Analysis
-
max time kernel: 146s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 17-12-2024 17:52
Behavioral task: behavioral1
Sample: 00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe
Resource: win7-20240729-en
General
-
Target: 00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe
Size: 3.1MB
MD5: a29d070abe87b2be24892421e0c763bb
SHA1: 383104c7c6956a98ae5f63c743250f737700f509
SHA256: 00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636
SHA512: 6d2a161e8193ed3e05443bd76652b958990f01d2cc2452185f58a5bff3031d268e2fe71c009fa4938ac1cbc914ba2163133079f8218f1c67b0758f594a67f969
SSDEEP: 49152:Pvht62XlaSFNWPjljiFa2RoUYIygJCKI/nwoGdYTHHB72eh2NT:PvL62XlaSFNWPjljiFXRoUYIygJCi
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet (Quasar tag): Office04
C2: interestingsigma.hopto.org:20
Mutex: 11bbf22e-826e-486b-b024-adbd86228a9e
Attributes:
- encryption_key: 7A589EDBC6A581E125BF830EF0D05FC74BB75E30
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: ctfmon
- subdirectory: SubDir
Signatures
-
Quasar family
-
Quasar payload (7 IoCs)
resource | yara_rule
behavioral1/memory/528-1-0x0000000000E30000-0x0000000001154000-memory.dmp | family_quasar
behavioral1/files/0x0007000000019608-5.dat | family_quasar
behavioral1/memory/2332-8-0x00000000013D0000-0x00000000016F4000-memory.dmp | family_quasar
behavioral1/memory/3048-33-0x0000000000240000-0x0000000000564000-memory.dmp | family_quasar
behavioral1/memory/2012-45-0x00000000002D0000-0x00000000005F4000-memory.dmp | family_quasar
behavioral1/memory/2056-57-0x0000000000DD0000-0x00000000010F4000-memory.dmp | family_quasar
behavioral1/memory/1572-78-0x00000000013A0000-0x00000000016C4000-memory.dmp | family_quasar
-
Executes dropped EXE (15 IoCs)
Process: Client.exe
PIDs: 2332, 2752, 3048, 2012, 2056, 1708, 1572, 2952, 1636, 1292, 536, 2664, 2668, 1680, 776
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
Process: PING.EXE
PIDs: 1768, 1216, 1936, 1576, 1960, 1976, 1040, 2448, 2344, 2712, 636, 1168, 3060, 2408, 2876
-
Runs ping.exe (1 TTPs, 15 IoCs)
Process: PING.EXE
PIDs: 1040, 1936, 2448, 2344, 2712, 636, 3060, 2876, 1168, 1960, 1768, 1976, 2408, 1216, 1576
-
Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process: schtasks.exe
PIDs: 656, 844, 2420, 1672, 2864, 2204, 924, 2860, 576, 2432, 2536, 2160, 756, 2868, 1032, 1684
-
Suspicious use of AdjustPrivilegeToken (16 IoCs)
Token: SeDebugPrivilege
PID 528: 00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe
Client.exe PIDs: 2332, 2752, 3048, 2012, 2056, 1708, 1572, 2952, 1636, 1292, 536, 2664, 2668, 1680, 776
-
Suspicious use of FindShellTrayWindow (15 IoCs)
Process: Client.exe
PIDs: 2332, 2752, 3048, 2012, 2056, 1708, 1572, 2952, 1636, 1292, 536, 2664, 2668, 1680, 776
-
Suspicious use of SendNotifyMessage (15 IoCs)
Process: Client.exe
PIDs: 2332, 2752, 3048, 2012, 2056, 1708, 1572, 2952, 1636, 1292, 536, 2664, 2668, 1680, 776
-
Suspicious use of SetWindowsHookEx (4 IoCs)
Process: Client.exe
PIDs: 2332, 2752, 2664, 1680
-
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 528 wrote to memory of 576 | 528 | 00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe | 30
PID 528 wrote to memory of 576 | 528 | 00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe | 30
PID 528 wrote to memory of 576 | 528 | 00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe | 30
PID 528 wrote to memory of 2332 | 528 | 00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe | 32
PID 528 wrote to memory of 2332 | 528 | 00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe | 32
PID 528 wrote to memory of 2332 | 528 | 00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe | 32
PID 2332 wrote to memory of 2864 | 2332 | Client.exe | 33
PID 2332 wrote to memory of 2864 | 2332 | Client.exe | 33
PID 2332 wrote to memory of 2864 | 2332 | Client.exe | 33
PID 2332 wrote to memory of 3064 | 2332 | Client.exe | 35
PID 2332 wrote to memory of 3064 | 2332 | Client.exe | 35
PID 2332 wrote to memory of 3064 | 2332 | Client.exe | 35
PID 3064 wrote to memory of 3000 | 3064 | cmd.exe | 37
PID 3064 wrote to memory of 3000 | 3064 | cmd.exe | 37
PID 3064 wrote to memory of 3000 | 3064 | cmd.exe | 37
PID 3064 wrote to memory of 2876 | 3064 | cmd.exe | 38
PID 3064 wrote to memory of 2876 | 3064 | cmd.exe | 38
PID 3064 wrote to memory of 2876 | 3064 | cmd.exe | 38
PID 3064 wrote to memory of 2752 | 3064 | cmd.exe | 39
PID 3064 wrote to memory of 2752 | 3064 | cmd.exe | 39
PID 3064 wrote to memory of 2752 | 3064 | cmd.exe | 39
PID 2752 wrote to memory of 656 | 2752 | Client.exe | 40
PID 2752 wrote to memory of 656 | 2752 | Client.exe | 40
PID 2752 wrote to memory of 656 | 2752 | Client.exe | 40
PID 2752 wrote to memory of 1700 | 2752 | Client.exe | 42
PID 2752 wrote to memory of 1700 | 2752 | Client.exe | 42
PID 2752 wrote to memory of 1700 | 2752 | Client.exe | 42
PID 1700 wrote to memory of 1032 | 1700 | cmd.exe | 44
PID 1700 wrote to memory of 1032 | 1700 | cmd.exe | 44
PID 1700 wrote to memory of 1032 | 1700 | cmd.exe | 44
PID 1700 wrote to memory of 1168 | 1700 | cmd.exe | 45
PID 1700 wrote to memory of 1168 | 1700 | cmd.exe | 45
PID 1700 wrote to memory of 1168 | 1700 | cmd.exe | 45
PID 1700 wrote to memory of 3048 | 1700 | cmd.exe | 46
PID 1700 wrote to memory of 3048 | 1700 | cmd.exe | 46
PID 1700 wrote to memory of 3048 | 1700 | cmd.exe | 46
PID 3048 wrote to memory of 2204 | 3048 | Client.exe | 47
PID 3048 wrote to memory of 2204 | 3048 | Client.exe | 47
PID 3048 wrote to memory of 2204 | 3048 | Client.exe | 47
PID 3048 wrote to memory of 3040 | 3048 | Client.exe | 49
PID 3048 wrote to memory of 3040 | 3048 | Client.exe | 49
PID 3048 wrote to memory of 3040 | 3048 | Client.exe | 49
PID 3040 wrote to memory of 1924 | 3040 | cmd.exe | 51
PID 3040 wrote to memory of 1924 | 3040 | cmd.exe | 51
PID 3040 wrote to memory of 1924 | 3040 | cmd.exe | 51
PID 3040 wrote to memory of 1960 | 3040 | cmd.exe | 52
PID 3040 wrote to memory of 1960 | 3040 | cmd.exe | 52
PID 3040 wrote to memory of 1960 | 3040 | cmd.exe | 52
PID 3040 wrote to memory of 2012 | 3040 | cmd.exe | 53
PID 3040 wrote to memory of 2012 | 3040 | cmd.exe | 53
PID 3040 wrote to memory of 2012 | 3040 | cmd.exe | 53
PID 2012 wrote to memory of 844 | 2012 | Client.exe | 54
PID 2012 wrote to memory of 844 | 2012 | Client.exe | 54
PID 2012 wrote to memory of 844 | 2012 | Client.exe | 54
PID 2012 wrote to memory of 2088 | 2012 | Client.exe | 56
PID 2012 wrote to memory of 2088 | 2012 | Client.exe | 56
PID 2012 wrote to memory of 2088 | 2012 | Client.exe | 56
PID 2088 wrote to memory of 2316 | 2088 | cmd.exe | 58
PID 2088 wrote to memory of 2316 | 2088 | cmd.exe | 58
PID 2088 wrote to memory of 2316 | 2088 | cmd.exe | 58
PID 2088 wrote to memory of 1040 | 2088 | cmd.exe | 59
PID 2088 wrote to memory of 1040 | 2088 | cmd.exe | 59
PID 2088 wrote to memory of 1040 | 2088 | cmd.exe | 59
PID 2088 wrote to memory of 2056 | 2088 | cmd.exe | 60
-
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
(Depth is the level in the process tree: a child process sits one level deeper than its parent. Each entry lists the image path, the PID, the command line and the signatures triggered by that process.)
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe (PID 528)
  Command line: "C:\Users\Admin\AppData\Local\Temp\00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
Depth 2: C:\Windows\system32\schtasks.exe (PID 576)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
-
Depth 2: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2332)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
-
Depth 3: C:\Windows\system32\schtasks.exe (PID 2864)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
-
Depth 3: C:\Windows\system32\cmd.exe (PID 3064)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\0bvp5rHTvYnd.bat" "
  - Suspicious use of WriteProcessMemory
-
Depth 4: C:\Windows\system32\chcp.com (PID 3000)
  Command line: chcp 65001
-
Depth 4: C:\Windows\system32\PING.EXE (PID 2876)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
-
Depth 4: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2752)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
-
Depth 5: C:\Windows\system32\schtasks.exe (PID 656)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
-
Depth 5: C:\Windows\system32\cmd.exe (PID 1700)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\rz2hZcMMcoJ5.bat" "
  - Suspicious use of WriteProcessMemory
-
Depth 6: C:\Windows\system32\chcp.com (PID 1032)
  Command line: chcp 65001
-
Depth 6: C:\Windows\system32\PING.EXE (PID 1168)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
-
Depth 6: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 3048)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
-
Depth 7: C:\Windows\system32\schtasks.exe (PID 2204)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
-
Depth 7: C:\Windows\system32\cmd.exe (PID 3040)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\DvPjAknwQNWn.bat" "
  - Suspicious use of WriteProcessMemory
-
Depth 8: C:\Windows\system32\chcp.com (PID 1924)
  Command line: chcp 65001
-
Depth 8: C:\Windows\system32\PING.EXE (PID 1960)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
-
Depth 8: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2012)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
-
Depth 9: C:\Windows\system32\schtasks.exe (PID 844)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
-
Depth 9: C:\Windows\system32\cmd.exe (PID 2088)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\3mF0N1S5SdHp.bat" "
  - Suspicious use of WriteProcessMemory
-
Depth 10: C:\Windows\system32\chcp.com (PID 2316)
  Command line: chcp 65001
-
Depth 10: C:\Windows\system32\PING.EXE (PID 1040)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
-
Depth 10: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2056)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
-
Depth 11: C:\Windows\system32\schtasks.exe (PID 756)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
-
Depth 11: C:\Windows\system32\cmd.exe (PID 692)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\UdAYyzJIBnoA.bat" "
-
Depth 12: C:\Windows\system32\chcp.com (PID 864)
  Command line: chcp 65001
-
Depth 12: C:\Windows\system32\PING.EXE (PID 1768)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
-
Depth 12: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1708)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
-
Depth 13: C:\Windows\system32\schtasks.exe (PID 2432)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
-
Depth 13: C:\Windows\system32\cmd.exe (PID 1724)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\R43e31jApJ9c.bat" "
-
Depth 14: C:\Windows\system32\chcp.com (PID 2928)
  Command line: chcp 65001
-
Depth 14: C:\Windows\system32\PING.EXE (PID 1216)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
-
Depth 14: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1572)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
-
Depth 15: C:\Windows\system32\schtasks.exe (PID 2536)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
-
Depth 15: C:\Windows\system32\cmd.exe (PID 2968)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\u6NgttnrLxKL.bat" "
-
Depth 16: C:\Windows\system32\chcp.com (PID 2840)
  Command line: chcp 65001
-
Depth 16: C:\Windows\system32\PING.EXE (PID 1976)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
-
Depth 16: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2952)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
-
Depth 17: C:\Windows\system32\schtasks.exe (PID 2868)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
-
Depth 17: C:\Windows\system32\cmd.exe (PID 2728)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\rNxl9mxEksLg.bat" "
-
Depth 18: C:\Windows\system32\chcp.com (PID 656)
  Command line: chcp 65001
-
Depth 18: C:\Windows\system32\PING.EXE (PID 3060)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
-
Depth 18: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1636)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
-
Depth 19: C:\Windows\system32\schtasks.exe (PID 1032)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
-
Depth 19: C:\Windows\system32\cmd.exe (PID 1744)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\UV9H8wym86WU.bat" "
-
Depth 20: C:\Windows\system32\chcp.com (PID 920)
  Command line: chcp 65001
-
Depth 20: C:\Windows\system32\PING.EXE (PID 1936)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
-
Depth 20: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1292)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
-
Depth 21: C:\Windows\system32\schtasks.exe (PID 2420)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
-
Depth 21: C:\Windows\system32\cmd.exe (PID 1960)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\5fPgZate0gV2.bat" "
-
Depth 22: C:\Windows\system32\chcp.com (PID 2392)
  Command line: chcp 65001
-
Depth 22: C:\Windows\system32\PING.EXE (PID 2408)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
-
Depth 22: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 536)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
-
Depth 23: C:\Windows\system32\schtasks.exe (PID 2160)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
-
Depth 23: C:\Windows\system32\cmd.exe (PID 2364)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\iXXSEnxPslCi.bat" "
-
Depth 24: C:\Windows\system32\chcp.com (PID 696)
  Command line: chcp 65001
-
Depth 24: C:\Windows\system32\PING.EXE (PID 2448)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
-
Depth 24: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2664)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
-
Depth 25: C:\Windows\system32\schtasks.exe (PID 924)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
-
Depth 25: C:\Windows\system32\cmd.exe (PID 2008)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\pobJQJYLJTXe.bat" "
-
Depth 26: C:\Windows\system32\chcp.com (PID 2432)
  Command line: chcp 65001
-
Depth 26: C:\Windows\system32\PING.EXE (PID 2344)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
-
Depth 26: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2668)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
-
Depth 27: C:\Windows\system32\schtasks.exe (PID 1684)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
-
Depth 27: C:\Windows\system32\cmd.exe (PID 376)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\zvFsAmjwmRLn.bat" "
-
Depth 28: C:\Windows\system32\chcp.com (PID 1896)
  Command line: chcp 65001
-
Depth 28: C:\Windows\system32\PING.EXE (PID 1576)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
-
Depth 28: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1680)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
-
Depth 29: C:\Windows\system32\schtasks.exe (PID 1672)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
-
Depth 29: C:\Windows\system32\cmd.exe (PID 2844)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\rb7o4D4HxSQp.bat" "
-
Depth 30: C:\Windows\system32\chcp.com (PID 2740)
  Command line: chcp 65001
-
Depth 30: C:\Windows\system32\PING.EXE (PID 2712)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
-
Depth 30: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 776)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
-
Depth 31: C:\Windows\system32\schtasks.exe (PID 2860)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
-
Depth 31: C:\Windows\system32\cmd.exe (PID 2552)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\bawN0RZq90KB.bat" "
-
Depth 32: C:\Windows\system32\chcp.com (PID 1524)
  Command line: chcp 65001
-
Depth 32: C:\Windows\system32\PING.EXE (PID 636)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 207B
MD5: 6872cb595e12709188d7bc78644c1bd1
SHA1: 9522da8670a05ea81ca6d8865bc53ed35b161b2c
SHA256: adecb209471d5bb4f809e96b7aa6a05d6b4faa7212afc92797c73a0b22c788b6
SHA512: 6a9a9b9abaaf652a3c84bf9aef6403209838023547290707a4f836a0d8981a3369283048dc1e275ccb71972245508e1fcc24ec8ee9f703ae4f96acb20e58d8f6
-
Filesize: 207B
MD5: 150194c0db6e89f13922e920f29f2fa8
SHA1: 403e9bbcff6d15582555e2ddbc4eb9b46c55b951
SHA256: c935ef4abfdcca05d09322c51052aa2c9c5b393dff01de209e265bb9751df3e0
SHA512: 568dcf92d7b9355405931c52c8bba26b21a0e2f09fa6d51eeb510284da4ab2a2be7f2cfb264e834a0e9b616e2d6bf159e8b8852cd1508ad6156ce977645ecc0d
-
Filesize: 207B
MD5: 991fc02054ec725c444b3223061ead20
SHA1: ace1176955c55c7228e6d8ff4fa48ac1feee4d7a
SHA256: a38f3d2b17a1ed7e4f31136a70da1c98ac44388be1a2bf9c79aec8929b036201
SHA512: c5cca363b1f8a7e0f4756b6304ceb0671e8f8a7a8f42d9c8fdbf11fdfe57dd8fcf25be0882311d7ab6adee1e240c8222d3a26634530d5768030a6ed5d47946bc
-
Filesize: 207B
MD5: 932a926dc9ca8be2c01838d2fbbff728
SHA1: 528339338df892fe76a57438b1f860128384a2df
SHA256: edb326ac82dc52b93e56e6e01799e32bba539c3a6eba668fdc9a40795e15bee8
SHA512: c910be90c30f8f9b9aae5aa899f7155a6f8c43a9950e73daf199f235189a71c9fe5884f447fa0e1f570f5c44b1582b084efb34d81f1767da7aa7dbd93e4fa96e
-
Filesize: 207B
MD5: de2d6a83c8b722c67144cf83e85de1e9
SHA1: 52d730b977080a33bb1a7a441f471bf8a7f2aa5f
SHA256: 88d6d99e88bb34667af6698b9998822b414ad38d742f4c3fd9eb03efe8485fb1
SHA512: d51040915651fac22691d63352b988933770b02be14550bca80aaaa0bd4a674f0ffd38c4697a804563ce7ab9de55285964d43cbf23d6ce2aa08c63d967d5c091
-
Filesize: 207B
MD5: 99edc3c94222d2fbfe0c10e733ee99c4
SHA1: c300f6cbb0191a2c34a92b408cbb02312f3d115d
SHA256: ab4d4999dac70f570eddef0138f8ba532d4e92ec5ac2f8cae44050874d621118
SHA512: 1b953fd73b66feaade8840a971ab6410ec79d695a54e2f777315000f17aa2e960fc0821eafde83bbad943e91c9a9afdbcd4b983c1324001e4a329cd27e53091f
-
Filesize: 207B
MD5: aedb80734013e7dbf5a748fb5ea70e55
SHA1: f141012d2e783221d4d4194ed71934ab367eaae9
SHA256: 576a0d4a41a245c37e71aabcfbb1ad6d068696c6e57dbca984c49997769567fa
SHA512: bfa1162dbc2af6ebdcde8059ae7a7a3a6a4fc98a35e7184053a46ea4abf44fdccb76152f04c9a2a37d5133fd5163d9fab307a31e3a89faa9834741b80a4d0598
-
Filesize: 207B
MD5: fbb51547bee5b670f993d32fecbf44d5
SHA1: a6b3ae05aa7ca37345bb8d0b18c81aa4a2a943e2
SHA256: 2bf7cd8a99b198cba8dcca4b8163fe27857bca87490d5472c023d98d6c8c12a4
SHA512: 1a62d1e91514d232dd9d88f5b29f7cc294541dd1d12618c4236d97f700fe29ba2d8a6abf47a8c7add1395114194fbad6d8d8b54a3452bc0df31b8517fcbc0800
-
Filesize: 207B
MD5: 8c2e6e96f6470b6b6352d16059072695
SHA1: 8aabe38162919056275b201450dcd15b8e2fce30
SHA256: 1221d966805d11441a7ee4ec30938a26d6dc23dbb8a7844481f4c3c217cbb157
SHA512: 39e63a157aa3313ab71a03d17966fbfe47fc2478c159a83f8ff803402d3388f3c56da8ab161bde9fc25071d99b2dc061edbb56532262ce0834f392fe603b1dc7
-
Filesize: 207B
MD5: 2e7f338fa69a674bed3eb7e5f292415f
SHA1: b495bd8188a9ef88a1594baac153e1e3c8f1bfff
SHA256: 8c9c98b2953d78bf94b86bcf5350f40092be9c0cedf15a38ae0c79fe89183f70
SHA512: 40ddd91d16cb2a02e2b98a3dc3d34c1e09b9ff5bbc5d3c87773aebee5c52139dcc76f3b273048cb31aa1024ad600e406a6cf5db1a342fbfe3b208a2407437856
-
Filesize: 207B
MD5: 8521564b96fbdc1044d03431994c257a
SHA1: 7effcd02148e88a18045979ecf2d9f71cdffc9d2
SHA256: b2e04b3244b23ed73ec9127ca7da0f412c3f027e1f2a559294d76264f245d6c7
SHA512: 5f0deb5980be629e3f03f1f909d12dc02dd1b718aecabe39ef5cb3d7389c474096f6f1bfb828ac4778aa2d4fe7a0b2344de63d0de876c77ea09f559307fd0bd2
-
Filesize: 207B
MD5: 40b0ea42d79b46376893cf730171d435
SHA1: eb43fb73efdb0070de95c7b663acee105093aa18
SHA256: ec1d5640bd52af35e37466e882b73c467d37cc501259970b59eaafc7b17e5d57
SHA512: 484308763d63f5fc51b2f6f61da78d3f32cab6aade3bec060a7a5da42ce6ef5220d49dfa4d82eb9e87b9dba3e1c1761eace6eb413243590e56390a10e99df890
-
Filesize: 207B
MD5: f31768ddccbeed135293501c39ab4505
SHA1: 233790f8581aa10ecf1fcabad136e06e1c20c20f
SHA256: 572eb81ca20b2bb35df3756d38680d576ad416039c13cdbbacaac7105ba24313
SHA512: 11515dd25eb0e8125e110fc619623be307db687f57de65c7563b116d26c8642a7f07088070cd6ebbeb6384ff34426257a5276ff238eea45b5b21232b80c83dc8
-
Filesize: 207B
MD5: 7b48e7fcf8139cc0716e44a6ecff0c0a
SHA1: 0c766e741a03cc0470d8546b494b7f883b89ec70
SHA256: 744f1c8e4b7646bac91d022655c789b54f2acf016c17a10965e1bb96454f857d
SHA512: 2dcfd68e267ea8ee2d6b8e1bda81bdb88382eb57995e8451d4c4364f4865480a71a3f96b3240d3ae565a66533035cfe5edce8c80b463377e8bde27efe0cfeed3
-
Filesize: 207B
MD5: 404ef087de474cc9f2dc99b2a87b36e0
SHA1: 296a5cfc0c7ebdf58affc7423c209e9bc9b61cfd
SHA256: 11b0c245711efa15ced6aa6b98bfaa499ec30acedd5a8b1faa36b750e2a5278e
SHA512: 6682333b21cc8082822334be6595b51550c95edf5bce793a863dc3f3a8810805fb23749144e99fc98d6da0c4dc1fbb93abe65a1df2601de4ab23829246e1bcdd
-
Filesize: 3.1MB
MD5: a29d070abe87b2be24892421e0c763bb
SHA1: 383104c7c6956a98ae5f63c743250f737700f509
SHA256: 00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636
SHA512: 6d2a161e8193ed3e05443bd76652b958990f01d2cc2452185f58a5bff3031d268e2fe71c009fa4938ac1cbc914ba2163133079f8218f1c67b0758f594a67f969