Analysis
-
max time kernel
142s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
18-12-2024 03:25
Behavioral task
behavioral1
Sample
cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a.exe
Resource
win7-20240903-en
General
-
Target
cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a.exe
-
Size
3.1MB
-
MD5
2be44f2f5ea83cbc61fbd13b50c0f88c
-
SHA1
f44df0aeb39d32c7fcff0b60e1e1283f051cd8c9
-
SHA256
cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a
-
SHA512
95f321154f0fee3171d735ec19c0c44dfb1e67f979b6590ebb134b7f14f8510c69b66d1c67a161481e643c52e61965e410c52a6779c89e3e41b04bc73e8bd7e2
-
SSDEEP
49152:KvyI22SsaNYfdPBldt698dBcjHXBnubRZELoGdaTHHB72eh2NT:Kvf22SsaNYfdPBldt6+dBcjHXBnoK
Malware Config
Extracted
Family
quasar
-
Version
1.4.1
-
Tag
AUTRE
-
C2
voltazur.ddns.net:4789
-
Mutex
eddf685a-87b7-4f5a-9bac-e09fd56aab1e
-
encryption_key
77E1CE64C90713D69376A654F4C56C1E0262C545
-
install_name
Clients.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
WindowsSystemTask
-
subdirectory
SubDare
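The encryption_key above is a PBKDF2 password, not a usable AES key: the client derives its working keys from it at start-up and then decrypts every other settings string (hosts, install name, mutex, and so on). The following Python is an added example, not code from this report or from the Quasar project. It derives the keys from this report's encryption_key and parses and authenticates the framing of one settings string; the layout (base64 of HMAC-SHA256 || IV || AES-256-CBC body, MAC over IV || body, keys read back-to-back from PBKDF2-HMAC-SHA1 with 50000 iterations and a fixed 32-byte salt) is taken from my reading of Quasar's client Aes256.cs rather than from this page, so the constant QUASAR_SALT and the scheme itself are assumptions to verify against the version you are analysing. The AES step needs the third-party cryptography package; the key derivation and MAC checks run with the standard library alone.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os

# Added example, not code from the sandbox report or from the Quasar project.
# ASSUMPTION (from my reading of Quasar's Client/Helper/Aes256.cs, not from this
# report): every encrypted settings string is
#     base64( HMAC-SHA256(32) || IV(16) || AES-256-CBC/PKCS7 body )
# with the MAC computed over IV || body, and the AES key (32 bytes) followed by
# the HMAC key (64 bytes) read back-to-back from one PBKDF2-HMAC-SHA1 stream
# seeded with the encryption_key string and this fixed salt, 50000 iterations.
QUASAR_SALT = bytes.fromhex(
    "BFEB1E56FBCD973BB219022430A57843003D5644D21E62B9D4F180E7E6C33941"
)
ITERATIONS = 50000
HMAC_LEN, IV_LEN, KEY_LEN, AUTH_KEY_LEN = 32, 16, 32, 64

# encryption_key exactly as extracted in this report.
ENCRYPTION_KEY = "77E1CE64C90713D69376A654F4C56C1E0262C545"


def derive_keys(encryption_key: str) -> tuple[bytes, bytes]:
    """Return (aes_key, hmac_key). Rfc2898DeriveBytes.GetBytes() is stateful, so
    two consecutive calls of 32 and 64 bytes equal one 96-byte PBKDF2 output."""
    stream = hashlib.pbkdf2_hmac(
        "sha1", encryption_key.encode("utf-8"), QUASAR_SALT, ITERATIONS,
        KEY_LEN + AUTH_KEY_LEN,
    )
    return stream[:KEY_LEN], stream[KEY_LEN:]


def frame(iv: bytes, body: bytes, hmac_key: bytes) -> bytes:
    """MAC-then-prepend; the inverse of split_and_verify."""
    return hmac.new(hmac_key, iv + body, hashlib.sha256).digest() + iv + body


def split_and_verify(blob: bytes, hmac_key: bytes) -> tuple[bytes, bytes]:
    """Check the leading MAC, then return (iv, body). A wrong encryption_key or
    a tampered string fails here, before any AES work is done."""
    if len(blob) < HMAC_LEN + IV_LEN + 16:
        raise ValueError("too short for MAC || IV || one AES block")
    tag, rest = blob[:HMAC_LEN], blob[HMAC_LEN:]
    expected = hmac.new(hmac_key, rest, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC mismatch: wrong encryption_key or corrupted setting")
    return rest[:IV_LEN], rest[IV_LEN:]


def blob_is_authentic(blob: bytes, hmac_key: bytes) -> bool:
    """Boolean form of split_and_verify for triage scripts."""
    try:
        split_and_verify(blob, hmac_key)
        return True
    except ValueError:
        return False


def decrypt_setting(b64_setting: str, encryption_key: str) -> str:
    """Decrypt one settings string. AES comes from the third-party 'cryptography'
    package, imported after the MAC check so that check works without it."""
    aes_key, hmac_key = derive_keys(encryption_key)
    iv, body = split_and_verify(base64.b64decode(b64_setting), hmac_key)
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    dec = Cipher(algorithms.AES(aes_key), modes.CBC(iv)).decryptor()
    unpad = padding.PKCS7(128).unpadder()
    padded = dec.update(body) + dec.finalize()
    return (unpad.update(padded) + unpad.finalize()).decode("utf-8")


def encrypt_setting(plaintext: str, encryption_key: str) -> str:
    """Builder-side counterpart, handy for producing your own test vectors."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    aes_key, hmac_key = derive_keys(encryption_key)
    iv = os.urandom(IV_LEN)
    pad = padding.PKCS7(128).padder()
    padded = pad.update(plaintext.encode("utf-8")) + pad.finalize()
    enc = Cipher(algorithms.AES(aes_key), modes.CBC(iv)).encryptor()
    body = enc.update(padded) + enc.finalize()
    return base64.b64encode(frame(iv, body, hmac_key)).decode("ascii")


if __name__ == "__main__":
    # Round-trip a constructed hosts string built from this report's C2 (the
    # "host:port;" layout is an assumption) when 'cryptography' is installed.
    try:
        sealed = encrypt_setting("voltazur.ddns.net:4789;", ENCRYPTION_KEY)
        print(decrypt_setting(sealed, ENCRYPTION_KEY))
    except ImportError:
        print("install 'cryptography' to run the AES round trip")
```

Because the MAC is checked before decryption, a wrong encryption_key is reported as an HMAC mismatch rather than as garbage plaintext, which is the quickest way to confirm that a key pulled from a sample belongs to the strings you are trying to decode.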
Signatures
-
Quasar family
-
Quasar payload 9 IoCs
resource  yara_rule
behavioral1/memory/2016-1-0x0000000001150000-0x0000000001474000-memory.dmp  family_quasar
behavioral1/files/0x0008000000016d2e-4.dat  family_quasar
behavioral1/memory/800-7-0x0000000000120000-0x0000000000444000-memory.dmp  family_quasar
behavioral1/memory/1748-22-0x0000000001310000-0x0000000001634000-memory.dmp  family_quasar
behavioral1/memory/2644-94-0x0000000000050000-0x0000000000374000-memory.dmp  family_quasar
behavioral1/memory/852-105-0x0000000000230000-0x0000000000554000-memory.dmp  family_quasar
behavioral1/memory/2116-116-0x0000000000E90000-0x00000000011B4000-memory.dmp  family_quasar
behavioral1/memory/1852-138-0x0000000001050000-0x0000000001374000-memory.dmp  family_quasar
behavioral1/memory/280-159-0x0000000000300000-0x0000000000624000-memory.dmp  family_quasar
-
Executes dropped EXE 15 IoCs
pid   Process
800   Clients.exe
1748  Clients.exe
1812  Clients.exe
2132  Clients.exe
2408  Clients.exe
1660  Clients.exe
2332  Clients.exe
2800  Clients.exe
2644  Clients.exe
852   Clients.exe
2116  Clients.exe
1452  Clients.exe
1852  Clients.exe
2904  Clients.exe
280   Clients.exe
-
Drops file in Program Files directory 2 IoCs
description                   ioc                                    Process
File created                  C:\Program Files\SubDare\Clients.exe   cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a.exe
File opened for modification  C:\Program Files\SubDare\Clients.exe   cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Note that every ping in this run is "ping -n 10 localhost" issued from a dropped .bat (see the process tree below); against localhost this is a roughly ten-second delay before the next Clients.exe launch, not a connectivity check, so the technique label here is a classification of the tool, not of the behaviour.
pid   Process
2268  PING.EXE
1436  PING.EXE
968   PING.EXE
2732  PING.EXE
2648  PING.EXE
1016  PING.EXE
3016  PING.EXE
2892  PING.EXE
2140  PING.EXE
3004  PING.EXE
1716  PING.EXE
636   PING.EXE
2704  PING.EXE
2592  PING.EXE
876   PING.EXE
-
Runs ping.exe 1 TTPs 15 IoCs
pid   Process
1436  PING.EXE
2592  PING.EXE
2140  PING.EXE
2648  PING.EXE
2268  PING.EXE
968   PING.EXE
1016  PING.EXE
3016  PING.EXE
2892  PING.EXE
636   PING.EXE
2704  PING.EXE
876   PING.EXE
2732  PING.EXE
3004  PING.EXE
1716  PING.EXE
-
Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
All 16 instances run the same command line (see the process tree below): schtasks /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f, which re-registers the task at every restart of the client, runs it at each logon with the highest run level, and overwrites silently (/f).
pid   Process
2544  schtasks.exe
896   schtasks.exe
2884  schtasks.exe
1684  schtasks.exe
1736  schtasks.exe
2540  schtasks.exe
3008  schtasks.exe
2040  schtasks.exe
2672  schtasks.exe
2572  schtasks.exe
708   schtasks.exe
2060  schtasks.exe
2904  schtasks.exe
2748  schtasks.exe
492   schtasks.exe
2428  schtasks.exe
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
description              pid   Process
Token: SeDebugPrivilege  2016  cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a.exe
Token: SeDebugPrivilege  800   Clients.exe
Token: SeDebugPrivilege  1748  Clients.exe
Token: SeDebugPrivilege  1812  Clients.exe
Token: SeDebugPrivilege  2132  Clients.exe
Token: SeDebugPrivilege  2408  Clients.exe
Token: SeDebugPrivilege  1660  Clients.exe
Token: SeDebugPrivilege  2332  Clients.exe
Token: SeDebugPrivilege  2800  Clients.exe
Token: SeDebugPrivilege  2644  Clients.exe
Token: SeDebugPrivilege  852   Clients.exe
Token: SeDebugPrivilege  2116  Clients.exe
Token: SeDebugPrivilege  1452  Clients.exe
Token: SeDebugPrivilege  1852  Clients.exe
Token: SeDebugPrivilege  2904  Clients.exe
Token: SeDebugPrivilege  280   Clients.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Each row below was recorded three times in the original list; the last row appears once, where the list ends at 64 entries.
description                       pid   Process                                                                    procid_target
PID 2016 wrote to memory of 2040  2016  cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a.exe  31
PID 2016 wrote to memory of 800   2016  cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a.exe  33
PID 800 wrote to memory of 2672   800   Clients.exe  34
PID 800 wrote to memory of 2664   800   Clients.exe  36
PID 2664 wrote to memory of 2908  2664  cmd.exe      38
PID 2664 wrote to memory of 2648  2664  cmd.exe      39
PID 2664 wrote to memory of 1748  2664  cmd.exe      40
PID 1748 wrote to memory of 2544  1748  Clients.exe  41
PID 1748 wrote to memory of 1720  1748  Clients.exe  43
PID 1720 wrote to memory of 1392  1720  cmd.exe      45
PID 1720 wrote to memory of 1716  1720  cmd.exe      46
PID 1720 wrote to memory of 1812  1720  cmd.exe      47
PID 1812 wrote to memory of 492   1812  Clients.exe  48
PID 1812 wrote to memory of 1988  1812  Clients.exe  50
PID 1988 wrote to memory of 1764  1988  cmd.exe      52
PID 1988 wrote to memory of 636   1988  cmd.exe      53
PID 1988 wrote to memory of 2132  1988  cmd.exe      54
PID 2132 wrote to memory of 2572  2132  Clients.exe  55
PID 2132 wrote to memory of 2340  2132  Clients.exe  57
PID 2340 wrote to memory of 288   2340  cmd.exe      59
PID 2340 wrote to memory of 1016  2340  cmd.exe      60
PID 2340 wrote to memory of 2408  2340  cmd.exe      61
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
The number in brackets is the nesting depth in the process tree; each process's parent is the nearest entry above it with a depth one lower. The second line of each entry is the command line; the bullets are the signatures that fired on that process.

[1] C:\Users\Admin\AppData\Local\Temp\cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a.exe (PID 2016)
    "C:\Users\Admin\AppData\Local\Temp\cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a.exe"
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\system32\schtasks.exe (PID 2040)
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[2] C:\Program Files\SubDare\Clients.exe (PID 800)
    "C:\Program Files\SubDare\Clients.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\system32\schtasks.exe (PID 2672)
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[3] C:\Windows\system32\cmd.exe (PID 2664)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\QWZWFiXp85GN.bat" "
    - Suspicious use of WriteProcessMemory
[4] C:\Windows\system32\chcp.com (PID 2908)
    chcp 65001
[4] C:\Windows\system32\PING.EXE (PID 2648)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[4] C:\Program Files\SubDare\Clients.exe (PID 1748)
    "C:\Program Files\SubDare\Clients.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[5] C:\Windows\system32\schtasks.exe (PID 2544)
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[5] C:\Windows\system32\cmd.exe (PID 1720)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\L3lHsHgij9RN.bat" "
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\system32\chcp.com (PID 1392)
    chcp 65001
[6] C:\Windows\system32\PING.EXE (PID 1716)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[6] C:\Program Files\SubDare\Clients.exe (PID 1812)
    "C:\Program Files\SubDare\Clients.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[7] C:\Windows\system32\schtasks.exe (PID 492)
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[7] C:\Windows\system32\cmd.exe (PID 1988)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\DcbwhKJePWj1.bat" "
    - Suspicious use of WriteProcessMemory
[8] C:\Windows\system32\chcp.com (PID 1764)
    chcp 65001
[8] C:\Windows\system32\PING.EXE (PID 636)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[8] C:\Program Files\SubDare\Clients.exe (PID 2132)
    "C:\Program Files\SubDare\Clients.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[9] C:\Windows\system32\schtasks.exe (PID 2572)
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[9] C:\Windows\system32\cmd.exe (PID 2340)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\XSGGPIJdThMP.bat" "
    - Suspicious use of WriteProcessMemory
[10] C:\Windows\system32\chcp.com (PID 288)
    chcp 65001
[10] C:\Windows\system32\PING.EXE (PID 1016)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[10] C:\Program Files\SubDare\Clients.exe (PID 2408)
    "C:\Program Files\SubDare\Clients.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[11] C:\Windows\system32\schtasks.exe (PID 708)
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[11] C:\Windows\system32\cmd.exe (PID 1740)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\0uU6c1kWvuHq.bat" "
[12] C:\Windows\system32\chcp.com (PID 2492)
    chcp 65001
[12] C:\Windows\system32\PING.EXE (PID 2268)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[12] C:\Program Files\SubDare\Clients.exe (PID 1660)
    "C:\Program Files\SubDare\Clients.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[13] C:\Windows\system32\schtasks.exe (PID 2060)
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[13] C:\Windows\system32\cmd.exe (PID 1576)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\eq8U2DiAtIgk.bat" "
[14] C:\Windows\system32\chcp.com (PID 992)
    chcp 65001
[14] C:\Windows\system32\PING.EXE (PID 3016)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[14] C:\Program Files\SubDare\Clients.exe (PID 2332)
    "C:\Program Files\SubDare\Clients.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[15] C:\Windows\system32\schtasks.exe (PID 2904)
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[15] C:\Windows\system32\cmd.exe (PID 2320)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Q69C8UCIVrJz.bat" "
[16] C:\Windows\system32\chcp.com (PID 2128)
    chcp 65001
[16] C:\Windows\system32\PING.EXE (PID 1436)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[16] C:\Program Files\SubDare\Clients.exe (PID 2800)
    "C:\Program Files\SubDare\Clients.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[17] C:\Windows\system32\schtasks.exe (PID 2540)
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[17] C:\Windows\system32\cmd.exe (PID 2188)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\YbCsz7D1nP1W.bat" "
[18] C:\Windows\system32\chcp.com (PID 2804)
    chcp 65001
[18] C:\Windows\system32\PING.EXE (PID 2704)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[18] C:\Program Files\SubDare\Clients.exe (PID 2644)
    "C:\Program Files\SubDare\Clients.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[19] C:\Windows\system32\schtasks.exe (PID 3008)
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[19] C:\Windows\system32\cmd.exe (PID 2584)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\uXuM2BH4GxYY.bat" "
[20] C:\Windows\system32\chcp.com (PID 1560)
    chcp 65001
[20] C:\Windows\system32\PING.EXE (PID 2592)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[20] C:\Program Files\SubDare\Clients.exe (PID 852)
    "C:\Program Files\SubDare\Clients.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[21] C:\Windows\system32\schtasks.exe (PID 896)
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[21] C:\Windows\system32\cmd.exe (PID 1780)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\25dXRJ8ViD2t.bat" "
[22] C:\Windows\system32\chcp.com (PID 2708)
    chcp 65001
[22] C:\Windows\system32\PING.EXE (PID 2892)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[22] C:\Program Files\SubDare\Clients.exe (PID 2116)
    "C:\Program Files\SubDare\Clients.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[23] C:\Windows\system32\schtasks.exe (PID 2884)
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[23] C:\Windows\system32\cmd.exe (PID 2088)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\mXDETjKuWRZT.bat" "
[24] C:\Windows\system32\chcp.com (PID 1608)
    chcp 65001
[24] C:\Windows\system32\PING.EXE (PID 968)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[24] C:\Program Files\SubDare\Clients.exe (PID 1452)
    "C:\Program Files\SubDare\Clients.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[25] C:\Windows\system32\schtasks.exe (PID 1684)
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[25] C:\Windows\system32\cmd.exe (PID 2268)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\eziNP41OjmHP.bat" "
[26] C:\Windows\system32\chcp.com (PID 1284)
    chcp 65001
[26] C:\Windows\system32\PING.EXE (PID 2140)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[26] C:\Program Files\SubDare\Clients.exe (PID 1852)
    "C:\Program Files\SubDare\Clients.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[27] C:\Windows\system32\schtasks.exe (PID 2428)
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[27] C:\Windows\system32\cmd.exe (PID 1908)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\ajJ5YMEw1shS.bat" "
[28] C:\Windows\system32\chcp.com (PID 1900)
    chcp 65001
[28] C:\Windows\system32\PING.EXE (PID 876)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[28] C:\Program Files\SubDare\Clients.exe (PID 2904)
    "C:\Program Files\SubDare\Clients.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[29] C:\Windows\system32\schtasks.exe (PID 1736)
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[29] C:\Windows\system32\cmd.exe (PID 2992)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\qc4lOcciED3j.bat" "
[30] C:\Windows\system32\chcp.com (PID 840)
    chcp 65001
[30] C:\Windows\system32\PING.EXE (PID 2732)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[30] C:\Program Files\SubDare\Clients.exe (PID 280)
    "C:\Program Files\SubDare\Clients.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[31] C:\Windows\system32\schtasks.exe (PID 2748)
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[31] C:\Windows\system32\cmd.exe (PID 2636)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\yb7nR2sP8elM.bat" "
[32] C:\Windows\system32\chcp.com (PID 2872)
    chcp 65001
[32] C:\Windows\system32\PING.EXE (PID 3004)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
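The tree above is one repeating cycle: each Clients.exe registers the ONLOGON task at run level HIGHEST, writes a randomly named .bat into %TEMP%, and that batch sets the code page, waits with "ping -n 10 localhost" (roughly nine seconds) and then launches a fresh Clients.exe from the same Program Files path, which starts the cycle again. The chcp 65001 / ping -n 10 localhost sequence is consistent with the restart batch the Quasar client writes. Hunting for it on host telemetry comes down to two parent/child patterns and their intersection. The Python below is an added example, not part of the report: it reconstructs parent/child links from constructed process-creation events (the PIDs, images and command lines of the first two levels of this tree, plus one benign cmd/ping chain that must not fire), flags the task registration and the batch restart loop separately, and then correlates them. The event layout is only loosely modelled on a Sysmon Event ID 1 record, and the sample's parent PID 1536 and the benign C:\Tools\netcheck.bat chain are assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Added example, not part of the sandbox report. The event shape is an assumption
# (roughly the fields of a Sysmon Event ID 1 record); the malicious events copy the
# PIDs, images and command lines of the first two levels of the report's tree.


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class TaskCreate:
    pid: int
    task_name: str
    target: str


@dataclass(frozen=True)
class RestartLoop:
    cmd_pid: int        # the cmd.exe running the dropped .bat
    image: str          # binary that spawned the batch and is re-launched by it
    delay_seconds: int  # "ping -n N localhost" waits roughly N-1 seconds
    respawn_pid: int


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a.exe")
CLIENT = r"C:\Program Files\SubDare\Clients.exe"
SCHTASKS_CMD = (r'"schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON '
                r'/tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f')

EVENTS = [
    ProcEvent(2016, 1536, SAMPLE, f'"{SAMPLE}"'),  # parent PID 1536 is assumed
    ProcEvent(2040, 2016, r"C:\Windows\system32\schtasks.exe", SCHTASKS_CMD),
    ProcEvent(800, 2016, CLIENT, f'"{CLIENT}"'),
    ProcEvent(2672, 800, r"C:\Windows\system32\schtasks.exe", SCHTASKS_CMD),
    ProcEvent(2664, 800, r"C:\Windows\system32\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\QWZWFiXp85GN.bat" "'),
    ProcEvent(2908, 2664, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ProcEvent(2648, 2664, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    ProcEvent(1748, 2664, CLIENT, f'"{CLIENT}"'),
    # Constructed benign chain: an admin batch pinging a real host must not fire.
    ProcEvent(3100, 900, r"C:\Windows\system32\cmd.exe", r'cmd /c "C:\Tools\netcheck.bat"'),
    ProcEvent(3104, 3100, r"C:\Windows\system32\PING.EXE", "ping -n 4 10.0.0.1"),
]

SCHTASKS_CREATE = re.compile(r'^\s*"?schtasks(?:\.exe)?"?\s+/create\b', re.I)
BAT_IN_TEMP = re.compile(r'\\AppData\\Local\\Temp\\[^"\\]+\.bat\b', re.I)
PING_LOCALHOST = re.compile(
    r'^\s*ping(?:\.exe)?\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\s*$', re.I)


def _arg(cmdline: str, flag: str) -> str | None:
    """Value of a schtasks /flag, quoted or bare; None if the flag is absent."""
    m = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % flag, cmdline, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def find_logon_highest_tasks(events: list[ProcEvent]) -> list[TaskCreate]:
    """schtasks /create with /sc ONLOGON and /rl HIGHEST: runs at every logon with
    the highest token available, the shape this report shows 16 times."""
    hits = []
    for e in events:
        if not SCHTASKS_CREATE.match(e.cmdline):
            continue
        if (_arg(e.cmdline, "sc") or "").upper() != "ONLOGON":
            continue
        if (_arg(e.cmdline, "rl") or "").upper() != "HIGHEST":
            continue
        hits.append(TaskCreate(e.pid, _arg(e.cmdline, "tn") or "", _arg(e.cmdline, "tr") or ""))
    return hits


def find_restart_loops(events: list[ProcEvent]) -> list[RestartLoop]:
    """cmd.exe running a .bat from %TEMP% whose children are a localhost ping (the
    delay) and a fresh copy of the very binary that launched the batch."""
    by_pid = {e.pid: e for e in events}
    children: dict[int, list[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    hits = []
    for cmd in events:
        if not cmd.image.lower().endswith("\\cmd.exe") or not BAT_IN_TEMP.search(cmd.cmdline):
            continue
        parent = by_pid.get(cmd.ppid)
        if parent is None:
            continue
        kids = children.get(cmd.pid, [])
        delays = [int(m.group(1)) for k in kids if (m := PING_LOCALHOST.match(k.cmdline))]
        respawns = [k for k in kids if k.image.lower() == parent.image.lower()]
        if delays and respawns:
            hits.append(RestartLoop(cmd.pid, parent.image, max(delays) - 1, respawns[0].pid))
    return hits


def correlate(events: list[ProcEvent]) -> list[RestartLoop]:
    """Highest confidence: the binary the batch re-launches is also the /tr target
    of an ONLOGON/HIGHEST task in the same event set."""
    targets = {t.target.lower() for t in find_logon_highest_tasks(events)}
    return [loop for loop in find_restart_loops(events) if loop.image.lower() in targets]


if __name__ == "__main__":
    for t in find_logon_highest_tasks(EVENTS):
        print(f"task  pid={t.pid} name={t.task_name!r} runs {t.target}")
    for loop in correlate(EVENTS):
        print(f"loop  cmd={loop.cmd_pid} relaunches {loop.image} "
              f"after ~{loop.delay_seconds}s as pid {loop.respawn_pid}")
```

The two detectors are deliberately kept separate: an ONLOGON/HIGHEST task from a user-writable path is worth a ticket on its own, and the batch restart loop fires on the parent/child shape regardless of the task, so a sample that skips one of the two steps still trips the other; the correlation is what lifts the pair to a high-confidence alert.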
MITRE ATT&CK Enterprise v15
Downloads

Filesize 3.1MB (the submitted sample; hashes match the General section)
MD5     2be44f2f5ea83cbc61fbd13b50c0f88c
SHA1    f44df0aeb39d32c7fcff0b60e1e1283f051cd8c9
SHA256  cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a
SHA512  95f321154f0fee3171d735ec19c0c44dfb1e67f979b6590ebb134b7f14f8510c69b66d1c67a161481e643c52e61965e410c52a6779c89e3e41b04bc73e8bd7e2

Fifteen 195-byte files follow; the process tree above shows fifteen randomly named .bat scripts in %TEMP%, the same count.

Filesize 195B
MD5     11c69ed0ae73f79fa4e6b83dc4a346fb
SHA1    e24ae6f0b1388c0b99fd3ba907ee94bbb650a999
SHA256  ffdad7132b69b3dfc78e3902163739ea74cd83651fad8687417166ccbec5e36c
SHA512  dd343509d55779de1af46cfa27601214e069df399c6cba1261ac6bcc38e079d0aecf6d3fe5a96e0dc56086c6def4a45f60066cadf6d47573f800fc032ecb4c9a

Filesize 195B
MD5     c432c26bd8207fe1fac17ee7419ac413
SHA1    a725288111d77a56d2aa9906ba6a399f6b83dbf6
SHA256  291571347cb5618b2e74b4a20f2279cf6c9c609be84f970c7dcace340853518f
SHA512  8593142a3d601d48600e0292a0f3c7904992f881dd00b276420a782c7a7c523eee67639eceed04169ee031f011ce872800130d8f16141bb73e685541b59f10a0

Filesize 195B
MD5     d8466feb01e2e00b28819de236f6a19c
SHA1    c52f0a0e2f28802c36c2831bed3602f650b157c7
SHA256  237eb28aabb9d968a58154fdfed2c41bf5b5d4ce7339a2378d0abc4def02c20c
SHA512  fe9cd0e587c322da3ddda69655c296d9cf858ab86dcdee4a77c2b987832fbe675b16b1880a3b8ee2f75354ddcf96fd811a7cd8d257d14f8f4d097cd2d1d16bed

Filesize 195B
MD5     3a6eba4b3d2959a71bac28dc5b0806a4
SHA1    904b1c8a23e2423f580da8bb11bce415df582d4b
SHA256  d4e325af575ae918e07d687533790b6e83befcd2f48ce6f994981afd2e26431f
SHA512  53993f65e13315c4ceebd4545d58efb5d00c9343f999361790c4de4203c157198abd86205540d60faa7c671ba13944778e0cd664e9eb49a429ef4f928bb865ba

Filesize 195B
MD5     c6a0136fc19d1e8b6b31d77b2bddb276
SHA1    9ec2e617cea7faabacb2b781c961cb0f6e0c9334
SHA256  e226da82b1aca8895d5142cba5ec6781cf22ba2228105572881bff3eb49ff5b3
SHA512  62bbabba42337a3a1363bb1556a627b7fbcd44611046d4a5b35fe1286003d9456ff1164587288544cc8df31cd9adca5358113d6767e2c80f7c4fd2fb80e3f3cc

Filesize 195B
MD5     2c8a0cbc0826080e3eb8dbe0264587a0
SHA1    b1995353fb0ecc8780131c6fc53fabf453ad7c2c
SHA256  31bfac750999ace8e3822bf211dfda7f1def664e933eb3d877ee2ff7d723a595
SHA512  8c032886bc10e401a8351b26e0ca05ec742ae3360b7a8d6d6348dce005f389a1fe60da7ebfc011bb5a0d7d23da90d2a92e8ab94a9ed3205c252e988e38bae19a

Filesize 195B
MD5     5b962861b365163ba290a6cf771d81f9
SHA1    8bc746163b9544f1bcde6bdf6369391030e27f80
SHA256  ae8f0ad95315320001970f2568b45e611a75aaca3cdb28c45b40405bd33f507d
SHA512  4299f0b0d8d1e12b3dbb88a07f0a60021ed6b97d16150942d2cf793c81f7eef791cc2ae808d15e80d80a07a2b0fc412b2d299e8f27e4402f789791c23d8b127d

Filesize 195B
MD5     0b321320a8f6b0d7e1ae9e8b31c387eb
SHA1    c45a24d8c626270cf45e17f288703059e9f87939
SHA256  a17243b1c6212a564f5ff95d8da638f2bc1f22f4d1cad493ef727975be68f73a
SHA512  bcd71e27fb51bd66f914e7a859ce480dd2d608f575a1c2a1f16e370c2eceab1010c35c1e976f2dc8c7c70962caa1457796e3164b229d0fd1108dabb673eced42

Filesize 195B
MD5     80b7e10b13b7e85b09ca32ae4c35d6fb
SHA1    9d334a51f116f1862de86bce7d73d7fb09313f9b
SHA256  73193a45c8ed1c3676f38658f12f81ffe08374a2df60f8c57a9aad194d4ccb7d
SHA512  3678aaa19f88517a8aaa450c7f8c9deea0f06a9d06a9c861929b99cc120a1aa37e808a91a5a03af868b0e60570e7e80e21f411abe207549a6070535f1104dd10

Filesize 195B
MD5     3ee44d0b58468a1a512816ced30c56f6
SHA1    98abf7c9f1e2ac089cd49733429b0f5b023afa8e
SHA256  f4a11cd845aad8b0d042b34467e496202948b5edfb0490778a8972af19ce63ea
SHA512  3e66d10859f747878881fc2ca09dda420db09d851c5124f8781363000f3063314f7f036355b8b0c49ddd28f2d27995b2a39413ccc8b201cece250f430391d920

Filesize 195B
MD5     e6fb6022a3d7a97c8440df1145be0d37
SHA1    61f977a2aa613bd6616087beaa7471c9ddb4d0cc
SHA256  ab2b2f387532e2b968757d801764fc91b8d3f4f9885002bab043966782bfbf2b
SHA512  e00399d65732efba41f8f64635c74014962d6ceb2b6ae3b087787b1ee40f9b54d37f362e8a9f5d97f1bbe8596b8ee3ba564cf4bc7d7099fec0cae561eca56e83

Filesize 195B
MD5     aa10f5ee0e1eb037b3761488603e3e9d
SHA1    1bc36880fc532ccb7c5894b1496d1e2d2dc61dad
SHA256  639155faefb7ba437caff0a9a0471777e5a5e8d88200ec389bb266512fc35fa3
SHA512  6f3ece23228209aa5e4ff6384344ed7e73d535ca6708335177094398c97df9fc84434c08fb35130b38f6a28dbfafc6f9bf988c97ce13c1e9bcb5274b5a1b09cb

Filesize 195B
MD5     e5a08fef06616181eebb0092f3dc592a
SHA1    0d24b3e0199f6c6f9f9854d0ac322af8e7a916be
SHA256  4c3492927257ee9a8728540b1ca60654a4181bfbdc1e3e282ce53cd088a86b7e
SHA512  d7f5dc755d690c15374579d8b8d7f4641d4bc1e826a58847a041d10b88b6791428955ca5e5d048b9f067299a50873d2b0496c40a5d4295f9afa0fe7858e4326b

Filesize 195B
MD5     e0bb7d5ba3453daa7898671147aa9b46
SHA1    12a74100fa04c0066183c7d3d33b89fa324b9e8e
SHA256  99512e7f7ac0dec7566df89b6da9771f82f724845435609637608228fa133113
SHA512  2f4a86bb1b4dce0ac8ba9d4f50af1291d122168ca2da72646fa3f1bd5d0ed70b02e77feb6c78da40fb66c8ad69013ba31e6ebe0d678d95f14876b103b5f9b8c6

Filesize 195B
MD5     8d43cbcd045e83404f46379457660133
SHA1    8a70c7fee8ed35abdcd8fdb52ecccecafbc2b5c2
SHA256  96e4bf1581d62bbcaed271b649a18200f19a48148f56909bae7e7a9991fc38c2
SHA512  af33e72b0a6358bd6e38bd7f95f94db8da160fc0969eeb8f94d797c59e4ca942c2fa316bf21f26f8e12beabf213b5864b6157d493f5243d451c507603607d76b