Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 17-12-2024 03:26
Behavioral task: behavioral1
Sample: 7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6.exe
Resource: win7-20240903-en
General
Target: 7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6.exe
Size: 3.1MB
MD5: 5c73e901190eb50c2794a879a354417d
SHA1: e7e0e5552b9656e3790aa748f9af8774b606ed66
SHA256: 7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6
SHA512: fc3bb5c1c6b2917e6169cfc7633f91335eda82c68518f801e26805fc6381afb54508dbc689eb7c946ebe5e6195b37daa1639243e3fef3ee2073dbb1aa8495fd6
SSDEEP: 49152:Wvkt62XlaSFNWPjljiFa2RoUYIf1So1J/UoGd8zTHHB72eh2NT:Wv462XlaSFNWPjljiFXRoUYIf1SX
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet/tag: Office04
C2: hilol.zapto.org:20
Mutex: 11bbf22e-826e-486b-b024-adbd86228a9e
encryption_key: 7A589EDBC6A581E125BF830EF0D05FC74BB75E30
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: ctfmon
subdirectory: SubDir

How these fields map onto the behaviour recorded further down: subdirectory and install_name give the install path C:\Users\Admin\AppData\Roaming\SubDir\Client.exe; startup_key is the name of the scheduled task the client registers (it matches the name of the Windows text-services loader ctfmon.exe, so the task name alone is not a reliable indicator); reconnect_delay is in milliseconds; the C2 is a dynamic-DNS hostname (zapto.org is a No-IP domain) on TCP port 20. The C2 host:port, the mutex GUID and the task name are the durable hunting indicators; the 3.1MB file hash changes with every rebuild of the client.
Signatures

Quasar family

Quasar payload (11 IoCs)
resource                                                                     yara_rule
behavioral1/memory/2156-1-0x00000000010C0000-0x00000000013E4000-memory.dmp   family_quasar
behavioral1/files/0x0008000000016ab9-6.dat                                   family_quasar
behavioral1/memory/1984-8-0x0000000000DC0000-0x00000000010E4000-memory.dmp   family_quasar
behavioral1/memory/2900-23-0x0000000001230000-0x0000000001554000-memory.dmp  family_quasar
behavioral1/memory/2128-44-0x0000000000030000-0x0000000000354000-memory.dmp  family_quasar
behavioral1/memory/1104-55-0x0000000000260000-0x0000000000584000-memory.dmp  family_quasar
behavioral1/memory/924-66-0x0000000000270000-0x0000000000594000-memory.dmp   family_quasar
behavioral1/memory/2336-77-0x0000000000A40000-0x0000000000D64000-memory.dmp  family_quasar
behavioral1/memory/2708-98-0x0000000001370000-0x0000000001694000-memory.dmp  family_quasar
behavioral1/memory/1496-129-0x00000000002E0000-0x0000000000604000-memory.dmp family_quasar
behavioral1/memory/1540-140-0x00000000012B0000-0x00000000015D4000-memory.dmp family_quasar
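The eleven YARA hits above are easier to reason about once parsed: each memory hit carries a PID and an address range, and the size of that range tells you whether the same image is mapped in every process that matched. The Python below is an added example written for this page, not sandbox output and not Quasar code. It embeds the IoC strings from the signature above and the PID list from the "Executes dropped EXE" signature further down, checks that every matched region has the same size, and reports which dropped Client.exe launches never produced a memory dump.

```python
import re
from typing import NamedTuple

# The eleven IoC strings from the "Quasar payload" signature of this report, verbatim.
QUASAR_PAYLOAD_IOCS = """
behavioral1/memory/2156-1-0x00000000010C0000-0x00000000013E4000-memory.dmp family_quasar
behavioral1/files/0x0008000000016ab9-6.dat family_quasar
behavioral1/memory/1984-8-0x0000000000DC0000-0x00000000010E4000-memory.dmp family_quasar
behavioral1/memory/2900-23-0x0000000001230000-0x0000000001554000-memory.dmp family_quasar
behavioral1/memory/2128-44-0x0000000000030000-0x0000000000354000-memory.dmp family_quasar
behavioral1/memory/1104-55-0x0000000000260000-0x0000000000584000-memory.dmp family_quasar
behavioral1/memory/924-66-0x0000000000270000-0x0000000000594000-memory.dmp family_quasar
behavioral1/memory/2336-77-0x0000000000A40000-0x0000000000D64000-memory.dmp family_quasar
behavioral1/memory/2708-98-0x0000000001370000-0x0000000001694000-memory.dmp family_quasar
behavioral1/memory/1496-129-0x00000000002E0000-0x0000000000604000-memory.dmp family_quasar
behavioral1/memory/1540-140-0x00000000012B0000-0x00000000015D4000-memory.dmp family_quasar
"""

# PIDs listed under "Executes dropped EXE" in this report, plus the PID of the submitted sample.
DROPPED_EXE_PIDS = {1984, 2900, 2996, 2128, 1104, 924, 2336, 2740,
                    2708, 2656, 540, 1496, 1540, 2492, 1396, 2012}
ORIGINAL_PID = 2156

# behavioral<n>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp <rule>
MEMORY_RE = re.compile(
    r"behavioral\d+/memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp\s+(\S+)")
# behavioral<n>/files/<dropped file> <rule>
FILE_RE = re.compile(r"behavioral\d+/files/(\S+)\s+(\S+)")


class MemoryHit(NamedTuple):
    pid: int
    seq: int
    start: int
    end: int
    rule: str

    @property
    def size(self):
        return self.end - self.start


def parse_memory_hits(text):
    """Memory-dump hits only; file hits carry no address range and are parsed separately."""
    return [MemoryHit(int(p), int(s), int(a, 16), int(b, 16), r)
            for p, s, a, b, r in MEMORY_RE.findall(text)]


def parse_file_hits(text):
    """(dropped-file name, rule) pairs."""
    return FILE_RE.findall(text)


def region_sizes(hits):
    """Distinct sizes of the matched regions; a single value means one image size everywhere."""
    return sorted({h.size for h in hits})


def triage(text, dropped=DROPPED_EXE_PIDS, original=ORIGINAL_PID):
    hits = parse_memory_hits(text)
    dumped = {h.pid for h in hits}
    sizes = region_sizes(hits)
    return {
        "memory_hits": len(hits),
        "file_hits": len(parse_file_hits(text)),
        "region_sizes": sizes,
        "same_image_everywhere": len(sizes) == 1,
        # dumped processes that are neither the sample nor a known dropped Client.exe
        "unexplained_pids": sorted(dumped - dropped - {original}),
        # dropped Client.exe launches that never got a memory dump
        "dropped_without_dump": sorted(dropped - dumped),
    }


if __name__ == "__main__":
    for key, value in triage(QUASAR_PAYLOAD_IOCS).items():
        print(f"{key}: {value}")
```

All ten memory regions are exactly 0x324000 bytes (3,293,184 bytes, consistent with one 3.1 MB image) and every dumped PID other than the sample itself is one of the dropped Client.exe processes. Seven of the sixteen Client.exe launches (540, 1396, 2012, 2492, 2656, 2740, 2996) have no dump at all, so for those the payload is attested only by the dropped-file hash in the Downloads section, not by memory.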
Executes dropped EXE (16 IoCs)
pid   Process
1984  Client.exe
2900  Client.exe
2996  Client.exe
2128  Client.exe
1104  Client.exe
924   Client.exe
2336  Client.exe
2740  Client.exe
2708  Client.exe
2656  Client.exe
540   Client.exe
1496  Client.exe
1540  Client.exe
2492  Client.exe
1396  Client.exe
2012  Client.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid   Process
2852  PING.EXE
572   PING.EXE
3032  PING.EXE
3012  PING.EXE
1128  PING.EXE
564   PING.EXE
2676  PING.EXE
2008  PING.EXE
3048  PING.EXE
2476  PING.EXE
1672  PING.EXE
2604  PING.EXE
1292  PING.EXE
2100  PING.EXE
2836  PING.EXE

Runs ping.exe (1 TTPs, 15 IoCs)
The same fifteen processes as the previous signature. Every one of them runs "ping -n 10 localhost" (see the process tree below), so this is a delay loop inside the restart batch file rather than a genuine Internet-connectivity check.
pid   Process
2676  PING.EXE
2852  PING.EXE
2476  PING.EXE
572   PING.EXE
1672  PING.EXE
3012  PING.EXE
2100  PING.EXE
1292  PING.EXE
2836  PING.EXE
2604  PING.EXE
1128  PING.EXE
2008  PING.EXE
3048  PING.EXE
564   PING.EXE
3032  PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2648  schtasks.exe
3068  schtasks.exe
3068  schtasks.exe
1028  schtasks.exe
2728  schtasks.exe
2496  schtasks.exe
2228  schtasks.exe
2268  schtasks.exe
2760  schtasks.exe
2060  schtasks.exe
2240  schtasks.exe
1888  schtasks.exe
2676  schtasks.exe
1488  schtasks.exe
1312  schtasks.exe
2420  schtasks.exe
(PID 3068 appears twice and PID 2676 also appears above as PING.EXE: PIDs were recycled during the run, so do not join these tables on PID alone.)

Suspicious use of AdjustPrivilegeToken (16 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2156  7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6.exe
Token: SeDebugPrivilege  1984  Client.exe
Token: SeDebugPrivilege  2900  Client.exe
Token: SeDebugPrivilege  2996  Client.exe
Token: SeDebugPrivilege  2128  Client.exe
Token: SeDebugPrivilege  1104  Client.exe
Token: SeDebugPrivilege  924   Client.exe
Token: SeDebugPrivilege  2336  Client.exe
Token: SeDebugPrivilege  2740  Client.exe
Token: SeDebugPrivilege  2708  Client.exe
Token: SeDebugPrivilege  2656  Client.exe
Token: SeDebugPrivilege  540   Client.exe
Token: SeDebugPrivilege  1496  Client.exe
Token: SeDebugPrivilege  1540  Client.exe
Token: SeDebugPrivilege  2492  Client.exe
Token: SeDebugPrivilege  1396  Client.exe
Suspicious use of WriteProcessMemory (64 IoCs; the listing stops at 64 entries, partway down the process chain)
description                        pid   Process                                                                 procid_target
PID 2156 wrote to memory of 2268   2156  7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6.exe  30
PID 2156 wrote to memory of 2268   2156  7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6.exe  30
PID 2156 wrote to memory of 2268   2156  7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6.exe  30
PID 2156 wrote to memory of 1984   2156  7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6.exe  32
PID 2156 wrote to memory of 1984   2156  7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6.exe  32
PID 2156 wrote to memory of 1984   2156  7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6.exe  32
PID 1984 wrote to memory of 1488   1984  Client.exe  33
PID 1984 wrote to memory of 1488   1984  Client.exe  33
PID 1984 wrote to memory of 1488   1984  Client.exe  33
PID 1984 wrote to memory of 2408   1984  Client.exe  36
PID 1984 wrote to memory of 2408   1984  Client.exe  36
PID 1984 wrote to memory of 2408   1984  Client.exe  36
PID 2408 wrote to memory of 2700   2408  cmd.exe     38
PID 2408 wrote to memory of 2700   2408  cmd.exe     38
PID 2408 wrote to memory of 2700   2408  cmd.exe     38
PID 2408 wrote to memory of 2852   2408  cmd.exe     39
PID 2408 wrote to memory of 2852   2408  cmd.exe     39
PID 2408 wrote to memory of 2852   2408  cmd.exe     39
PID 2408 wrote to memory of 2900   2408  cmd.exe     40
PID 2408 wrote to memory of 2900   2408  cmd.exe     40
PID 2408 wrote to memory of 2900   2408  cmd.exe     40
PID 2900 wrote to memory of 2760   2900  Client.exe  41
PID 2900 wrote to memory of 2760   2900  Client.exe  41
PID 2900 wrote to memory of 2760   2900  Client.exe  41
PID 2900 wrote to memory of 2672   2900  Client.exe  43
PID 2900 wrote to memory of 2672   2900  Client.exe  43
PID 2900 wrote to memory of 2672   2900  Client.exe  43
PID 2672 wrote to memory of 940    2672  cmd.exe     45
PID 2672 wrote to memory of 940    2672  cmd.exe     45
PID 2672 wrote to memory of 940    2672  cmd.exe     45
PID 2672 wrote to memory of 3048   2672  cmd.exe     46
PID 2672 wrote to memory of 3048   2672  cmd.exe     46
PID 2672 wrote to memory of 3048   2672  cmd.exe     46
PID 2672 wrote to memory of 2996   2672  cmd.exe     47
PID 2672 wrote to memory of 2996   2672  cmd.exe     47
PID 2672 wrote to memory of 2996   2672  cmd.exe     47
PID 2996 wrote to memory of 2060   2996  Client.exe  48
PID 2996 wrote to memory of 2060   2996  Client.exe  48
PID 2996 wrote to memory of 2060   2996  Client.exe  48
PID 2996 wrote to memory of 1684   2996  Client.exe  50
PID 2996 wrote to memory of 1684   2996  Client.exe  50
PID 2996 wrote to memory of 1684   2996  Client.exe  50
PID 1684 wrote to memory of 2696   1684  cmd.exe     52
PID 1684 wrote to memory of 2696   1684  cmd.exe     52
PID 1684 wrote to memory of 2696   1684  cmd.exe     52
PID 1684 wrote to memory of 2476   1684  cmd.exe     53
PID 1684 wrote to memory of 2476   1684  cmd.exe     53
PID 1684 wrote to memory of 2476   1684  cmd.exe     53
PID 1684 wrote to memory of 2128   1684  cmd.exe     54
PID 1684 wrote to memory of 2128   1684  cmd.exe     54
PID 1684 wrote to memory of 2128   1684  cmd.exe     54
PID 2128 wrote to memory of 3068   2128  Client.exe  55
PID 2128 wrote to memory of 3068   2128  Client.exe  55
PID 2128 wrote to memory of 3068   2128  Client.exe  55
PID 2128 wrote to memory of 2388   2128  Client.exe  57
PID 2128 wrote to memory of 2388   2128  Client.exe  57
PID 2128 wrote to memory of 2388   2128  Client.exe  57
PID 2388 wrote to memory of 556    2388  cmd.exe     59
PID 2388 wrote to memory of 556    2388  cmd.exe     59
PID 2388 wrote to memory of 556    2388  cmd.exe     59
PID 2388 wrote to memory of 572    2388  cmd.exe     60
PID 2388 wrote to memory of 572    2388  cmd.exe     60
PID 2388 wrote to memory of 572    2388  cmd.exe     60
PID 2388 wrote to memory of 1104   2388  cmd.exe     61

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
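The WriteProcessMemory list above is enough to rebuild the parent/child chain, provided you collapse the three log lines the sandbox emits for every pair and resolve child PIDs to image names (the signature only names the parent). The Python below is an added example written for this page, not sandbox output and not Quasar code. It embeds the first 36 records verbatim and a PID-to-image map copied from the Processes section, then follows the Client.exe to cmd.exe to Client.exe hops that form the restart loop visible in the tree and lists every process that launched schtasks.exe.

```python
import re
from collections import Counter, defaultdict

# The first 36 records of the "Suspicious use of WriteProcessMemory" signature above, verbatim
# (every parent/child pair appears three times in the report, as it does here).
WPM_RECORDS = """
PID 2156 wrote to memory of 2268 2156 7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6.exe 30
PID 2156 wrote to memory of 2268 2156 7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6.exe 30
PID 2156 wrote to memory of 2268 2156 7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6.exe 30
PID 2156 wrote to memory of 1984 2156 7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6.exe 32
PID 2156 wrote to memory of 1984 2156 7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6.exe 32
PID 2156 wrote to memory of 1984 2156 7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6.exe 32
PID 1984 wrote to memory of 1488 1984 Client.exe 33
PID 1984 wrote to memory of 1488 1984 Client.exe 33
PID 1984 wrote to memory of 1488 1984 Client.exe 33
PID 1984 wrote to memory of 2408 1984 Client.exe 36
PID 1984 wrote to memory of 2408 1984 Client.exe 36
PID 1984 wrote to memory of 2408 1984 Client.exe 36
PID 2408 wrote to memory of 2700 2408 cmd.exe 38
PID 2408 wrote to memory of 2700 2408 cmd.exe 38
PID 2408 wrote to memory of 2700 2408 cmd.exe 38
PID 2408 wrote to memory of 2852 2408 cmd.exe 39
PID 2408 wrote to memory of 2852 2408 cmd.exe 39
PID 2408 wrote to memory of 2852 2408 cmd.exe 39
PID 2408 wrote to memory of 2900 2408 cmd.exe 40
PID 2408 wrote to memory of 2900 2408 cmd.exe 40
PID 2408 wrote to memory of 2900 2408 cmd.exe 40
PID 2900 wrote to memory of 2760 2900 Client.exe 41
PID 2900 wrote to memory of 2760 2900 Client.exe 41
PID 2900 wrote to memory of 2760 2900 Client.exe 41
PID 2900 wrote to memory of 2672 2900 Client.exe 43
PID 2900 wrote to memory of 2672 2900 Client.exe 43
PID 2900 wrote to memory of 2672 2900 Client.exe 43
PID 2672 wrote to memory of 940 2672 cmd.exe 45
PID 2672 wrote to memory of 940 2672 cmd.exe 45
PID 2672 wrote to memory of 940 2672 cmd.exe 45
PID 2672 wrote to memory of 3048 2672 cmd.exe 46
PID 2672 wrote to memory of 3048 2672 cmd.exe 46
PID 2672 wrote to memory of 3048 2672 cmd.exe 46
PID 2672 wrote to memory of 2996 2672 cmd.exe 47
PID 2672 wrote to memory of 2996 2672 cmd.exe 47
PID 2672 wrote to memory of 2996 2672 cmd.exe 47
"""

# Image name per PID, copied from the Processes section of this report (first two restart cycles).
IMAGE = {2156: "7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6.exe",
         2268: "schtasks.exe", 1984: "Client.exe", 1488: "schtasks.exe", 2408: "cmd.exe",
         2700: "chcp.com", 2852: "PING.EXE", 2900: "Client.exe", 2760: "schtasks.exe",
         2672: "cmd.exe", 940: "chcp.com", 3048: "PING.EXE", 2996: "Client.exe"}

# "PID <parent> wrote to memory of <child> <parent> <parent image> <procid_target>"
RECORD_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_records(text):
    """Count how often each (parent, child) pair is logged and remember the parent's image name."""
    counts, parent_image = Counter(), {}
    for m in RECORD_RE.finditer(text):
        parent, child = int(m[1]), int(m[2])
        counts[(parent, child)] += 1
        parent_image[parent] = m[3]
    return counts, parent_image


def children_map(counts):
    """parent PID -> child PIDs in first-seen order (the Counter already collapsed duplicates)."""
    kids = defaultdict(list)
    for parent, child in counts:
        kids[parent].append(child)
    return kids


def relaunch_chain(kids, image, start):
    """Follow Client.exe -> cmd.exe -> Client.exe hops; each hop is one restart through a .bat."""
    chain = [start]
    while True:
        nxt = [g for c in kids.get(chain[-1], []) if image.get(c) == "cmd.exe"
               for g in kids.get(c, []) if image.get(g) == "Client.exe"]
        if not nxt:
            return chain
        chain.append(nxt[0])


def spawned_schtasks(kids, image):
    """PIDs that launched schtasks.exe, i.e. every process that (re)registered the task."""
    return sorted(p for p, cs in kids.items() if any(image.get(c) == "schtasks.exe" for c in cs))


def analyse(text, image=IMAGE, first_client=1984):
    counts, parent_image = parse_records(text)
    kids = children_map(counts)
    return {
        "unique_pairs": len(counts),
        "log_lines_per_pair": sorted(set(counts.values())),
        # parents whose logged image disagrees with the Processes section (should be empty)
        "image_mismatches": sorted(p for p, n in parent_image.items() if image.get(p) != n),
        "client_generations": relaunch_chain(kids, image, first_client),
        "task_registrars": spawned_schtasks(kids, image),
    }


if __name__ == "__main__":
    for key, value in analyse(WPM_RECORDS).items():
        print(f"{key}: {value}")
```

On these 36 records the twelve unique pairs are each logged exactly three times, the chain from the first dropped client runs 1984, 2900, 2996, and the sample plus each Client.exe generation in the subset (2156, 1984, 2900) is a task registrar. Feeding the full 64 records extends the chain to 2128 and then stops, because the listing is capped before the later generations.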
Processes
Process tree as recorded by the sandbox. Depth 1 is the submitted sample; an entry at depth n+1 is a child of the nearest preceding entry at depth n. Each line gives depth, PID, image, the .bat name for cmd.exe entries, and the matched signatures in brackets. Full image paths and the command lines, which are identical for every instance of an image, are listed once:
  sample        C:\Users\Admin\AppData\Local\Temp\7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6.exe, run as "C:\Users\Admin\AppData\Local\Temp\7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6.exe"
  Client.exe    C:\Users\Admin\AppData\Roaming\SubDir\Client.exe, run as "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  schtasks.exe  C:\Windows\system32\schtasks.exe, run as "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  cmd.exe       C:\Windows\system32\cmd.exe, run as cmd /c ""C:\Users\Admin\AppData\Local\Temp\<name>.bat" " with <name> given per line
  chcp.com      C:\Windows\system32\chcp.com, run as chcp 65001
  PING.EXE      C:\Windows\system32\PING.EXE, run as ping -n 10 localhost
Signature abbreviations: ADJ = Suspicious use of AdjustPrivilegeToken; WPM = Suspicious use of WriteProcessMemory; DROP = Executes dropped EXE; TASK = Scheduled Task/Job: Scheduled Task; NET = System Network Configuration Discovery: Internet Connection Discovery and Runs ping.exe.

depth  PID   image         .bat name          signatures
1      2156  sample                           [ADJ, WPM]
2      2268  schtasks.exe                     [TASK]
2      1984  Client.exe                       [DROP, ADJ, WPM]
3      1488  schtasks.exe                     [TASK]
3      2408  cmd.exe       kFAAYOaJXaBa.bat   [WPM]
4      2700  chcp.com
4      2852  PING.EXE                         [NET]
4      2900  Client.exe                       [DROP, ADJ, WPM]
5      2760  schtasks.exe                     [TASK]
5      2672  cmd.exe       2vlweeCtXPN9.bat   [WPM]
6      940   chcp.com
6      3048  PING.EXE                         [NET]
6      2996  Client.exe                       [DROP, ADJ, WPM]
7      2060  schtasks.exe                     [TASK]
7      1684  cmd.exe       H7vzmBqmQ3A8.bat   [WPM]
8      2696  chcp.com
8      2476  PING.EXE                         [NET]
8      2128  Client.exe                       [DROP, ADJ, WPM]
9      3068  schtasks.exe                     [TASK]
9      2388  cmd.exe       y9QcCMZuue1C.bat   [WPM]
10     556   chcp.com
10     572   PING.EXE                         [NET]
10     1104  Client.exe                       [DROP, ADJ]
11     1028  schtasks.exe                     [TASK]
11     1960  cmd.exe       poozotSToTuh.bat
12     880   chcp.com
12     1672  PING.EXE                         [NET]
12     924   Client.exe                       [DROP, ADJ]
13     2240  schtasks.exe                     [TASK]
13     316   cmd.exe       1Gn2fFNmguOK.bat
14     1776  chcp.com
14     564   PING.EXE                         [NET]
14     2336  Client.exe                       [DROP, ADJ]
15     2496  schtasks.exe                     [TASK]
15     2176  cmd.exe       rmSXn2f8AAae.bat
16     2500  chcp.com
16     2676  PING.EXE                         [NET]
16     2740  Client.exe                       [DROP, ADJ]
17     2728  schtasks.exe                     [TASK]
17     2780  cmd.exe       gPXMOQKRohfw.bat
18     2632  chcp.com
18     2604  PING.EXE                         [NET]
18     2708  Client.exe                       [DROP, ADJ]
19     2648  schtasks.exe                     [TASK]
19     3040  cmd.exe       jsVU6htIV35y.bat
20     1560  chcp.com
20     3032  PING.EXE                         [NET]
20     2656  Client.exe                       [DROP, ADJ]
21     1312  schtasks.exe                     [TASK]
21     2996  cmd.exe       FWdVVIjtRqsk.bat
22     1964  chcp.com
22     3012  PING.EXE                         [NET]
22     540   Client.exe                       [DROP, ADJ]
23     3068  schtasks.exe                     [TASK]
23     2220  cmd.exe       kbpkME4SSDeT.bat
24     2452  chcp.com
24     1128  PING.EXE                         [NET]
24     1496  Client.exe                       [DROP, ADJ]
25     1888  schtasks.exe                     [TASK]
25     2284  cmd.exe       sBqsnFiUrbtf.bat
26     1676  chcp.com
26     2008  PING.EXE                         [NET]
26     1540  Client.exe                       [DROP, ADJ]
27     2228  schtasks.exe                     [TASK]
27     592   cmd.exe       iLPmjdDNqm5a.bat
28     292   chcp.com
28     1292  PING.EXE                         [NET]
28     2492  Client.exe                       [DROP, ADJ]
29     2420  schtasks.exe                     [TASK]
29     2264  cmd.exe       gHKSObkkETy8.bat
30     532   chcp.com
30     2100  PING.EXE                         [NET]
30     1396  Client.exe                       [DROP, ADJ]
31     2676  schtasks.exe                     [TASK]
31     2088  cmd.exe       hV5QX6SEHh9k.bat
32     2156  chcp.com
32     2836  PING.EXE                         [NET]
32     2012  Client.exe                       [DROP]

Reading the tree: every Client.exe generation first re-registers the "ctfmon" logon task with /f, then launches cmd.exe on a differently named .bat in %TEMP% that runs chcp 65001, waits roughly ten seconds on "ping -n 10 localhost", and starts Client.exe again. Sixteen Client.exe generations fit inside the 150 s run. PIDs were recycled along the way: 2156 is both the submitted sample and a later chcp.com, 2996 is a Client.exe and a later cmd.exe, 2676 is a PING.EXE and a later schtasks.exe, and 3068 is used by two schtasks.exe instances, so any join between the signature tables and this tree needs the depth or timing as well as the PID.
Network
MITRE ATT&CK Enterprise v15
Downloads
Seventeen files were written during the run: fifteen of 207B, one of 1.9MB and one of 3.1MB. The 3.1MB file carries the same MD5, SHA1, SHA256 and SHA512 as the submitted sample, so the dropped copy is byte-identical to the original.

Filesize: 207B
MD5: 04ab16035eb7db41ef95e131cc5a288c
SHA1: 755efb114975962684e219edb54bea5fa34bc70e
SHA256: 999a3602a48ec2aa5dc1a59cb8e19da9f0151d67b89e408c5dd49128b2bad890
SHA512: a6ce02786f083519ca8d454c595018f8eb5f1c65b6d73826dde3b745bdc2ccded12dc9a2f11a1926b33b878cbc0998bcca4e67c6059629eb020b490dc88e2d3

Filesize: 207B
MD5: 9faab180b2436b7457f9012cd7657808
SHA1: 7012e1073cb7917e1ce552545ef464418d4f48ca
SHA256: adec1fea2247d22ce715e268ae0861dcee353884685a9d90abc23260d092fadf
SHA512: 63962a157e6f906a74018573e9ddeff988234d09b823be455f351f622e6f7bdedc45693777da0c328a787b56beb915010ea19cc453d7eac30ecda5091d1ded12

Filesize: 207B
MD5: 9902567734b769bdcfc89bb87bde44d0
SHA1: 390cc6113a30592564906d14a604ef0a0d488077
SHA256: c924ba39d5dcecbf7091d4e0086c6c9f801346fe866f05442dddc907da3704fa
SHA512: 2567aa082d7026af1655dac4516380bb3aeb0bf80e906771fecdd66e2ef0cabdac60a5e3104567b57fea119b96b1a1651cb72a64c5602e262eda12c8a9f71cdc

Filesize: 207B
MD5: 5c6335b6a17436e5bec46011c91f4935
SHA1: 92830e3d33e184f6683235fb4938f568ddcdfafa
SHA256: c8c4253baf075416b78ea322e056fe2eb5b5f52ba98e181fa08d2c522e466987
SHA512: ef766272f170820f1cd294c200c7d8e0b9cccd484e45abf76725f99b75a586cf3fe5440789cf0247b2af6fbb1ac505f6647eb927cef77fd8004bbd76d0c97f90

Filesize: 207B
MD5: a238f3fbaa3683a1139fd886aa937521
SHA1: bf90a2c59de67c919f4fe22dc21d6f3d5797dab0
SHA256: f55f8e57c8f5e46093ea58dfb5f4ea3cc0d27ec2d0bcaf3712286b69c84ae0a6
SHA512: 047018ee30618e96c3d4fa221e121370ae685ca6401f820425626b822bb7f0f151aabd6e8413949a09e001c6e6b169755ff2a59397f4f64aed3d29ca29cbd7b1

Filesize: 207B
MD5: e1b322245efa89b50bebdb5bc474895f
SHA1: 04569632f16033bb4acb7ab83d49623b00b44c33
SHA256: a03929cccea28a1acb907e12adc0a94639416d7eb55384ead21611ef5a270632
SHA512: 92efefb6c6293f93fe4e65b573ddedb9fba105efc47f5558821f5e3de70da523ffa474966f567299d3a4039820cc35bb76d2bfcd086264c3618189450694244b

Filesize: 207B
MD5: a3e6b7571c3aa8c951f5fb54300b1e70
SHA1: 6496fca38d598ab88c8a4a1f1e099d866d53c55b
SHA256: 7aae41f2228187395b27b10a8f7e8e36a0bb721a24d3eb2dc93c8af873663a22
SHA512: 3dd1917e340b16aeaacf23953c4f4b0856fc8d7586116d0863a33aca8fc94ad17e9849b924375422f000a5e8742e9767250326bf0d8fa3aba858e23ac797c830

Filesize: 207B
MD5: 3da7367212912a4875a060fed72c7711
SHA1: b27ea7dda43feda6b376c5163144090e62fb1a1c
SHA256: 5d951e3c41d7b074752e63a503632f6a4666bf4eb203393363f6f5ac9a9c7f11
SHA512: cf4952932db6952d184226c53ad626f29a06b12628c0d2f23909978fd99c9d0ad9861fa702a10922dd6db6ca1e2f9523a79a79db3d9003dbffe33d5bf4467af2

Filesize: 207B
MD5: a8d10820ac1bda47d9b42280737dcff9
SHA1: cbdaa22d39602e96dbacc25fa2ac13aae2ac2cc9
SHA256: 5fbadd01ca50e056e9f3d095f4890123fdb8063d061b4a9caef9ba9b3c6ff1a6
SHA512: f7e95f8db287ea67287e18ae9129d96e5db2238320c56ce416060fbd27884f1f932314b09f83aabb182df5c6c819b98dc1ba8b33cacfd7905ac61efce4dcd2ce

Filesize: 207B
MD5: 9fc9d05acb8919109ffe153c31cf4163
SHA1: 93c75cc4bf805620e5556c08cb61f43e0ec429d6
SHA256: aa6aee2f677fc2093ca7f6313dfb13225ffb587ce109f158fef8075f7a3ff0ed
SHA512: b89dc5d97d0d60ab5a05d22a43caaf969df49c269f6e646ba30160154a64ad666bd04da05b6b4ad90c99ccb57c5ebaa3ff6b9238999cbbd225c58711c72f470b

Filesize: 207B
MD5: 82c273d5a4bd98bddecf690cb9255702
SHA1: f01e34e1c698fe1aaa830c3d892a8b0c7fc16efa
SHA256: a45db94775ee3adbbf363d813ae6eaaf5323ee56f6fbdc506737976f2e3c4353
SHA512: a10ec86b9566e75e2d034a25e5ed89d8c41151eb41a01b9df15b515802befe065ce03bc73500c3e47a559bcfd6d4e42a28d895b10b59fce7df24ac6d86dc94e1

Filesize: 207B
MD5: 10630017c88699aeb2015e5fad8088ae
SHA1: 3b762b2928c8ca85a454cd8c9b932f034d77c326
SHA256: 9af17cd1137b724a4a380152d969a4f8815750a08e45b9cf91f0e1801250f636
SHA512: cce8b55794f93899875e7ebe2d94e1640a2bee1c471c6807c78a1a5c5e6bd0759ec89cea0e91f43d056b32176045025c03f81c90cdfcbce2dfbbabc141f11a53

Filesize: 207B
MD5: e086fcebc7d36510d616f1a8cc43ad9c
SHA1: acf0baf9e505befbadb6b624fa89e015f8a41679
SHA256: dbc818ef7c0e0fbedeb0a16f253ec06a86c644116765bd63324e1988d54d5ad4
SHA512: c8d37b243ce66064280bdf6043e9b93ceb135b7c2435c592d652d6fccbdd20245c75e4fcdf9c5d94d07e42dc152f99b1fd5db165d94d72c67742c14afe47b0e9

Filesize: 207B
MD5: c6b48ea34e928ea18632690f6a2fea8b
SHA1: 16d77cc0d009bebef59919cd3ad7e4b7f0269e53
SHA256: 28ffeeaf76b9ff7b430c0c0282a7bd3fa008a8e789d694d410719e04126b34b4
SHA512: 2ce2f63ce46a3c1c7e77c946589c2ea6637e06793948b8c8b7beb345216ccba36c6a1fe21e0d696a48dab6c127df03f81d14b25d1e572ca855a9794786820688

Filesize: 207B
MD5: 2ffea55b92fe3e8f726b3752bf88fbb9
SHA1: 1d1b4a39b1800cc86a10cebd010fc1e51c9720fe
SHA256: d7ed0b03398cf1cf4dcfa9a256434aa5d3151cfb82e057f1855f9c7a9ed78d76
SHA512: 6ecb633b3a6bde107fdc8fc0a8b70d9b43136479b8acf2498ffd47670847ca22b6d4db4bfd8af5be78ef67a92eb07bda283627a5e9e5e2d2d0fa510ca3486788

Filesize: 1.9MB
MD5: 646a2d174811f628b4ad53f9555523e7
SHA1: 692feac677c039300f2353b970b09ebeba26fac1
SHA256: b182600b0d0e88e345c69264df18f9226e7dd602c7f6523f4b3b7935281c798a
SHA512: 5a2e4f9130a19a42bb99296570d35a3489fee07a98e16b8993e6298db24282ad0731c587e8656a30352990ff8d28873eb3700cc96e32b2966ccf6db7e8b64635

Filesize: 3.1MB (same hashes as the submitted sample)
MD5: 5c73e901190eb50c2794a879a354417d
SHA1: e7e0e5552b9656e3790aa748f9af8774b606ed66
SHA256: 7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6
SHA512: fc3bb5c1c6b2917e6169cfc7633f91335eda82c68518f801e26805fc6381afb54508dbc689eb7c946ebe5e6195b37daa1639243e3fef3ee2073dbb1aa8495fd6