Analysis
-
max time kernel
147s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
17-12-2024 06:37
Behavioral task
behavioral1
Sample
Quas_Autre_ncrypt.exe
Resource
win7-20241010-en
General
-
Target
Quas_Autre_ncrypt.exe
-
Size
3.1MB
-
MD5
2be44f2f5ea83cbc61fbd13b50c0f88c
-
SHA1
f44df0aeb39d32c7fcff0b60e1e1283f051cd8c9
-
SHA256
cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a
-
SHA512
95f321154f0fee3171d735ec19c0c44dfb1e67f979b6590ebb134b7f14f8510c69b66d1c67a161481e643c52e61965e410c52a6779c89e3e41b04bc73e8bd7e2
-
SSDEEP
49152:KvyI22SsaNYfdPBldt698dBcjHXBnubRZELoGdaTHHB72eh2NT:Kvf22SsaNYfdPBldt6+dBcjHXBnoK
Malware Config
Extracted
quasar
1.4.1
AUTRE
voltazur.ddns.net:4789
eddf685a-87b7-4f5a-9bac-e09fd56aab1e
-
encryption_key
77E1CE64C90713D69376A654F4C56C1E0262C545
-
install_name
Clients.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
WindowsSystemTask
-
subdirectory
SubDare
Signatures
-
Quasar family
-
Quasar payload 12 IoCs
resource yara_rule
behavioral1/memory/2192-1-0x0000000000380000-0x00000000006A4000-memory.dmp family_quasar
behavioral1/files/0x0008000000018bdd-5.dat family_quasar
behavioral1/memory/2304-8-0x00000000008B0000-0x0000000000BD4000-memory.dmp family_quasar
behavioral1/memory/2824-22-0x0000000000DF0000-0x0000000001114000-memory.dmp family_quasar
behavioral1/memory/1500-33-0x0000000000E50000-0x0000000001174000-memory.dmp family_quasar
behavioral1/memory/1624-44-0x0000000001030000-0x0000000001354000-memory.dmp family_quasar
behavioral1/memory/2936-55-0x0000000000240000-0x0000000000564000-memory.dmp family_quasar
behavioral1/memory/892-67-0x0000000000AE0000-0x0000000000E04000-memory.dmp family_quasar
behavioral1/memory/1740-78-0x0000000000F20000-0x0000000001244000-memory.dmp family_quasar
behavioral1/memory/1532-89-0x0000000001040000-0x0000000001364000-memory.dmp family_quasar
behavioral1/memory/1820-131-0x00000000001B0000-0x00000000004D4000-memory.dmp family_quasar
behavioral1/memory/1512-143-0x0000000000EC0000-0x00000000011E4000-memory.dmp family_quasar
-
Executes dropped EXE 15 IoCs
pid Process
2304 Clients.exe
2824 Clients.exe
1500 Clients.exe
1624 Clients.exe
2936 Clients.exe
892 Clients.exe
1740 Clients.exe
1532 Clients.exe
2476 Clients.exe
2860 Clients.exe
1748 Clients.exe
1820 Clients.exe
1512 Clients.exe
772 Clients.exe
1724 Clients.exe
-
Drops file in Program Files directory 2 IoCs
description ioc Process
File created C:\Program Files\SubDare\Clients.exe Quas_Autre_ncrypt.exe
File opened for modification C:\Program Files\SubDare\Clients.exe Quas_Autre_ncrypt.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process
2960 PING.EXE
2668 PING.EXE
2436 PING.EXE
2328 PING.EXE
348 PING.EXE
768 PING.EXE
2648 PING.EXE
2576 PING.EXE
1736 PING.EXE
912 PING.EXE
2916 PING.EXE
2848 PING.EXE
2316 PING.EXE
1912 PING.EXE
2256 PING.EXE
-
Runs ping.exe 1 TTPs 15 IoCs
pid Process
2668 PING.EXE
2848 PING.EXE
2316 PING.EXE
1736 PING.EXE
2436 PING.EXE
2576 PING.EXE
2328 PING.EXE
2916 PING.EXE
2256 PING.EXE
912 PING.EXE
768 PING.EXE
2648 PING.EXE
1912 PING.EXE
348 PING.EXE
2960 PING.EXE
-
Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
2056 schtasks.exe
832 schtasks.exe
2064 schtasks.exe
1664 schtasks.exe
2904 schtasks.exe
1780 schtasks.exe
484 schtasks.exe
2628 schtasks.exe
1676 schtasks.exe
1320 schtasks.exe
936 schtasks.exe
1708 schtasks.exe
316 schtasks.exe
2184 schtasks.exe
1280 schtasks.exe
316 schtasks.exe
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
description pid Process
Token: SeDebugPrivilege 2192 Quas_Autre_ncrypt.exe
Token: SeDebugPrivilege 2304 Clients.exe
Token: SeDebugPrivilege 2824 Clients.exe
