quasar | e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f.exe
Size

3.1MB
MD5

5da0a355dcd44b29fdd27a5eba904d8d
SHA1

1099e489937a644376653ab4b5921da9527f50a9
SHA256

e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f
SHA512

289ac0076045bcb1e8b35d572ed27eca424f718b9ef26d821a5cc7ee372203125a6c516b296044efc23ad4d4bd771e1d875cf74107b9205c5312a6c49d37b0a6
SSDEEP

49152:3viI22SsaNYfdPBldt698dBcjHFfRJ6fbR3LoGd5THHB72eh2NT:3vv22SsaNYfdPBldt6+dBcjHFfRJ6x

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.79:4782

Mutex

956eafb2-7482-407b-bff4-d2b57a1c3d75

Attributes

encryption_key
EFEBD005E03B8B8669985D9A167E2BEF9FFCA477
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/3016-1-0x0000000000EE0000-0x0000000001204000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b76-5.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
4900	Client.exe
2792	Client.exe
4688	Client.exe
2860	Client.exe
3724	Client.exe
1644	Client.exe
864	Client.exe
2104	Client.exe
3036	Client.exe
4680	Client.exe
4660	Client.exe
4444	Client.exe
4536	Client.exe
3124	Client.exe
1672	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2628	PING.EXE
1672	PING.EXE
3540	PING.EXE
4708	PING.EXE
1592	PING.EXE
4376	PING.EXE
1460	PING.EXE
3556	PING.EXE
1652	PING.EXE
980	PING.EXE
2132	PING.EXE
4136	PING.EXE
3000	PING.EXE
732	PING.EXE
2232	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1460	PING.EXE
4708	PING.EXE
1592	PING.EXE
1672	PING.EXE
980	PING.EXE
3000	PING.EXE
3540	PING.EXE
732	PING.EXE
2232	PING.EXE
2132	PING.EXE
4376	PING.EXE
1652	PING.EXE
2628	PING.EXE
3556	PING.EXE
4136	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3136	schtasks.exe
4240	schtasks.exe
4936	schtasks.exe
3084	schtasks.exe
3068	schtasks.exe
3476	schtasks.exe
1160	schtasks.exe
3668	schtasks.exe
3456	schtasks.exe
4512	schtasks.exe
1668	schtasks.exe
2180	schtasks.exe
4284	schtasks.exe
4008	schtasks.exe
2132	schtasks.exe
1352	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f.exe
Token: SeDebugPrivilege	4900	Client.exe
Token: SeDebugPrivilege	2792	Client.exe
Token: SeDebugPrivilege	4688	Client.exe
Token: SeDebugPrivilege	2860	Client.exe
Token: SeDebugPrivilege	3724	Client.exe
Token: SeDebugPrivilege	1644	Client.exe
Token: SeDebugPrivilege	864	Client.exe
Token: SeDebugPrivilege	2104	Client.exe
Token: SeDebugPrivilege	3036	Client.exe
Token: SeDebugPrivilege	4680	Client.exe
Token: SeDebugPrivilege	4660	Client.exe
Token: SeDebugPrivilege	4444	Client.exe
Token: SeDebugPrivilege	4536	Client.exe
Token: SeDebugPrivilege	3124	Client.exe
Token: SeDebugPrivilege	1672	Client.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
4900	Client.exe
2792	Client.exe
4688	Client.exe
2860	Client.exe
3724	Client.exe
1644	Client.exe
864	Client.exe
2104	Client.exe
3036	Client.exe
4680	Client.exe
4660	Client.exe
4444	Client.exe
4536	Client.exe
3124	Client.exe
1672	Client.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
4900	Client.exe
2792	Client.exe
4688	Client.exe
2860	Client.exe
3724	Client.exe
1644	Client.exe
864	Client.exe
2104	Client.exe
3036	Client.exe
4680	Client.exe
4660	Client.exe
4444	Client.exe
4536	Client.exe
3124	Client.exe
1672	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 3068	3016	e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f.exe	83
PID 3016 wrote to memory of 3068	3016	e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f.exe	83
PID 3016 wrote to memory of 4900	3016	e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f.exe	85
PID 3016 wrote to memory of 4900	3016	e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f.exe	85
PID 4900 wrote to memory of 3476	4900	Client.exe	86
PID 4900 wrote to memory of 3476	4900	Client.exe	86
PID 4900 wrote to memory of 4704	4900	Client.exe	88
PID 4900 wrote to memory of 4704	4900	Client.exe	88
PID 4704 wrote to memory of 3808	4704	cmd.exe	90
PID 4704 wrote to memory of 3808	4704	cmd.exe	90
PID 4704 wrote to memory of 1652	4704	cmd.exe	91
PID 4704 wrote to memory of 1652	4704	cmd.exe	91
PID 4704 wrote to memory of 2792	4704	cmd.exe	93
PID 4704 wrote to memory of 2792	4704	cmd.exe	93
PID 2792 wrote to memory of 1160	2792	Client.exe	94
PID 2792 wrote to memory of 1160	2792	Client.exe	94
PID 2792 wrote to memory of 4376	2792	Client.exe	97
PID 2792 wrote to memory of 4376	2792	Client.exe	97
PID 4376 wrote to memory of 3184	4376	cmd.exe	99
PID 4376 wrote to memory of 3184	4376	cmd.exe	99
PID 4376 wrote to memory of 2232	4376	cmd.exe	102
PID 4376 wrote to memory of 2232	4376	cmd.exe	102
PID 4376 wrote to memory of 4688	4376	cmd.exe	114
PID 4376 wrote to memory of 4688	4376	cmd.exe	114
PID 4688 wrote to memory of 1668	4688	Client.exe	115
PID 4688 wrote to memory of 1668	4688	Client.exe	115
PID 4688 wrote to memory of 4356	4688	Client.exe	117
PID 4688 wrote to memory of 4356	4688	Client.exe	117
PID 4356 wrote to memory of 4700	4356	cmd.exe	120
PID 4356 wrote to memory of 4700	4356	cmd.exe	120
PID 4356 wrote to memory of 2132	4356	cmd.exe	121
PID 4356 wrote to memory of 2132	4356	cmd.exe	121
PID 4356 wrote to memory of 2860	4356	cmd.exe	124
PID 4356 wrote to memory of 2860	4356	cmd.exe	124
PID 2860 wrote to memory of 3136	2860	Client.exe	125
PID 2860 wrote to memory of 3136	2860	Client.exe	125
PID 2860 wrote to memory of 5044	2860	Client.exe	129
PID 2860 wrote to memory of 5044	2860	Client.exe	129
PID 5044 wrote to memory of 628	5044	cmd.exe	131
PID 5044 wrote to memory of 628	5044	cmd.exe	131
PID 5044 wrote to memory of 1592	5044	cmd.exe	132
PID 5044 wrote to memory of 1592	5044	cmd.exe	132
PID 5044 wrote to memory of 3724	5044	cmd.exe	134
PID 5044 wrote to memory of 3724	5044	cmd.exe	134
PID 3724 wrote to memory of 2180	3724	Client.exe	135
PID 3724 wrote to memory of 2180	3724	Client.exe	135
PID 3724 wrote to memory of 4464	3724	Client.exe	137
PID 3724 wrote to memory of 4464	3724	Client.exe	137
PID 4464 wrote to memory of 1672	4464	cmd.exe	140
PID 4464 wrote to memory of 1672	4464	cmd.exe	140
PID 4464 wrote to memory of 4136	4464	cmd.exe	141
PID 4464 wrote to memory of 4136	4464	cmd.exe	141
PID 4464 wrote to memory of 1644	4464	cmd.exe	143
PID 4464 wrote to memory of 1644	4464	cmd.exe	143
PID 1644 wrote to memory of 4008	1644	Client.exe	144
PID 1644 wrote to memory of 4008	1644	Client.exe	144
PID 1644 wrote to memory of 3964	1644	Client.exe	146
PID 1644 wrote to memory of 3964	1644	Client.exe	146
PID 3964 wrote to memory of 5092	3964	cmd.exe	149
PID 3964 wrote to memory of 5092	3964	cmd.exe	149
PID 3964 wrote to memory of 4376	3964	cmd.exe	150
PID 3964 wrote to memory of 4376	3964	cmd.exe	150
PID 3964 wrote to memory of 864	3964	cmd.exe	152
PID 3964 wrote to memory of 864	3964	cmd.exe	152

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f.exe
"C:\Users\Admin\AppData\Local\Temp\e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3068
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A4fytmzjF6wa.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4704
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3808
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1652
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1160
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8M5bfG2EBeLn.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4376
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3184
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2232
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\okaClaGN1Y8T.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4700
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2132
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qDdpU35VksTu.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:628
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1592
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\POzBValj1pZL.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1672
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4136
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4E4u3vIATq8W.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:5092
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4376
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:864
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mwLxBJrq13XJ.bat" "
        15⤵
        
        PID:804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4804
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2628
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2104
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2HUe1jFcmzqj.bat" "
        17⤵
        
        PID:4480
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2948
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1460
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3036
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8aGRkmx1garI.bat" "
        19⤵
        
        PID:4184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:972
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1672
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4680
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PpRbqdTYENJH.bat" "
        21⤵
        
        PID:704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:980
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4660
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7hLk5gIw5koj.bat" "
        23⤵
        
        PID:4040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4444
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\p2nbEj0yc0XD.bat" "
        25⤵
        
        PID:1632
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2384
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3540
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4536
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lVPmctF3XC2G.bat" "
        27⤵
        
        PID:724
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3572
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:732
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3124
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OTlVTJ8J2IJ0.bat" "
        29⤵
        
        PID:3140
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:868
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4708
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1672
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nADzf0HCuYZ6.bat" "
        31⤵
        
        PID:4756
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:392
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2HUe1jFcmzqj.bat

Filesize
207B

MD5
5eb44ab424aa4f5fab6a9aa6ddcbd830

SHA1
d979cc4e2bf17fc0dc9f09925726a0ef338576d5

SHA256
f6a8b337604a450dc35ea3934de8c5ca9aa1fd063a4319a882324ba0d72e1e53

SHA512
c8d6700de09ac3905ee6604b0a1c38e991931b78bbd3b6d87e41684a9c95c4e40b7aea63437fac88886edd1e1d98c2d9e4e5002c92386bfb10164820e556c993

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E4u3vIATq8W.bat

Filesize
207B

MD5
d05aee73e418466da4a7412c0972c2a8

SHA1
3a38d795cefb3ad744340f3320f6676dc8b92f98

SHA256
180760a3ebe7101decdd733b1d5c451e192d4452bfa13c587ff839357cb919e3

SHA512
d5dd9213f2089f0e688091b294e5c028c398aa4f511acb662fa5f54ba4c87ea4016c122ce8c6f96932e143fd91d65cd9a52843c356431856ca2bf70ec55f138b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7hLk5gIw5koj.bat

Filesize
207B

MD5
af177e7f588ad61ae7d062c25d66243e

SHA1
827b48ed27e330f7ce1336307f34902438e25612

SHA256
f4538e9255fe68140193662059e872c8cb42e8f30a7ae440b24f308a02397f06

SHA512
da93206a18a80b34ed94b3ba0ec9842a567a53749bca568be8820c8ce799e928679409f34f31ac3591198cbca6cbfebfb09f58d7bc3971bcd72ac1197c38b672

Download Submit
C:\Users\Admin\AppData\Local\Temp\8M5bfG2EBeLn.bat

Filesize
207B

MD5
05b718a9882a4d1334e97628abe6100c

SHA1
b4a9357687190a831e23b5aa213e3706ecee9f16

SHA256
d4a9c33f73345d74d4f86ff25ea4ec04a6db199717c6fb91fc4b090f6e72d6fc

SHA512
69bc69684068c3d3685e9b3559ec2c1b050453fc68d207c8741226e15cd13b91037613ca1f38a74cf6a74ae4606ec415b81581d2c46c982dd11326a861f96207

Download Submit
C:\Users\Admin\AppData\Local\Temp\8aGRkmx1garI.bat

Filesize
207B

MD5
9cbc6a0be82c5f253068cf75f874ceeb

SHA1
b8a0f941ab8ff353536045c70ccbcc83b4d76859

SHA256
127b8719ec7e279f615c5425ab153a9c1c20d0a30a2385ed12b589ec22c9648c

SHA512
2227aa93bad332b921eeb3aa780ec73f7c879eb905f5ae9f7dff6b4332c93bc4aab7c695f15738201360712292a3105156ebb20d482b08f0df43872ae1375f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4fytmzjF6wa.bat

Filesize
207B

MD5
b7920dd53c7abb149a85cc847f03a5e8

SHA1
d13ea2e670a7c529a19f7df8184d920cb4f15155

SHA256
c7e4f15cbfb1908e79318effebd38edb0ae1bbe694e1fc59ba4652071f4f2083

SHA512
29787d77c9ee18b3b92bda65a54eba7e8eb59499b9dc26ca55eb510a68365f6844479dc1b5bff86f65e45dcb43b9430d48e73118f8a608e470ac64614a76280c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OTlVTJ8J2IJ0.bat

Filesize
207B

MD5
7012fd8133701a5211e42b3d55bae525

SHA1
84241aa308853380df26f29b867b67dcb02ba79e

SHA256
e03cf68197894349c6cfb448136421b0fcef7edfe3752b5586afdaa36a85cbc6

SHA512
f8c278679aee0102e6822feb0dbeba9248b6b3bef7842a3cb06bbe4967344a6a9d2550b52f9d2bbddc8eedd8794f6904a207dade9c84d5c662b93fcdf683f493

Download Submit
C:\Users\Admin\AppData\Local\Temp\POzBValj1pZL.bat

Filesize
207B

MD5
034f7ca7f6ab7baab066303889bdf3a4

SHA1
e4d62ad0296e835f7ee40b61e0ea1b0209474698

SHA256
4ed392175112d150387ffba2a0f2bca3e534b6d2a94dbff7d336fc92bc5200d6

SHA512
1bad9ad9f255acc9cf17655d71e11d96f3593dcc84c2eae6dccfc2ab760fff4bc0c296dee5de83e369e16aa67a87bfcc73f552d81acbe95a2d75ddde3546630f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PpRbqdTYENJH.bat

Filesize
207B

MD5
332a10a597b05dc5843fefd9cba89e27

SHA1
483842dbd5cc350ed0b9217338b9a7688f21b6c8

SHA256
083904fd430165f6ba7e75ffff5f27ff4301cc0c36085b3eae1504f6df457a47

SHA512
e81b84b988a1e2df690dbb1d4551c7f0b0b3d66fd1cb0e1ec6af48f50170e3f843579f42ccf9172cd44490fc5c109423f8d1babb941e770b883eec33bd4cebd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\lVPmctF3XC2G.bat

Filesize
207B

MD5
2e02b8332cf0bc0f69a3a07e2c320515

SHA1
ddd771730b69dc09ba288a3209893da83e42a6a5

SHA256
b52e8d112fbf3028d50f00afd416cd66cab472590a29587d67ccc222ab44378e

SHA512
e7090a93cfd724af18d048567c4fc41e76d791ececc44e533730bbeec858e5b80984729df9c33c22d3e97376dee80b385835d30066a3dcbb44fefc8a42ddb258

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwLxBJrq13XJ.bat

Filesize
207B

MD5
2c0e35f142043de7ffd5d68ab90fd5d5

SHA1
7650ac66c02cf5aa3a7987af40ecbc883209682e

SHA256
6df10bd104c9836cb66a3a88ce49572c15f9faee5837ae8cd2926bb9d3dbef45

SHA512
d1896b610452e4b60f52beba7ada77c1248b9bf5e80694785901867886374cf39a03ec561f2fb7a92091f31ae9cad7d2a2f547a09b70f9998d29affc7a4c39dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nADzf0HCuYZ6.bat

Filesize
207B

MD5
c055b99ea8352959bae5194b5a6a748d

SHA1
eb01160ad169a1c24d610fbb78cedbc7b0ab4f14

SHA256
66ee3478b7cdd24b233fe2f7767a6c9c2fbb58ddf25e13fb257508b8224d6642

SHA512
4d63188de8a9e885bb7881be36d418cc4ccff84ee8f58b1e28f09a9d2cc63aa58a3ed279402fe8f0e2164df78e587cbc5dfae00661dce58f8ec62b73ffe29860

Download Submit
C:\Users\Admin\AppData\Local\Temp\okaClaGN1Y8T.bat

Filesize
207B

MD5
240324385474ae5ddc6035f0baf42a15

SHA1
9d382984a6d2398d9144ddd0256973fa3faffa26

SHA256
69dbfa41d136e46b98bb45389db236050cd5bbd100169853f6201efb835def51

SHA512
b35347c999c62e1d516e6b6e17e0be79a030e11eb149316373e5cbb4f462c2ba179a67914f98ed2b5f32db1bdb5d4e8fef83249e17f98c145ecc83439bb271e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\p2nbEj0yc0XD.bat

Filesize
207B

MD5
1c18f344601434a52a6fa5cb040bf456

SHA1
1e1736b9e99b4dd31a4472529d45594971aeddf0

SHA256
59f6bc21a59624326aa219aa3296602623efa750173c665aa3ab4f9b138adddc

SHA512
cc03eb83209074b1a3527d304ff571f7a3f2fee660a4482b1cf00acfdf1c3ed9505b5a475d90cd7d09892497b7aad08059be5896ed69bcccf2ac816494b269ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\qDdpU35VksTu.bat

Filesize
207B

MD5
1c51d913ad8e9d6a73bd1ce8dd2b7dbd

SHA1
d372134309c7c2d75cd63ed1c20a2648b358921d

SHA256
235c429e942146dadfe95bd43bde8382cce0822b2fab3e8036c1f295a9a0b6db

SHA512
913c2e3a5d244aebf4b3180011ac987cea1cc6a00d2277780d665daaf0f60c2ea1f7cb6d015f89414ffd7d9b7f5509171ecc8f780fc2540d7bbf5c6cd4bbd7ab

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
5da0a355dcd44b29fdd27a5eba904d8d

SHA1
1099e489937a644376653ab4b5921da9527f50a9

SHA256
e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f

SHA512
289ac0076045bcb1e8b35d572ed27eca424f718b9ef26d821a5cc7ee372203125a6c516b296044efc23ad4d4bd771e1d875cf74107b9205c5312a6c49d37b0a6

Download Submit
memory/3016-0-0x00007FFBE0620000-0x00007FFBE06BB000-memory.dmp

Filesize
620KB

Download
memory/3016-8-0x00007FFBE0620000-0x00007FFBE06BB000-memory.dmp

Filesize
620KB

Download
memory/3016-1-0x0000000000EE0000-0x0000000001204000-memory.dmp

Filesize
3.1MB

Download
memory/4900-16-0x00007FFBE0620000-0x00007FFBE06BB000-memory.dmp

Filesize
620KB

Download
memory/4900-11-0x000000001BFD0000-0x000000001C082000-memory.dmp

Filesize
712KB

Download
memory/4900-10-0x000000001BEC0000-0x000000001BF10000-memory.dmp

Filesize
320KB

Download
memory/4900-9-0x00007FFBE0620000-0x00007FFBE06BB000-memory.dmp

Filesize
620KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads