Analysis

max time kernel:   148s
max time network:  145s
platform:          windows10-2004_x64
resource:          win10v2004-20241007-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted:         17-12-2024 17:52

Behavioral task: behavioral1
Sample:    00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe
Resource:  win7-20240729-en
General

Target:  00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe
Size:    3.1MB
MD5:     a29d070abe87b2be24892421e0c763bb
SHA1:    383104c7c6956a98ae5f63c743250f737700f509
SHA256:  00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636
SHA512:  6d2a161e8193ed3e05443bd76652b958990f01d2cc2452185f58a5bff3031d268e2fe71c009fa4938ac1cbc914ba2163133079f8218f1c67b0758f594a67f969
SSDEEP:  49152:Pvht62XlaSFNWPjljiFa2RoUYIygJCKI/nwoGdYTHHB72eh2NT:PvL62XlaSFNWPjljiFXRoUYIygJCi
Malware Config

Extracted
Family:        quasar
Version:       1.4.1
Botnet (tag):  Office04
C2:            interestingsigma.hopto.org:20
Mutex:         11bbf22e-826e-486b-b024-adbd86228a9e
Attributes:
  encryption_key:   7A589EDBC6A581E125BF830EF0D05FC74BB75E30
  install_name:     Client.exe
  log_directory:    Logs
  reconnect_delay:  3000
  startup_key:      ctfmon
  subdirectory:     SubDir

The subdirectory, install_name and startup_key values are the ones that show up on disk and in the task scheduler below: the client is copied to %APPDATA%\SubDir\Client.exe and registered as a logon task named "ctfmon".
Signatures

Quasar family

Quasar payload (2 IoCs)
  YARA rule family_quasar matched:
  - behavioral2/memory/372-1-0x0000000000A10000-0x0000000000D34000-memory.dmp
  - behavioral2/files/0x0007000000023cd5-7.dat

Checks computer location settings (2 TTPs, 15 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation
  Process: Client.exe (15 identical entries, one per Client.exe instance)

Executes dropped EXE (15 IoCs)
  Client.exe PIDs: 1480, 2344, 2248, 1492, 1264, 4260, 2652, 5052, 1540, 4016, 1756, 628, 2328, 224, 468

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 15 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  PING.EXE PIDs: 4788, 2540, 1248, 456, 4900, 3048, 1420, 1556, 4736, 908, 4940, 4308, 4948, 5076, 1104

Runs ping.exe (1 TTP, 15 IoCs)
  PING.EXE PIDs: 3048, 456, 4308, 4900, 1420, 4788, 1556, 4940, 5076, 1104, 908, 1248, 4948, 4736, 2540 (the same 15 processes as above)

Scheduled Task/Job: Scheduled Task (1 TTP, 16 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  schtasks.exe PIDs: 3896, 4540, 2452, 4252, 3988, 4504, 4232, 3528, 4692, 2160, 4148, 2552, 2156, 3884, 760, 1108

Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Token: SeDebugPrivilege
  - 372  00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe
  - Client.exe PIDs 1480, 2344, 2248, 1492, 1264, 4260, 2652, 5052, 1540, 4016, 1756, 628, 2328, 224, 468

Suspicious use of FindShellTrayWindow (15 IoCs)
  Client.exe PIDs: 1480, 2344, 2248, 1492, 1264, 4260, 2652, 5052, 1540, 4016, 1756, 628, 2328, 224, 468

Suspicious use of SendNotifyMessage (15 IoCs)
  Client.exe PIDs: 1480, 2344, 2248, 1492, 1264, 4260, 2652, 5052, 1540, 4016, 1756, 628, 2328, 224, 468

Suspicious use of WriteProcessMemory (64 IoCs)
  Format: writer PID -> target PID (writer process, procid_target). Every pair is recorded twice in the report; each is listed once here, which gives 32 pairs = 64 IoCs.
  372 -> 4148   (00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe, 85)
  372 -> 1480   (00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe, 87)
  1480 -> 3988  (Client.exe, 88)
  1480 -> 4344  (Client.exe, 90)
  4344 -> 1872  (cmd.exe, 92)
  4344 -> 3048  (cmd.exe, 93)
  4344 -> 2344  (cmd.exe, 102)
  2344 -> 760   (Client.exe, 103)
  2344 -> 4804  (Client.exe, 105)
  4804 -> 4612  (cmd.exe, 108)
  4804 -> 908   (cmd.exe, 109)
  4804 -> 2248  (cmd.exe, 113)
  2248 -> 1108  (Client.exe, 114)
  2248 -> 516   (Client.exe, 117)
  516 -> 3452   (cmd.exe, 119)
  516 -> 1248   (cmd.exe, 120)
  516 -> 1492   (cmd.exe, 125)
  1492 -> 2552  (Client.exe, 126)
  1492 -> 3164  (Client.exe, 128)
  3164 -> 2108  (cmd.exe, 131)
  3164 -> 4948  (cmd.exe, 132)
  3164 -> 1264  (cmd.exe, 134)
  1264 -> 3896  (Client.exe, 135)
  1264 -> 2180  (Client.exe, 138)
  2180 -> 4016  (cmd.exe, 140)
  2180 -> 456   (cmd.exe, 141)
  2180 -> 4260  (cmd.exe, 143)
  4260 -> 2156  (Client.exe, 144)
  4260 -> 4340  (Client.exe, 146)
  4340 -> 1052  (cmd.exe, 149)
  4340 -> 4940  (cmd.exe, 150)
  4340 -> 2652  (cmd.exe, 152)

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

The tree is one long chain. Each Client.exe re-registers the "ctfmon" logon task and then launches a cmd.exe batch file from %LOCALAPPDATA%\Temp that runs chcp 65001, sleeps with ping -n 10 localhost, and starts a fresh Client.exe, which repeats the cycle. The paths match the extracted config (subdirectory SubDir, install_name Client.exe, startup_key ctfmon). Every process in the chain runs one of these command lines:

  sample (depth 1):  "C:\Users\Admin\AppData\Local\Temp\00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636.exe"
  schtasks.exe:      "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Client.exe:        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  cmd.exe:           C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\<batch file>" "
  chcp.com:          chcp 65001
  PING.EXE:          ping -n 10 localhost

Signatures triggered, by process type:
  sample 372:    Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  schtasks.exe:  Scheduled Task/Job: Scheduled Task
  Client.exe:    Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; additionally Suspicious use of WriteProcessMemory on PIDs 1480, 2344, 2248, 1492, 1264, 4260
  cmd.exe:       Suspicious use of WriteProcessMemory on PIDs 4344, 4804, 516, 3164, 2180, 4340; none on later instances
  chcp.com:      none
  PING.EXE:      System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

The WriteProcessMemory signature is capped at 64 IoCs and its list ends at 4340 -> 2652, which is exactly where that tag stops appearing in the tree; the later Client.exe and cmd.exe instances behave the same way.

Chain, one row per hop. Depth d is the parent Client.exe; its schtasks.exe and cmd.exe children are at depth d+1; chcp.com, PING.EXE and the relaunched Client.exe are at depth d+2. Batch files live under C:\Users\Admin\AppData\Local\Temp\.

depth | parent            | schtasks.exe | cmd.exe | batch file        | chcp.com | PING.EXE | next Client.exe
    1 | sample 372        | 4148         | -       | -                 | -        | -        | 1480 (started directly by the sample)
    2 | Client.exe 1480   | 3988         | 4344    | 7quglq61jKgw.bat  | 1872     | 3048     | 2344
    4 | Client.exe 2344   | 760          | 4804    | LJ5tGpZmzZaO.bat  | 4612     | 908      | 2248
    6 | Client.exe 2248   | 1108         | 516     | zy40XH2cp3zd.bat  | 3452     | 1248     | 1492
    8 | Client.exe 1492   | 2552         | 3164    | YaStWqjPrnqF.bat  | 2108     | 4948     | 1264
   10 | Client.exe 1264   | 3896         | 2180    | n9KIpEAN2zjU.bat  | 4016     | 456      | 4260
   12 | Client.exe 4260   | 2156         | 4340    | YpHst4tsAvCm.bat  | 1052     | 4940     | 2652
   14 | Client.exe 2652   | 4504         | 5112    | j7NAj8auAMm9.bat  | 3956     | 4308     | 5052
   16 | Client.exe 5052   | 4540         | 4312    | 5STtr5WnBx0Z.bat  | 4304     | 4900     | 1540
   18 | Client.exe 1540   | 3884         | 4968    | Sn4PtoFCyD2e.bat  | 656      | 1420     | 4016
   20 | Client.exe 4016   | 3528         | 2964    | dvQplaGw4zP0.bat  | 816      | 4788     | 1756
   22 | Client.exe 1756   | 4692         | 1244    | 2KdyFT1k9qa0.bat  | 2792     | 5076     | 628
   24 | Client.exe 628    | 4232         | 2336    | z4tBNLn2nbn1.bat  | 3088     | 4736     | 2328
   26 | Client.exe 2328   | 2160         | 1376    | ebD54sj1FmF4.bat  | 1560     | 1556     | 224
   28 | Client.exe 224    | 2452         | 5040    | ODCMtObY44Bj.bat  | 3732     | 2540     | 468
   30 | Client.exe 468    | 4252         | 4328    | hdWzC3mSvhiy.bat  | 2360     | 1104     | (no further Client.exe recorded)

That is 15 Client.exe instances, 16 schtasks.exe invocations, 15 cmd.exe/chcp.com/PING.EXE triples, matching the IoC counts in the Signatures section. PIDs are reused across the run (4016 is a chcp.com at depth 12 and a Client.exe at depth 20), so correlate on parent PID plus image, not PID alone.
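Detection logic for the two behaviours the tree above shows, as an added example that is not part of the sandbox report, the sample, or Quasar itself. It runs over a handful of constructed process-creation events in the shape of Sysmon Event ID 1 records (PIDs and command lines copied from the first hop above, the sample renamed to sample.exe, plus a made-up benign schtasks call as a control) and flags (a) a schtasks /create of an ONLOGON task with /rl HIGHEST whose /tr target sits under a user-writable AppData path, and (b) a cmd.exe batch whose children are chcp 65001, a ping -n N localhost sleep and a relaunch of the image that spawned cmd.exe. The ProcEvent record, the rule names and the benign control's parent PID are assumptions.

```python
"""Detections for the schtasks persistence and the cmd.exe batch-relaunch
chain seen in the process tree. Added example; the events below are
constructed (Sysmon Event ID 1 shape) and not taken from the report."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


CLIENT = r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
TASK_CMD = (r'"schtasks" /create /tn "ctfmon" /sc ONLOGON '
            r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f')

# Constructed events modelled on the first hop of the chain; PIDs as in the report,
# the sample file renamed to sample.exe. PID 4000/4001 parents are assumed.
SAMPLE_EVENTS = [
    ProcEvent(372, 4000, r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    ProcEvent(4148, 372, r"C:\Windows\SYSTEM32\schtasks.exe", TASK_CMD),
    ProcEvent(1480, 372, CLIENT, f'"{CLIENT}"'),
    ProcEvent(3988, 1480, r"C:\Windows\SYSTEM32\schtasks.exe", TASK_CMD),
    ProcEvent(4344, 1480, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7quglq61jKgw.bat" "'),
    ProcEvent(1872, 4344, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ProcEvent(3048, 4344, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    ProcEvent(2344, 4344, CLIENT, f'"{CLIENT}"'),
    # Benign control (made up): a daily task pointing at Program Files, not ONLOGON.
    ProcEvent(5000, 4001, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\run.exe"'),
]

USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
TR_ARG = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)       # quoted or bare /tr target
PING_SLEEP = re.compile(r"^ping\s+-n\s+\d+\s+(localhost|127\.0\.0\.1)\s*$", re.I)


def flag_onlogon_task(ev):
    """schtasks /create with /sc ONLOGON and /rl HIGHEST whose /tr target lives
    under a user-writable AppData path. Returns a finding dict or None."""
    low = ev.cmdline.lower()
    if not ev.image.lower().endswith("schtasks.exe") or "/create" not in low:
        return None
    m = TR_ARG.search(ev.cmdline)
    target = (m.group(1) or m.group(2)) if m else ""
    if "/sc onlogon" in low and "/rl highest" in low and USER_WRITABLE.search(target):
        return {"rule": "onlogon_task_user_writable", "pid": ev.pid, "target": target}
    return None


def flag_batch_restart_chains(events):
    """cmd.exe /c <file>.bat whose children are chcp 65001, a localhost ping used
    as a sleep, and a relaunch of the same image as cmd.exe's own parent."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings = []
    for cmd in events:
        low = cmd.cmdline.lower()
        if not cmd.image.lower().endswith("\\cmd.exe") or "/c" not in low or ".bat" not in low:
            continue
        parent = by_pid.get(cmd.ppid)
        if parent is None:
            continue
        kids = children.get(cmd.pid, [])
        has_chcp = any(k.image.lower().endswith("chcp.com") and "65001" in k.cmdline for k in kids)
        has_sleep = any(PING_SLEEP.match(k.cmdline) for k in kids)
        relaunch = [k for k in kids if k.image.lower() == parent.image.lower()]
        if has_chcp and has_sleep and relaunch:
            findings.append({"rule": "batch_restart_chain", "cmd_pid": cmd.pid,
                             "parent_pid": parent.pid, "relaunch_pid": relaunch[0].pid,
                             "image": parent.image})
    return findings


def scan(events):
    """Run both detections over a list of ProcEvent records and return all findings."""
    hits = [f for f in (flag_onlogon_task(e) for e in events) if f]
    return hits + flag_batch_restart_chains(events)


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

On the full tree above the first rule fires on all 16 schtasks.exe invocations and the second once per completed hop (the last cmd.exe, 4328, never gets its relaunched Client.exe, so it would not match). The /tr regex accepts both quoted and bare targets and the ONLOGON/HIGHEST checks are case-insensitive because schtasks accepts either spelling; the relaunch check compares the child's image to the grandparent's image rather than to a fixed path, so it also catches the same pattern with a different install_name or subdirectory.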
Network
MITRE ATT&CK Enterprise v15
Downloads

17 files: one of 2KB, 15 of 207B (the count matches the 15 batch files in the process tree) and one of 3.1MB with the same hashes as the submitted sample.

File 1: 2KB
  MD5:    8f0271a63446aef01cf2bfc7b7c7976b
  SHA1:   b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
  SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
  SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

File 2: 207B
  MD5:    edffa238b7f6c5f5073e30fb2d84e8b5
  SHA1:   d6ee0c78e5a295f8b5bc871de5d3fe83f8db4ff2
  SHA256: 92a6b5d5d470bcd42387d10ea53f71644e89427c8d8d3befcda8f2bafba8e2d9
  SHA512: 819a212dc651f6efd80255519d9e21040bd6d34a9c96a7fcbad8b7614567ede1b69b798330556edd520b745d3678b8898a6f2ba28a6aae8414983af6f2060d98

File 3: 207B
  MD5:    3d5c39f466e3d92ebfe20de0b28f683d
  SHA1:   972e9580e003d57208d7dfb8905638bba225b811
  SHA256: 9f14330d79d6eda0d65bcd114db550577f5b2f68730fe8b5ce85f41388847f2e
  SHA512: 079a506a188c8fcbb1767a3780b11c3fc72f1c4f0ca397847d388a3df6fb5a925711faf923d45ac754e313d903bbb236de398a0a4058e5558a1eead19db558de

File 4: 207B
  MD5:    089f5f69601aaaaaaf05f6a184cabcf3
  SHA1:   3cbaba711ef0518a6dfe077ce8f95cf5942978a7
  SHA256: 7106a07c102dbea88eb91c691eb20c36ac99b1e1d52703c924dc6632bc17f085
  SHA512: 16b682c340c693ea02c2ec93e60818abe642a0b0c05cfaf33aa869680c68e6d73985ca4adf11def4316e8f1d824edc902254246d37a0324a52504b28f691bcb4

File 5: 207B
  MD5:    d9aeac1a4189808d9451563a1dd5685d
  SHA1:   ba88bb8ce24a292358c0d612cefc2478813da8c5
  SHA256: 87e9ef00e328103ca81e2bf95447b485d32548312228ea395c703f46b4ecaee5
  SHA512: 1c3935a3596e3703c961740a2c69a46464d6b4eb8bdb970b9b4540519fe3fc25ff0e4d832c17ccbf4cb1e5747957f6fc96878c853e8d75fb8b163a4658421cef

File 6: 207B
  MD5:    78cb167ab5094a65c07cea785fe4f050
  SHA1:   3e3e78912220e0733873081e974233067f2d3ec9
  SHA256: 20cee78af709c29f7c4c90e5c381f538607fa6c74e4739bd78556b5b3a561f25
  SHA512: 1354acb11b608f1814b3da61cda1a5a95adc9a187178995e03ff5596718bb61e95f9045c96a822725c3ce2ae49f022019ad0fac8eb0807981b207e69470c59a0

File 7: 207B
  MD5:    73299a926280681278857639d4cdf077
  SHA1:   9666231d02698c4f4d5a2f49c7458945330adb10
  SHA256: f96e172ac40662007162d269f2675663d026918ceac2d7dfa7f17d797c7b1a5b
  SHA512: 9149178b224b16b499a8fa330a566e0d748a0325731c4cef9835e1c8a7f4501cc35be2b066894c91778dbe36ca7e2af9a883437c71849bf05082504ae8f2a15a

File 8: 207B
  MD5:    183c35c091c66837fcb3d181471f283a
  SHA1:   481e8608336c8fb26637d2fe2ed813acc2fc10be
  SHA256: 23a1a1c81000d21a7fe9d7fdf3f8f3e8ac2070f6835de2f966f1251ada881c41
  SHA512: 379a1526fe41618cfc0aa75604c7a618abbcbc9c33e7c22fec6af7c21a78c018aef055a4e4e38d0223665487a15f5ced743a49a8603d36ccf1d2dc3d7d07b8e5

File 9: 207B
  MD5:    e27516c696a4e2eac200316d4b6181db
  SHA1:   1b7f644cf89fec226cde49a2ab0ae069c6455842
  SHA256: ca52444a8cd2f02b27e1400f39dd5788a1a30f1edb51633314c00d34e84a316f
  SHA512: 711908f6447611101341c3acbcef1463f2fd2e494a7790cb695f4594d1e019c593ba1314d6381799bbeeddf9060ccbda6958805cfafa632085f9196751cb2e98

File 10: 207B
  MD5:    9d9ceb0affe922789dde26e2f67d4864
  SHA1:   9520ea40abe180ed029f5d304cf7fb69a8782e11
  SHA256: fa9c27aaa87660b8ae60adb19fad3c9607fabade087cd7705b006a50740dac4b
  SHA512: 999567279d2afcba81f1f70203d22bd4dc5fd82231557691bfafd23609ce1c188186986641e0ac26fc3fd9358fddc2bc0f18a39d2c344be50b3b3509c09ec380

File 11: 207B
  MD5:    5061cacef1f573d2a7b9056dd0abc45c
  SHA1:   6156a8174077e78940f786f030dde1dda345b8ff
  SHA256: 6fb55e936a7f7ee1c26d52a2cb0c7516bca73d0d041751da164f975344af8e6a
  SHA512: 70ce23a46e1a6a45a16ad8770530999786304e881cf46b6e4f332e86fd92d871232146813c47dfc54f2eaaefa08a640627f76b05372c5067dec575e0853c7b78

File 12: 207B
  MD5:    9b8bd7f57c102f4226f5b82e02a12d06
  SHA1:   0431ed0778f8653b7f814320083f1830cbc203a0
  SHA256: db0ac1e8ea180a1a37668b705f6ebeeecbf0a863ebf7e452959b38b0384f966a
  SHA512: b3a37b479b01ec2a0065484c4b9a77959bc2a6fa2eb6c017922c9426c356a42b6b78a13cccc54ceced725b4431a76eb85594c0a3413ce654760888106f9bb154

File 13: 207B
  MD5:    5807172f4a775b78ebe81ffe9f25c046
  SHA1:   2060a7bfe9dec04cd49d0574be05bd84893c2356
  SHA256: a3712455c8f177c691188934fa9f35d5887101784909209b1551236c827281a5
  SHA512: 9e6c7360ae1d0e4d48691aac274df4bcd0bb907967fc0b5dd5e3e911f05a7cd8708d15ab51a3b4249089433b115610cde28dd02a009050112190cb9352b4882b

File 14: 207B
  MD5:    6502abd00933eee48268fc5a84ca256e
  SHA1:   69503560d9600c0165e51dd9a11b0e4ec63e53e6
  SHA256: ecf6cf8b4a611c1b970386133d30094be2a527d0d7546257f64c23b7e19b4eab
  SHA512: 27e7302ac0f6724f894fd3934063fff576fdd1dd668e3a44c53471f92ca3a1b04f1b266b6e9c94123566fb6caa7bbc1c6bec77fb009aad574be7d492e1b0ae7d

File 15: 207B
  MD5:    89f44d18d640c68d6ae55de514cdfb64
  SHA1:   27cfe22bd6965e3506e4a274fb309a8702c87731
  SHA256: 1c37b503df631ac387ce8d048817076803b26c120971b8c9468eb48c63fe90c1
  SHA512: a77fb9292d446d5b5bfe52c689f7cc03b64fd3ae79c69050da68a04bcdd648a732ba69b81d8fbc9e98c92dadf1ebc8cc83d058417daf606973e41f32b86984b

File 16: 207B
  MD5:    864bab7378ebadc47b4749312a2d2c29
  SHA1:   752b2114472fdbd8ae00386522d6b584f23cac42
  SHA256: 71dab8bc6f2e14516a0870c8cb6675dba3dc3ee07f995fc5b21fa437e991e29d
  SHA512: 3c07991b87e7a9c70e6db7ad69853b3c5727e6c632c2ced22194d4edfba639fdef6b6940068319405649c5d9674c292969ca509043a6f1b1f90b993e45e392bc

File 17: 3.1MB (same hashes as the submitted sample)
  MD5:    a29d070abe87b2be24892421e0c763bb
  SHA1:   383104c7c6956a98ae5f63c743250f737700f509
  SHA256: 00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636
  SHA512: 6d2a161e8193ed3e05443bd76652b958990f01d2cc2452185f58a5bff3031d268e2fe71c009fa4938ac1cbc914ba2163133079f8218f1c67b0758f594a67f969