Token: SeDebugPrivilege 1500 Clients.exe
Token: SeDebugPrivilege 1624 Clients.exe
Token: SeDebugPrivilege 2936 Clients.exe
Token: SeDebugPrivilege 892 Clients.exe
Token: SeDebugPrivilege 1740 Clients.exe
Token: SeDebugPrivilege 1532 Clients.exe
Token: SeDebugPrivilege 2476 Clients.exe
Token: SeDebugPrivilege 2860 Clients.exe
Token: SeDebugPrivilege 1748 Clients.exe
Token: SeDebugPrivilege 1820 Clients.exe
Token: SeDebugPrivilege 1512 Clients.exe
Token: SeDebugPrivilege 772 Clients.exe
Token: SeDebugPrivilege 1724 Clients.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2192 wrote to memory of 1664 2192 Quas_Autre_ncrypt.exe 30
PID 2192 wrote to memory of 1664 2192 Quas_Autre_ncrypt.exe 30
PID 2192 wrote to memory of 1664 2192 Quas_Autre_ncrypt.exe 30
PID 2192 wrote to memory of 2304 2192 Quas_Autre_ncrypt.exe 32
PID 2192 wrote to memory of 2304 2192 Quas_Autre_ncrypt.exe 32
PID 2192 wrote to memory of 2304 2192 Quas_Autre_ncrypt.exe 32
PID 2304 wrote to memory of 936 2304 Clients.exe 33
PID 2304 wrote to memory of 936 2304 Clients.exe 33
PID 2304 wrote to memory of 936 2304 Clients.exe 33
PID 2304 wrote to memory of 2768 2304 Clients.exe 35
PID 2304 wrote to memory of 2768 2304 Clients.exe 35
PID 2304 wrote to memory of 2768 2304 Clients.exe 35
PID 2768 wrote to memory of 540 2768 cmd.exe 37
PID 2768 wrote to memory of 540 2768 cmd.exe 37
PID 2768 wrote to memory of 540 2768 cmd.exe 37
PID 2768 wrote to memory of 2436 2768 cmd.exe 38
PID 2768 wrote to memory of 2436 2768 cmd.exe 38
PID 2768 wrote to memory of 2436 2768 cmd.exe 38
PID 2768 wrote to memory of 2824 2768 cmd.exe 39
PID 2768 wrote to memory of 2824 2768 cmd.exe 39
PID 2768 wrote to memory of 2824 2768 cmd.exe 39
PID 2824 wrote to memory of 2904 2824 Clients.exe 40
PID 2824 wrote to memory of 2904 2824 Clients.exe 40
PID 2824 wrote to memory of 2904 2824 Clients.exe 40
PID 2824 wrote to memory of 2716 2824 Clients.exe 42
PID 2824 wrote to memory of 2716 2824 Clients.exe 42
PID 2824 wrote to memory of 2716 2824 Clients.exe 42
PID 2716 wrote to memory of 2632 2716 cmd.exe 44
PID 2716 wrote to memory of 2632 2716 cmd.exe 44
PID 2716 wrote to memory of 2632 2716 cmd.exe 44
PID 2716 wrote to memory of 2576 2716 cmd.exe 45
PID 2716 wrote to memory of 2576 2716 cmd.exe 45
PID 2716 wrote to memory of 2576 2716 cmd.exe 45
PID 2716 wrote to memory of 1500 2716 cmd.exe 46
PID 2716 wrote to memory of 1500 2716 cmd.exe 46
PID 2716 wrote to memory of 1500 2716 cmd.exe 46
PID 1500 wrote to memory of 2628 1500 Clients.exe 47
PID 1500 wrote to memory of 2628 1500 Clients.exe 47
PID 1500 wrote to memory of 2628 1500 Clients.exe 47
PID 1500 wrote to memory of 1804 1500 Clients.exe 49
PID 1500 wrote to memory of 1804 1500 Clients.exe 49
PID 1500 wrote to memory of 1804 1500 Clients.exe 49
PID 1804 wrote to memory of 1972 1804 cmd.exe 51
PID 1804 wrote to memory of 1972 1804 cmd.exe 51
PID 1804 wrote to memory of 1972 1804 cmd.exe 51
PID 1804 wrote to memory of 2328 1804 cmd.exe 52
PID 1804 wrote to memory of 2328 1804 cmd.exe 52
PID 1804 wrote to memory of 2328 1804 cmd.exe 52
PID 1804 wrote to memory of 1624 1804 cmd.exe 53
PID 1804 wrote to memory of 1624 1804 cmd.exe 53
PID 1804 wrote to memory of 1624 1804 cmd.exe 53
PID 1624 wrote to memory of 316 1624 Clients.exe 54
PID 1624 wrote to memory of 316 1624 Clients.exe 54
PID 1624 wrote to memory of 316 1624 Clients.exe 54
PID 1624 wrote to memory of 2564 1624 Clients.exe 56
PID 1624 wrote to memory of 2564 1624 Clients.exe 56
PID 1624 wrote to memory of 2564 1624 Clients.exe 56
PID 2564 wrote to memory of 2948 2564 cmd.exe 58
PID 2564 wrote to memory of 2948 2564 cmd.exe 58
PID 2564 wrote to memory of 2948 2564 cmd.exe 58
PID 2564 wrote to memory of 2916 2564 cmd.exe 59
PID 2564 wrote to memory of 2916 2564 cmd.exe 59
PID 2564 wrote to memory of 2916 2564 cmd.exe 59
PID 2564 wrote to memory of 2936 2564 cmd.exe 60
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\Quas_Autre_ncrypt.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Quas_Autre_ncrypt.exe"
  PID: 2192
  Signatures: Drops file in Program Files directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- [depth 2] C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  PID: 1664
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 2] C:\Program Files\SubDare\Clients.exe
  Command line: "C:\Program Files\SubDare\Clients.exe"
  PID: 2304
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  PID: 936
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 3] C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FnTUg8CKpsPt.bat" "
  PID: 2768
  Signatures: Suspicious use of WriteProcessMemory
- [depth 4] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 540
- [depth 4] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 2436
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [depth 4] C:\Program Files\SubDare\Clients.exe
  Command line: "C:\Program Files\SubDare\Clients.exe"
  PID: 2824
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- [depth 5] C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  PID: 2904
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 5] C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\vTZm7DJ4RlCL.bat" "
  PID: 2716
  Signatures: Suspicious use of WriteProcessMemory
- [depth 6] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 2632
- [depth 6] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 2576
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [depth 6] C:\Program Files\SubDare\Clients.exe
  Command line: "C:\Program Files\SubDare\Clients.exe"
  PID: 1500
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- [depth 7] C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  PID: 2628
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 7] C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\sNXrt4AVj30H.bat" "
  PID: 1804
  Signatures: Suspicious use of WriteProcessMemory
- [depth 8] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 1972
- [depth 8] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 2328
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [depth 8] C:\Program Files\SubDare\Clients.exe
  Command line: "C:\Program Files\SubDare\Clients.exe"
  PID: 1624
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- [depth 9] C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  PID: 316
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 9] C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\g4bN0t7jMFcr.bat" "
  PID: 2564
  Signatures: Suspicious use of WriteProcessMemory
- [depth 10] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 2948
- [depth 10] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 2916
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [depth 10] C:\Program Files\SubDare\Clients.exe
  Command line: "C:\Program Files\SubDare\Clients.exe"
  PID: 2936
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [depth 11] C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  PID: 2184
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 11] C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\0eSRIR2FmDcz.bat" "
  PID: 1332
- [depth 12] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 1744
- [depth 12] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 348
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [depth 12] C:\Program Files\SubDare\Clients.exe
  Command line: "C:\Program Files\SubDare\Clients.exe"
  PID: 892
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [depth 13] C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  PID: 1780
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 13] C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\NV1bD277PY8W.bat" "
  PID: 1100
- [depth 14] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 2440
- [depth 14] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 768
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [depth 14] C:\Program Files\SubDare\Clients.exe
  Command line: "C:\Program Files\SubDare\Clients.exe"
  PID: 1740
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [depth 15] C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  PID: 484
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 15] C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Di4dBEyMNhrj.bat" "
  PID: 1596
- [depth 16] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 1668
- [depth 16] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 2256
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [depth 16] C:\Program Files\SubDare\Clients.exe
  Command line: "C:\Program Files\SubDare\Clients.exe"
  PID: 1532
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [depth 17] C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  PID: 1280
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 17] C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\4YJuJzz1EHoF.bat" "
  PID: 2840
- [depth 18] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 2276
- [depth 18] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 2848
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [depth 18] C:\Program Files\SubDare\Clients.exe
  Command line: "C:\Program Files\SubDare\Clients.exe"
  PID: 2476
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [depth 19] C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  PID: 2056
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 19] C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\EIyQBINMsLyO.bat" "
  PID: 2600
- [depth 20] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 2640
- [depth 20] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 2648
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [depth 20] C:\Program Files\SubDare\Clients.exe
  Command line: "C:\Program Files\SubDare\Clients.exe"
  PID: 2860
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [depth 21] C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  PID: 1676
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 21] C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\aubfps5gmZ7b.bat" "
  PID: 548
- [depth 22] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 988
- [depth 22] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 2316
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [depth 22] C:\Program Files\SubDare\Clients.exe
  Command line: "C:\Program Files\SubDare\Clients.exe"
  PID: 1748
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [depth 23] C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  PID: 316
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 23] C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\EQtkO7nm9cWP.bat" "
  PID: 304
- [depth 24] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 2992
- [depth 24] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 2960
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [depth 24] C:\Program Files\SubDare\Clients.exe
  Command line: "C:\Program Files\SubDare\Clients.exe"
  PID: 1820
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [depth 25] C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  PID: 1708
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 25] C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\m8HAD8dtMXrg.bat" "
  PID: 2016
- [depth 26] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 2760
- [depth 26] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 1912
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [depth 26] C:\Program Files\SubDare\Clients.exe
  Command line: "C:\Program Files\SubDare\Clients.exe"
  PID: 1512
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [depth 27] C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  PID: 832
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 27] C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\xqXaEAkl8COa.bat" "
  PID: 468
- [depth 28] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 2448
- [depth 28] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 1736
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [depth 28] C:\Program Files\SubDare\Clients.exe
  Command line: "C:\Program Files\SubDare\Clients.exe"
  PID: 772
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [depth 29] C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  PID: 1320
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 29] C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\i4H6D5yixqGj.bat" "
  PID: 1984
- [depth 30] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 1608
- [depth 30] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 912
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [depth 30] C:\Program Files\SubDare\Clients.exe
  Command line: "C:\Program Files\SubDare\Clients.exe"
  PID: 1724
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [depth 31] C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  PID: 2064
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 31] C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\iUM3x5bpl13U.bat" "
  PID: 1704
- [depth 32] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 2496
- [depth 32] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 2668
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.1MB
MD5 2be44f2f5ea83cbc61fbd13b50c0f88c
SHA1 f44df0aeb39d32c7fcff0b60e1e1283f051cd8c9
SHA256 cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a
SHA512 95f321154f0fee3171d735ec19c0c44dfb1e67f979b6590ebb134b7f14f8510c69b66d1c67a161481e643c52e61965e410c52a6779c89e3e41b04bc73e8bd7e2
-
Filesize
195B
MD5 d6ee557ea1245833a8dedef41495772c
SHA1 e67f1597a5f8526f46a094ff877b69e3ac4dd621
SHA256 c3138350b0965dd0360ae50f6ee75daa58160418ed2a47057748e6a7124cd6be
SHA512 d204b3ee484de4c6bfe8cbacdefd071437791bcf04c35df460474955a0b867c7f4dc7c60f7e9b5a88c1636ed4b90bc3f36057f6c7bc0d611c73552bcfb32276b
-
Filesize
195B
MD5 5f7d1d35a6e826ec2b78aa130dadb3eb
SHA1 966cd0d4d1f229bc0167bfbc73511ed8a9db1e16
SHA256 f39a40c5dbf9342c1f5f69d5ee3554fa76c130aeec55b57d6f18209e917c288d
SHA512 5088100d4a2ff6d8cb6542d4086ef58b5d8bf3ce57af149366b401126b1d97d7a64154da502dc0212f89aea23cee33289df1b7b0592142cbac5743fa7c227da0
-
Filesize
195B
MD5 322cce08045133241f82dec7f0c6a0b3
SHA1 3822380557449df002425454a9abedbba610571e
SHA256 8be07e25b16aa7c69eea05b60351ef07b5c7aee207870d9b259d5ffc98874fbf
SHA512 942a493245af5ff81349735a8d14ec1a6a517949c7735e609f36b202e1beb0dcd104c5450189f5ae4d8e79035a2a9ce120e2b307fb7834eb186d0b29eebb50ac
-
Filesize
195B
MD5 911dbec55765215be75b589403a7d330
SHA1 198356b62b98fbb45f97f86e2538b0afc4b18a7f
SHA256 405ae10c9e300a36ba0c6dd34c835b66ba41980bab1f71fb3f725a1421b3b56d
SHA512 f1b284b3b757248878ac4ceb5c050060c5c8aca591a1c1457880b01e824f331738fca11a73d34f5ead546a0ae00778f560fcf67c7a040efc547be3351da8ca8a
-
Filesize
195B
MD5 b26e1fa9a11d069756256b3e50db64dd
SHA1 7191724202aa8cb8070881c83b106d692384844c
SHA256 565bc50a0405481511472c23d876212e553b2017ae22ffc36e99c4f260d1e85c
SHA512 6cb4194fd39953a9e5fbfeb1f03cacdfaee9227cdb721dbbdd8b6943192604d4c362d6e7c0822a49993e74f945a3f284207182a0759a911399bfba617aaa4f5e
-
Filesize
195B
MD5 7c768f83c83568da722248e02f3c1c21
SHA1 a4f862e06e0b5e0e21e27b052c82b005b6067e4b
SHA256 20fb8fa9b00a3b1b60dd1908759f6514d9c379efc174fd70cfc1ea58ff22225a
SHA512 c5e73aa67f134fc2c6204a1870df8900b81b7370a97d38769705a76736ac426c98e6b7831c98d17d4abe25d3f9e1fd0ab8dc980ecb0755219d9cc69e4b444925
-
Filesize
195B
MD5 121e88c303b30a178f9b10610ba66707
SHA1 4ffd397a22e27db4451c9d753f5f1823b5a841fc
SHA256 976fb30fe358da24f1da8a270279d4a2f4a68953659f82e1adeaaec1123af9ae
SHA512 92a44d6274e836b0b36f4b9d59582920d7d3209c2ede28c4182d28ad3747ef659d033e36be9b3df2af31f23657f9dacaf922428698c7f8db3b7fc2a919d9ed13
-
Filesize
195B
MD5 c807068511b7d1dbb2a363cc6e2454da
SHA1 08b7e3a0fa109d8ef0800908d3d4c7b90fb73af4
SHA256 5e77ef231c1db1b5495f14a28dbda5dc5f2581ad813e3f020fb9fb9eb879c6ee
SHA512 1319a946efacc2aab9a1f3e2e005889f0e6f8aa6fe1411e730ad439c57ec62e2d9a949c095348d5a1232e2b3c2a0fe7cd09b63353d0344561616fa62ebb8ea44
-
Filesize
195B
MD5 5fc9d23ef8aa7087913d97c4ed0e94dc
SHA1 6a88c76a32c74e74a7d93ae7b2de223bcd132afb
SHA256 e7123cf1c90e5e8aa5c7e2f5b67a1657836fafdb89f4648def76120624dcc962
SHA512 a5fff04769b3dda054a1e66e38f8faaa992b07b68d11075e27a30d9ca8d90fe85fa57f473576f09060466d4dbd250c5327ed5b5dec0e483f0ccd8064b1d70eac
-
Filesize
195B
MD5 149ffce0a7e5af83d581ecf26f49383f
SHA1 4a9bab87f50bff3a8d1293306b037eb7e31d752e
SHA256 230efc410b6390bfebe4d9c63f222939f3d51ba9f406ae66c84a49a0f01a575c
SHA512 6b58f58ce83f3a8f327488931b04607a284f8f71b1480f9672307881fccd8ebda6dcec0b0d5d77d3658f4c58deabdc734d548269147473c6691c4d9e6f9b42d8
-
Filesize
195B
MD5 6bdff0402036045f229796d6fff9a89f
SHA1 dd5d5d3bf771fbc2218278bc8221ac4fbb94cbc7
SHA256 27b763ef661cf3e8da7f12cf9f630360bf15ae22b4e2a36894ab11771ebe1288
SHA512 e6acfb9ff836573f5e33231d311e31f3488376cd2fc1ea1be400ba55f0689c7f2cc3f1202d740166d245654b5ddde086252218a1c40c502890dff78472363f3f
-
Filesize
195B
MD5 faaaf2d09e0921feeef5efecc71f07b3
SHA1 347184258689fe75ea0d268e185d530531dbc6a1
SHA256 ff4bb2525589e224cb1324403acbaf9e459d0cdc3eb9977533e56d1f58217036
SHA512 d0d0189a9373eedfda06b376dd800cc3d4238fbeeab41776d0a4e5d80f7d793825ca73b136c9bd7a876f40acdd32e9db92d11429874aad7531aaf69ddf753039
-
Filesize
195B
MD5 5deb352b3f2d0515ceba200af2304378
SHA1 7064f6fc4ab2250ea959a31d9f898ad2dcdb68d7
SHA256 ba033bb73bda432df6925fab4445798536eda685c5d9dbfbb93c444ec7d17103
SHA512 28575023938b17f2840cba4d6b9e97385c0332dab898a4270dcbc3773e9b5753bd81746f07e38b3537cd081a6fd35cae918be0161db850dd86e3627e4a63f101
-
Filesize
195B
MD5 35c9f8c304c91afb485f068aae63eba5
SHA1 94f1ce8a8f99ae4423277837d03560174ddb6a51
SHA256 b205ed3d11be19eddb42b2bdd3501a7c5326248b0cfbcf5459199ce065aae857
SHA512 24fa9211f7de608f7c40f81963fd31ace1f8189aafea78ffea97d199123394e183570bf46156e080a737e48766809fc3892d690f7d081717e1b219f720676315
-
Filesize
195B
MD5 c34b1cdf366b9a55a83a81a8f2845d12
SHA1 0fd98796f756f24a3e894c85e19d9bde413748a8
SHA256 edb88b7fa7a504f34e96af7cad9610b409ae8a94021d0fb592982c38bceefebc
SHA512 747b74b5536dfcf34a08d3195aaae404047f40b444b754f2e4585d5366eed97cc3a515d121c1ad73e5c1fd0b91baaa9156604c98b6838ac938720c9012b2fd69