quasar | 26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf

Analysis

max time kernel
142s
max time network
146s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe
Size

286KB
MD5

b988c49b9654ec30906a781cac1ebaaf
SHA1

85f7f7274e6a134870f309c2b3d06b71807e7626
SHA256

26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf
SHA512

c4454fe6dff339982370a842133db79dba3fb641688d43a47ce4bdfb158a15eff3cad37c34ec4d881ca01e408af43e00f6f36c254f1bc7d93321b9d5f9028ad5
SSDEEP

6144:EhVZx2zU1Ypil1TQxqhzu4nkhdVwbjJ1ybkCrrpo:+xT1tY4Idc1ybkCho

Score

10^/10

quasar fakecreal discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

FakeCreal

espinyskibidi-40205.portmap.host:40205

Mutex

CdrjrrWbtRopP1ic7E

Attributes

encryption_key
HXEHSwyN1GHqlZUqunrd
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Client
subdirectory
Microsoft

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
	2	ip-api.com	Process not Found
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe
	10	ip-api.com	Process not Found
	16	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 13 IoCs

resource	yara_rule
behavioral1/memory/1728-1-0x00000000013C0000-0x000000000140E000-memory.dmp	family_quasar
behavioral1/files/0x0009000000016ace-4.dat	family_quasar
behavioral1/memory/2804-9-0x0000000000DD0000-0x0000000000E1E000-memory.dmp	family_quasar
behavioral1/memory/2260-25-0x0000000000F40000-0x0000000000F8E000-memory.dmp	family_quasar
behavioral1/memory/2632-37-0x0000000000FA0000-0x0000000000FEE000-memory.dmp	family_quasar
behavioral1/memory/1248-49-0x0000000000FA0000-0x0000000000FEE000-memory.dmp	family_quasar
behavioral1/memory/1592-72-0x0000000000250000-0x000000000029E000-memory.dmp	family_quasar
behavioral1/memory/2636-84-0x00000000009B0000-0x00000000009FE000-memory.dmp	family_quasar
behavioral1/memory/568-96-0x00000000009B0000-0x00000000009FE000-memory.dmp	family_quasar
behavioral1/memory/1920-108-0x0000000000040000-0x000000000008E000-memory.dmp	family_quasar
behavioral1/memory/848-120-0x0000000000C10000-0x0000000000C5E000-memory.dmp	family_quasar
behavioral1/memory/2400-132-0x0000000001370000-0x00000000013BE000-memory.dmp	family_quasar
behavioral1/memory/2828-144-0x0000000001370000-0x00000000013BE000-memory.dmp	family_quasar

Executes dropped EXE 12 IoCs

pid	Process
2804	Client.exe
2260	Client.exe
2632	Client.exe
1248	Client.exe
1932	Client.exe
1592	Client.exe
2636	Client.exe
568	Client.exe
1920	Client.exe
848	Client.exe
2400	Client.exe
2828	Client.exe

Loads dropped DLL 12 IoCs

pid	Process
1728	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe
2768	cmd.exe
2968	cmd.exe
2084	cmd.exe
2228	cmd.exe
2148	cmd.exe
2300	cmd.exe
2372	cmd.exe
804	cmd.exe
3012	cmd.exe
1092	cmd.exe
884	cmd.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
10	ip-api.com
16	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 62 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3044	PING.EXE
2792	PING.EXE
2112	PING.EXE
1480	PING.EXE
2604	PING.EXE
516	PING.EXE
2616	PING.EXE
2716	PING.EXE
2788	PING.EXE
1308	PING.EXE
2424	PING.EXE
2312	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
2112	PING.EXE
1480	PING.EXE
2788	PING.EXE
2604	PING.EXE
1308	PING.EXE
2616	PING.EXE
2716	PING.EXE
3044	PING.EXE
2792	PING.EXE
516	PING.EXE
2424	PING.EXE
2312	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1620	schtasks.exe
2200	schtasks.exe
948	schtasks.exe
2428	schtasks.exe
1396	schtasks.exe
2704	schtasks.exe
1804	schtasks.exe
1300	schtasks.exe
2892	schtasks.exe
2808	schtasks.exe
3036	schtasks.exe
2272	schtasks.exe
1900	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe
Token: SeDebugPrivilege	2804	Client.exe
Token: SeDebugPrivilege	2260	Client.exe
Token: SeDebugPrivilege	2632	Client.exe
Token: SeDebugPrivilege	1248	Client.exe
Token: SeDebugPrivilege	1932	Client.exe
Token: SeDebugPrivilege	1592	Client.exe
Token: SeDebugPrivilege	2636	Client.exe
Token: SeDebugPrivilege	568	Client.exe
Token: SeDebugPrivilege	1920	Client.exe
Token: SeDebugPrivilege	848	Client.exe
Token: SeDebugPrivilege	2400	Client.exe
Token: SeDebugPrivilege	2828	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1300	1728	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe	32
PID 1728 wrote to memory of 1300	1728	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe	32
PID 1728 wrote to memory of 1300	1728	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe	32
PID 1728 wrote to memory of 1300	1728	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe	32
PID 1728 wrote to memory of 2804	1728	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe	34
PID 1728 wrote to memory of 2804	1728	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe	34
PID 1728 wrote to memory of 2804	1728	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe	34
PID 1728 wrote to memory of 2804	1728	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe	34
PID 2804 wrote to memory of 2892	2804	Client.exe	35
PID 2804 wrote to memory of 2892	2804	Client.exe	35
PID 2804 wrote to memory of 2892	2804	Client.exe	35
PID 2804 wrote to memory of 2892	2804	Client.exe	35
PID 2804 wrote to memory of 2768	2804	Client.exe	37
PID 2804 wrote to memory of 2768	2804	Client.exe	37
PID 2804 wrote to memory of 2768	2804	Client.exe	37
PID 2804 wrote to memory of 2768	2804	Client.exe	37
PID 2768 wrote to memory of 2660	2768	cmd.exe	39
PID 2768 wrote to memory of 2660	2768	cmd.exe	39
PID 2768 wrote to memory of 2660	2768	cmd.exe	39
PID 2768 wrote to memory of 2660	2768	cmd.exe	39
PID 2768 wrote to memory of 2716	2768	cmd.exe	40
PID 2768 wrote to memory of 2716	2768	cmd.exe	40
PID 2768 wrote to memory of 2716	2768	cmd.exe	40
PID 2768 wrote to memory of 2716	2768	cmd.exe	40
PID 2768 wrote to memory of 2260	2768	cmd.exe	41
PID 2768 wrote to memory of 2260	2768	cmd.exe	41
PID 2768 wrote to memory of 2260	2768	cmd.exe	41
PID 2768 wrote to memory of 2260	2768	cmd.exe	41
PID 2260 wrote to memory of 1620	2260	Client.exe	42
PID 2260 wrote to memory of 1620	2260	Client.exe	42
PID 2260 wrote to memory of 1620	2260	Client.exe	42
PID 2260 wrote to memory of 1620	2260	Client.exe	42
PID 2260 wrote to memory of 2968	2260	Client.exe	44
PID 2260 wrote to memory of 2968	2260	Client.exe	44
PID 2260 wrote to memory of 2968	2260	Client.exe	44
PID 2260 wrote to memory of 2968	2260	Client.exe	44
PID 2968 wrote to memory of 2932	2968	cmd.exe	46
PID 2968 wrote to memory of 2932	2968	cmd.exe	46
PID 2968 wrote to memory of 2932	2968	cmd.exe	46
PID 2968 wrote to memory of 2932	2968	cmd.exe	46
PID 2968 wrote to memory of 3044	2968	cmd.exe	47
PID 2968 wrote to memory of 3044	2968	cmd.exe	47
PID 2968 wrote to memory of 3044	2968	cmd.exe	47
PID 2968 wrote to memory of 3044	2968	cmd.exe	47
PID 2968 wrote to memory of 2632	2968	cmd.exe	48
PID 2968 wrote to memory of 2632	2968	cmd.exe	48
PID 2968 wrote to memory of 2632	2968	cmd.exe	48
PID 2968 wrote to memory of 2632	2968	cmd.exe	48
PID 2632 wrote to memory of 2200	2632	Client.exe	49
PID 2632 wrote to memory of 2200	2632	Client.exe	49
PID 2632 wrote to memory of 2200	2632	Client.exe	49
PID 2632 wrote to memory of 2200	2632	Client.exe	49
PID 2632 wrote to memory of 2084	2632	Client.exe	51
PID 2632 wrote to memory of 2084	2632	Client.exe	51
PID 2632 wrote to memory of 2084	2632	Client.exe	51
PID 2632 wrote to memory of 2084	2632	Client.exe	51
PID 2084 wrote to memory of 2052	2084	cmd.exe	53
PID 2084 wrote to memory of 2052	2084	cmd.exe	53
PID 2084 wrote to memory of 2052	2084	cmd.exe	53
PID 2084 wrote to memory of 2052	2084	cmd.exe	53
PID 2084 wrote to memory of 2792	2084	cmd.exe	54
PID 2084 wrote to memory of 2792	2084	cmd.exe	54
PID 2084 wrote to memory of 2792	2084	cmd.exe	54
PID 2084 wrote to memory of 2792	2084	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe
"C:\Users\Admin\AppData\Local\Temp\26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe"
1⤵
- Quasar RAT
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1300
- C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Pbn8xS0JjyGj.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2660
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2716
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2260
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1620
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Hu5Jd2xn6vnT.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3044
      - C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MmxVS31KjHJp.bat" "
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2792
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\frTFmEhltx5R.bat" "
        9⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2112
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\npKM6JVeED0r.bat" "
        11⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1480
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WcpFRDWRtbGs.bat" "
        13⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2788
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        15⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0kmB7chpch8D.bat" "
        15⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2604
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QrvO1HiuozId.bat" "
        17⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:804
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:516
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        19⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KfMOT4HTtviH.bat" "
        19⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1308
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        21⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Pby5AIflv9tC.bat" "
        21⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2424
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        23⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QS2YBZYy2hie.bat" "
        23⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2312
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        25⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kRN6mQfM0Hl7.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0kmB7chpch8D.bat

Filesize
210B

MD5
b6dc58b44aec98cf3bceb3f4836a67c1

SHA1
130b32db166cc9547ec69bbc5589abf1647fa7f3

SHA256
5732a90795018261987671c7e8d77e4c684567ffd8c9a4547858af1116fbf30c

SHA512
b5f821d04e51016e61a9675e5d045c6b7ab845e6c3f5445d490c630097a070e5b8a4c680910add5fef62b01434176ca9d69f8d0c943cf79d88b29e9722805598

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hu5Jd2xn6vnT.bat

Filesize
210B

MD5
01ec80edbf62fd7f7461b9dfef179bb6

SHA1
27d318017a8a305273f6c6497fd67022e5348e6a

SHA256
bc92f7b9ae9a53d5cb14edc498e4007989dba5b0f58add24944b5675a156638a

SHA512
9a0937f260757311551293af2fe4de13585d17f75ab1e8531ab5b86f068af60e4261b95fa1b3b4364d60d11289010ec432de5b7bb9a0efbecd58e89704155605

Download Submit
C:\Users\Admin\AppData\Local\Temp\KfMOT4HTtviH.bat

Filesize
210B

MD5
ec7681dfcdb6debc8927a82c540b61b3

SHA1
edc332b7b504a38bd39ac0c9dd408e1b60ddc084

SHA256
5895b77ecd504935db6bb882b3253e1e2c2c2c9613b772129ce810243f91b4d7

SHA512
bdfc3b3038db744fc39aab926a91383102a4021fd79e100aac12ccf7a8a374d4ee96c21710eafc21b5cd54ee40e4f2444ab7136ba31649be13667ad85101a92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MmxVS31KjHJp.bat

Filesize
210B

MD5
02d94c433707caa590b8f7524f10fc9f

SHA1
a9088ad6bb9687eb51b25f2c92e96897a2256bc8

SHA256
855d330c87f6a83b63f6528fd9a2f675e763cd71966c0c0a6d8a029ad5584ee6

SHA512
96c2a2ac05a86570bd9e8075ed446a3403aa960f21a3a9ee92d889c54d7b55b4d47c1c33fafafecbfacc2635dca80372f25ab29269c9fffc0c6ad0ca410f1817

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pbn8xS0JjyGj.bat

Filesize
210B

MD5
030374423abf96fd80a78a06f12b99e8

SHA1
6ac6b6f2ccfd1a3bc659dfb406ba4993344de74a

SHA256
c2660ebb0fd26b060ca2a3bc70a524e6bf71052b943a05d0c90e530eb585d876

SHA512
0eaefc1f41898c628356e003f88623f2518747e745f3b5c31a8a65f9430d27c3ef136a6e0f87b44d2ef7690e10f72d9826f34924d276d9c7eb613171ce8516cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pby5AIflv9tC.bat

Filesize
210B

MD5
f358fe3d67b6a253b44f18d67a733c4e

SHA1
2870d13d0b3c676719520348586404011e8d4a4c

SHA256
b3576e36912b6a1d2d93593e20f5fb1b930b88db9f97a4cc48721dd3a589b34e

SHA512
6ac1e3d41937f86fdee9ba4b7a75a27fced7a6c983e9ea3c3ba1833009e76ffa4875d11f2024bcbeff76374989a3640fdc6c4034944b2b478fc2ad1fcf0d9212

Download Submit
C:\Users\Admin\AppData\Local\Temp\QS2YBZYy2hie.bat

Filesize
210B

MD5
3058ecf47a59672ab807c842aef83ab0

SHA1
39057f1baf2c77e37f89d1afcf3b628606c2d462

SHA256
4a7e6514bf983bb4640eb6200f9849ea7a05e1eb69d239583d34c6d2f2880d64

SHA512
3250e1228d85df63e3bb31a4655c084f4a0a82fc015e447c62d8c5676673210c1a8d1fd3b1e6c36e2e2f5784d6d0c9a42d7bda855d51d98cf1873213d30bb09a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QrvO1HiuozId.bat

Filesize
210B

MD5
47ed102247fdb3d5fdba4479fa32e089

SHA1
0c67bd3484b754749ac20088a1a8c236f71cee1e

SHA256
7fac71016cae0e1c7d6df81902b8d46cf495127656b0770b307ccb5f737becfa

SHA512
cdf0458a0000ed128be3b11913722d649e92f727ace66eb78b0cfd5609a8201b70f6f65cf78f4802edd44e6073377d94fe376b2c022fb64d107593c8938261b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcpFRDWRtbGs.bat

Filesize
210B

MD5
bdf8c7228d50142ab438884f3d99121b

SHA1
0afc8099b9dd11baa46e8a28c887068e2a055192

SHA256
c74b6138cef9c5cf89012d512fc26562f64091b2a515813666f823a51656fb56

SHA512
6fbee17dbddff9868f797d00ac5bb1ca5110574b7a6dae66cfde1fc598166ac3eeff63cf3f14e9c9b6212a6d3166a4d3953cfb428b93e6efe951b4cfb517011d

Download Submit
C:\Users\Admin\AppData\Local\Temp\frTFmEhltx5R.bat

Filesize
210B

MD5
2193f7c3ac112b7b0c9f84aa9dd298a8

SHA1
7ec237eadc321cdc83ab8564cd06e3d2638d2766

SHA256
3b53db1500578ef391420050a813929c3f45312cb1cfe9c77b68f910d6aa2c77

SHA512
152246e8ecd0da0f9d10ec54be29fa068389f87360a155e924b37d2701176b00cd166aa5c7907c9452cd77c6db930ffb74a6b55b3c7e41cb9f0ac3337ee7cff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kRN6mQfM0Hl7.bat

Filesize
210B

MD5
2b19e65c2aa09097bcc68138652b473d

SHA1
931af3d93169b1a9c091568b36c963b34cbd57b8

SHA256
1b2e62b89f589129e142cbf66f7c22d2120be50d8920725982f4cfeeb31401ed

SHA512
0d4baa449480e76509cc2b5d9d27071b07bcedd7551fac573b3e892cff12992f22b761b0a489a58289a1f7d973a5b001ec6749db21723deb535373ecd50a1fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\npKM6JVeED0r.bat

Filesize
210B

MD5
bbfc6f8c48ec6492c3dc20891102ce4a

SHA1
7e1d2cf4a968320f6ff4f0da9deef696cc76a282

SHA256
2b507e8a067b4bad826485e17ccf86a4258050074bb0f7cab2af117e019c3a9a

SHA512
c7d82db3b497016800706725b4f525ccd83a591299d73f49aae9823e823fc158f0c137cb53086c04f2d03455fb4f05eaca78a574fe038523826aeb070d1f3224

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Client.exe

Filesize
286KB

MD5
b988c49b9654ec30906a781cac1ebaaf

SHA1
85f7f7274e6a134870f309c2b3d06b71807e7626

SHA256
26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf

SHA512
c4454fe6dff339982370a842133db79dba3fb641688d43a47ce4bdfb158a15eff3cad37c34ec4d881ca01e408af43e00f6f36c254f1bc7d93321b9d5f9028ad5

Download Submit
memory/568-96-0x00000000009B0000-0x00000000009FE000-memory.dmp

Filesize
312KB

Download
memory/848-120-0x0000000000C10000-0x0000000000C5E000-memory.dmp

Filesize
312KB

Download
memory/1248-49-0x0000000000FA0000-0x0000000000FEE000-memory.dmp

Filesize
312KB

Download
memory/1592-72-0x0000000000250000-0x000000000029E000-memory.dmp

Filesize
312KB

Download
memory/1728-0-0x000000007445E000-0x000000007445F000-memory.dmp

Filesize
4KB

Download
memory/1728-1-0x00000000013C0000-0x000000000140E000-memory.dmp

Filesize
312KB

Download
memory/1728-12-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download
memory/1728-2-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download
memory/1920-108-0x0000000000040000-0x000000000008E000-memory.dmp

Filesize
312KB

Download
memory/2260-25-0x0000000000F40000-0x0000000000F8E000-memory.dmp

Filesize
312KB

Download
memory/2400-132-0x0000000001370000-0x00000000013BE000-memory.dmp

Filesize
312KB

Download
memory/2632-37-0x0000000000FA0000-0x0000000000FEE000-memory.dmp

Filesize
312KB

Download
memory/2636-84-0x00000000009B0000-0x00000000009FE000-memory.dmp

Filesize
312KB

Download
memory/2804-9-0x0000000000DD0000-0x0000000000E1E000-memory.dmp

Filesize
312KB

Download
memory/2804-10-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-11-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-22-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download
memory/2828-144-0x0000000001370000-0x00000000013BE000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads