Analysis

max time kernel: 148s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-12-2024 06:31

Behavioral task: behavioral1
Sample: Quas_Autre_ncrypt.exe
Resource: win7-20240708-en

General

Target: Quas_Autre_ncrypt.exe
Size: 3.1MB
MD5: 2be44f2f5ea83cbc61fbd13b50c0f88c
SHA1: f44df0aeb39d32c7fcff0b60e1e1283f051cd8c9
SHA256: cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a
SHA512: 95f321154f0fee3171d735ec19c0c44dfb1e67f979b6590ebb134b7f14f8510c69b66d1c67a161481e643c52e61965e410c52a6779c89e3e41b04bc73e8bd7e2
SSDEEP: 49152:KvyI22SsaNYfdPBldt698dBcjHXBnubRZELoGdaTHHB72eh2NT:Kvf22SsaNYfdPBldt6+dBcjHXBnoK
Malware Config

Extracted configuration (family: quasar)
Version: 1.4.1
Botnet: AUTRE
C2: voltazur.ddns.net:4789
Mutex: eddf685a-87b7-4f5a-9bac-e09fd56aab1e
encryption_key: 77E1CE64C90713D69376A654F4C56C1E0262C545
install_name: Clients.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: WindowsSystemTask
subdirectory: SubDare
Signatures

Quasar family

Quasar payload (2 IoCs)
  resource: behavioral2/memory/4880-1-0x0000000000120000-0x0000000000444000-memory.dmp  yara_rule: family_quasar
  resource: behavioral2/files/0x0007000000023cad-6.dat  yara_rule: family_quasar

Checks computer location settings (2 TTPs, 15 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation
  Process: Clients.exe (15 identical entries)

Executes dropped EXE (15 IoCs)
  Clients.exe PIDs: 3676, 3972, 4884, 2348, 2808, 776, 2104, 2272, 2612, 4672, 3964, 4248, 2128, 3916, 5104

Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files\SubDare\Clients.exe  Process: Quas_Autre_ncrypt.exe
  File opened for modification: C:\Program Files\SubDare\Clients.exe  Process: Quas_Autre_ncrypt.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  PING.EXE PIDs: 4280, 4304, 760, 3040, 2296, 1980, 2304, 380, 3928, 2896, 2832, 3436, 2716, 1380, 1052

Runs ping.exe (1 TTPs, 15 IoCs)
  PING.EXE PIDs: 760, 1980, 3436, 2296, 2896, 380, 2716, 3040, 4280, 2304, 1380, 2832, 1052, 4304, 3928

Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  schtasks.exe PIDs: 4384, 3128, 2840, 4248, 2416, 4860, 2468, 1132, 1920, 4584, 2112, 1944, 4496, 1208, 536, 744

Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Token: SeDebugPrivilege  PID 4880 Quas_Autre_ncrypt.exe
  Token: SeDebugPrivilege  Clients.exe PIDs: 3676, 3972, 4884, 2348, 2808, 776, 2104, 2272, 2612, 4672, 3964, 4248, 2128, 3916, 5104

Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (parent/child tree; indentation and the [n] tag give the depth reported by the sandbox)

[1] C:\Users\Admin\AppData\Local\Temp\Quas_Autre_ncrypt.exe (PID 4880)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\Quas_Autre_ncrypt.exe"
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SYSTEM32\schtasks.exe (PID 2112)
    cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
  [2] C:\Program Files\SubDare\Clients.exe (PID 3676)
    cmdline: "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SYSTEM32\schtasks.exe (PID 2840)
      cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
    [3] C:\Windows\system32\cmd.exe (PID 2252)
      cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\X7kKKjxCa6kV.bat" "
      - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\chcp.com (PID 4456)
        cmdline: chcp 65001
      [4] C:\Windows\system32\PING.EXE (PID 3436)
        cmdline: ping -n 10 localhost
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
      [4] C:\Program Files\SubDare\Clients.exe (PID 3972)
        cmdline: "C:\Program Files\SubDare\Clients.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SYSTEM32\schtasks.exe (PID 1208)
          cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
          - Scheduled Task/Job: Scheduled Task
        [5] C:\Windows\system32\cmd.exe (PID 2424)
          cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w3kSMlIr4LGM.bat" "
          - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\chcp.com (PID 1532)
            cmdline: chcp 65001
          [6] C:\Windows\system32\PING.EXE (PID 4304)
            cmdline: ping -n 10 localhost
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
          [6] C:\Program Files\SubDare\Clients.exe (PID 4884)
            cmdline: "C:\Program Files\SubDare\Clients.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SYSTEM32\schtasks.exe (PID 536)
              cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
              - Scheduled Task/Job: Scheduled Task
            [7] C:\Windows\system32\cmd.exe (PID 3376)
              cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FdsevzC7zDT6.bat" "
              - Suspicious use of WriteProcessMemory
              [8] C:\Windows\system32\chcp.com (PID 2596)
                cmdline: chcp 65001
              [8] C:\Windows\system32\PING.EXE (PID 380)
                cmdline: ping -n 10 localhost
                - System Network Configuration Discovery: Internet Connection Discovery
                - Runs ping.exe
              [8] C:\Program Files\SubDare\Clients.exe (PID 2348)
                cmdline: "C:\Program Files\SubDare\Clients.exe"
                - Checks computer location settings
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                [9] C:\Windows\SYSTEM32\schtasks.exe (PID 1944)
                  cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
                  - Scheduled Task/Job: Scheduled Task
                [9] C:\Windows\system32\cmd.exe (PID 4772)
                  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q7P3cPH578IX.bat" "
                  - Suspicious use of WriteProcessMemory
                  [10] C:\Windows\system32\chcp.com (PID 3124)
                    cmdline: chcp 65001
                  [10] C:\Windows\system32\PING.EXE (PID 2716)
                    cmdline: ping -n 10 localhost
                    - System Network Configuration Discovery: Internet Connection Discovery
                    - Runs ping.exe
                  [10] C:\Program Files\SubDare\Clients.exe (PID 2808)
                    cmdline: "C:\Program Files\SubDare\Clients.exe"
                    - Checks computer location settings
                    - Executes dropped EXE
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    [11] C:\Windows\SYSTEM32\schtasks.exe (PID 4860)
                      cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
                      - Scheduled Task/Job: Scheduled Task
                    [11] C:\Windows\system32\cmd.exe (PID 3464)
                      cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SRra1mquttZC.bat" "
                      - Suspicious use of WriteProcessMemory
                      [12] C:\Windows\system32\chcp.com (PID 4604)
                        cmdline: chcp 65001
                      [12] C:\Windows\system32\PING.EXE (PID 3928)
                        cmdline: ping -n 10 localhost
                        - System Network Configuration Discovery: Internet Connection Discovery
                        - Runs ping.exe
                      [12] C:\Program Files\SubDare\Clients.exe (PID 776)
                        cmdline: "C:\Program Files\SubDare\Clients.exe"
                        - Checks computer location settings
                        - Executes dropped EXE
                        - Suspicious use of AdjustPrivilegeToken
                        - Suspicious use of WriteProcessMemory
                        [13] C:\Windows\SYSTEM32\schtasks.exe (PID 4496)
                          cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
                          - Scheduled Task/Job: Scheduled Task
                        [13] C:\Windows\system32\cmd.exe (PID 1932)
                          cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GS6zMTCWj3iJ.bat" "
                          - Suspicious use of WriteProcessMemory
                          [14] C:\Windows\system32\chcp.com (PID 4184)
                            cmdline: chcp 65001
                          [14] C:\Windows\system32\PING.EXE (PID 2896)
                            cmdline: ping -n 10 localhost
                            - System Network Configuration Discovery: Internet Connection Discovery
                            - Runs ping.exe
                          [14] C:\Program Files\SubDare\Clients.exe (PID 2104)
                            cmdline: "C:\Program Files\SubDare\Clients.exe"
                            - Checks computer location settings
                            - Executes dropped EXE
                            - Suspicious use of AdjustPrivilegeToken
                            [15] C:\Windows\SYSTEM32\schtasks.exe (PID 4248)
                              cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
                              - Scheduled Task/Job: Scheduled Task
                            [15] C:\Windows\system32\cmd.exe (PID 4852)
                              cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jT1sfmCDytCK.bat" "
                              [16] C:\Windows\system32\chcp.com (PID 392)
                                cmdline: chcp 65001
                              [16] C:\Windows\system32\PING.EXE (PID 2296)
                                cmdline: ping -n 10 localhost
                                - System Network Configuration Discovery: Internet Connection Discovery
                                - Runs ping.exe
                              [16] C:\Program Files\SubDare\Clients.exe (PID 2272)
                                cmdline: "C:\Program Files\SubDare\Clients.exe"
                                - Checks computer location settings
                                - Executes dropped EXE
                                - Suspicious use of AdjustPrivilegeToken
                                [17] C:\Windows\SYSTEM32\schtasks.exe (PID 2416)
                                  cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
                                  - Scheduled Task/Job: Scheduled Task
                                [17] C:\Windows\system32\cmd.exe (PID 2332)
                                  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IJNWQujAOeMy.bat" "
                                  [18] C:\Windows\system32\chcp.com (PID 380)
                                    cmdline: chcp 65001
                                  [18] C:\Windows\system32\PING.EXE (PID 1380)
                                    cmdline: ping -n 10 localhost
                                    - System Network Configuration Discovery: Internet Connection Discovery
                                    - Runs ping.exe
                                  [18] C:\Program Files\SubDare\Clients.exe (PID 2612)
                                    cmdline: "C:\Program Files\SubDare\Clients.exe"
                                    - Checks computer location settings
                                    - Executes dropped EXE
                                    - Suspicious use of AdjustPrivilegeToken
                                    [19] C:\Windows\SYSTEM32\schtasks.exe (PID 4384)
                                      cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
                                      - Scheduled Task/Job: Scheduled Task
                                    [19] C:\Windows\system32\cmd.exe (PID 2036)
                                      cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0qToROldTwWe.bat" "
                                      [20] C:\Windows\system32\chcp.com (PID 2960)
                                        cmdline: chcp 65001
                                      [20] C:\Windows\system32\PING.EXE (PID 1052)
                                        cmdline: ping -n 10 localhost
                                        - System Network Configuration Discovery: Internet Connection Discovery
                                        - Runs ping.exe
                                      [20] C:\Program Files\SubDare\Clients.exe (PID 4672)
                                        cmdline: "C:\Program Files\SubDare\Clients.exe"
                                        - Checks computer location settings
                                        - Executes dropped EXE
                                        - Suspicious use of AdjustPrivilegeToken
                                        [21] C:\Windows\SYSTEM32\schtasks.exe (PID 2468)
                                          cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
                                          - Scheduled Task/Job: Scheduled Task
                                        [21] C:\Windows\system32\cmd.exe (PID 2024)
                                          cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xP6z7dB0mh1A.bat" "
                                          [22] C:\Windows\system32\chcp.com (PID 3708)
                                            cmdline: chcp 65001
                                          [22] C:\Windows\system32\PING.EXE (PID 760)
                                            cmdline: ping -n 10 localhost
                                            - System Network Configuration Discovery: Internet Connection Discovery
                                            - Runs ping.exe
                                          [22] C:\Program Files\SubDare\Clients.exe (PID 3964)
                                            cmdline: "C:\Program Files\SubDare\Clients.exe"
                                            - Checks computer location settings
                                            - Executes dropped EXE
                                            - Suspicious use of AdjustPrivilegeToken
                                            [23] C:\Windows\SYSTEM32\schtasks.exe (PID 3128)
                                              cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
                                              - Scheduled Task/Job: Scheduled Task
                                            [23] C:\Windows\system32\cmd.exe (PID 3828)
                                              cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tDxgoAiZ2H3o.bat" "
                                              [24] C:\Windows\system32\chcp.com (PID 2056)
                                                cmdline: chcp 65001
                                              [24] C:\Windows\system32\PING.EXE (PID 2832)
                                                cmdline: ping -n 10 localhost
                                                - System Network Configuration Discovery: Internet Connection Discovery
                                                - Runs ping.exe
                                              [24] C:\Program Files\SubDare\Clients.exe (PID 4248)
                                                cmdline: "C:\Program Files\SubDare\Clients.exe"
                                                - Checks computer location settings
                                                - Executes dropped EXE
                                                - Suspicious use of AdjustPrivilegeToken
                                                [25] C:\Windows\SYSTEM32\schtasks.exe (PID 1920)
                                                  cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
                                                  - Scheduled Task/Job: Scheduled Task
                                                [25] C:\Windows\system32\cmd.exe (PID 3444)
                                                  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9VwtZa4GIlsL.bat" "
                                                  [26] C:\Windows\system32\chcp.com (PID 4152)
                                                    cmdline: chcp 65001
                                                  [26] C:\Windows\system32\PING.EXE (PID 3040)
                                                    cmdline: ping -n 10 localhost
                                                    - System Network Configuration Discovery: Internet Connection Discovery
                                                    - Runs ping.exe
                                                  [26] C:\Program Files\SubDare\Clients.exe (PID 2128)
                                                    cmdline: "C:\Program Files\SubDare\Clients.exe"
                                                    - Checks computer location settings
                                                    - Executes dropped EXE
                                                    - Suspicious use of AdjustPrivilegeToken
                                                    [27] C:\Windows\SYSTEM32\schtasks.exe (PID 4584)
                                                      cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
                                                      - Scheduled Task/Job: Scheduled Task
                                                    [27] C:\Windows\system32\cmd.exe (PID 864)
                                                      cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G412e8BRrgFv.bat" "
                                                      [28] C:\Windows\system32\chcp.com (PID 1740)
                                                        cmdline: chcp 65001
                                                      [28] C:\Windows\system32\PING.EXE (PID 1980)
                                                        cmdline: ping -n 10 localhost
                                                        - System Network Configuration Discovery: Internet Connection Discovery
                                                        - Runs ping.exe
                                                      [28] C:\Program Files\SubDare\Clients.exe (PID 3916)
                                                        cmdline: "C:\Program Files\SubDare\Clients.exe"
                                                        - Checks computer location settings
                                                        - Executes dropped EXE
                                                        - Suspicious use of AdjustPrivilegeToken
                                                        [29] C:\Windows\SYSTEM32\schtasks.exe (PID 744)
                                                          cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
                                                          - Scheduled Task/Job: Scheduled Task
                                                        [29] C:\Windows\system32\cmd.exe (PID 2524)
                                                          cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kzalVGPISdOB.bat" "
                                                          [30] C:\Windows\system32\chcp.com (PID 1156)
                                                            cmdline: chcp 65001
                                                          [30] C:\Windows\system32\PING.EXE (PID 4280)
                                                            cmdline: ping -n 10 localhost
                                                            - System Network Configuration Discovery: Internet Connection Discovery
                                                            - Runs ping.exe
                                                          [30] C:\Program Files\SubDare\Clients.exe (PID 5104)
                                                            cmdline: "C:\Program Files\SubDare\Clients.exe"
                                                            - Checks computer location settings
                                                            - Executes dropped EXE
                                                            - Suspicious use of AdjustPrivilegeToken
                                                            [31] C:\Windows\SYSTEM32\schtasks.exe (PID 1132)
                                                              cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
                                                              - Scheduled Task/Job: Scheduled Task
                                                            [31] C:\Windows\system32\cmd.exe (PID 2908)
                                                              cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OlDvQxwbmRiv.bat" "
                                                              [32] C:\Windows\system32\chcp.com (PID 3708)
                                                                cmdline: chcp 65001
                                                              [32] C:\Windows\system32\PING.EXE (PID 2304)
                                                                cmdline: ping -n 10 localhost
                                                                - System Network Configuration Discovery: Internet Connection Discovery
                                                                - Runs ping.exe
MITRE ATT&CK Enterprise v15
Downloads