Analysis
- max time kernel: 146s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-12-2024 06:36
Behavioral task: behavioral1
- Sample: Quas_Brout_ncrypt.exe
- Resource: win7-20240903-en
General
- Target: Quas_Brout_ncrypt.exe
- Size: 3.1MB
- MD5: df7b0e428b11f8aa5102168e65156a3b
- SHA1: 7a48d280aee1b17e8a2e36b21c7441d4670cc7bc
- SHA256: f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9
- SHA512: c3dee0a61bc87eb230dce708172c95c5b3209d6d3c07198c2b92b68e5bd6d10e0ddf5193c4ad98be3bcb24e9627ef936de2a78274f477b33cacfe5117dc97abb
- SSDEEP: 49152:HvyI22SsaNYfdPBldt698dBcjH+a071Jv0oGdPZTHHB72eh2NT:Hvf22SsaNYfdPBldt6+dBcjH+a0A/
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Botnet: BROUTEUR
- C2: voltazur.ddns.net:4789
- Mutex: b435e96f-9e1a-4119-b07d-1ebccf7eb1b5
- encryption_key: 77E1CE64C90713D69376A654F4C56C1E0262C545
- install_name: Clients.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: WindowsSystemTask
- subdirectory: SubDare
Signatures
- Quasar family
- Quasar payload (2 IoCs)
  resource / yara_rule:
  - behavioral2/memory/704-1-0x00000000005D0000-0x00000000008F4000-memory.dmp: family_quasar
  - behavioral2/files/0x000a000000023b7d-5.dat: family_quasar
- Checks computer location settings (2 TTPs, 15 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description / ioc / Process:
  - Key value queried: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation, by Clients.exe (15 identical entries, one per Clients.exe instance)
- Executes dropped EXE (15 IoCs)
  pid / Process: 3332, 1296, 2444, 5064, 4376, 2636, 5012, 808, 3332, 1184, 964, 4776, 3440, 1140, 2668, all Clients.exe
- Drops file in Program Files directory (2 IoCs)
  description / ioc / Process:
  - File created: C:\Program Files\SubDare\Clients.exe, by Quas_Brout_ncrypt.exe
  - File opened for modification: C:\Program Files\SubDare\Clients.exe, by Quas_Brout_ncrypt.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid / Process: 4400, 3792, 1272, 60, 556, 3016, 3360, 5060, 2800, 5100, 3448, 3460, 1492, 4032, 388, all PING.EXE
- Runs ping.exe (1 TTPs, 15 IoCs)
  pid / Process: 556, 3016, 3360, 4032, 3792, 5060, 2800, 1272, 3448, 3460, 1492, 4400, 388, 60, 5100, all PING.EXE
- Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process: 408, 1324, 2720, 1492, 836, 1200, 1248, 2596, 2812, 2828, 1540, 1044, 3212, 5036, 1772, 4616, all schtasks.exe
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege: 704 Quas_Brout_ncrypt.exe
  - Token: SeDebugPrivilege: 3332, 1296, 2444, 5064, 4376, 2636, 5012, 808, 3332, 1184, 964, 4776, 3440, 1140, 2668, all Clients.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description / pid / Process / procid_target (32 distinct events, each recorded twice in the raw listing):
  - PID 704 wrote to memory of 2596: 704 Quas_Brout_ncrypt.exe, target 83
  - PID 704 wrote to memory of 3332: 704 Quas_Brout_ncrypt.exe, target 85
  - PID 3332 wrote to memory of 408: 3332 Clients.exe, target 86
  - PID 3332 wrote to memory of 3916: 3332 Clients.exe, target 88
  - PID 3916 wrote to memory of 4880: 3916 cmd.exe, target 90
  - PID 3916 wrote to memory of 3448: 3916 cmd.exe, target 91
  - PID 3916 wrote to memory of 1296: 3916 cmd.exe, target 93
  - PID 1296 wrote to memory of 2812: 1296 Clients.exe, target 96
  - PID 1296 wrote to memory of 2408: 1296 Clients.exe, target 98
  - PID 2408 wrote to memory of 3256: 2408 cmd.exe, target 101
  - PID 2408 wrote to memory of 3360: 2408 cmd.exe, target 102
  - PID 2408 wrote to memory of 2444: 2408 cmd.exe, target 113
  - PID 2444 wrote to memory of 1044: 2444 Clients.exe, target 114
  - PID 2444 wrote to memory of 4440: 2444 Clients.exe, target 116
  - PID 4440 wrote to memory of 4704: 4440 cmd.exe, target 119
  - PID 4440 wrote to memory of 3460: 4440 cmd.exe, target 120
  - PID 4440 wrote to memory of 5064: 4440 cmd.exe, target 124
  - PID 5064 wrote to memory of 2828: 5064 Clients.exe, target 125
  - PID 5064 wrote to memory of 1920: 5064 Clients.exe, target 128
  - PID 1920 wrote to memory of 3120: 1920 cmd.exe, target 130
  - PID 1920 wrote to memory of 1492: 1920 cmd.exe, target 131
  - PID 1920 wrote to memory of 4376: 1920 cmd.exe, target 134
  - PID 4376 wrote to memory of 836: 4376 Clients.exe, target 135
  - PID 4376 wrote to memory of 392: 4376 Clients.exe, target 137
  - PID 392 wrote to memory of 4788: 392 cmd.exe, target 140
  - PID 392 wrote to memory of 4032: 392 cmd.exe, target 141
  - PID 392 wrote to memory of 2636: 392 cmd.exe, target 143
  - PID 2636 wrote to memory of 3212: 2636 Clients.exe, target 144
  - PID 2636 wrote to memory of 3912: 2636 Clients.exe, target 146
  - PID 3912 wrote to memory of 3636: 3912 cmd.exe, target 149
  - PID 3912 wrote to memory of 4400: 3912 cmd.exe, target 150
  - PID 3912 wrote to memory of 5012: 3912 cmd.exe, target 151
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree depth in brackets; each process is followed by its command line and the signatures it triggered)

[1] PID 704: C:\Users\Admin\AppData\Local\Temp\Quas_Brout_ncrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\Quas_Brout_ncrypt.exe"
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[2] PID 2596: C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[2] PID 3332: C:\Program Files\SubDare\Clients.exe
    "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[3] PID 408: C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[3] PID 3916: C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H46yaACDvzTv.bat" "
    - Suspicious use of WriteProcessMemory
[4] PID 4880: C:\Windows\system32\chcp.com
    chcp 65001
[4] PID 3448: C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[4] PID 1296: C:\Program Files\SubDare\Clients.exe
    "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[5] PID 2812: C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[5] PID 2408: C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EldTepD6eKnv.bat" "
    - Suspicious use of WriteProcessMemory
[6] PID 3256: C:\Windows\system32\chcp.com
    chcp 65001
[6] PID 3360: C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[6] PID 2444: C:\Program Files\SubDare\Clients.exe
    "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[7] PID 1044: C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[7] PID 4440: C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4KNbgZGJzvQg.bat" "
    - Suspicious use of WriteProcessMemory
[8] PID 4704: C:\Windows\system32\chcp.com
    chcp 65001
[8] PID 3460: C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[8] PID 5064: C:\Program Files\SubDare\Clients.exe
    "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[9] PID 2828: C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[9] PID 1920: C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YZldsFPmv2Oo.bat" "
    - Suspicious use of WriteProcessMemory
[10] PID 3120: C:\Windows\system32\chcp.com
    chcp 65001
[10] PID 1492: C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[10] PID 4376: C:\Program Files\SubDare\Clients.exe
    "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[11] PID 836: C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[11] PID 392: C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OMzWZ3kgdekr.bat" "
    - Suspicious use of WriteProcessMemory
[12] PID 4788: C:\Windows\system32\chcp.com
    chcp 65001
[12] PID 4032: C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[12] PID 2636: C:\Program Files\SubDare\Clients.exe
    "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[13] PID 3212: C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[13] PID 3912: C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4SxCJwnNXCeQ.bat" "
    - Suspicious use of WriteProcessMemory
[14] PID 3636: C:\Windows\system32\chcp.com
    chcp 65001
[14] PID 4400: C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[14] PID 5012: C:\Program Files\SubDare\Clients.exe
    "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[15] PID 1324: C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[15] PID 3664: C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2A1yUOGqEiTb.bat" "
[16] PID 2228: C:\Windows\system32\chcp.com
    chcp 65001
[16] PID 388: C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[16] PID 808: C:\Program Files\SubDare\Clients.exe
    "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[17] PID 1200: C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[17] PID 3380: C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWY5iWOv2ZrN.bat" "
[18] PID 1548: C:\Windows\system32\chcp.com
    chcp 65001
[18] PID 60: C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[18] PID 3332: C:\Program Files\SubDare\Clients.exe
    "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[19] PID 1540: C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[19] PID 2540: C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fcDeuXgBHrwK.bat" "
[20] PID 1308: C:\Windows\system32\chcp.com
    chcp 65001
[20] PID 3792: C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[20] PID 1184: C:\Program Files\SubDare\Clients.exe
    "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[21] PID 5036: C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[21] PID 212: C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyRDAxh6eU1V.bat" "
[22] PID 4020: C:\Windows\system32\chcp.com
    chcp 65001
[22] PID 5060: C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[22] PID 964: C:\Program Files\SubDare\Clients.exe
    "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[23] PID 1248: C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[23] PID 3756: C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ETrYy6MM0OaV.bat" "
[24] PID 1620: C:\Windows\system32\chcp.com
    chcp 65001
[24] PID 556: C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[24] PID 4776: C:\Program Files\SubDare\Clients.exe
    "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[25] PID 1772: C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[25] PID 4608: C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H3RhRkxfacit.bat" "
[26] PID 1532: C:\Windows\system32\chcp.com
    chcp 65001
[26] PID 2800: C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[26] PID 3440: C:\Program Files\SubDare\Clients.exe
    "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[27] PID 2720: C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[27] PID 4908: C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pVgRfBQYGKGz.bat" "
[28] PID 4880: C:\Windows\system32\chcp.com
    chcp 65001
[28] PID 3016: C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[28] PID 1140: C:\Program Files\SubDare\Clients.exe
    "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[29] PID 4616: C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[29] PID 3140: C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xiQmFeyZPsgH.bat" "
[30] PID 3332: C:\Windows\system32\chcp.com
    chcp 65001
[30] PID 1272: C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[30] PID 2668: C:\Program Files\SubDare\Clients.exe
    "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[31] PID 1492: C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[31] PID 5036: C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyOyTkyo3p7n.bat" "
[32] PID 1184: C:\Windows\system32\chcp.com
    chcp 65001
[32] PID 5100: C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
MITRE ATT&CK Enterprise v15