quasar | e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f

Analysis

max time kernel
142s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f.exe
Size

3.1MB
MD5

5da0a355dcd44b29fdd27a5eba904d8d
SHA1

1099e489937a644376653ab4b5921da9527f50a9
SHA256

e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f
SHA512

289ac0076045bcb1e8b35d572ed27eca424f718b9ef26d821a5cc7ee372203125a6c516b296044efc23ad4d4bd771e1d875cf74107b9205c5312a6c49d37b0a6
SSDEEP

49152:3viI22SsaNYfdPBldt698dBcjHFfRJ6fbR3LoGd5THHB72eh2NT:3vv22SsaNYfdPBldt6+dBcjHFfRJ6x

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.79:4782

Mutex

956eafb2-7482-407b-bff4-d2b57a1c3d75

Attributes

encryption_key
EFEBD005E03B8B8669985D9A167E2BEF9FFCA477
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 11 IoCs

resource	yara_rule
behavioral1/memory/1320-1-0x0000000000E80000-0x00000000011A4000-memory.dmp	family_quasar
behavioral1/files/0x00070000000195c5-7.dat	family_quasar
behavioral1/memory/3016-10-0x0000000000090000-0x00000000003B4000-memory.dmp	family_quasar
behavioral1/memory/2592-23-0x0000000000270000-0x0000000000594000-memory.dmp	family_quasar
behavioral1/memory/336-34-0x00000000000B0000-0x00000000003D4000-memory.dmp	family_quasar
behavioral1/memory/1944-45-0x0000000000B80000-0x0000000000EA4000-memory.dmp	family_quasar
behavioral1/memory/2312-68-0x0000000000DE0000-0x0000000001104000-memory.dmp	family_quasar
behavioral1/memory/1848-79-0x0000000001360000-0x0000000001684000-memory.dmp	family_quasar
behavioral1/memory/2020-112-0x0000000001390000-0x00000000016B4000-memory.dmp	family_quasar
behavioral1/memory/2936-124-0x00000000002A0000-0x00000000005C4000-memory.dmp	family_quasar
behavioral1/memory/932-135-0x0000000001330000-0x0000000001654000-memory.dmp	family_quasar

Executes dropped EXE 12 IoCs

pid	Process
3016	Client.exe
2592	Client.exe
336	Client.exe
1944	Client.exe
940	Client.exe
2312	Client.exe
1848	Client.exe
2572	Client.exe
2616	Client.exe
2020	Client.exe
2936	Client.exe
932	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1368	PING.EXE
2344	PING.EXE
1732	PING.EXE
2424	PING.EXE
2580	PING.EXE
824	PING.EXE
708	PING.EXE
1968	PING.EXE
2408	PING.EXE
2648	PING.EXE
1432	PING.EXE
1596	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
1432	PING.EXE
2424	PING.EXE
1596	PING.EXE
1368	PING.EXE
824	PING.EXE
1968	PING.EXE
2344	PING.EXE
1732	PING.EXE
2648	PING.EXE
2580	PING.EXE
708	PING.EXE
2408	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2284	schtasks.exe
1916	schtasks.exe
2176	schtasks.exe
2508	schtasks.exe
2232	schtasks.exe
2500	schtasks.exe
2244	schtasks.exe
2676	schtasks.exe
2056	schtasks.exe
1708	schtasks.exe
2504	schtasks.exe
2548	schtasks.exe
1032	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1320	e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f.exe
Token: SeDebugPrivilege	3016	Client.exe
Token: SeDebugPrivilege	2592	Client.exe
Token: SeDebugPrivilege	336	Client.exe
Token: SeDebugPrivilege	1944	Client.exe
Token: SeDebugPrivilege	940	Client.exe
Token: SeDebugPrivilege	2312	Client.exe
Token: SeDebugPrivilege	1848	Client.exe
Token: SeDebugPrivilege	2572	Client.exe
Token: SeDebugPrivilege	2616	Client.exe
Token: SeDebugPrivilege	2020	Client.exe
Token: SeDebugPrivilege	2936	Client.exe
Token: SeDebugPrivilege	932	Client.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
3016	Client.exe
2592	Client.exe
336	Client.exe
1944	Client.exe
940	Client.exe
2312	Client.exe
1848	Client.exe
2572	Client.exe
2616	Client.exe
2020	Client.exe
2936	Client.exe
932	Client.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3016	Client.exe
2592	Client.exe
336	Client.exe
1944	Client.exe
940	Client.exe
2312	Client.exe
1848	Client.exe
2572	Client.exe
2616	Client.exe
2020	Client.exe
2936	Client.exe
932	Client.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3016	Client.exe
2592	Client.exe
336	Client.exe
1944	Client.exe
940	Client.exe
2312	Client.exe
1848	Client.exe
2572	Client.exe
2616	Client.exe
2020	Client.exe
2936	Client.exe
932	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 2504	1320	e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f.exe	31
PID 1320 wrote to memory of 2504	1320	e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f.exe	31
PID 1320 wrote to memory of 2504	1320	e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f.exe	31
PID 1320 wrote to memory of 3016	1320	e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f.exe	33
PID 1320 wrote to memory of 3016	1320	e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f.exe	33
PID 1320 wrote to memory of 3016	1320	e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f.exe	33
PID 3016 wrote to memory of 2176	3016	Client.exe	34
PID 3016 wrote to memory of 2176	3016	Client.exe	34
PID 3016 wrote to memory of 2176	3016	Client.exe	34
PID 3016 wrote to memory of 2680	3016	Client.exe	36
PID 3016 wrote to memory of 2680	3016	Client.exe	36
PID 3016 wrote to memory of 2680	3016	Client.exe	36
PID 2680 wrote to memory of 2844	2680	cmd.exe	38
PID 2680 wrote to memory of 2844	2680	cmd.exe	38
PID 2680 wrote to memory of 2844	2680	cmd.exe	38
PID 2680 wrote to memory of 2580	2680	cmd.exe	39
PID 2680 wrote to memory of 2580	2680	cmd.exe	39
PID 2680 wrote to memory of 2580	2680	cmd.exe	39
PID 2680 wrote to memory of 2592	2680	cmd.exe	40
PID 2680 wrote to memory of 2592	2680	cmd.exe	40
PID 2680 wrote to memory of 2592	2680	cmd.exe	40
PID 2592 wrote to memory of 2548	2592	Client.exe	41
PID 2592 wrote to memory of 2548	2592	Client.exe	41
PID 2592 wrote to memory of 2548	2592	Client.exe	41
PID 2592 wrote to memory of 1572	2592	Client.exe	43
PID 2592 wrote to memory of 1572	2592	Client.exe	43
PID 2592 wrote to memory of 1572	2592	Client.exe	43
PID 1572 wrote to memory of 2032	1572	cmd.exe	45
PID 1572 wrote to memory of 2032	1572	cmd.exe	45
PID 1572 wrote to memory of 2032	1572	cmd.exe	45
PID 1572 wrote to memory of 1368	1572	cmd.exe	46
PID 1572 wrote to memory of 1368	1572	cmd.exe	46
PID 1572 wrote to memory of 1368	1572	cmd.exe	46
PID 1572 wrote to memory of 336	1572	cmd.exe	47
PID 1572 wrote to memory of 336	1572	cmd.exe	47
PID 1572 wrote to memory of 336	1572	cmd.exe	47
PID 336 wrote to memory of 1032	336	Client.exe	48
PID 336 wrote to memory of 1032	336	Client.exe	48
PID 336 wrote to memory of 1032	336	Client.exe	48
PID 336 wrote to memory of 2008	336	Client.exe	50
PID 336 wrote to memory of 2008	336	Client.exe	50
PID 336 wrote to memory of 2008	336	Client.exe	50
PID 2008 wrote to memory of 1276	2008	cmd.exe	52
PID 2008 wrote to memory of 1276	2008	cmd.exe	52
PID 2008 wrote to memory of 1276	2008	cmd.exe	52
PID 2008 wrote to memory of 824	2008	cmd.exe	53
PID 2008 wrote to memory of 824	2008	cmd.exe	53
PID 2008 wrote to memory of 824	2008	cmd.exe	53
PID 2008 wrote to memory of 1944	2008	cmd.exe	54
PID 2008 wrote to memory of 1944	2008	cmd.exe	54
PID 2008 wrote to memory of 1944	2008	cmd.exe	54
PID 1944 wrote to memory of 2508	1944	Client.exe	55
PID 1944 wrote to memory of 2508	1944	Client.exe	55
PID 1944 wrote to memory of 2508	1944	Client.exe	55
PID 1944 wrote to memory of 3044	1944	Client.exe	57
PID 1944 wrote to memory of 3044	1944	Client.exe	57
PID 1944 wrote to memory of 3044	1944	Client.exe	57
PID 3044 wrote to memory of 1092	3044	cmd.exe	59
PID 3044 wrote to memory of 1092	3044	cmd.exe	59
PID 3044 wrote to memory of 1092	3044	cmd.exe	59
PID 3044 wrote to memory of 708	3044	cmd.exe	60
PID 3044 wrote to memory of 708	3044	cmd.exe	60
PID 3044 wrote to memory of 708	3044	cmd.exe	60
PID 3044 wrote to memory of 940	3044	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f.exe
"C:\Users\Admin\AppData\Local\Temp\e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2504
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2176
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\shwOsUW0n3Rn.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2844
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2580
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2548
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NarXIBuUvqsW.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1572
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2032
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1368
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1032
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wxwxr783zqYd.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1276
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:824
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2508
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ogCCTgKUcw4b.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1092
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:708
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:940
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2500
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\6Qhj5rAT4UQo.bat" "
        11⤵
        
        PID:1544
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:316
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1968
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2312
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2232
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\H9yK1fAX3td6.bat" "
        13⤵
        
        PID:896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2352
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2408
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1848
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2244
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8noFuKOwu2Sr.bat" "
        15⤵
        
        PID:2708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1792
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2344
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2572
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2676
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\y1apO3VDiPF8.bat" "
        17⤵
        
        PID:1764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1732
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2616
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2284
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hRYMSERjLmNb.bat" "
        19⤵
        
        PID:1820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1300
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2648
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2020
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2056
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KKRyzbNi5ioZ.bat" "
        21⤵
        
        PID:1804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1432
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2936
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1916
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Eqg5OOMg6hy7.bat" "
        23⤵
        
        PID:1824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2424
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:932
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1708
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DOVChixbiXBg.bat" "
        25⤵
        
        PID:2628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2448
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6Qhj5rAT4UQo.bat

Filesize
207B

MD5
09ee862bb4fab1e6ae3a288427f421bd

SHA1
5df506b8ef42a26bdd7b75f2ca5e99717921eaee

SHA256
6aca42e27e589f6cc317024114d9e889b5dc344d3264681047b7cb0894acd633

SHA512
3219970e0d092b0021dcdef17822571684161659114e1f69369ef7e9e64bb942738417e467aca5ace2340a5d8c8c3d0f0404841f2981f542def9f98fb63374d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\8noFuKOwu2Sr.bat

Filesize
207B

MD5
418fd8c4cebd5cf20f8647dd778a8f46

SHA1
4c54c7d645ec63b8b583f0d3c891ead5d908a975

SHA256
6191f96bdaf2d6a4cfad31e6f630e4b1d80b51aa999a2e1adbbd1f827ff4394b

SHA512
7ed52c544815ee5005441e69dd2b0740465f3c7e20422e6164e8b98058a3774e09722028b7d4447bde7baca903ef0593d5c0902f83563e0fd81d37bd190b0b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOVChixbiXBg.bat

Filesize
207B

MD5
ad4074e52dae5c56f441a34606cd862a

SHA1
41f193a55bf8d300e220aecf05b0f5a932bd4e6b

SHA256
90da8b88188513d8ff094de3ec9611b9c9216897e3821e0edd271d1cce6b8d50

SHA512
891d3403c058d03f29d9bc1a75b6ea22ab63e6f507abc792fc743a8f2c40bb914cfbe7d6a327d5e5639bb1245851aeaad60b3ad237eddaa828dd19475d9f793e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eqg5OOMg6hy7.bat

Filesize
207B

MD5
303d6fe23208bd12022caa020cd68051

SHA1
99b3c7af3e246d8157a5a49bc8d35e61b8c477d4

SHA256
d86b7733ba05f34f1204225c2cdc65d5c14b386fcb1fbda3fc1be69add64eef1

SHA512
5872034df091f2e3c922de2dbcc992b2c9927b60bfd8bdc81a0cd57fff4977e48464fb1bc6e9bdbaf831c087e7d67e0394af622e3583aee898f62d27e5460c4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\H9yK1fAX3td6.bat

Filesize
207B

MD5
47670ddf83c4cf4c4559bd690334dfed

SHA1
4447b7bb9066763499e8e172f300493ffdcb6b24

SHA256
14ee73fc448d1b242c87eb8dff69462a60768ab4089f729fbc99f5e7c634ab2f

SHA512
a81aa8c88eb8bf5e41e6564baff5b5a8eb165a426e21aa9c3ca77bb4f1d8b6b31bd7cde074340e9c645de89324188f92e5ee8972198290ef4f6b21e97d0304d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KKRyzbNi5ioZ.bat

Filesize
207B

MD5
0fc601ef03cb41805d8c2009833b6dd7

SHA1
5d7954f88873694a952ae7a317db038a5df567f3

SHA256
2bbecd7d3be5d2cf01dc635e1cc7e2f0a983c8632215ebfb4c721d46225d8681

SHA512
462fe56a8a1885e610d01258c09fc9edf70e850fe25b59559e30c2029059f75e035165be0bce3de75c3c6ff16bffe9752691cf0c0677cba309697ce43422505b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NarXIBuUvqsW.bat

Filesize
207B

MD5
d62e1b7a3484ac8b00110ee7cd33e56c

SHA1
70d89733d007f6e0fe5b3a70b08b37ec1fe767db

SHA256
1231978cfc52a2bb2b473c8df594fbf6182e50db4acf76ecae13c4db9c16a109

SHA512
ec3afb06452f4a5600f9e629e6902196f5ce4b1c2e3f7a96c692508a08b67b4a616df257e9343c29a04712552784ebfe97097632cb2e89c421c0f218096b89d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hRYMSERjLmNb.bat

Filesize
207B

MD5
f13db879238ae8f6f6a4180ea6dc4344

SHA1
a511ab4381d85db030e31464fc7bd35c801587d4

SHA256
40f4c9f44bb5c93bff329b5596ea0314e2727eecae97b4e91adf169cdd503974

SHA512
a20ed61104eef0cec8311bffb939111f687fb6de6b8f15c27cb2b57769fc8e461a183364af3ef3dd0063b97dd138fe272c9912b280ff230065c12df6fe68fdac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogCCTgKUcw4b.bat

Filesize
207B

MD5
ab2e0133df2698b214b3678d37d8c847

SHA1
20e085fd1213ae5114681c9103992a06d462028d

SHA256
c750fcc672755f3627d32f518b6a22e09108327619cff59fc9e920d6c2533ea6

SHA512
3cd04e43c98d38d18d60d62dcf144c2dff49861fd80d2defdec220a7ecbe9fc8e6781ed079ac719f72c18dd1e0054927fbb229e9d8128a011f230433d39c7373

Download Submit
C:\Users\Admin\AppData\Local\Temp\shwOsUW0n3Rn.bat

Filesize
207B

MD5
551a8f542fa57948e5c969e1c3a05247

SHA1
04c2ee643505172a7f91c19e6b7c609bd753ebdc

SHA256
49910cac7359fa59a38c1bac63dc7271da71cf988bb2e52813b58f471124d0ca

SHA512
1360620f722f77c81b3f9f8a17dc86f9382bbfc88cc400c0c5c12e18717e7b9997d8979b2e8f76df47a99865488cbc36a5093a1770b0a2b8bb047468ddd5488c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wxwxr783zqYd.bat

Filesize
207B

MD5
aff5847336d08b62763cd84ef3f0f4eb

SHA1
cb82f97bc6c51b22a2653defc0b657192d95540b

SHA256
921cbde7d2a16dbdaca227cb1faaa6997b71c850d027eed790143157007080f7

SHA512
c6d7a597b73871bc3d416d76f20e9c9e389943752c3ddb8edb08342705a22fe41a203fcba8b9ece0a2754ae9a67625bd6f210fc3c92ea0096a9c3062dd10aaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\y1apO3VDiPF8.bat

Filesize
207B

MD5
220ebeff819a03a6af732a2f08de0fa8

SHA1
34a8eb0ed0b329fc00d52592f0baa3e39123886d

SHA256
7b7a9a80f8b5f39a9bc406f0d4b85cb0748ed8f32d2f8e4d8fb39f81251507d5

SHA512
6a3ef46badf8bc45ea6ff647863a0b1038add0f6e1f8f1d001de5b6e57b7fa6af409904cfef7e6ae4fc2e3ef712d863d276c41e2023aa90ec4a033f5e387e941

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
5da0a355dcd44b29fdd27a5eba904d8d

SHA1
1099e489937a644376653ab4b5921da9527f50a9

SHA256
e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f

SHA512
289ac0076045bcb1e8b35d572ed27eca424f718b9ef26d821a5cc7ee372203125a6c516b296044efc23ad4d4bd771e1d875cf74107b9205c5312a6c49d37b0a6

Download Submit
memory/336-34-0x00000000000B0000-0x00000000003D4000-memory.dmp

Filesize
3.1MB

Download
memory/932-135-0x0000000001330000-0x0000000001654000-memory.dmp

Filesize
3.1MB

Download
memory/1320-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/1320-2-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1320-9-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1320-1-0x0000000000E80000-0x00000000011A4000-memory.dmp

Filesize
3.1MB

Download
memory/1848-79-0x0000000001360000-0x0000000001684000-memory.dmp

Filesize
3.1MB

Download
memory/1944-45-0x0000000000B80000-0x0000000000EA4000-memory.dmp

Filesize
3.1MB

Download
memory/2020-112-0x0000000001390000-0x00000000016B4000-memory.dmp

Filesize
3.1MB

Download
memory/2312-68-0x0000000000DE0000-0x0000000001104000-memory.dmp

Filesize
3.1MB

Download
memory/2592-23-0x0000000000270000-0x0000000000594000-memory.dmp

Filesize
3.1MB

Download
memory/2936-124-0x00000000002A0000-0x00000000005C4000-memory.dmp

Filesize
3.1MB

Download
memory/3016-20-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/3016-11-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/3016-10-0x0000000000090000-0x00000000003B4000-memory.dmp

Filesize
3.1MB

Download
memory/3016-8-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads