quasar | 534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe
Size

3.1MB
MD5

f67e6aafbd9c86771f11c05ae83ae83e
SHA1

c9fe04c78139d000182d89f4dd013e647db64cc0
SHA256

534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362
SHA512

f5d5b09a92a3bc7ff862cf87c5a4285e2ada1ec4cb9d5b1467e358ad3678a2dfe6acd2f1819b7f9646f1ef5e038c9ffb295ef8a6590a75cdf911913a5edaf27a
SSDEEP

49152:avht62XlaSFNWPjljiFa2RoUYI+Y6a95fQrk/1LoGdpTHHB72eh2NT:avL62XlaSFNWPjljiFXRoUYI8aB

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

interestingsigma.hopto.org:20

Mutex

11bbf22e-826e-486b-b024-adbd86228a9e

Attributes

encryption_key
7A589EDBC6A581E125BF830EF0D05FC74BB75E30
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
ctfmon
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/4156-1-0x0000000000040000-0x0000000000364000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b9d-6.dat	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 14 IoCs

pid	Process
1324	Client.exe
2668	Client.exe
4568	Client.exe
900	Client.exe
1648	Client.exe
2204	Client.exe
5016	Client.exe
2072	Client.exe
5060	Client.exe
3900	Client.exe
3860	Client.exe
1672	Client.exe
2400	Client.exe
1868	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2656	PING.EXE
1352	PING.EXE
3960	PING.EXE
624	PING.EXE
2504	PING.EXE
1160	PING.EXE
4424	PING.EXE
4420	PING.EXE
4992	PING.EXE
2996	PING.EXE
696	PING.EXE
4212	PING.EXE
3564	PING.EXE
8	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
4992	PING.EXE
3564	PING.EXE
1352	PING.EXE
624	PING.EXE
4424	PING.EXE
696	PING.EXE
4212	PING.EXE
1160	PING.EXE
2996	PING.EXE
2504	PING.EXE
3960	PING.EXE
2656	PING.EXE
4420	PING.EXE
8	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4760	schtasks.exe
4288	schtasks.exe
4852	schtasks.exe
4712	schtasks.exe
3100	schtasks.exe
2376	schtasks.exe
968	schtasks.exe
4428	schtasks.exe
2212	schtasks.exe
4712	schtasks.exe
3200	schtasks.exe
2472	schtasks.exe
1836	schtasks.exe
1068	schtasks.exe
5096	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	4156	534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe
Token: SeDebugPrivilege	1324	Client.exe
Token: SeDebugPrivilege	2668	Client.exe
Token: SeDebugPrivilege	4568	Client.exe
Token: SeDebugPrivilege	900	Client.exe
Token: SeDebugPrivilege	1648	Client.exe
Token: SeDebugPrivilege	2204	Client.exe
Token: SeDebugPrivilege	5016	Client.exe
Token: SeDebugPrivilege	2072	Client.exe
Token: SeDebugPrivilege	5060	Client.exe
Token: SeDebugPrivilege	3900	Client.exe
Token: SeDebugPrivilege	3860	Client.exe
Token: SeDebugPrivilege	1672	Client.exe
Token: SeDebugPrivilege	2400	Client.exe
Token: SeDebugPrivilege	1868	Client.exe

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
1324	Client.exe
2668	Client.exe
4568	Client.exe
900	Client.exe
1648	Client.exe
2204	Client.exe
5016	Client.exe
2072	Client.exe
5060	Client.exe
3900	Client.exe
3860	Client.exe
1672	Client.exe
2400	Client.exe
1868	Client.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
1324	Client.exe
2668	Client.exe
4568	Client.exe
900	Client.exe
1648	Client.exe
2204	Client.exe
5016	Client.exe
2072	Client.exe
5060	Client.exe
3900	Client.exe
3860	Client.exe
1672	Client.exe
2400	Client.exe
1868	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4156 wrote to memory of 968	4156	534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe	82
PID 4156 wrote to memory of 968	4156	534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe	82
PID 4156 wrote to memory of 1324	4156	534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe	84
PID 4156 wrote to memory of 1324	4156	534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe	84
PID 1324 wrote to memory of 2212	1324	Client.exe	85
PID 1324 wrote to memory of 2212	1324	Client.exe	85
PID 1324 wrote to memory of 2384	1324	Client.exe	87
PID 1324 wrote to memory of 2384	1324	Client.exe	87
PID 2384 wrote to memory of 2616	2384	cmd.exe	89
PID 2384 wrote to memory of 2616	2384	cmd.exe	89
PID 2384 wrote to memory of 3564	2384	cmd.exe	90
PID 2384 wrote to memory of 3564	2384	cmd.exe	90
PID 2384 wrote to memory of 2668	2384	cmd.exe	98
PID 2384 wrote to memory of 2668	2384	cmd.exe	98
PID 2668 wrote to memory of 4428	2668	Client.exe	99
PID 2668 wrote to memory of 4428	2668	Client.exe	99
PID 2668 wrote to memory of 3864	2668	Client.exe	101
PID 2668 wrote to memory of 3864	2668	Client.exe	101
PID 3864 wrote to memory of 2072	3864	cmd.exe	103
PID 3864 wrote to memory of 2072	3864	cmd.exe	103
PID 3864 wrote to memory of 1352	3864	cmd.exe	104
PID 3864 wrote to memory of 1352	3864	cmd.exe	104
PID 3864 wrote to memory of 4568	3864	cmd.exe	105
PID 3864 wrote to memory of 4568	3864	cmd.exe	105
PID 4568 wrote to memory of 1068	4568	Client.exe	106
PID 4568 wrote to memory of 1068	4568	Client.exe	106
PID 4568 wrote to memory of 2720	4568	Client.exe	108
PID 4568 wrote to memory of 2720	4568	Client.exe	108
PID 2720 wrote to memory of 4252	2720	cmd.exe	110
PID 2720 wrote to memory of 4252	2720	cmd.exe	110
PID 2720 wrote to memory of 696	2720	cmd.exe	111
PID 2720 wrote to memory of 696	2720	cmd.exe	111
PID 2720 wrote to memory of 900	2720	cmd.exe	114
PID 2720 wrote to memory of 900	2720	cmd.exe	114
PID 900 wrote to memory of 4712	900	Client.exe	115
PID 900 wrote to memory of 4712	900	Client.exe	115
PID 900 wrote to memory of 3940	900	Client.exe	117
PID 900 wrote to memory of 3940	900	Client.exe	117
PID 3940 wrote to memory of 2780	3940	cmd.exe	119
PID 3940 wrote to memory of 2780	3940	cmd.exe	119
PID 3940 wrote to memory of 4420	3940	cmd.exe	120
PID 3940 wrote to memory of 4420	3940	cmd.exe	120
PID 3940 wrote to memory of 1648	3940	cmd.exe	121
PID 3940 wrote to memory of 1648	3940	cmd.exe	121
PID 1648 wrote to memory of 4288	1648	Client.exe	122
PID 1648 wrote to memory of 4288	1648	Client.exe	122
PID 1648 wrote to memory of 1432	1648	Client.exe	124
PID 1648 wrote to memory of 1432	1648	Client.exe	124
PID 1432 wrote to memory of 4900	1432	cmd.exe	126
PID 1432 wrote to memory of 4900	1432	cmd.exe	126
PID 1432 wrote to memory of 4212	1432	cmd.exe	127
PID 1432 wrote to memory of 4212	1432	cmd.exe	127
PID 1432 wrote to memory of 2204	1432	cmd.exe	128
PID 1432 wrote to memory of 2204	1432	cmd.exe	128
PID 2204 wrote to memory of 4852	2204	Client.exe	129
PID 2204 wrote to memory of 4852	2204	Client.exe	129
PID 2204 wrote to memory of 2640	2204	Client.exe	131
PID 2204 wrote to memory of 2640	2204	Client.exe	131
PID 2640 wrote to memory of 1472	2640	cmd.exe	133
PID 2640 wrote to memory of 1472	2640	cmd.exe	133
PID 2640 wrote to memory of 4992	2640	cmd.exe	134
PID 2640 wrote to memory of 4992	2640	cmd.exe	134
PID 2640 wrote to memory of 5016	2640	cmd.exe	135
PID 2640 wrote to memory of 5016	2640	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe
"C:\Users\Admin\AppData\Local\Temp\534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:968
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A6yzenjtlLQp.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2616
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3564
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4428
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0lxQ8TZ5eSqK.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3864
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2072
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1352
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JiyyNlUPSr64.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4252
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:696
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M0vdcmNNdp3D.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2780
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4420
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XqeWdHCtlxRc.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4900
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4212
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z2ZAaH1XkAvQ.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1472
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4992
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5016
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4fg3roKUFQua.bat" "
        15⤵
        
        PID:1592
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4088
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:624
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2072
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cVvRkTbtd5RB.bat" "
        17⤵
        
        PID:1104
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3868
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:8
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5060
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0OndpfyOT87S.bat" "
        19⤵
        
        PID:4968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2504
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3900
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ELjQcSaJrapB.bat" "
        21⤵
        
        PID:2508
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1384
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3960
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3860
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GyhGZCFmbsgp.bat" "
        23⤵
        
        PID:2828
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2052
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1160
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1672
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\taUuolKsrDJv.bat" "
        25⤵
        
        PID:1240
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:732
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2996
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2400
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fd0v2QkPvrNR.bat" "
        27⤵
        
        PID:3416
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3008
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2656
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1868
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F2JG5OLsGwft.bat" "
        29⤵
        
        PID:4960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1508
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0OndpfyOT87S.bat

Filesize
207B

MD5
f5449a17f0a6091a970defb3249b470e

SHA1
1915140c221b3cc83f93a937a48c4767738331cc

SHA256
9f15727551e9dc18ad5ec2bbb761a16abf3b55dbb80f13347d67dc87299ad112

SHA512
939e282f2c0786dac6b0f582015ed07a392557ee3d709e0f948c7cb580da551e3c8207a0d74bd205f22489fd8b9502e70189d22f5339b548372caa980024ebb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\0lxQ8TZ5eSqK.bat

Filesize
207B

MD5
3053221c12308ca7b807ca3bc38bc96b

SHA1
d05def65f0b7556ead84f52043cf0bd8feca8abe

SHA256
8a44baec858277fec2991aa0c8bd62cacaa8c7fb531efae2633da1334cd6d74b

SHA512
510ff1c6f2e2f7f14b14a361895931ccc597cddc60768d507b429bac3a75950d506d2b2c1715732319f2ba5e006feeae43bceafbfdeea4567bc2933556e5cc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fg3roKUFQua.bat

Filesize
207B

MD5
2e580a2682526748444c1448ac998aef

SHA1
f7fc14dd72d9a8f60f54aacf493bc0f28af9c576

SHA256
73f482ea22d7bf08c9ac6c8211a44e7615b02c33b9339d5c90bc3b626c7ae72c

SHA512
390c23374a24a409ead89ca37ac76ac960da1e2a9291ff4045516f50e64c78f4ab026fee74749b90712a6206124e83d61b6bab9b5731ed9a81cc915582acc781

Download Submit
C:\Users\Admin\AppData\Local\Temp\A6yzenjtlLQp.bat

Filesize
207B

MD5
a0f9695f3fd3761580ba679e369103b1

SHA1
7aa9d0d7e685bfc4f614ef15398ea1af923ebc51

SHA256
8ce34cce05a4b19b819d8af44e6300139bba83dc4d0c96db53025d695e898c18

SHA512
98e4101cbd28868d3413bc56f787258b6f65eefb861070d01993b49f6c99daf53e2c1c810c74fbb7afe87343b0144bf32808ff4ba4e5eed5b95fec106f3b183d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ELjQcSaJrapB.bat

Filesize
207B

MD5
12144d2f1acc55a3b46bf6b019855add

SHA1
01b266a2e71c04de0712921a97f45491a03b4da2

SHA256
dd633360b1bda16ba0b0f35b30ea0c82c3b4fdd3abcda4451e211a1edcfa0b68

SHA512
7789cb0a914d0fdcc5e059879aaa567299370838ceb4528c188dbf0153ddb64115bbc6881a750b193622631d03a7f3c71cc29895a3c5eb1eb9da054558a4d7c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\F2JG5OLsGwft.bat

Filesize
207B

MD5
b174aef5eb2841eef8698eebde361a3a

SHA1
ffe1766c11cc9f87529f86252977fbbd1e6747fa

SHA256
4b4e842700fb8fabde59e60a019b03e4cd75164127c3925cd662ffc634c8dd51

SHA512
55073d9485d886825bf0b346965682ccfaa1ee268888670f8b19dc20f96b039073aba56f1454289d14747f5bd2374b2537e37dba6ce448859726a45ee158dc3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GyhGZCFmbsgp.bat

Filesize
207B

MD5
5c990bd8dd661355fe34a14ed699e87e

SHA1
3c3288b6ac4a2d66f50d10a551f0509a1f07d4be

SHA256
0dc29c4564812d1ceabc350bfe3d8c656aa0b6301b33b6b3e3d9b6c40d393d52

SHA512
3c5a42c712647d39fa168c3a5c6f77fcbd3f23dbd87e1695ef02ffa36659aa6afcbf8329e6770a9a5001136c2dd20c8e43b19b570b53eddc212f7f919bef96cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\JiyyNlUPSr64.bat

Filesize
207B

MD5
3377f6bb96693719c6f8638d00797aae

SHA1
0b00e02a43424fa3a2a3e8ddc590a8975febcdfb

SHA256
03b57c6e46c600e92460b585308b6a441d01b29e086fcfc3effbffe25af6cefd

SHA512
3fec029b3c4bc64e09a761b08ce5036d7481c783dab051762067ed4a0d70b65966cabf7387d0d0ee32180afbdfd25789dd601bf252996ad4079bbcefb4d74c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\M0vdcmNNdp3D.bat

Filesize
207B

MD5
7ead1ad8fcf7a835995e9732d3f80154

SHA1
735b6579bfe50a139bb67ddc90e05959bd5a2966

SHA256
3816079f042f2cb6f64eac750338d551e39b8b7cabdfccf497dd055aeefbe543

SHA512
bc50e98c1dcb553abdf8c804bf0e669744fa5fae8eb47c3bc1e4e5e96fbbabddbfdad3c03994f4cefb0121b2b2d2e575a945f148759ae67965e91087ef28152f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XqeWdHCtlxRc.bat

Filesize
207B

MD5
e15eeaff0dab1d7257c61c2b17eb810f

SHA1
a5ef0a35405eee6557b97b8289c35a7a48bf4943

SHA256
7d528ec94e687ca66fd8c3ac9ee63db0a38d4069347b38dee4abb50c88a4f4f3

SHA512
9c865103779c248ff0b2ace15d92e491c470e34ec95922ffd940381cd54fc115eb4fd868d1d0091b82eaeee193aa84cae8a219f6be9a407c60dbe8a14f3f8287

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z2ZAaH1XkAvQ.bat

Filesize
207B

MD5
a73635d2a5ca4bf471a0aa6ac1d074a3

SHA1
1ffc78048ae632910119158e2f2671badd3e51c7

SHA256
912f6b64d279c4e2726f80226b34d79ae9ffea63dcedd7ee222274c40d200428

SHA512
0e552dc5a118131c38be6f575b6ab07d97b90cfa521c3d26e1d391d7eade5612b4ab4e42656e00fb5369df2bff532736a45f00954e94adb1da530ae8ec9043ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\cVvRkTbtd5RB.bat

Filesize
207B

MD5
320f0eb3519f28d51f424a5cfb9882ef

SHA1
08a559d516c43ba09305038e70c7b8952197c073

SHA256
7a89e5ddeb19ec1488aff0c2ea321476614db446edbbdbdcc8c932b78edab431

SHA512
5a7507fbc777817b213dfeb72af26b73ee24b253b5561e5c03ec92fa7c97556bad8107a9d20811c761092eb304e3100bdcaa8a4b36a0b1884677cbf48c7b3d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd0v2QkPvrNR.bat

Filesize
207B

MD5
0a8532fda178cce00b87ed43b6b95856

SHA1
beaf5145c01359c76a86647b548f6ff6f981f442

SHA256
6eddaedebad72e92e88b066b54f7ad93915d542f539c687ac4132aac0453580d

SHA512
d126b4f557236d96bb0eb1d62a53bc8342893986ff291e12132a6b612804f8bd39d5012ffc96bfc976fd3f3757c08b87757a8df8719af3b91be89c71d921f2c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\taUuolKsrDJv.bat

Filesize
207B

MD5
fe73a24d1b6f91f1ab9a6460406ab3e9

SHA1
a51da628e7a5958cc67bb9add735ddf6ecccd292

SHA256
1f042d847a3fc77d97e71f43cbad78292712e894d8fc11dadba60b555f84e91c

SHA512
f51f7f2dad388c2d8c0d4d870ab07bea536e6ba3de8d3cbc6dbed6756887370829b5014210ce01813cc509017384d8750a7eedba24c99d146caa0acba707a21c

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
f67e6aafbd9c86771f11c05ae83ae83e

SHA1
c9fe04c78139d000182d89f4dd013e647db64cc0

SHA256
534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362

SHA512
f5d5b09a92a3bc7ff862cf87c5a4285e2ada1ec4cb9d5b1467e358ad3678a2dfe6acd2f1819b7f9646f1ef5e038c9ffb295ef8a6590a75cdf911913a5edaf27a

Download Submit
memory/1324-18-0x00007FF96A280000-0x00007FF96AD41000-memory.dmp

Filesize
10.8MB

Download
memory/1324-13-0x000000001DD50000-0x000000001DE02000-memory.dmp

Filesize
712KB

Download
memory/1324-12-0x000000001DC40000-0x000000001DC90000-memory.dmp

Filesize
320KB

Download
memory/1324-11-0x00007FF96A280000-0x00007FF96AD41000-memory.dmp

Filesize
10.8MB

Download
memory/1324-10-0x00007FF96A280000-0x00007FF96AD41000-memory.dmp

Filesize
10.8MB

Download
memory/4156-0-0x00007FF96A283000-0x00007FF96A285000-memory.dmp

Filesize
8KB

Download
memory/4156-9-0x00007FF96A280000-0x00007FF96AD41000-memory.dmp

Filesize
10.8MB

Download
memory/4156-2-0x00007FF96A280000-0x00007FF96AD41000-memory.dmp

Filesize
10.8MB

Download
memory/4156-1-0x0000000000040000-0x0000000000364000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads