quasar | 8e5a34b932374eae6c3d0d71bef8d34f4f91cc31908ff596533f5fec1a5ff592

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/12/2024, 03:05 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e5a34b932374eae6c3d0d71bef8d34f4f91cc31908ff596533f5fec1a5ff592.exe
Size

3.1MB
MD5

02130800d200407967cb08abbb0aeefe
SHA1

6df9a3b4879c3d34b51826bd1d9ad0f64c93d11e
SHA256

8e5a34b932374eae6c3d0d71bef8d34f4f91cc31908ff596533f5fec1a5ff592
SHA512

dccf995ac63f9386c909608bd948fe41b64aae9df87c6db2cf158de933dd3d8eaabd3215da98911d51af48fab71b992ea72eed3d807c4ebe0d6ef9927c78a84d
SSDEEP

49152:nvrlL26AaNeWgPhlmVqvMQ7XSKvgEcqBxZCoGdYTHHB72eh2NT:nvRL26AaNeWgPhlmVqkQ7XSKHcd

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

suport24.ddns.net:4782

192.168.1.74:4782

Mutex

b4ad83f8-b608-477d-8395-2274bcaab6d1

Attributes

encryption_key
62EF51244AF3535A6A9C77206CD89D5BFECD7E4E
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2796-1-0x0000000000A30000-0x0000000000D54000-memory.dmp	family_quasar
behavioral2/files/0x0008000000023bb6-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
2208	Client.exe
3192	Client.exe
1332	Client.exe
596	Client.exe
1552	Client.exe
4068	Client.exe
1444	Client.exe
2392	Client.exe
3836	Client.exe
4072	Client.exe
2264	Client.exe
5056	Client.exe
3684	Client.exe
3128	Client.exe
4652	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3992	PING.EXE
1880	PING.EXE
2720	PING.EXE
4672	PING.EXE
1032	PING.EXE
3880	PING.EXE
4964	PING.EXE
3772	PING.EXE
1320	PING.EXE
2960	PING.EXE
4348	PING.EXE
2984	PING.EXE
4584	PING.EXE
1740	PING.EXE
4976	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1032	PING.EXE
3880	PING.EXE
1880	PING.EXE
4584	PING.EXE
2720	PING.EXE
2960	PING.EXE
4964	PING.EXE
1740	PING.EXE
4672	PING.EXE
3992	PING.EXE
1320	PING.EXE
2984	PING.EXE
3772	PING.EXE
4348	PING.EXE
4976	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	8e5a34b932374eae6c3d0d71bef8d34f4f91cc31908ff596533f5fec1a5ff592.exe
Token: SeDebugPrivilege	2208	Client.exe
Token: SeDebugPrivilege	3192	Client.exe
Token: SeDebugPrivilege	1332	Client.exe
Token: SeDebugPrivilege	596	Client.exe
Token: SeDebugPrivilege	1552	Client.exe
Token: SeDebugPrivilege	4068	Client.exe
Token: SeDebugPrivilege	1444	Client.exe
Token: SeDebugPrivilege	2392	Client.exe
Token: SeDebugPrivilege	3836	Client.exe
Token: SeDebugPrivilege	4072	Client.exe
Token: SeDebugPrivilege	2264	Client.exe
Token: SeDebugPrivilege	5056	Client.exe
Token: SeDebugPrivilege	3684	Client.exe
Token: SeDebugPrivilege	3128	Client.exe
Token: SeDebugPrivilege	4652	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2208	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2208	2796	8e5a34b932374eae6c3d0d71bef8d34f4f91cc31908ff596533f5fec1a5ff592.exe	83
PID 2796 wrote to memory of 2208	2796	8e5a34b932374eae6c3d0d71bef8d34f4f91cc31908ff596533f5fec1a5ff592.exe	83
PID 2208 wrote to memory of 5056	2208	Client.exe	85
PID 2208 wrote to memory of 5056	2208	Client.exe	85
PID 5056 wrote to memory of 3112	5056	cmd.exe	87
PID 5056 wrote to memory of 3112	5056	cmd.exe	87
PID 5056 wrote to memory of 3992	5056	cmd.exe	88
PID 5056 wrote to memory of 3992	5056	cmd.exe	88
PID 5056 wrote to memory of 3192	5056	cmd.exe	96
PID 5056 wrote to memory of 3192	5056	cmd.exe	96
PID 3192 wrote to memory of 2104	3192	Client.exe	99
PID 3192 wrote to memory of 2104	3192	Client.exe	99
PID 2104 wrote to memory of 1100	2104	cmd.exe	101
PID 2104 wrote to memory of 1100	2104	cmd.exe	101
PID 2104 wrote to memory of 1032	2104	cmd.exe	102
PID 2104 wrote to memory of 1032	2104	cmd.exe	102
PID 2104 wrote to memory of 1332	2104	cmd.exe	110
PID 2104 wrote to memory of 1332	2104	cmd.exe	110
PID 1332 wrote to memory of 2316	1332	Client.exe	112
PID 1332 wrote to memory of 2316	1332	Client.exe	112
PID 2316 wrote to memory of 1376	2316	cmd.exe	114
PID 2316 wrote to memory of 1376	2316	cmd.exe	114
PID 2316 wrote to memory of 3880	2316	cmd.exe	115
PID 2316 wrote to memory of 3880	2316	cmd.exe	115
PID 2316 wrote to memory of 596	2316	cmd.exe	118
PID 2316 wrote to memory of 596	2316	cmd.exe	118
PID 596 wrote to memory of 4976	596	Client.exe	121
PID 596 wrote to memory of 4976	596	Client.exe	121
PID 4976 wrote to memory of 2004	4976	cmd.exe	123
PID 4976 wrote to memory of 2004	4976	cmd.exe	123
PID 4976 wrote to memory of 1320	4976	cmd.exe	124
PID 4976 wrote to memory of 1320	4976	cmd.exe	124
PID 4976 wrote to memory of 1552	4976	cmd.exe	125
PID 4976 wrote to memory of 1552	4976	cmd.exe	125
PID 1552 wrote to memory of 548	1552	Client.exe	127
PID 1552 wrote to memory of 548	1552	Client.exe	127
PID 548 wrote to memory of 3900	548	cmd.exe	129
PID 548 wrote to memory of 3900	548	cmd.exe	129
PID 548 wrote to memory of 2984	548	cmd.exe	130
PID 548 wrote to memory of 2984	548	cmd.exe	130
PID 548 wrote to memory of 4068	548	cmd.exe	132
PID 548 wrote to memory of 4068	548	cmd.exe	132
PID 4068 wrote to memory of 3892	4068	Client.exe	134
PID 4068 wrote to memory of 3892	4068	Client.exe	134
PID 3892 wrote to memory of 644	3892	cmd.exe	136
PID 3892 wrote to memory of 644	3892	cmd.exe	136
PID 3892 wrote to memory of 1880	3892	cmd.exe	137
PID 3892 wrote to memory of 1880	3892	cmd.exe	137
PID 3892 wrote to memory of 1444	3892	cmd.exe	138
PID 3892 wrote to memory of 1444	3892	cmd.exe	138
PID 1444 wrote to memory of 4984	1444	Client.exe	140
PID 1444 wrote to memory of 4984	1444	Client.exe	140
PID 4984 wrote to memory of 5068	4984	cmd.exe	142
PID 4984 wrote to memory of 5068	4984	cmd.exe	142
PID 4984 wrote to memory of 4964	4984	cmd.exe	143
PID 4984 wrote to memory of 4964	4984	cmd.exe	143
PID 4984 wrote to memory of 2392	4984	cmd.exe	144
PID 4984 wrote to memory of 2392	4984	cmd.exe	144
PID 2392 wrote to memory of 3024	2392	Client.exe	146
PID 2392 wrote to memory of 3024	2392	Client.exe	146
PID 3024 wrote to memory of 1548	3024	cmd.exe	148
PID 3024 wrote to memory of 1548	3024	cmd.exe	148
PID 3024 wrote to memory of 4584	3024	cmd.exe	149
PID 3024 wrote to memory of 4584	3024	cmd.exe	149

C:\Users\Admin\AppData\Local\Temp\8e5a34b932374eae6c3d0d71bef8d34f4f91cc31908ff596533f5fec1a5ff592.exe
"C:\Users\Admin\AppData\Local\Temp\8e5a34b932374eae6c3d0d71bef8d34f4f91cc31908ff596533f5fec1a5ff592.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MHcCEYC0BIPM.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3112
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3992
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3192
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\In2KgbfrweUi.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2104
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1100
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1032
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Kj3GCLqQAwZM.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1376
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3880
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qqSWBNHnpvXQ.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2004
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1320
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jVODzsyRDjNS.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3900
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2984
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CZl2o6t4ivSr.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:644
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1880
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zoEBvSaJCvL1.bat" "
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:5068
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4964
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sXAahFrpP7KB.bat" "
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1548
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4584
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\48OccjHMNugn.bat" "
        19⤵
        
        PID:2768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2812
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1740
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SRQCiI5H2IYC.bat" "
        21⤵
        
        PID:4704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1844
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4976
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9kXIXkjLiT6T.bat" "
        23⤵
        
        PID:752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:536
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3772
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Y1X7l4IqryBN.bat" "
        25⤵
        
        PID:1124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1100
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4672
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9ltM8nojm0nE.bat" "
        27⤵
        
        PID:5036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2720
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0qFhujbWSBsw.bat" "
        29⤵
        
        PID:324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2960
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AB9Yt41lDHvM.bat" "
        31⤵
        
        PID:2112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:824
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4348

Network

DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

133.130.81.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.130.81.91.in-addr.arpa

IN PTR

Response
DNS

75.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.159.190.20.in-addr.arpa

IN PTR

Response
DNS

suport24.ddns.net

Client.exe

Remote address:

8.8.8.8:53

Request

suport24.ddns.net

IN A

Response

suport24.ddns.net

IN A

0.0.0.0
DNS

suport24.ddns.net

Client.exe

Remote address:

8.8.8.8:53

Request

suport24.ddns.net

IN A
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

212.20.149.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

212.20.149.52.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

181.129.81.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

181.129.81.91.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

29.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.243.111.52.in-addr.arpa

IN PTR

Response
DNS

137.71.105.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

137.71.105.51.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

133.130.81.91.in-addr.arpa

dns

72 B
147 B
1
1

DNS Request

133.130.81.91.in-addr.arpa
8.8.8.8:53

75.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

75.159.190.20.in-addr.arpa
8.8.8.8:53

suport24.ddns.net

dns

Client.exe

126 B
79 B
2
1

DNS Request

suport24.ddns.net

DNS Request

suport24.ddns.net

DNS Response

0.0.0.0
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

212.20.149.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

212.20.149.52.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

181.129.81.91.in-addr.arpa

dns

72 B
147 B
1
1

DNS Request

181.129.81.91.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

29.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

29.243.111.52.in-addr.arpa
8.8.8.8:53

137.71.105.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

137.71.105.51.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0qFhujbWSBsw.bat

Filesize
207B

MD5
e01fb6bee0de8ab4b172c7e6a3ceccde

SHA1
ad372c740741b527ac216308c714dcb081500e46

SHA256
5c2b7a58468fde6a78059808201d1b02e0929650b521c8e1107b2045f13ad345

SHA512
6d72c0e5b9a2d82d42cfb9887cdb1946574425f41d7cc58d4c0b32900da62111d5e7f81a6b9de05213eb38154c56667afe205fb388c721121a296820eab83ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\48OccjHMNugn.bat

Filesize
207B

MD5
a5782db47e296915314b40be3bbbcec4

SHA1
869a634acbcbeb3492e46d68dd5ff66a8eebcbe0

SHA256
65c0611ce3f57b47e0219d33408124e4e6422b6efef896620c0b4d57887fa606

SHA512
9a8b9b0414bd6454ec6045a6fc9f95dc80aafb7b9a900e2209c5c83ef18a6667bd7555afa7fec6b917f58dc8068f3e844d2a65763b857183d445e1d0294f2609

Download Submit
C:\Users\Admin\AppData\Local\Temp\9kXIXkjLiT6T.bat

Filesize
207B

MD5
d145d67d0263b8c4efc13744b535c532

SHA1
0702736808df36b67e04102f0df897b5fb181c8a

SHA256
d76af0c4fea5223225b9235d5ff33c4f13dba7294f978e08893b2dd40535a513

SHA512
cb2109c7a0114d942b0aad7dcb0676110e5d7ffe74aa6b79bb7e2ee6fe73a7be3ca11b4c10df37f59cfb457d1a061756e768540fd26375cd91ed427d96e0ab68

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ltM8nojm0nE.bat

Filesize
207B

MD5
706594f9a379b4b49e1e093120046aa2

SHA1
e774ba7a3c8eac74072e8ea2a1c94b69e1c64f36

SHA256
e4f1fc6ffd7d73c4710082736fd8952b28dc0a863cb844381c278256e391c5d4

SHA512
58046d4e20c220b2baa1b874546dd7b1058675872c58c9028e4e4c9413ea7ffbe1ca1db35ad7af31b74029a0adb94992982ce65251973492dadf3d3daa1c1a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\AB9Yt41lDHvM.bat

Filesize
207B

MD5
aa0d34d480a4627438dcaf9397a8fabe

SHA1
a50ac602f43d0ce9367c96709c45b72e9f4cce2c

SHA256
e66b1c95f1d268794a10021a57e2afebacbbaa0abde1d2c6985e44fe34d4205c

SHA512
c0ec0b2c2a8d29613f0646ffa8cc41c16d280fdce5ad5b0c80c708bd5462cff5f2c29db3b903bd802d955f0e695d0b4bc859d82639a7a9a9ac01e503464329e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CZl2o6t4ivSr.bat

Filesize
207B

MD5
e005d78c6029c54b0a842cbca334dc6b

SHA1
0336c03eff317d7c97c97bed00be55bdb69bbfc6

SHA256
7f04019d55197acfc319c20077745fce4f7167fc2a83850ee2dbbf0e2e9c9160

SHA512
9bc1cc51bf0789b98d4fb7955a5f49e881981eba657f9fbe886a655e84e4a6e6f9275588fd3fa8cea054fdc9682cc9d66c269e135e7fa379fed249c50fda86ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\In2KgbfrweUi.bat

Filesize
207B

MD5
dd483d22bab10b2e6021cceaa2d896fb

SHA1
b0719122b675068fd75e27f8b898e4a8eaeccc55

SHA256
318252a00f135fc986eb0d53e05de66fd80eb2b58c45bdd68117018835e1a177

SHA512
b2dfc06ea19569b8b3c1f572420898247cbbbb381818aa0f9bc700a8ed0d974cefe035ee05ff33c0da8eb5a55445a0ac81d79d695f522ec8941e87f06e63ec0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kj3GCLqQAwZM.bat

Filesize
207B

MD5
0ffb1ca5d1a30ec952868f6482fb3b06

SHA1
9a1cc3f8a9bdb3e09aef3045bf92720d7170a451

SHA256
e8420964acc86c4a1947eff5bcf2e69bcbca69da0cf355d5ede5e8a6a123849e

SHA512
ec28e3dac97b00b69202a0090bd5419db4751429e41d9bae75bb61f4b125963faa1e5b7815f26d32aadb6634d9accbee70053c4a33df78c41048c4dcf69afac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MHcCEYC0BIPM.bat

Filesize
207B

MD5
8311a86f1e5bf6790bcc93efec960e7a

SHA1
7930523ae5685756ff44b9e63b08392549e46cb0

SHA256
f00df0f76b778ab1616448698aab820c47594a823aaeb724a31faebbe91d6768

SHA512
004244ac392d38e5914fa324d58d718ccb9776790fb11970e49720a2627e776806c567ee0a61de00c5c1df313f48f883625299f88d49521b8f28dc126fcb7add

Download Submit
C:\Users\Admin\AppData\Local\Temp\SRQCiI5H2IYC.bat

Filesize
207B

MD5
857e1f1054e80d62aeb63e8137a47eec

SHA1
84d1e796acab20814d01f2d7ac73d77720e45a05

SHA256
1422eaf8b65ee492f7e4540308d3f09ed78f088f193b6da50ecc953dba4a3504

SHA512
88938bc435a7788aca16bf3c41e9c5830a0b78917709635b5a6dcaf510ad0d87a3b0be7e6005a6238c17cd09525e71830833e8b8248673deb1e20127b8d41ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y1X7l4IqryBN.bat

Filesize
207B

MD5
77378dcc50f4da2772597c484bad4689

SHA1
09612980d7f0e894713c908ed2f0185e024d5ef4

SHA256
3fc0dd98adef6a0ef3127cfa9beae4904eba95b50f1a8e1c83792c7967381ffa

SHA512
d0c17cc1bba48e54836598e9f5341c9881f436df0af716f4224e3907893526a2777a171db92d1a80902db29ce02e55e72972db64b2f781732ce16e5f7a22cfa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jVODzsyRDjNS.bat

Filesize
207B

MD5
886c3ab952e69c8085d2224e506774df

SHA1
accc4eb5aadf00a283378f18747197a8ccd200bf

SHA256
697ac09340a14b6da2cd1083e6649845d2b028e95a742e6cfd6762f3e48be67e

SHA512
98b6e84d88c61ee4e619723e2fc649a2a23f7d7aa873cb1dfb770cb967f64c4d582b7eb865dd34c3537fab71dd79e6dea19e24afbdd1e09bfc0f42eed0eb5cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqSWBNHnpvXQ.bat

Filesize
207B

MD5
3758d887e927be3946d58d8cfb0459d6

SHA1
f8bdf9d5de170415775edb5456470d9225965590

SHA256
989909369fe40f61f480c4aa87ef704e6cc0836aca3dbfcad0379ab24996d28a

SHA512
c56453c60ab9161519886b39d922e34997c4b72985f378449d0b9269cc81e2986467f4ea2e2577e7362501dfd30ea1f05f36f9168b296368a1718ded4f0932f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\sXAahFrpP7KB.bat

Filesize
207B

MD5
a8fbf56224cbaf24f0f4e62ad6ffcb3d

SHA1
9841dd814315867000c967c43a5e137a78eb8dd8

SHA256
0806286f7814b81b8ffedf96578f5e05f74695462eb5745a9a6498e76fc417ad

SHA512
08e3d3b20416e03a4ffff083eae1fd695207a0eeecab8e32a72c472fefafb6d80f94c777bc0f3a8fd86f7c2c80689a07c39e115bb3957ee87158360dd5dd1768

Download Submit
C:\Users\Admin\AppData\Local\Temp\zoEBvSaJCvL1.bat

Filesize
207B

MD5
0b278078e493be8e8d1d2af4ace67760

SHA1
c02ccf9528433082c78ac72f4bccf74f0429bb10

SHA256
22f95a056c5989dd4fc0baa14ff296b5549d0f22ce454d4d9aeef4bd64a7776b

SHA512
b1be93a68e43e1aacfbb2154ad8d496ba3c2d3837c313a1265baef99a7eca817a0d0759029e18d12021bb99dedc2078b3b1ebe60c71a5860819f4cec8bb4a9ba

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
02130800d200407967cb08abbb0aeefe

SHA1
6df9a3b4879c3d34b51826bd1d9ad0f64c93d11e

SHA256
8e5a34b932374eae6c3d0d71bef8d34f4f91cc31908ff596533f5fec1a5ff592

SHA512
dccf995ac63f9386c909608bd948fe41b64aae9df87c6db2cf158de933dd3d8eaabd3215da98911d51af48fab71b992ea72eed3d807c4ebe0d6ef9927c78a84d

Download Submit
memory/2208-18-0x00007FF8244B0000-0x00007FF824F71000-memory.dmp

Filesize
10.8MB

Download
memory/2208-13-0x000000001BE60000-0x000000001BF12000-memory.dmp

Filesize
712KB

Download
memory/2208-12-0x000000001B8E0000-0x000000001B930000-memory.dmp

Filesize
320KB

Download
memory/2208-11-0x00007FF8244B0000-0x00007FF824F71000-memory.dmp

Filesize
10.8MB

Download
memory/2208-9-0x00007FF8244B0000-0x00007FF824F71000-memory.dmp

Filesize
10.8MB

Download
memory/2796-0-0x00007FF8244B3000-0x00007FF8244B5000-memory.dmp

Filesize
8KB

Download
memory/2796-10-0x00007FF8244B0000-0x00007FF824F71000-memory.dmp

Filesize
10.8MB

Download
memory/2796-2-0x00007FF8244B0000-0x00007FF824F71000-memory.dmp

Filesize
10.8MB

Download
memory/2796-1-0x0000000000A30000-0x0000000000D54000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.