Analysis
max time kernel: 142s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17-12-2024 16:55

Behavioral task: behavioral1
Sample: 534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe
Resource: win7-20240903-en

General
Target: 534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe
Size: 3.1MB
MD5: f67e6aafbd9c86771f11c05ae83ae83e
SHA1: c9fe04c78139d000182d89f4dd013e647db64cc0
SHA256: 534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362
SHA512: f5d5b09a92a3bc7ff862cf87c5a4285e2ada1ec4cb9d5b1467e358ad3678a2dfe6acd2f1819b7f9646f1ef5e038c9ffb295ef8a6590a75cdf911913a5edaf27a
SSDEEP: 49152:avht62XlaSFNWPjljiFa2RoUYI+Y6a95fQrk/1LoGdpTHHB72eh2NT:avL62XlaSFNWPjljiFXRoUYI8aB
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: interestingsigma.hopto.org:20
Mutex: 11bbf22e-826e-486b-b024-adbd86228a9e
encryption_key: 7A589EDBC6A581E125BF830EF0D05FC74BB75E30
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: ctfmon
subdirectory: SubDir
Signatures

Quasar family

Quasar payload (11 IoCs)
resource  yara_rule
behavioral1/memory/2084-1-0x0000000001140000-0x0000000001464000-memory.dmp  family_quasar
behavioral1/files/0x00070000000186d2-6.dat  family_quasar
behavioral1/memory/2704-10-0x00000000010C0000-0x00000000013E4000-memory.dmp  family_quasar
behavioral1/memory/2064-34-0x00000000012F0000-0x0000000001614000-memory.dmp  family_quasar
behavioral1/memory/3016-78-0x00000000001C0000-0x00000000004E4000-memory.dmp  family_quasar
behavioral1/memory/2604-89-0x0000000001290000-0x00000000015B4000-memory.dmp  family_quasar
behavioral1/memory/2232-120-0x0000000000180000-0x00000000004A4000-memory.dmp  family_quasar
behavioral1/memory/1208-132-0x0000000000960000-0x0000000000C84000-memory.dmp  family_quasar
behavioral1/memory/1572-144-0x0000000001180000-0x00000000014A4000-memory.dmp  family_quasar
behavioral1/memory/2692-155-0x00000000013E0000-0x0000000001704000-memory.dmp  family_quasar
behavioral1/memory/2580-167-0x0000000000080000-0x00000000003A4000-memory.dmp  family_quasar

Executes dropped EXE (15 IoCs)
Process Client.exe, PIDs: 2704, 2464, 2064, 2376, 696, 1704, 3016, 2604, 2296, 1972, 2232, 1208, 1572, 2692, 2580

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
Process PING.EXE, PIDs: 3068, 996, 2324, 2620, 764, 2192, 1400, 664, 1504, 2676, 928, 1624, 2360, 2616, 1844

Runs ping.exe (1 TTPs, 15 IoCs)
Process PING.EXE, PIDs: 2360, 2616, 1844, 1400, 2620, 664, 928, 1624, 2324, 1504, 2192, 2676, 764, 3068, 996

Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process schtasks.exe, PIDs: 960, 2148, 2112, 1888, 1348, 1876, 3032, 2972, 2728, 2144, 2056, 2524, 1536, 1496, 408, 2784

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Token: SeDebugPrivilege
PID 2084 (534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe)
Process Client.exe, PIDs: 2704, 2464, 2064, 2376, 696, 1704, 3016, 2604, 2296, 1972, 2232, 1208, 1572, 2692, 2580

Suspicious use of FindShellTrayWindow (15 IoCs)
Process Client.exe, PIDs: 2704, 2464, 2064, 2376, 696, 1704, 3016, 2604, 2296, 1972, 2232, 1208, 1572, 2692, 2580

Suspicious use of SendNotifyMessage (15 IoCs)
Process Client.exe, PIDs: 2704, 2464, 2064, 2376, 696, 1704, 3016, 2604, 2296, 1972, 2232, 1208, 1572, 2692, 2580

Suspicious use of WriteProcessMemory (64 IoCs)
Each row is one source process writing into one target process (source PID and image, target PID, procid_target). The sandbox recorded three identical events for every pair except the last, where the listing stops at the 64-IoC cap.
PID 2084 (534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe) wrote to memory of PID 2784, procid_target 31 (3 events)
PID 2084 (534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe) wrote to memory of PID 2704, procid_target 33 (3 events)
PID 2704 (Client.exe) wrote to memory of PID 2144, procid_target 34 (3 events)
PID 2704 (Client.exe) wrote to memory of PID 2548, procid_target 36 (3 events)
PID 2548 (cmd.exe) wrote to memory of PID 2612, procid_target 38 (3 events)
PID 2548 (cmd.exe) wrote to memory of PID 2620, procid_target 39 (3 events)
PID 2548 (cmd.exe) wrote to memory of PID 2464, procid_target 40 (3 events)
PID 2464 (Client.exe) wrote to memory of PID 2056, procid_target 41 (3 events)
PID 2464 (Client.exe) wrote to memory of PID 2976, procid_target 43 (3 events)
PID 2976 (cmd.exe) wrote to memory of PID 2440, procid_target 45 (3 events)
PID 2976 (cmd.exe) wrote to memory of PID 664, procid_target 46 (3 events)
PID 2976 (cmd.exe) wrote to memory of PID 2064, procid_target 47 (3 events)
PID 2064 (Client.exe) wrote to memory of PID 1876, procid_target 48 (3 events)
PID 2064 (Client.exe) wrote to memory of PID 1776, procid_target 50 (3 events)
PID 1776 (cmd.exe) wrote to memory of PID 1972, procid_target 52 (3 events)
PID 1776 (cmd.exe) wrote to memory of PID 764, procid_target 53 (3 events)
PID 1776 (cmd.exe) wrote to memory of PID 2376, procid_target 54 (3 events)
PID 2376 (Client.exe) wrote to memory of PID 2148, procid_target 55 (3 events)
PID 2376 (Client.exe) wrote to memory of PID 2472, procid_target 57 (3 events)
PID 2472 (cmd.exe) wrote to memory of PID 3040, procid_target 59 (3 events)
PID 2472 (cmd.exe) wrote to memory of PID 3068, procid_target 60 (3 events)
PID 2472 (cmd.exe) wrote to memory of PID 696, procid_target 61 (1 event)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Process tree. The bracketed number is the nesting depth reported by the sandbox and the indentation follows it; each entry gives the PID and image, and the line below it lists the signatures that process triggered. The image paths and command lines repeat unchanged at every level (only the .bat file name differs, and it is given per entry):
  534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe  C:\Users\Admin\AppData\Local\Temp\534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe  ->  "C:\Users\Admin\AppData\Local\Temp\534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe"
  Client.exe    C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  ->  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  schtasks.exe  C:\Windows\system32\schtasks.exe  ->  "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  cmd.exe       C:\Windows\system32\cmd.exe  ->  cmd /c ""C:\Users\Admin\AppData\Local\Temp\<name>.bat" "
  chcp.com      C:\Windows\system32\chcp.com  ->  chcp 65001
  PING.EXE      C:\Windows\system32\PING.EXE  ->  ping -n 10 localhost

[1] PID 2084  534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe
    Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
 [2] PID 2784  schtasks.exe
     Scheduled Task/Job: Scheduled Task
 [2] PID 2704  Client.exe
     Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  [3] PID 2144  schtasks.exe
      Scheduled Task/Job: Scheduled Task
  [3] PID 2548  cmd.exe /c QaHH9GBEFH0U.bat
      Suspicious use of WriteProcessMemory
   [4] PID 2612  chcp.com
   [4] PID 2620  PING.EXE
       System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
   [4] PID 2464  Client.exe
       Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    [5] PID 2056  schtasks.exe
        Scheduled Task/Job: Scheduled Task
    [5] PID 2976  cmd.exe /c HlJyGCS5qzY6.bat
        Suspicious use of WriteProcessMemory
     [6] PID 2440  chcp.com
     [6] PID 664  PING.EXE
         System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
     [6] PID 2064  Client.exe
         Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      [7] PID 1876  schtasks.exe
          Scheduled Task/Job: Scheduled Task
      [7] PID 1776  cmd.exe /c XynNegKorrYd.bat
          Suspicious use of WriteProcessMemory
       [8] PID 1972  chcp.com
       [8] PID 764  PING.EXE
           System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
       [8] PID 2376  Client.exe
           Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
        [9] PID 2148  schtasks.exe
            Scheduled Task/Job: Scheduled Task
        [9] PID 2472  cmd.exe /c bzumsdhVlw0T.bat
            Suspicious use of WriteProcessMemory
         [10] PID 3040  chcp.com
         [10] PID 3068  PING.EXE
             System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
         [10] PID 696  Client.exe
             Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
          [11] PID 960  schtasks.exe
              Scheduled Task/Job: Scheduled Task
          [11] PID 2248  cmd.exe /c gJnHk64nJSaq.bat
           [12] PID 1880  chcp.com
           [12] PID 928  PING.EXE
               System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
           [12] PID 1704  Client.exe
               Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
            [13] PID 2524  schtasks.exe
                Scheduled Task/Job: Scheduled Task
            [13] PID 956  cmd.exe /c kyPe0Gjudkb5.bat
             [14] PID 2208  chcp.com
             [14] PID 1624  PING.EXE
                 System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
             [14] PID 3016  Client.exe
                 Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
              [15] PID 1536  schtasks.exe
                  Scheduled Task/Job: Scheduled Task
              [15] PID 2656  cmd.exe /c BtRcYyHJQ90n.bat
               [16] PID 2636  chcp.com
               [16] PID 996  PING.EXE
                   System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
               [16] PID 2604  Client.exe
                   Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
                [17] PID 3032  schtasks.exe
                    Scheduled Task/Job: Scheduled Task
                [17] PID 2988  cmd.exe /c q3lYWEM72GRI.bat
                 [18] PID 2544  chcp.com
                 [18] PID 2360  PING.EXE
                     System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
                 [18] PID 2296  Client.exe
                     Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
                  [19] PID 1496  schtasks.exe
                      Scheduled Task/Job: Scheduled Task
                  [19] PID 568  cmd.exe /c BVDZBdoKVj4D.bat
                   [20] PID 1604  chcp.com
                   [20] PID 2616  PING.EXE
                       System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
                   [20] PID 1972  Client.exe
                       Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
                    [21] PID 1348  schtasks.exe
                        Scheduled Task/Job: Scheduled Task
                    [21] PID 2768  cmd.exe /c eIm9UXCWlQWq.bat
                     [22] PID 2932  chcp.com
                     [22] PID 2324  PING.EXE
                         System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
                     [22] PID 2232  Client.exe
                         Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
                      [23] PID 408  schtasks.exe
                          Scheduled Task/Job: Scheduled Task
                      [23] PID 2416  cmd.exe /c SjWPSMHLMZt1.bat
                       [24] PID 1132  chcp.com
                       [24] PID 1504  PING.EXE
                           System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
                       [24] PID 1208  Client.exe
                           Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
                        [25] PID 2112  schtasks.exe
                            Scheduled Task/Job: Scheduled Task
                        [25] PID 1584  cmd.exe /c kgkH9jtXQ3js.bat
                         [26] PID 2476  chcp.com
                         [26] PID 1844  PING.EXE
                             System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
                         [26] PID 1572  Client.exe
                             Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
                          [27] PID 2972  schtasks.exe
                              Scheduled Task/Job: Scheduled Task
                          [27] PID 1264  cmd.exe /c ENPSn6HSRjUJ.bat
                           [28] PID 2748  chcp.com
                           [28] PID 2192  PING.EXE
                               System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
                           [28] PID 2692  Client.exe
                               Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
                            [29] PID 2728  schtasks.exe
                                Scheduled Task/Job: Scheduled Task
                            [29] PID 2144  cmd.exe /c qroNpKEEuS9X.bat
                             [30] PID 2556  chcp.com
                             [30] PID 2676  PING.EXE
                                 System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
                             [30] PID 2580  Client.exe
                                 Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
                              [31] PID 1888  schtasks.exe
                                  Scheduled Task/Job: Scheduled Task
                              [31] PID 2848  cmd.exe /c fuktNGsRoJRz.bat
                               [32] PID 2976  chcp.com
                               [32] PID 1400  PING.EXE
                                   System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads