quasar | e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f.exe
Size

3.1MB
MD5

5da0a355dcd44b29fdd27a5eba904d8d
SHA1

1099e489937a644376653ab4b5921da9527f50a9
SHA256

e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f
SHA512

289ac0076045bcb1e8b35d572ed27eca424f718b9ef26d821a5cc7ee372203125a6c516b296044efc23ad4d4bd771e1d875cf74107b9205c5312a6c49d37b0a6
SSDEEP

49152:3viI22SsaNYfdPBldt698dBcjHFfRJ6fbR3LoGd5THHB72eh2NT:3vv22SsaNYfdPBldt6+dBcjHFfRJ6x

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.79:4782

Mutex

956eafb2-7482-407b-bff4-d2b57a1c3d75

Attributes

encryption_key
EFEBD005E03B8B8669985D9A167E2BEF9FFCA477
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral2/memory/2808-1-0x0000000000F40000-0x0000000001264000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b7b-6.dat	family_quasar
behavioral2/files/0x000a000000023b7b-86.dat	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
1392	Client.exe
4284	Client.exe
1320	Client.exe
3436	Client.exe
220	Client.exe
3540	Client.exe
332	Client.exe
400	Client.exe
4940	Client.exe
2276	Client.exe
4852	Client.exe
3964	Client.exe
3460	Client.exe
2808	Client.exe
4956	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2976	PING.EXE
740	PING.EXE
2356	PING.EXE
3980	PING.EXE
4804	PING.EXE
4444	PING.EXE
3304	PING.EXE
3252	PING.EXE
1740	PING.EXE
4928	PING.EXE
2920	PING.EXE
3284	PING.EXE
1220	PING.EXE
2780	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
2356	PING.EXE
4928	PING.EXE
2976	PING.EXE
4804	PING.EXE
3304	PING.EXE
740	PING.EXE
1740	PING.EXE
4444	PING.EXE
3284	PING.EXE
1220	PING.EXE
2780	PING.EXE
3252	PING.EXE
3980	PING.EXE
2920	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4288	schtasks.exe
2200	schtasks.exe
4592	schtasks.exe
3092	schtasks.exe
4064	schtasks.exe
3284	schtasks.exe
3284	schtasks.exe
4892	schtasks.exe
4564	schtasks.exe
2748	schtasks.exe
2316	schtasks.exe
2996	schtasks.exe
5012	schtasks.exe
2536	schtasks.exe
3048	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f.exe
Token: SeDebugPrivilege	1392	Client.exe
Token: SeDebugPrivilege	4284	Client.exe
Token: SeDebugPrivilege	1320	Client.exe
Token: SeDebugPrivilege	3436	Client.exe
Token: SeDebugPrivilege	220	Client.exe
Token: SeDebugPrivilege	3540	Client.exe
Token: SeDebugPrivilege	332	Client.exe
Token: SeDebugPrivilege	400	Client.exe
Token: SeDebugPrivilege	4940	Client.exe
Token: SeDebugPrivilege	2276	Client.exe
Token: SeDebugPrivilege	4852	Client.exe
Token: SeDebugPrivilege	3964	Client.exe
Token: SeDebugPrivilege	3460	Client.exe
Token: SeDebugPrivilege	2808	Client.exe
Token: SeDebugPrivilege	4956	Client.exe

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
1392	Client.exe
4284	Client.exe
1320	Client.exe
3436	Client.exe
220	Client.exe
3540	Client.exe
332	Client.exe
400	Client.exe
4940	Client.exe
2276	Client.exe
4852	Client.exe
3964	Client.exe
3460	Client.exe
2808	Client.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
1392	Client.exe
4284	Client.exe
1320	Client.exe
3436	Client.exe
220	Client.exe
3540	Client.exe
332	Client.exe
400	Client.exe
4940	Client.exe
2276	Client.exe
4852	Client.exe
3964	Client.exe
3460	Client.exe
2808	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2748	2808	e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f.exe	85
PID 2808 wrote to memory of 2748	2808	e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f.exe	85
PID 2808 wrote to memory of 1392	2808	e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f.exe	87
PID 2808 wrote to memory of 1392	2808	e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f.exe	87
PID 1392 wrote to memory of 2316	1392	Client.exe	88
PID 1392 wrote to memory of 2316	1392	Client.exe	88
PID 1392 wrote to memory of 2324	1392	Client.exe	90
PID 1392 wrote to memory of 2324	1392	Client.exe	90
PID 2324 wrote to memory of 3664	2324	cmd.exe	92
PID 2324 wrote to memory of 3664	2324	cmd.exe	92
PID 2324 wrote to memory of 4804	2324	cmd.exe	93
PID 2324 wrote to memory of 4804	2324	cmd.exe	93
PID 2324 wrote to memory of 4284	2324	cmd.exe	107
PID 2324 wrote to memory of 4284	2324	cmd.exe	107
PID 4284 wrote to memory of 2996	4284	Client.exe	108
PID 4284 wrote to memory of 2996	4284	Client.exe	108
PID 4284 wrote to memory of 4008	4284	Client.exe	111
PID 4284 wrote to memory of 4008	4284	Client.exe	111
PID 4008 wrote to memory of 2348	4008	cmd.exe	113
PID 4008 wrote to memory of 2348	4008	cmd.exe	113
PID 4008 wrote to memory of 3304	4008	cmd.exe	114
PID 4008 wrote to memory of 3304	4008	cmd.exe	114
PID 4008 wrote to memory of 1320	4008	cmd.exe	116
PID 4008 wrote to memory of 1320	4008	cmd.exe	116
PID 1320 wrote to memory of 5012	1320	Client.exe	117
PID 1320 wrote to memory of 5012	1320	Client.exe	117
PID 1320 wrote to memory of 4480	1320	Client.exe	119
PID 1320 wrote to memory of 4480	1320	Client.exe	119
PID 4480 wrote to memory of 2952	4480	cmd.exe	122
PID 4480 wrote to memory of 2952	4480	cmd.exe	122
PID 4480 wrote to memory of 3284	4480	cmd.exe	123
PID 4480 wrote to memory of 3284	4480	cmd.exe	123
PID 4480 wrote to memory of 3436	4480	cmd.exe	127
PID 4480 wrote to memory of 3436	4480	cmd.exe	127
PID 3436 wrote to memory of 2536	3436	Client.exe	128
PID 3436 wrote to memory of 2536	3436	Client.exe	128
PID 3436 wrote to memory of 3708	3436	Client.exe	130
PID 3436 wrote to memory of 3708	3436	Client.exe	130
PID 3708 wrote to memory of 848	3708	cmd.exe	133
PID 3708 wrote to memory of 848	3708	cmd.exe	133
PID 3708 wrote to memory of 740	3708	cmd.exe	134
PID 3708 wrote to memory of 740	3708	cmd.exe	134
PID 3708 wrote to memory of 220	3708	cmd.exe	137
PID 3708 wrote to memory of 220	3708	cmd.exe	137
PID 220 wrote to memory of 2200	220	Client.exe	138
PID 220 wrote to memory of 2200	220	Client.exe	138
PID 220 wrote to memory of 5064	220	Client.exe	140
PID 220 wrote to memory of 5064	220	Client.exe	140
PID 5064 wrote to memory of 4240	5064	cmd.exe	143
PID 5064 wrote to memory of 4240	5064	cmd.exe	143
PID 5064 wrote to memory of 1220	5064	cmd.exe	144
PID 5064 wrote to memory of 1220	5064	cmd.exe	144
PID 5064 wrote to memory of 3540	5064	cmd.exe	145
PID 5064 wrote to memory of 3540	5064	cmd.exe	145
PID 3540 wrote to memory of 4592	3540	Client.exe	146
PID 3540 wrote to memory of 4592	3540	Client.exe	146
PID 3540 wrote to memory of 5020	3540	Client.exe	148
PID 3540 wrote to memory of 5020	3540	Client.exe	148
PID 5020 wrote to memory of 3684	5020	cmd.exe	151
PID 5020 wrote to memory of 3684	5020	cmd.exe	151
PID 5020 wrote to memory of 2780	5020	cmd.exe	152
PID 5020 wrote to memory of 2780	5020	cmd.exe	152
PID 5020 wrote to memory of 332	5020	cmd.exe	155
PID 5020 wrote to memory of 332	5020	cmd.exe	155

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f.exe
"C:\Users\Admin\AppData\Local\Temp\e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2748
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7w2cYAv59PM0.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3664
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4804
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4284
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2996
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qKm6zlVRT4DA.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4008
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2348
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3304
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Tprr0GuZnpx1.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3284
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgAVPbR0It31.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:740
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cNT1DJMBJHnU.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4240
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1220
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWbuk0473xeN.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3684
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2780
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:332
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0tFRUAu843jJ.bat" "
        15⤵
        
        PID:3296
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4688
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3252
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:400
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\225wDjOGwvex.bat" "
        17⤵
        
        PID:3532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2356
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4940
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Sz2ifCGUFesR.bat" "
        19⤵
        
        PID:3292
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:440
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1740
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2276
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWLBX4zASk6Z.bat" "
        21⤵
        
        PID:2376
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4000
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3980
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4852
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqgxfRqxaDO4.bat" "
        23⤵
        
        PID:3504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1820
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4444
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3964
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qMv4UNn2Kjl9.bat" "
        25⤵
        
        PID:4548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:5044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4928
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3460
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\acTAkBxZQpxC.bat" "
        27⤵
        
        PID:2056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1892
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2976
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2808
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOBkROC2Wm4c.bat" "
        29⤵
        
        PID:440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2920
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0tFRUAu843jJ.bat

Filesize
207B

MD5
cee0f23937d8184f8eb857c04461063b

SHA1
2dd0857fcfa3b36294f521cc4f530c3d74e289d6

SHA256
03e135834c545e24235164294eb72f3022c8617950143d4abf2cb8fa8d6278b6

SHA512
5b3c40780db67591d893222c6dfa24cdec59f0c9d6116bda8f571588859c4789b589c0f9d1bd97ef90345f51492b450072328d43270dde33dad11fd453a76c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\225wDjOGwvex.bat

Filesize
207B

MD5
ae7df466f6763be5cfb838ee2d3a58e0

SHA1
b106bc2758b61855535b9b2b79a92ba7daf29b08

SHA256
6a29f9f2471e979a019e28c89b9d6a581e019b786b55ab01f500bf3c1cd5a9ae

SHA512
66b207d83387ccaae8dd503d56c9461dbc503b5bbfe41b63ba3c8f6fae7f2a8a5cfbedc447f7997388314deaaeb6b8b07e41db5eceac8d18038d36d3d624a5fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7w2cYAv59PM0.bat

Filesize
207B

MD5
50b98f64e4848b2d2c3864153d677634

SHA1
07e83517cda6278a90d23622101ee0fa4f07366e

SHA256
da1cdcd415ec79ded93d01dcd548b46d215be9722d171e70a80bcdd98c53b2c6

SHA512
af3c8c961cfdf93a611694621348ae85149dfd76a2e527c6fec68826244c7c546112cdc0b6cfb69c81183ad9a4e1d4929f13e28806354bd49887416cd39b919e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AOBkROC2Wm4c.bat

Filesize
207B

MD5
3c96d957987f4f6c043dee6b3d6d09c3

SHA1
74f3032820414f64f84511200059488549a804e8

SHA256
4079c9553c9905075b58f88d35f90076592ef41f3372468b2bf5f187c22748e7

SHA512
036729d80726fd9197f179a1ed83d83b7714ae523a378983ae68b2df849801c928ccae3551f2b4eb24bdb59382f80dbf675cc50ba696d02c981b024a2e9b07b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\JWLBX4zASk6Z.bat

Filesize
207B

MD5
d178c5dcf9c75b7a887ebe2c55eff1fc

SHA1
54991cfc6a24d576f8192c8ff442046795303f22

SHA256
7d87b54ce4ebe6541b9d83c0d1fb0ef485035d9451a4656436e6a6183b2cff2b

SHA512
2ccbf5fa215daa512e2a14534cb483be887c5dfb50447cca84d16bf4dc356317ef4e02d1d4d8b0866a1a7ad760422cf615cd11594bd33b520d095faf8ec7d987

Download Submit
C:\Users\Admin\AppData\Local\Temp\LqgxfRqxaDO4.bat

Filesize
207B

MD5
bde4795c6de87a3bee3bf5ee8c95e615

SHA1
db47b76866ec01d1a4e58b0a51a7ea24d95f76db

SHA256
3404ddadb8ded20e5474697e2c090af4ae7e7026b346536095b2f05ba262174b

SHA512
6496ff709ed2fc1183fb45ac372af327d06ca9c6200ec0c6fe88f7fcef2a6a59e130ef1d18f97fa5184a7ee17c472c07e6d1e88de8fa1ac66ebe1d2c48e11263

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sz2ifCGUFesR.bat

Filesize
207B

MD5
42fa3042ccbf7a9c6afc86f981717b93

SHA1
e145f69ba2308a7de0ab043cb3b26ea868f1442b

SHA256
90e51bab5371edab68867ecc17930766a434e8660b77871850d826a9282b0620

SHA512
1407e1c222fb05d78b8b10617323a3fd769a56f947ef8d3aa5bcc1a0b76af0829957beb5f184cfdb18d735d58c0aa1d71ae4fa692dcf204bf6ba93f7e795348e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TgAVPbR0It31.bat

Filesize
207B

MD5
74994815741e4c5565210a6d020824b5

SHA1
074dd6bc87f6e4b6888df241a70081c24d852983

SHA256
b62ee9a446692b6078cfe70671a3429030784c956a407e4249af58c0ff900aa6

SHA512
6a298bbbe455ee09ea86ec8dcfacc321663977b75fdda24d1670babf43e98fe267365a89ca8958c364de4e8bc8965fe1af14cfea330886caa60127fc3b5f92b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tprr0GuZnpx1.bat

Filesize
207B

MD5
a8dbed67e745217fbaa6699f6cd3a4e5

SHA1
02aafcec06b6a2719c67a034e3c5344627680ddc

SHA256
97376cec1527e874d3b505f00ec0c5f50080feb9939f90c2dc7d950b1d0b957c

SHA512
73f5ee0ac5f91dc5d342ce1d79dfb0b0915123521f646c23e2032b484091c182987fb6d2271c85962a7d3628f49ef6f62f9af85aad2bddd95d1bd5d0acc91b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\acTAkBxZQpxC.bat

Filesize
207B

MD5
dea98b2d5f50870686fbfbcb3fd652c4

SHA1
f7caeca36d07b35a3e6e42640967c5645bf880fe

SHA256
e7f7770bab27c64ea9734a019dbf2caeb89d20a91ca4e1c2e530c4f8b25a6cda

SHA512
d5ff98652108cb8a3b33cc7bc480c1c58e2adbe3a4930fe10ce84a0a72334fd5c91d49b8fd88b16711e51226fc5674d0494bf772ce01ac6af7aeb7c0095aefe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cNT1DJMBJHnU.bat

Filesize
207B

MD5
5ec79970655323a99b62053a36dde283

SHA1
c18102277df63e66be00b58d12df1353dfba6efc

SHA256
f0d8116bb472fba8f1f6f9f1e979409ba04e753027c2fcabf7eb7d9224e1baa6

SHA512
ac71907274563fbd142389dc1ae794a08aad075f2296bf7b5a0d0a5ccb441150b8bea63e905ced0459132ed25e5ed2d983f18a917f8953c0ff94f92f56e6bc09

Download Submit
C:\Users\Admin\AppData\Local\Temp\gWbuk0473xeN.bat

Filesize
207B

MD5
2aaea202f476390d762068521cfcb9df

SHA1
d8a7ae492a4303b6ddca9f1aa25788773c93e904

SHA256
568658b8512f78ad120ad16ac44d0499d5ff76fd7466662a3b6ee24961175c38

SHA512
ff374c4e65e3660971fed1d9cf65b14fff6a95cc91d9337f7171d525a458a3f552cd4a53a2453cbf825b9ddf9a099829368204e447e4b8803fd274c31b5e1c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\qKm6zlVRT4DA.bat

Filesize
207B

MD5
0a6a00f0404deb542c4b9588be77156d

SHA1
2d9e81a9a301eeacd18f28d408000e83d5de80e7

SHA256
920ecd25acbb5dc42fc9c23a74ac410db09216fa7b20057c6d5f57d8d6c24242

SHA512
204966d8f5e863e3276779bfccea36926c5e459eaf60d94b2e7939e40538db85c50df072ace2a439618633e3e691283defb03233be10da95ebc3e6208d1ced56

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMv4UNn2Kjl9.bat

Filesize
207B

MD5
169ce836a693c5a527344a1ed970548d

SHA1
65aeea8834f1490fd172e5db832d741b983d8168

SHA256
9092387ed9a7539c24577f3d7740381962dc13019934a8c3a05768085d0049c6

SHA512
1619818dedc84de943bb1f2c33aae91ebd8bcae0f42a59e7486a72e102555d06f937aa1c39aac454ab7e6e47a6e6fcf63d12405926474287eecbafbc280551fc

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
5da0a355dcd44b29fdd27a5eba904d8d

SHA1
1099e489937a644376653ab4b5921da9527f50a9

SHA256
e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f

SHA512
289ac0076045bcb1e8b35d572ed27eca424f718b9ef26d821a5cc7ee372203125a6c516b296044efc23ad4d4bd771e1d875cf74107b9205c5312a6c49d37b0a6

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
2.8MB

MD5
cac602e09b8e43875e773ea66ddb8304

SHA1
f15297e66a934d281680415e2d23af22cedf8dc5

SHA256
56311d905db4d1c388a5560ecd1b75817e3a2f908f4d0c6915ee952c7496eac6

SHA512
092d0bb50653e32f6a2c3e488f7de994f26e00f66c7490a1e69d68bca409b6e9ec3a6cea72862896b6bfea8173af9cda36a67d5ebc091da7ed35158b862c00f6

Download Submit
memory/1392-18-0x00007FFB67ED0000-0x00007FFB68991000-memory.dmp

Filesize
10.8MB

Download
memory/1392-13-0x000000001C100000-0x000000001C1B2000-memory.dmp

Filesize
712KB

Download
memory/1392-12-0x000000001BFF0000-0x000000001C040000-memory.dmp

Filesize
320KB

Download
memory/1392-11-0x00007FFB67ED0000-0x00007FFB68991000-memory.dmp

Filesize
10.8MB

Download
memory/1392-9-0x00007FFB67ED0000-0x00007FFB68991000-memory.dmp

Filesize
10.8MB

Download
memory/2808-0-0x00007FFB67ED3000-0x00007FFB67ED5000-memory.dmp

Filesize
8KB

Download
memory/2808-10-0x00007FFB67ED0000-0x00007FFB68991000-memory.dmp

Filesize
10.8MB

Download
memory/2808-2-0x00007FFB67ED0000-0x00007FFB68991000-memory.dmp

Filesize
10.8MB

Download
memory/2808-1-0x0000000000F40000-0x0000000001264000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads