quasar | 7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6

Analysis

max time kernel
146s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6.exe
Size

3.1MB
MD5

5c73e901190eb50c2794a879a354417d
SHA1

e7e0e5552b9656e3790aa748f9af8774b606ed66
SHA256

7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6
SHA512

fc3bb5c1c6b2917e6169cfc7633f91335eda82c68518f801e26805fc6381afb54508dbc689eb7c946ebe5e6195b37daa1639243e3fef3ee2073dbb1aa8495fd6
SSDEEP

49152:Wvkt62XlaSFNWPjljiFa2RoUYIf1So1J/UoGd8zTHHB72eh2NT:Wv462XlaSFNWPjljiFXRoUYIf1SX

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

hilol.zapto.org:20

Mutex

11bbf22e-826e-486b-b024-adbd86228a9e

Attributes

encryption_key
7A589EDBC6A581E125BF830EF0D05FC74BB75E30
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
ctfmon
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/1052-1-0x0000000000090000-0x00000000003B4000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b73-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
2076	Client.exe
4976	Client.exe
2072	Client.exe
4604	Client.exe
3176	Client.exe
1816	Client.exe
4056	Client.exe
1688	Client.exe
4636	Client.exe
2292	Client.exe
1756	Client.exe
1180	Client.exe
3904	Client.exe
652	Client.exe
2192	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
380	PING.EXE
516	PING.EXE
3672	PING.EXE
4928	PING.EXE
4436	PING.EXE
1384	PING.EXE
3364	PING.EXE
4352	PING.EXE
4412	PING.EXE
2520	PING.EXE
2608	PING.EXE
4888	PING.EXE
4032	PING.EXE
4864	PING.EXE
1848	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
3672	PING.EXE
4888	PING.EXE
4352	PING.EXE
4928	PING.EXE
1848	PING.EXE
516	PING.EXE
2608	PING.EXE
3364	PING.EXE
4032	PING.EXE
1384	PING.EXE
380	PING.EXE
4412	PING.EXE
4436	PING.EXE
4864	PING.EXE
2520	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3888	schtasks.exe
3908	schtasks.exe
4588	schtasks.exe
4664	schtasks.exe
2976	schtasks.exe
4888	schtasks.exe
4600	schtasks.exe
1188	schtasks.exe
1360	schtasks.exe
5028	schtasks.exe
4820	schtasks.exe
1648	schtasks.exe
4892	schtasks.exe
4656	schtasks.exe
4452	schtasks.exe
440	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1052	7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6.exe
Token: SeDebugPrivilege	2076	Client.exe
Token: SeDebugPrivilege	4976	Client.exe
Token: SeDebugPrivilege	2072	Client.exe
Token: SeDebugPrivilege	4604	Client.exe
Token: SeDebugPrivilege	3176	Client.exe
Token: SeDebugPrivilege	1816	Client.exe
Token: SeDebugPrivilege	4056	Client.exe
Token: SeDebugPrivilege	1688	Client.exe
Token: SeDebugPrivilege	4636	Client.exe
Token: SeDebugPrivilege	2292	Client.exe
Token: SeDebugPrivilege	1756	Client.exe
Token: SeDebugPrivilege	1180	Client.exe
Token: SeDebugPrivilege	3904	Client.exe
Token: SeDebugPrivilege	652	Client.exe
Token: SeDebugPrivilege	2192	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 4820	1052	7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6.exe	82
PID 1052 wrote to memory of 4820	1052	7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6.exe	82
PID 1052 wrote to memory of 2076	1052	7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6.exe	84
PID 1052 wrote to memory of 2076	1052	7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6.exe	84
PID 2076 wrote to memory of 3888	2076	Client.exe	85
PID 2076 wrote to memory of 3888	2076	Client.exe	85
PID 2076 wrote to memory of 4864	2076	Client.exe	87
PID 2076 wrote to memory of 4864	2076	Client.exe	87
PID 4864 wrote to memory of 3116	4864	cmd.exe	89
PID 4864 wrote to memory of 3116	4864	cmd.exe	89
PID 4864 wrote to memory of 1384	4864	cmd.exe	90
PID 4864 wrote to memory of 1384	4864	cmd.exe	90
PID 4864 wrote to memory of 4976	4864	cmd.exe	96
PID 4864 wrote to memory of 4976	4864	cmd.exe	96
PID 4976 wrote to memory of 4600	4976	Client.exe	97
PID 4976 wrote to memory of 4600	4976	Client.exe	97
PID 4976 wrote to memory of 3428	4976	Client.exe	99
PID 4976 wrote to memory of 3428	4976	Client.exe	99
PID 3428 wrote to memory of 3200	3428	cmd.exe	101
PID 3428 wrote to memory of 3200	3428	cmd.exe	101
PID 3428 wrote to memory of 516	3428	cmd.exe	102
PID 3428 wrote to memory of 516	3428	cmd.exe	102
PID 3428 wrote to memory of 2072	3428	cmd.exe	105
PID 3428 wrote to memory of 2072	3428	cmd.exe	105
PID 2072 wrote to memory of 1188	2072	Client.exe	106
PID 2072 wrote to memory of 1188	2072	Client.exe	106
PID 2072 wrote to memory of 3552	2072	Client.exe	108
PID 2072 wrote to memory of 3552	2072	Client.exe	108
PID 3552 wrote to memory of 3872	3552	cmd.exe	110
PID 3552 wrote to memory of 3872	3552	cmd.exe	110
PID 3552 wrote to memory of 3672	3552	cmd.exe	111
PID 3552 wrote to memory of 3672	3552	cmd.exe	111
PID 3552 wrote to memory of 4604	3552	cmd.exe	113
PID 3552 wrote to memory of 4604	3552	cmd.exe	113
PID 4604 wrote to memory of 3908	4604	Client.exe	115
PID 4604 wrote to memory of 3908	4604	Client.exe	115
PID 4604 wrote to memory of 4472	4604	Client.exe	117
PID 4604 wrote to memory of 4472	4604	Client.exe	117
PID 4472 wrote to memory of 2100	4472	cmd.exe	119
PID 4472 wrote to memory of 2100	4472	cmd.exe	119
PID 4472 wrote to memory of 2608	4472	cmd.exe	120
PID 4472 wrote to memory of 2608	4472	cmd.exe	120
PID 4472 wrote to memory of 3176	4472	cmd.exe	121
PID 4472 wrote to memory of 3176	4472	cmd.exe	121
PID 3176 wrote to memory of 4892	3176	Client.exe	122
PID 3176 wrote to memory of 4892	3176	Client.exe	122
PID 3176 wrote to memory of 1856	3176	Client.exe	124
PID 3176 wrote to memory of 1856	3176	Client.exe	124
PID 1856 wrote to memory of 3084	1856	cmd.exe	126
PID 1856 wrote to memory of 3084	1856	cmd.exe	126
PID 1856 wrote to memory of 380	1856	cmd.exe	127
PID 1856 wrote to memory of 380	1856	cmd.exe	127
PID 1856 wrote to memory of 1816	1856	cmd.exe	128
PID 1856 wrote to memory of 1816	1856	cmd.exe	128
PID 1816 wrote to memory of 4588	1816	Client.exe	129
PID 1816 wrote to memory of 4588	1816	Client.exe	129
PID 1816 wrote to memory of 2248	1816	Client.exe	131
PID 1816 wrote to memory of 2248	1816	Client.exe	131
PID 2248 wrote to memory of 3360	2248	cmd.exe	133
PID 2248 wrote to memory of 3360	2248	cmd.exe	133
PID 2248 wrote to memory of 4888	2248	cmd.exe	134
PID 2248 wrote to memory of 4888	2248	cmd.exe	134
PID 2248 wrote to memory of 4056	2248	cmd.exe	135
PID 2248 wrote to memory of 4056	2248	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6.exe
"C:\Users\Admin\AppData\Local\Temp\7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4820
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9zXBDdawML3f.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4864
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3116
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1384
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4976
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4600
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\X6uDSORf2wqt.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3428
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3200
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:516
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9QL2MpPIxhay.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3672
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5rMNvlyHOiWI.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2100
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2608
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1G9d3FfhT4nj.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3084
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:380
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\38ZzOQSc79IL.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3360
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4888
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4056
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4664
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lzKOTl7qaAH5.bat" "
        15⤵
        
        PID:3256
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2224
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3364
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9SitUsqJnOmZ.bat" "
        17⤵
        
        PID:4372
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3668
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4352
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4636
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jTjTmBhrUpaO.bat" "
        19⤵
        
        PID:2660
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1068
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4928
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qKkIxZtLzP1o.bat" "
        21⤵
        
        PID:1340
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4008
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4412
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwhqzubGLwxu.bat" "
        23⤵
        
        PID:2516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2276
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4436
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TtWoA5jCSFLI.bat" "
        25⤵
        
        PID:4556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:5012
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4032
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3904
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cDATbgbnU2E1.bat" "
        27⤵
        
        PID:3368
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4864
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:652
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SbxDQMLwmKG7.bat" "
        29⤵
        
        PID:1040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1484
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2520
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqXECY41r6MQ.bat" "
        31⤵
        
        PID:4352
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:3560
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1G9d3FfhT4nj.bat

Filesize
207B

MD5
f9e7e9b1b239967468d5a2d388163228

SHA1
be95d3c2f3d66596bb6de0ea2b718fbaa12914df

SHA256
14fdc4f759a9b76a7a2a126bcb2b90b95ce1c8c6a44c8a43119c43331a2b574c

SHA512
820d1341188ff7ec527b2f0c0bf7f93b577b607cb7fb9227451f2e5863bbf85e6bc59fb15664e60fa81557a6dacb6c668e5e92406148eed920d55ca16516e413

Download Submit
C:\Users\Admin\AppData\Local\Temp\38ZzOQSc79IL.bat

Filesize
207B

MD5
4d5d2159d21ea92df1dba055e6246f11

SHA1
a35ded483851c28b3bd7fd5a54fddfd1c50e1d27

SHA256
0fecbf447345fd8910275d703f5da7f0e5e46aba453adec1f831c9dbd4ee5c02

SHA512
86683db7ff4964c261167b308ec563a3c19651b1c30f769ec5034200179ff1cdbf2689a660e9ea2d9dacaee15e0480b8650a3a92e7a2aa1cb9b0818ea897beed

Download Submit
C:\Users\Admin\AppData\Local\Temp\5rMNvlyHOiWI.bat

Filesize
207B

MD5
f2166e5b16ec27ce42b74eb3162f80b1

SHA1
67e68f38954242602cc5906e978da1c8bf2f1848

SHA256
c4718462c2ae01d18c4579870b1f61121af797372b94fd3dbbfab33a490be94f

SHA512
dd3b07457baf149a90d30f371fad5f7c465b776a154eb2475f7da1fc6e69cbd111f4c985ae314b1bf249ec5c15bff648b981822ffb6c009d57de45394048af01

Download Submit
C:\Users\Admin\AppData\Local\Temp\9QL2MpPIxhay.bat

Filesize
207B

MD5
729a46a03230b7dd59fbf635dd1109b1

SHA1
7a74c228093698381ff5d481bef40fd632453dd1

SHA256
d448c6152cb1d52a83fbe14bbb9a70a66f70aadcc01023bf2023167645dc635b

SHA512
4f180dfda729acb3792c1435af4412b6ad234480afae500d0c23ced417b3630a2bd6137d72fed92f952ead9385b55b40439d695fbdb73e7906c438cfd90083b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\9SitUsqJnOmZ.bat

Filesize
207B

MD5
c659b4a249d557fb8763f761628db89a

SHA1
7e38dfecc8692ba0cf675a46bc88edb5385a162b

SHA256
6bee382a1b52ae0ff549223aec44a1d3a40a39d55820028edd67f5477f2ee6d6

SHA512
b2dc53a178fe28100fe05b3cc00550c6d984559b426fbf2f9ed2ee4cf71cfb9f126d91e3c8545ada0c7644931fe2cc8630561187bbe075ba4c0488b8b3022bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\9zXBDdawML3f.bat

Filesize
207B

MD5
4072b416e71146dd7660691b3b0f0dc1

SHA1
13a41a6a4a1d5fcf90c40e7327122d565ab22664

SHA256
d01bbede0bd782cc918a858ddd722df392368c5af160fe45f4849b72a25604f0

SHA512
fe9da8068c6d40e3d9bbb65e51c4581fa78674838772f25e3277bfc7c48036786c1d2df3463bacd3fe189b41d0b6eac6d455a3807d9de2614cac0ddf5af64fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\JqXECY41r6MQ.bat

Filesize
207B

MD5
1d8ca8067940327f5ea3255a2f4a5e03

SHA1
133578a888dac7cd437145cbd3049c0bdbdfcd71

SHA256
ad5b1b4f69d0b24eeff6d1c8f288a4e7eaacd10abc6dab92b82e23173c5d9093

SHA512
47b65070876ca8511879f51652df25b20c65d53cc93f55dabb5f3814baa3361568b00893bda685cf729aba129f3ceb32f8fd826626bebc58252e827b30c224ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\SbxDQMLwmKG7.bat

Filesize
207B

MD5
c610f990c2187a5ae617f36f4bb8567b

SHA1
467fa6d66675fe5e878cc9167c02eb8f86a720df

SHA256
0baae251275e0d13d9bc3eeeb94f0537eee7803983711ca2e9d31eaa168babed

SHA512
323a09cf75e1fbfcfd29198ba1d74f413041f9ed0682e633f4e6822232f103e059620258806612032a802af9c139f2dc607a68506e4c76fada8850e2efc6a6f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TtWoA5jCSFLI.bat

Filesize
207B

MD5
184201918aa2e5fc09f6296569c98349

SHA1
3c9899d2e2eeb6de0985d5517c9416a78def2256

SHA256
01cc44c4253fb34ec596c110a5d5a161f65f58afca022890fc0334f9678c5584

SHA512
bc86c18d6b4addc6852031e5aa279de87597acd92319fdc85c45191bc1af8076bae5a8f479ecbf912383bb35d8865a194ec198300aaf5e3677bcb468edef99b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\X6uDSORf2wqt.bat

Filesize
207B

MD5
cfad5468113df25baa0d40632fc97032

SHA1
d0ebfe5d17bbf4099415e422945bad45e36d4bab

SHA256
628a57943c494b45d91bd24de3ffe9b7bd497e314aa5f2c6e6975822fec46f75

SHA512
6b43a2259b7f4ffce46f00291ce4a2b0a7c4e77830e341f3187d84aff1657ac800a9b9e8219258665608d5402941c42b4d7255b7f9739c851a1392dd91bea004

Download Submit
C:\Users\Admin\AppData\Local\Temp\cDATbgbnU2E1.bat

Filesize
207B

MD5
e9f0ebd3a16042c5c2ca563255827ab1

SHA1
f90b8e1f1dd82e9711de2050517ca60626fc473a

SHA256
09e7b2068f3cf303dc30451632be03ce9c2840575e4e80132615f64a26248c96

SHA512
daf1c922611738d3f4bfe3771b75f7cefd232342aeae1a9d424ff9c64db97967b3d66f9d5bcd4c4aa037b51394f4cdfd507e582634cf4347ec415a17b638a6db

Download Submit
C:\Users\Admin\AppData\Local\Temp\jTjTmBhrUpaO.bat

Filesize
207B

MD5
91d74c6de07488fb2918d00ccc21743e

SHA1
a3622c1523bf610767741cc110b3dd5ce750aedf

SHA256
4184f729100aeedce8d83f30d73a7fa911ed632af2523481ae5bf3d2b0d62f7b

SHA512
486773ec7d1d95be86478bb42e70e761dc463d52d5828189dcea5e27609c7c2eb2469c01d7f4c18196a4b23232fbe39ae73df7b636161e6952bdcf8c22c6d425

Download Submit
C:\Users\Admin\AppData\Local\Temp\lzKOTl7qaAH5.bat

Filesize
207B

MD5
ab65be282d7e96a22a8c428a812bf7a5

SHA1
bd599f9f113900323d6ef1c13a7cfe8badb5df55

SHA256
2c2e7aa01a371ec0d4beb898e99adc8ae2e9f5bf6d31aa1301f08bbfebb5f3f9

SHA512
3fa036358e4d0740901c8a153ce657af7220838549e1c6b407e5b64bb89ef032b7800c059c6c81562351edfd19c2fda8b023562b03e6c276416e7cd388ca93dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwhqzubGLwxu.bat

Filesize
207B

MD5
108de7fc6d853899a266b829a6a56724

SHA1
6f323053c56a81492ae94bd2d8dd86a95db05256

SHA256
d5a5967714232ce90d5d58ea8198dd7579ebc14d8ae5e074480eaa3c37290641

SHA512
d9256fbbe2e4a346a77bcfb92436bf819b590813eff851c9a37dc3301e5f5185fab5cd8e2986e25457f1280f86f3f3c72c5dc044903da899aa9256055923d78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qKkIxZtLzP1o.bat

Filesize
207B

MD5
eae1640cdf1e5bed41c58ced29af89b4

SHA1
930b80e915e5a88d47c22e6cc2663e74e82a65f1

SHA256
9da733859c82418e02bfbbab29e56593dca0b5a64b68c5b77c028852d9833aee

SHA512
906c2a1a3a8d433d6b5ea4af898e1bbba601d217eaa686036d801532077e56d45c840b0c1d79fda3265fdcab77b3d18c1c7ae047360ccbf0944d9e0bb539fc33

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
5c73e901190eb50c2794a879a354417d

SHA1
e7e0e5552b9656e3790aa748f9af8774b606ed66

SHA256
7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6

SHA512
fc3bb5c1c6b2917e6169cfc7633f91335eda82c68518f801e26805fc6381afb54508dbc689eb7c946ebe5e6195b37daa1639243e3fef3ee2073dbb1aa8495fd6

Download Submit
memory/1052-10-0x00007FFDBF310000-0x00007FFDBFDD1000-memory.dmp

Filesize
10.8MB

Download
memory/1052-0-0x00007FFDBF313000-0x00007FFDBF315000-memory.dmp

Filesize
8KB

Download
memory/1052-2-0x00007FFDBF310000-0x00007FFDBFDD1000-memory.dmp

Filesize
10.8MB

Download
memory/1052-1-0x0000000000090000-0x00000000003B4000-memory.dmp

Filesize
3.1MB

Download
memory/2076-9-0x00007FFDBF310000-0x00007FFDBFDD1000-memory.dmp

Filesize
10.8MB

Download
memory/2076-11-0x00007FFDBF310000-0x00007FFDBFDD1000-memory.dmp

Filesize
10.8MB

Download
memory/2076-12-0x0000000002ED0000-0x0000000002F20000-memory.dmp

Filesize
320KB

Download
memory/2076-19-0x00007FFDBF310000-0x00007FFDBFDD1000-memory.dmp

Filesize
10.8MB

Download
memory/2076-13-0x000000001C5C0000-0x000000001C672000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads