86a7c08292663c403a194d36306cfac036b09705810a157c12e393d4cceae5f7801811e5288452c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z1a5hQRcqX7n.bat

Filesize
207B

MD5
ced8183f062d8d0c2723dab47a026b76

SHA1
0010b6e3f7d703421058ef0dac3538cf5c8b5350

SHA256
3aaceaa15f51bc4e9a80d5d41b1930b54c5f295266269d26c828f5f1cd4af6fe

SHA512
c20a11383da7360278c3d301fa6544fd53ed9faa5d6da1d4f9defd30254a279d1ce82f82e56bb90154d6d6762ac4b8c4df7e51e700ffbe5f0a4f0d6e5465788f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zyjz15wcvJyu.bat

Filesize
207B

MD5
2bcdc532c1830a914ddd7053b035c498

SHA1
b168ac3b9157a8c406b273956b7eebba3af3c81f

SHA256
2a5248607ed01e0356ceaebc8be6fbcb9dc81c964e3b67a2fe1c7f123f145f44

SHA512
fbe72600811f6da5d8bb2acd67c925b6a890ffc1bb28f75155a907eeedc046353cc9899d77c235765ec3a14b166b206b149ca1f6c6260b8b9561ff08acc53462

Download Submit
C:\Users\Admin\AppData\Local\Temp\rNPOhINRoy2M.bat

Filesize
207B

MD5
62ee6038224c36c0069a478185a9aaf6

SHA1
07a90bf633693d4ff6bd53d30f21a20bf7de9bb0

SHA256
3620094064883bc278518858f13009933f01cdae49a1f925b685af7174126aa7

SHA512
5cbbeae19d16fd7434fed6f0ec5a07b9e28d547872b60777abf7792ebc08b71ced4d659ea7b64f249f287b0828263cf6e16402f2706fb65db19f850eabd6ac42

Download Submit
C:\Users\Admin\AppData\Local\Temp\rh4bQeLLbmo3.bat

Filesize
207B

MD5
3ab95da538ea40a87915cdb6131541ee

SHA1
482d371e7b23e57abfccee0fb010b38a81047b6f

SHA256
22e9eae116b7a9bdadc3c9bdb09af60fc5f2686ce86b903d9497cc3c72948a8e

SHA512
39ff3b682983008e1cd7f196626ee42890253b2ab26cb3fe62ddbed95dc2b26f827843f1b6168f6ae2ee888d4033aa56cd58aafcc1adc0abcef6089802fd4830

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAnbepl0qdhc.bat

Filesize
207B

MD5
4be5baa97324d932ba1449af6f5ba72b

SHA1
0b94d897b917d5f2cc7547506919dd22b41b0ea9

SHA256
7a3b89e632b8ae4f8200af0e809856b2304d63be95b7d9d17d82d2bda666952e

SHA512
f7375eec376b82c4638a7bf768b1ba96ca4280491ef344f58849677065194cff777d0aa0d7c7191ca1d9ec1261fc5adcc3a2d8d278f0dcda46bcfad282a5ca4a

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
a29d070abe87b2be24892421e0c763bb

SHA1
383104c7c6956a98ae5f63c743250f737700f509

SHA256
00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636

SHA512
6d2a161e8193ed3e05443bd76652b958990f01d2cc2452185f58a5bff3031d268e2fe71c009fa4938ac1cbc914ba2163133079f8218f1c67b0758f594a67f969

Download Submit
memory/1152-11-0x00007FFBC48C0000-0x00007FFBC5381000-memory.dmp

Filesize
10.8MB

Download
memory/1152-9-0x00007FFBC48C0000-0x00007FFBC5381000-memory.dmp

Filesize
10.8MB

Download
memory/1152-18-0x00007FFBC48C0000-0x00007FFBC5381000-memory.dmp

Filesize
10.8MB

Download
memory/1152-12-0x000000001BE80000-0x000000001BED0000-memory.dmp

Filesize
320KB

Download
memory/1152-13-0x000000001BF90000-0x000000001C042000-memory.dmp

Filesize
712KB

Download
memory/2124-0-0x00007FFBC48C3000-0x00007FFBC48C5000-memory.dmp

Filesize
8KB

Download
memory/2124-10-0x00007FFBC48C0000-0x00007FFBC5381000-memory.dmp

Filesize
10.8MB

Download
memory/2124-2-0x00007FFBC48C0000-0x00007FFBC5381000-memory.dmp

Filesize
10.8MB

Download
memory/2124-1-0x00000000000C0000-0x00000000003E4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads