quasar | cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quas_Autre_ncrypt.exe
Size

3.1MB
MD5

2be44f2f5ea83cbc61fbd13b50c0f88c
SHA1

f44df0aeb39d32c7fcff0b60e1e1283f051cd8c9
SHA256

cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a
SHA512

95f321154f0fee3171d735ec19c0c44dfb1e67f979b6590ebb134b7f14f8510c69b66d1c67a161481e643c52e61965e410c52a6779c89e3e41b04bc73e8bd7e2
SSDEEP

49152:KvyI22SsaNYfdPBldt698dBcjHXBnubRZELoGdaTHHB72eh2NT:Kvf22SsaNYfdPBldt6+dBcjHXBnoK

Score

10^/10

quasar autre discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

AUTRE

voltazur.ddns.net:4789

Mutex

eddf685a-87b7-4f5a-9bac-e09fd56aab1e

Attributes

encryption_key
77E1CE64C90713D69376A654F4C56C1E0262C545
install_name
Clients.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsSystemTask
subdirectory
SubDare

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/3400-1-0x0000000000EA0000-0x00000000011C4000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023c99-5.dat	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Clients.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Clients.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Clients.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Clients.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Clients.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Clients.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Clients.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Clients.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Clients.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Clients.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Clients.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Clients.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Clients.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Clients.exe

Executes dropped EXE 14 IoCs

pid	Process
3440	Clients.exe
3944	Clients.exe
1460	Clients.exe
1156	Clients.exe
5108	Clients.exe
2704	Clients.exe
2584	Clients.exe
3980	Clients.exe
3312	Clients.exe
2776	Clients.exe
3704	Clients.exe
1392	Clients.exe
4712	Clients.exe
3020	Clients.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\SubDare\Clients.exe	Quas_Autre_ncrypt.exe
File opened for modification	C:\Program Files\SubDare\Clients.exe	Quas_Autre_ncrypt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4764	PING.EXE
1080	PING.EXE
2592	PING.EXE
4212	PING.EXE
4944	PING.EXE
3028	PING.EXE
5052	PING.EXE
2560	PING.EXE
3004	PING.EXE
2504	PING.EXE
2672	PING.EXE
3264	PING.EXE
820	PING.EXE
4972	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
3264	PING.EXE
5052	PING.EXE
2592	PING.EXE
2672	PING.EXE
4212	PING.EXE
3028	PING.EXE
820	PING.EXE
2560	PING.EXE
3004	PING.EXE
1080	PING.EXE
4972	PING.EXE
4764	PING.EXE
4944	PING.EXE
2504	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3928	schtasks.exe
1424	schtasks.exe
4312	schtasks.exe
2672	schtasks.exe
1404	schtasks.exe
3440	schtasks.exe
3156	schtasks.exe
2408	schtasks.exe
4244	schtasks.exe
2996	schtasks.exe
836	schtasks.exe
4432	schtasks.exe
1964	schtasks.exe
988	schtasks.exe
4236	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3400	Quas_Autre_ncrypt.exe
Token: SeDebugPrivilege	3440	Clients.exe
Token: SeDebugPrivilege	3944	Clients.exe
Token: SeDebugPrivilege	1460	Clients.exe
Token: SeDebugPrivilege	1156	Clients.exe
Token: SeDebugPrivilege	5108	Clients.exe
Token: SeDebugPrivilege	2704	Clients.exe
Token: SeDebugPrivilege	2584	Clients.exe
Token: SeDebugPrivilege	3980	Clients.exe
Token: SeDebugPrivilege	3312	Clients.exe
Token: SeDebugPrivilege	2776	Clients.exe
Token: SeDebugPrivilege	3704	Clients.exe
Token: SeDebugPrivilege	1392	Clients.exe
Token: SeDebugPrivilege	4712	Clients.exe
Token: SeDebugPrivilege	3020	Clients.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3400 wrote to memory of 3928	3400	Quas_Autre_ncrypt.exe	82
PID 3400 wrote to memory of 3928	3400	Quas_Autre_ncrypt.exe	82
PID 3400 wrote to memory of 3440	3400	Quas_Autre_ncrypt.exe	84
PID 3400 wrote to memory of 3440	3400	Quas_Autre_ncrypt.exe	84
PID 3440 wrote to memory of 2672	3440	Clients.exe	85
PID 3440 wrote to memory of 2672	3440	Clients.exe	85
PID 3440 wrote to memory of 3452	3440	Clients.exe	87
PID 3440 wrote to memory of 3452	3440	Clients.exe	87
PID 3452 wrote to memory of 3188	3452	cmd.exe	89
PID 3452 wrote to memory of 3188	3452	cmd.exe	89
PID 3452 wrote to memory of 4944	3452	cmd.exe	90
PID 3452 wrote to memory of 4944	3452	cmd.exe	90
PID 3452 wrote to memory of 3944	3452	cmd.exe	95
PID 3452 wrote to memory of 3944	3452	cmd.exe	95
PID 3944 wrote to memory of 2408	3944	Clients.exe	96
PID 3944 wrote to memory of 2408	3944	Clients.exe	96
PID 3944 wrote to memory of 3992	3944	Clients.exe	99
PID 3944 wrote to memory of 3992	3944	Clients.exe	99
PID 3992 wrote to memory of 4500	3992	cmd.exe	101
PID 3992 wrote to memory of 4500	3992	cmd.exe	101
PID 3992 wrote to memory of 3264	3992	cmd.exe	102
PID 3992 wrote to memory of 3264	3992	cmd.exe	102
PID 3992 wrote to memory of 1460	3992	cmd.exe	105
PID 3992 wrote to memory of 1460	3992	cmd.exe	105
PID 1460 wrote to memory of 1404	1460	Clients.exe	106
PID 1460 wrote to memory of 1404	1460	Clients.exe	106
PID 1460 wrote to memory of 2824	1460	Clients.exe	108
PID 1460 wrote to memory of 2824	1460	Clients.exe	108
PID 2824 wrote to memory of 3148	2824	cmd.exe	110
PID 2824 wrote to memory of 3148	2824	cmd.exe	110
PID 2824 wrote to memory of 3028	2824	cmd.exe	111
PID 2824 wrote to memory of 3028	2824	cmd.exe	111
PID 2824 wrote to memory of 1156	2824	cmd.exe	114
PID 2824 wrote to memory of 1156	2824	cmd.exe	114
PID 1156 wrote to memory of 4432	1156	Clients.exe	115
PID 1156 wrote to memory of 4432	1156	Clients.exe	115
PID 1156 wrote to memory of 4716	1156	Clients.exe	117
PID 1156 wrote to memory of 4716	1156	Clients.exe	117
PID 4716 wrote to memory of 632	4716	cmd.exe	119
PID 4716 wrote to memory of 632	4716	cmd.exe	119
PID 4716 wrote to memory of 5052	4716	cmd.exe	120
PID 4716 wrote to memory of 5052	4716	cmd.exe	120
PID 4716 wrote to memory of 5108	4716	cmd.exe	121
PID 4716 wrote to memory of 5108	4716	cmd.exe	121
PID 5108 wrote to memory of 1964	5108	Clients.exe	122
PID 5108 wrote to memory of 1964	5108	Clients.exe	122
PID 5108 wrote to memory of 4316	5108	Clients.exe	124
PID 5108 wrote to memory of 4316	5108	Clients.exe	124
PID 4316 wrote to memory of 660	4316	cmd.exe	126
PID 4316 wrote to memory of 660	4316	cmd.exe	126
PID 4316 wrote to memory of 2504	4316	cmd.exe	127
PID 4316 wrote to memory of 2504	4316	cmd.exe	127
PID 4316 wrote to memory of 2704	4316	cmd.exe	128
PID 4316 wrote to memory of 2704	4316	cmd.exe	128
PID 2704 wrote to memory of 4244	2704	Clients.exe	129
PID 2704 wrote to memory of 4244	2704	Clients.exe	129
PID 2704 wrote to memory of 3572	2704	Clients.exe	131
PID 2704 wrote to memory of 3572	2704	Clients.exe	131
PID 3572 wrote to memory of 1740	3572	cmd.exe	133
PID 3572 wrote to memory of 1740	3572	cmd.exe	133
PID 3572 wrote to memory of 820	3572	cmd.exe	134
PID 3572 wrote to memory of 820	3572	cmd.exe	134
PID 3572 wrote to memory of 2584	3572	cmd.exe	135
PID 3572 wrote to memory of 2584	3572	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Quas_Autre_ncrypt.exe
"C:\Users\Admin\AppData\Local\Temp\Quas_Autre_ncrypt.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3400
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3928
- C:\Program Files\SubDare\Clients.exe
  "C:\Program Files\SubDare\Clients.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3bSwhMh8p9UR.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3452
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3188
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4944
  - - C:\Program Files\SubDare\Clients.exe
      "C:\Program Files\SubDare\Clients.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3944
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2408
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HuRVcjASbZUL.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3992
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4500
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3264
      - C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oH2Q4HtuAtIZ.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3028
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Cd9qtOauHEga.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5052
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yVtrS95rnJqw.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:660
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2504
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5PYyQOgOxbI8.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:820
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\K7OCbAweneMx.bat" "
        15⤵
        
        PID:2936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4816
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4764
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3980
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7HEqfHoNwxrH.bat" "
        17⤵
        
        PID:1432
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1080
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3312
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jy3jTVlKoySh.bat" "
        19⤵
        
        PID:3560
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4644
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4972
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DchytLbOn1Dq.bat" "
        21⤵
        
        PID:3528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1156
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2560
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3704
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\85u1Wtlc2bz2.bat" "
        23⤵
        
        PID:3224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4320
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2592
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FFOwMxkmDahn.bat" "
        25⤵
        
        PID:3100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2672
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4712
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W9lGorLwh45T.bat" "
        27⤵
        
        PID:1408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4816
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4212
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zE2h8eOOmJjM.bat" "
        29⤵
        
        PID:4500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:3456
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\SubDare\Clients.exe

Filesize
3.1MB

MD5
2be44f2f5ea83cbc61fbd13b50c0f88c

SHA1
f44df0aeb39d32c7fcff0b60e1e1283f051cd8c9

SHA256
cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a

SHA512
95f321154f0fee3171d735ec19c0c44dfb1e67f979b6590ebb134b7f14f8510c69b66d1c67a161481e643c52e61965e410c52a6779c89e3e41b04bc73e8bd7e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Clients.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3bSwhMh8p9UR.bat

Filesize
195B

MD5
23e187a40647f4aec0693f13f00c1769

SHA1
a92bb4831a4d47bef3d2058f0f3b5b890f908961

SHA256
b4c736fea707a6088168d68e576203507845c4e2f501c5d6fa3e9fd112824c30

SHA512
f4c9c6ccf65542bc02dc3a5433c1e06d4334766b00ff471ec73727e7d6f6447244b4cf06261960c2213e32217cc52fa9b7d2deefba79e38cbf5d8ec51e37e042

Download Submit
C:\Users\Admin\AppData\Local\Temp\5PYyQOgOxbI8.bat

Filesize
195B

MD5
e645b6e1bc059796635b675b98a0959c

SHA1
ab32b3225cfe0cc396e5a515d82db4b6aaf004c9

SHA256
2eee448bf453e398755d3b96238979ced0da2e305b2651e0f5d0de475a00efcd

SHA512
3bf9c21a751a92a60d1c44bd9d92a8790daafe21d31b622f1b121de87060d85f7438bfc7a8d4cb77498e0c16a042478703e39aab9660b6c2d1d805b63fa391a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7HEqfHoNwxrH.bat

Filesize
195B

MD5
e58ade3e3223bb87a40d77976a120e83

SHA1
d6a88dee477175fcc97f6e3d2672ae971215e234

SHA256
9b48cbb26cd74bad5911848500e3e002006b203fbe6e5141b5261ae640c78907

SHA512
75232afc07c253b8ce6dbb4a2ebb073902786397754297a7f6bc214ae5b63b944dcb7fe3c54e7470ecacb59ca122b3a9bc3cc557a0d649b9083db99f06b67646

Download Submit
C:\Users\Admin\AppData\Local\Temp\85u1Wtlc2bz2.bat

Filesize
195B

MD5
8fab66ee34002ec37dd774298d0148e8

SHA1
a4c5c72b0b1ef34d00cc2f588c40c5ddd444fca6

SHA256
51cb086351ad1b2018fff68c6ea405aefe081c1c47d8518ac172e70952d8df0c

SHA512
2f72ab1295a6fd9f1608a6da8b527a7a66bafac91f14c27bd837c41165c20532592b27840960e6e844cae70e963a7309cf2d1fbbae6317b917f3fbced47540ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cd9qtOauHEga.bat

Filesize
195B

MD5
9600a9e58d66a1f9cf87ea5d5180a663

SHA1
9c6342c8fedc993dad421ae583fe045831992e97

SHA256
8fa3a1c431cc313352dba03f7f5a22417ac6a0035e10dc643a301dcfa6c2f670

SHA512
07073e24942dcec09921c5f1e2d3d480f5731fe205c617d3cfe603a0a8677764f6ce4c62207c4db889caf8d57c403f13968f762a179590413c03028920d1d13d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DchytLbOn1Dq.bat

Filesize
195B

MD5
e5b2e3b8217576d27ed90dbe53915267

SHA1
1fb52114f8cffc064b7a6e6a646dbadd11404542

SHA256
fc4e03d96da8ab463f2a8c1c086af3e20fe1082d86221af08d69b435d2523748

SHA512
2103fc4c6ac29cd3f5a1e50ef3e978aee1399a9c3fbf5ba672e2f669359167f8877505adc4d1a3892b7a964bb48e02daf494f5dc1723cbd1cf3bb7119ecd48f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\FFOwMxkmDahn.bat

Filesize
195B

MD5
9a30ecc4b81fbf8f9c5de6842a946d4a

SHA1
79deabb42e5dedd94bbf7d1ca9b2ffbd3b2624aa

SHA256
493b2a4bd188824fcc8aee8b51846b06075b0b5c2b09ca65817f04ca94836a66

SHA512
de884ffb9fee112f7ce7ac77861ba9f7acc18b3a07e74f0b720ec91d720d0fdb97c42be4c19f0d66528d667bea48730be4b48822b691f491c5f243279c39f7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\HuRVcjASbZUL.bat

Filesize
195B

MD5
536ffe2dce94f183ca7a5c4894c6863d

SHA1
a84e2757c4e0b2859c07e1996b73a4f36b74fdcd

SHA256
a02202d8e2db567bdfeef991804faf0777974ba3d66420ce9621adb137320a0e

SHA512
dc7876cbc95881ce761aafbcfb1768be8c3b24643b489ac6a6708b590c1740549f75268a5bb5d234e5e5786d151c9dac06260b082bbc597a5f89fa0271114db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\K7OCbAweneMx.bat

Filesize
195B

MD5
fc689d91d6c61e23ddf92acc59e85905

SHA1
8d850fd56ebcfb0b7a3a8974289ea374cc052c1c

SHA256
9cf27ea7ea470b682d8c74ac2d425404c02635d871459c12018cd27d95ad560f

SHA512
04a878d092fad2c794e142314ffe513e683035c9b89f558cae5650f9d4c9bd08825aa1d4645ef2d9431738351694d82c571707d0f1b50bfa5fc487b6bcd05d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\W9lGorLwh45T.bat

Filesize
195B

MD5
bef76fe8143516c0e07779fd7913b048

SHA1
8d5cd07d5bad83b40b15d8f3e5961b5e33cb47ec

SHA256
95990bd95102c776689c7d8975c5bf5046b0fb77cc0746b3d6e2d5f965127c96

SHA512
455b6f0a64e21b3a5d4c7891577f8b7ea19cf08b40379c3778f32e5531487602bb487f8f35813bb1e953a857f8a04b5191d344ab0525484830f49aae565937c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jy3jTVlKoySh.bat

Filesize
195B

MD5
c488191c29aaac9c3df0fa48eb4b4716

SHA1
c35805b8a136f01b71ef91e79a45b8e6d02e3a8d

SHA256
56e348fe5a60c96e9b03c07914499bb7ed89345091a038eaddba246e8100b9ba

SHA512
cd9e2895514d248f33aaa96c91f0acd3e687e29400fc8c273bc064d36b295e8b148eab74553df5bbf19e4aa55a871fc58d61191de48d17fb74ed66398bec3c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oH2Q4HtuAtIZ.bat

Filesize
195B

MD5
4cc163e63086b8f1ade7aa33d371e86f

SHA1
1883b71632a5ad77632e05fc255a8588884c5b71

SHA256
3d94f58590bd8b73bbf1dcc1426d5137f30f91b042493cac5ac98314bece042d

SHA512
008a6250414929e875e6b35652d8db369b722d39cc78736379b3aaa5085f76c1331fb75847c5c3e05b88b12c0973ffff69677ba31690a0d10031b9d9940aaf9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yVtrS95rnJqw.bat

Filesize
195B

MD5
bf403cebac7a5f61d5dc8ddcfe98d0db

SHA1
3a5fa661657fa7c8e139fa63b036fff457398a27

SHA256
8e56f1058f7109939398ac95f7ef0fec8f6b43cb4a32b5dba56221c89e230b47

SHA512
4f4d59ed3272d0a83efdda316895f062e3299d0023ea3d92b52bb9f0d8c3cb4e08afb7d46ad28563588ddfd964d6e885ee8a87118046d859522466fb0681c1c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zE2h8eOOmJjM.bat

Filesize
195B

MD5
57f15afadeb33292678b7b6a09f2899a

SHA1
21ad6a4d9047f20600d195cf824204332485e011

SHA256
9e91a00bf723e3b37c3c713d18535163df0e041157f255fb8c2b00b49aaed6b7

SHA512
8ceffa77614bcb5e4760004e727ea0cf97925c79a36a672e59d2302b169353f29fa63ccfd9b56ca9f6c7d4ece27c78cd244166b628d5472b67aefccf3210343a

Download Submit
memory/3400-8-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

Filesize
10.8MB

Download
memory/3400-0-0x00007FFE84C83000-0x00007FFE84C85000-memory.dmp

Filesize
8KB

Download
memory/3400-2-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

Filesize
10.8MB

Download
memory/3400-1-0x0000000000EA0000-0x00000000011C4000-memory.dmp

Filesize
3.1MB

Download
memory/3440-11-0x000000001D3F0000-0x000000001D440000-memory.dmp

Filesize
320KB

Download
memory/3440-10-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

Filesize
10.8MB

Download
memory/3440-17-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

Filesize
10.8MB

Download
memory/3440-9-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

Filesize
10.8MB

Download
memory/3440-12-0x000000001D500000-0x000000001D5B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads