quasar | f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe
Size

3.1MB
MD5

df7b0e428b11f8aa5102168e65156a3b
SHA1

7a48d280aee1b17e8a2e36b21c7441d4670cc7bc
SHA256

f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9
SHA512

c3dee0a61bc87eb230dce708172c95c5b3209d6d3c07198c2b92b68e5bd6d10e0ddf5193c4ad98be3bcb24e9627ef936de2a78274f477b33cacfe5117dc97abb
SSDEEP

49152:HvyI22SsaNYfdPBldt698dBcjH+a071Jv0oGdPZTHHB72eh2NT:Hvf22SsaNYfdPBldt6+dBcjH+a0A/

Score

10^/10

quasar brouteur discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

BROUTEUR

voltazur.ddns.net:4789

Mutex

b435e96f-9e1a-4119-b07d-1ebccf7eb1b5

Attributes

encryption_key
77E1CE64C90713D69376A654F4C56C1E0262C545
install_name
Clients.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsSystemTask
subdirectory
SubDare

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 11 IoCs

resource	yara_rule
behavioral1/memory/2940-1-0x0000000000D80000-0x00000000010A4000-memory.dmp	family_quasar
behavioral1/files/0x0027000000015d6d-5.dat	family_quasar
behavioral1/memory/2876-7-0x0000000000220000-0x0000000000544000-memory.dmp	family_quasar
behavioral1/memory/2460-22-0x0000000000D70000-0x0000000001094000-memory.dmp	family_quasar
behavioral1/memory/2308-64-0x0000000001040000-0x0000000001364000-memory.dmp	family_quasar
behavioral1/memory/1420-106-0x0000000001170000-0x0000000001494000-memory.dmp	family_quasar
behavioral1/memory/3004-117-0x0000000001340000-0x0000000001664000-memory.dmp	family_quasar
behavioral1/memory/3044-139-0x0000000000150000-0x0000000000474000-memory.dmp	family_quasar
behavioral1/memory/1728-150-0x0000000000A80000-0x0000000000DA4000-memory.dmp	family_quasar
behavioral1/memory/2880-162-0x0000000000190000-0x00000000004B4000-memory.dmp	family_quasar
behavioral1/memory/2600-173-0x0000000000A30000-0x0000000000D54000-memory.dmp	family_quasar

Executes dropped EXE 16 IoCs

pid	Process
2876	Clients.exe
2460	Clients.exe
2852	Clients.exe
584	Clients.exe
288	Clients.exe
2308	Clients.exe
876	Clients.exe
2348	Clients.exe
1672	Clients.exe
1420	Clients.exe
3004	Clients.exe
1244	Clients.exe
3044	Clients.exe
1728	Clients.exe
2880	Clients.exe
2600	Clients.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\SubDare\Clients.exe	f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe
File opened for modification	C:\Program Files\SubDare\Clients.exe	f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 16 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2784	PING.EXE
1336	PING.EXE
2668	PING.EXE
540	PING.EXE
2148	PING.EXE
2200	PING.EXE
2692	PING.EXE
2880	PING.EXE
2608	PING.EXE
1540	PING.EXE
1872	PING.EXE
1580	PING.EXE
1396	PING.EXE
332	PING.EXE
2168	PING.EXE
476	PING.EXE

Runs ping.exe 1 TTPs 16 IoCs

Remote System Discovery

T1018

pid	Process
1540	PING.EXE
476	PING.EXE
1872	PING.EXE
2784	PING.EXE
2200	PING.EXE
1396	PING.EXE
540	PING.EXE
2608	PING.EXE
2148	PING.EXE
1580	PING.EXE
2692	PING.EXE
2668	PING.EXE
332	PING.EXE
1336	PING.EXE
2880	PING.EXE
2168	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1676	schtasks.exe
2224	schtasks.exe
1040	schtasks.exe
1840	schtasks.exe
2932	schtasks.exe
2140	schtasks.exe
2032	schtasks.exe
2012	schtasks.exe
2920	schtasks.exe
1080	schtasks.exe
2704	schtasks.exe
1608	schtasks.exe
2516	schtasks.exe
2348	schtasks.exe
1072	schtasks.exe
1164	schtasks.exe
2520	schtasks.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2940	f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe
Token: SeDebugPrivilege	2876	Clients.exe
Token: SeDebugPrivilege	2460	Clients.exe
Token: SeDebugPrivilege	2852	Clients.exe
Token: SeDebugPrivilege	584	Clients.exe
Token: SeDebugPrivilege	288	Clients.exe
Token: SeDebugPrivilege	2308	Clients.exe
Token: SeDebugPrivilege	876	Clients.exe
Token: SeDebugPrivilege	2348	Clients.exe
Token: SeDebugPrivilege	1672	Clients.exe
Token: SeDebugPrivilege	1420	Clients.exe
Token: SeDebugPrivilege	3004	Clients.exe
Token: SeDebugPrivilege	1244	Clients.exe
Token: SeDebugPrivilege	3044	Clients.exe
Token: SeDebugPrivilege	1728	Clients.exe
Token: SeDebugPrivilege	2880	Clients.exe
Token: SeDebugPrivilege	2600	Clients.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2140	2940	f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe	30
PID 2940 wrote to memory of 2140	2940	f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe	30
PID 2940 wrote to memory of 2140	2940	f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe	30
PID 2940 wrote to memory of 2876	2940	f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe	32
PID 2940 wrote to memory of 2876	2940	f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe	32
PID 2940 wrote to memory of 2876	2940	f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe	32
PID 2876 wrote to memory of 2348	2876	Clients.exe	33
PID 2876 wrote to memory of 2348	2876	Clients.exe	33
PID 2876 wrote to memory of 2348	2876	Clients.exe	33
PID 2876 wrote to memory of 2744	2876	Clients.exe	35
PID 2876 wrote to memory of 2744	2876	Clients.exe	35
PID 2876 wrote to memory of 2744	2876	Clients.exe	35
PID 2744 wrote to memory of 2660	2744	cmd.exe	37
PID 2744 wrote to memory of 2660	2744	cmd.exe	37
PID 2744 wrote to memory of 2660	2744	cmd.exe	37
PID 2744 wrote to memory of 1872	2744	cmd.exe	38
PID 2744 wrote to memory of 1872	2744	cmd.exe	38
PID 2744 wrote to memory of 1872	2744	cmd.exe	38
PID 2744 wrote to memory of 2460	2744	cmd.exe	39
PID 2744 wrote to memory of 2460	2744	cmd.exe	39
PID 2744 wrote to memory of 2460	2744	cmd.exe	39
PID 2460 wrote to memory of 1676	2460	Clients.exe	40
PID 2460 wrote to memory of 1676	2460	Clients.exe	40
PID 2460 wrote to memory of 1676	2460	Clients.exe	40
PID 2460 wrote to memory of 1636	2460	Clients.exe	42
PID 2460 wrote to memory of 1636	2460	Clients.exe	42
PID 2460 wrote to memory of 1636	2460	Clients.exe	42
PID 1636 wrote to memory of 1812	1636	cmd.exe	44
PID 1636 wrote to memory of 1812	1636	cmd.exe	44
PID 1636 wrote to memory of 1812	1636	cmd.exe	44
PID 1636 wrote to memory of 2784	1636	cmd.exe	45
PID 1636 wrote to memory of 2784	1636	cmd.exe	45
PID 1636 wrote to memory of 2784	1636	cmd.exe	45
PID 1636 wrote to memory of 2852	1636	cmd.exe	47
PID 1636 wrote to memory of 2852	1636	cmd.exe	47
PID 1636 wrote to memory of 2852	1636	cmd.exe	47
PID 2852 wrote to memory of 2032	2852	Clients.exe	48
PID 2852 wrote to memory of 2032	2852	Clients.exe	48
PID 2852 wrote to memory of 2032	2852	Clients.exe	48
PID 2852 wrote to memory of 2972	2852	Clients.exe	50
PID 2852 wrote to memory of 2972	2852	Clients.exe	50
PID 2852 wrote to memory of 2972	2852	Clients.exe	50
PID 2972 wrote to memory of 544	2972	cmd.exe	52
PID 2972 wrote to memory of 544	2972	cmd.exe	52
PID 2972 wrote to memory of 544	2972	cmd.exe	52
PID 2972 wrote to memory of 1580	2972	cmd.exe	53
PID 2972 wrote to memory of 1580	2972	cmd.exe	53
PID 2972 wrote to memory of 1580	2972	cmd.exe	53
PID 2972 wrote to memory of 584	2972	cmd.exe	54
PID 2972 wrote to memory of 584	2972	cmd.exe	54
PID 2972 wrote to memory of 584	2972	cmd.exe	54
PID 584 wrote to memory of 1072	584	Clients.exe	55
PID 584 wrote to memory of 1072	584	Clients.exe	55
PID 584 wrote to memory of 1072	584	Clients.exe	55
PID 584 wrote to memory of 2480	584	Clients.exe	57
PID 584 wrote to memory of 2480	584	Clients.exe	57
PID 584 wrote to memory of 2480	584	Clients.exe	57
PID 2480 wrote to memory of 1816	2480	cmd.exe	59
PID 2480 wrote to memory of 1816	2480	cmd.exe	59
PID 2480 wrote to memory of 1816	2480	cmd.exe	59
PID 2480 wrote to memory of 2200	2480	cmd.exe	60
PID 2480 wrote to memory of 2200	2480	cmd.exe	60
PID 2480 wrote to memory of 2200	2480	cmd.exe	60
PID 2480 wrote to memory of 288	2480	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe
"C:\Users\Admin\AppData\Local\Temp\f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2140
- C:\Program Files\SubDare\Clients.exe
  "C:\Program Files\SubDare\Clients.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2348
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\OCS2fUji29Bf.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2660
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1872
  - - C:\Program Files\SubDare\Clients.exe
      "C:\Program Files\SubDare\Clients.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1676
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qtqcVfJZsQST.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1636
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1812
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2784
      - C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2032
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LNH34hPurdvO.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1580
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:584
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1072
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rIvBQxSo58sU.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1816
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2200
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:288
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2012
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\P8YXvFk8okhf.bat" "
        11⤵
        
        PID:1952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2300
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1336
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1164
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\trWzmlKCT1vT.bat" "
        13⤵
        
        PID:2936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2512
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2692
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1040
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RirxFzIC11yA.bat" "
        15⤵
        
        PID:2312
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2140
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2880
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2920
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KueEzvbyrypN.bat" "
        17⤵
        
        PID:2672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2656
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2608
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1080
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1tVdseD41V8u.bat" "
        19⤵
        
        PID:1880
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1724
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1396
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2704
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\e0AZmhWZlgil.bat" "
        21⤵
        
        PID:564
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2796
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2668
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2224
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hrF4OvXycpb8.bat" "
        23⤵
        
        PID:2128
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:628
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:540
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1608
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pdTGVIiSNyJt.bat" "
        25⤵
        
        PID:2300
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1348
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1540
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2516
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GKqNyKmYDnMO.bat" "
        27⤵
        
        PID:1036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2176
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2148
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1840
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZQj8PaSQT8lO.bat" "
        29⤵
        
        PID:1308
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2532
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:332
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2932
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VTqsljt9FlWB.bat" "
        31⤵
        
        PID:2916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2656
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2168
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        33⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2520
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sLoWyqPkCHq4.bat" "
        33⤵
        
        PID:2232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:2004
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\SubDare\Clients.exe

Filesize
3.1MB

MD5
df7b0e428b11f8aa5102168e65156a3b

SHA1
7a48d280aee1b17e8a2e36b21c7441d4670cc7bc

SHA256
f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9

SHA512
c3dee0a61bc87eb230dce708172c95c5b3209d6d3c07198c2b92b68e5bd6d10e0ddf5193c4ad98be3bcb24e9627ef936de2a78274f477b33cacfe5117dc97abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1tVdseD41V8u.bat

Filesize
195B

MD5
9483dc480b30b6602e224f0d07539b50

SHA1
780027814a4c821ad459539f9674314f2b901076

SHA256
0e84f4eaf7040ac9f8244f085ead4b025c78d0fae631ae23b7d0328a24f2a379

SHA512
3173cbc16a381aff4dc3f9b6b569cd254c3725833f47f1b16b3385550c9fdb15f04dd5bb1f3e924d6e58c5005f3ead9a567f539ce61d27df055f3a3ca9b591a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GKqNyKmYDnMO.bat

Filesize
195B

MD5
034596b0680c913665057b3ebe57aab4

SHA1
847b89be2f393857d887b885eda1cd9a3b7444a1

SHA256
c48b0424b03680488a4fc14eefc1d0a466e26d92e5e9aa1d7cc24f60b3b1eafd

SHA512
3f95dfe47bbaa632280c5c33ebc6614008648e4a9abca13bb867c92b830b1bbaae124fad1ff4b06f7d45aca78dfe2543b896c235f9f795319749294226f48c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\KueEzvbyrypN.bat

Filesize
195B

MD5
e863aec7fa120e491bbe2c57db765564

SHA1
f29738086298da69fafc9f6996e4f8694b2e0c9e

SHA256
a6315a6ec05850d2ae7e6883e2e70079ea86f1e01db6cb2028d30e60c410903c

SHA512
843b4c67144680c0d4d7dcb5f0db6799fcf124f16e6b3db792fd8ba8b8aca821a15be0feec68a45efdd23abadbc84da4a760407139dda8cd452ee398fb479b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LNH34hPurdvO.bat

Filesize
195B

MD5
97042ff88308688e3f4393aefdadc4a8

SHA1
2ae621893a1a91b3ae5daf02b58b12f792b5a972

SHA256
abe8ea43d7a4e3c6a8abd2c685cbf5c17f543e256e8915890f219140ca3f913a

SHA512
03abb5e95c75ba814a5052795df88c5c423af2477677669c0a916c2d195da7ffab53ccadac1242582bf20c02d13ebd9b67a51fae2b80fc0f58d1c1f389de4576

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCS2fUji29Bf.bat

Filesize
195B

MD5
3130a4a4398f54802f42647ba3f92fb3

SHA1
2e1e8292e444ce6497fa84853ad622a39895a0c0

SHA256
7dcf18690c65fc501948c3a3ffb425accf2b350c5bde6086d15873c8c87cd005

SHA512
35f61ee7f6728726df3f727cc3927e2454ace1e9c43fd7f45d41401783a17b0f271f12bad9c42272ae1c079e51fbe5455c0e449c4b38dd5dd454be1211c0c12a

Download Submit
C:\Users\Admin\AppData\Local\Temp\P8YXvFk8okhf.bat

Filesize
195B

MD5
dd5da6a4cf3c0a8a29351cd737f25a35

SHA1
5cf758c48c82905d5c9843ed48bb97d8dbaa4c6d

SHA256
04e465de4d5038ae1cf644984bd1af36d18a8696e01c9d69a59d49ef18adf339

SHA512
0140c1d8494bc13f54d854c04dc3680819abe5b7ffd2765c4dddfc3aaf46b222c1da77ea0569f5d0448d5ee313cb43c47eda8ab6240d5797afee7c655e360074

Download Submit
C:\Users\Admin\AppData\Local\Temp\RirxFzIC11yA.bat

Filesize
195B

MD5
2defa5b733a501ba92191339cd73b29d

SHA1
b6b102ae211eb412787d44bd7e2daf5a837e5e9d

SHA256
5972ef335019e630a9164da6ab128a0d6b7079d3c05e36b5876de7f7e6c0cd1b

SHA512
8a9306c92ba631e69ad8feeac1c709d360ef5d832ce3ad082275a073ae5f03425fc0502d8b5357672217562aa0113b89ed31543946b54a90063015e5201ae106

Download Submit
C:\Users\Admin\AppData\Local\Temp\VTqsljt9FlWB.bat

Filesize
195B

MD5
d657d1e57558db2754ff60013fb6f12f

SHA1
a984a44e458ac6fa7128e8a16b31eaef80f392b9

SHA256
414c0e0c685b4f82711e6ce017ee580a273bd05f574729d11891cb5bb6d3722f

SHA512
903132f20f0e6f623d4cefd7197dd41490506961bd0ca568ca56eed2c1bfd2511483bab23e3f1ef250947ed390f491639ca9c10e4373b9ccdf9243574c4017d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZQj8PaSQT8lO.bat

Filesize
195B

MD5
2a037d9835383c22712b52d2db325579

SHA1
21e7754b5c77b92756f959ea89964fb9a9662a93

SHA256
3bb7c6f2f64e1bb82dc45ee1ed689282fa6af1e994f698ea664c974f79e6bd72

SHA512
cf33d5cb71b2c030b6dda0e1c68124bd7e3721ad1383a6a57ae842a05dbf2db4b91a0f58ca30de6c3d9ebdcc732043943f7c123e107f6115a03a84e58ee54286

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0AZmhWZlgil.bat

Filesize
195B

MD5
d7a0ee699c30c6198d6eb5837098358f

SHA1
3c304be5b49eef05390183472dd0b378aa2a2ffc

SHA256
f65fd26fa4181aaa4b25fa6204e295289428f5d6e6bfcac60e771a7f35c7bc66

SHA512
2717e9196bf3e32f465d8d96d7f7e34076b01f1a805cfb0818176d81cf7aae5fd4860b5f91be733ff217e50911c0999f83503a2dd36676b9f3c69ccbd5e8ac27

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrF4OvXycpb8.bat

Filesize
195B

MD5
f23d2deaef46959ec1e1ba74bc924b6c

SHA1
fe362f68ce6b2b3b19e5755da9ee9d4bf5e3449f

SHA256
3164df16d391bece752216e58a4880d12af24936b67a7f469edd74755053e32c

SHA512
b530ebf23f14dd03b18354823f1ad6ede991fc43f141b8ad81fa1f1f085757e74c895ea24899f7f5e789454d7188f9fe3baa4a5aac213b8f1ea97d5f37f8765b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdTGVIiSNyJt.bat

Filesize
195B

MD5
799f31878be117c7b5809b3af79d8597

SHA1
549a2bf2221a2f69fd3877918ce2c10ef7a4b929

SHA256
b1166dab2a807589d1d5ffbc473341a0b5ffbcad337081bda31a12ef7452d38d

SHA512
372a33100f8cafbd3d3a8f220dafa5abc1711832ebc0a3a662afe04e925f981d175646cd48f1256b8d68b78a5603399b6bb23ba6e46796c53a5d3dbb19618218

Download Submit
C:\Users\Admin\AppData\Local\Temp\qtqcVfJZsQST.bat

Filesize
195B

MD5
adeb368400b1ef9721be393802afa7cf

SHA1
440f9050265dd519fa79247783940e98af4f6a66

SHA256
ce37e4f3208bff29fd5fa7083a2a788c5285266ae1a26c4cc897052d6ff8de3c

SHA512
6a4633d787f1170fc0351646de9808c9b34db13324e2953ec40a695caa83bc09e5abb7cd319a38cc42ddef795e082cb9d62e2f0f106c31f7dbff14709cea1b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rIvBQxSo58sU.bat

Filesize
195B

MD5
0d89c5e808001649de073ac273032cc3

SHA1
2b1ca6d1fef32afa97999e6f1ecb8221784d5c2b

SHA256
f3db159904ed08bc14d4e9e7d34940accee6b4b7e55d19d0d9ff1f95e2c18b7e

SHA512
3b81ed00fc288ef2232c57ae8ade4bb7ab78e12b3e4a96f02d04db89f37661e20b8e8f2bb83c6c6f61d426ac03ee8ac76b6dc594d4788b80855331aa7aa2d3f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\sLoWyqPkCHq4.bat

Filesize
195B

MD5
167e8d5a3f7451c261c77f5919a6c4c4

SHA1
3f5edd7aa693e57b503cbdafc39fed595a5a890b

SHA256
7372a2bceb2a719ea3e4ae4759a4a908d097c57d6d43f9f7172ae88076ac37ea

SHA512
0e523d1bf65af8758607950cbc1f018b47face84567665db930edbf020fc5fd2a8b5c743db89d6f4fa346ffb524a5355283f4b0e72df1cd3f09ce92dca30735c

Download Submit
C:\Users\Admin\AppData\Local\Temp\trWzmlKCT1vT.bat

Filesize
195B

MD5
e25cdda713072edd16c7c042b96e59a4

SHA1
7405776041e275b35ed002465f4dca52e0ee3784

SHA256
61b0d7f02ce7771e662025b05c1ee030997d8d647999ca81c1397ae2b37ad7b0

SHA512
0859efc1403e43eb1b63b67f29d7371403a7e995d9f438c0a48b83debb4bd3e574b3c77f0d2b659c20cfa7bff5586088e254f0fc93c04525d0f34bd60f120dcb

Download Submit
memory/1420-106-0x0000000001170000-0x0000000001494000-memory.dmp

Filesize
3.1MB

Download
memory/1728-150-0x0000000000A80000-0x0000000000DA4000-memory.dmp

Filesize
3.1MB

Download
memory/2308-64-0x0000000001040000-0x0000000001364000-memory.dmp

Filesize
3.1MB

Download
memory/2460-22-0x0000000000D70000-0x0000000001094000-memory.dmp

Filesize
3.1MB

Download
memory/2600-173-0x0000000000A30000-0x0000000000D54000-memory.dmp

Filesize
3.1MB

Download
memory/2876-7-0x0000000000220000-0x0000000000544000-memory.dmp

Filesize
3.1MB

Download
memory/2876-9-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2876-10-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2876-20-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2880-162-0x0000000000190000-0x00000000004B4000-memory.dmp

Filesize
3.1MB

Download
memory/2940-0-0x000007FEF5883000-0x000007FEF5884000-memory.dmp

Filesize
4KB

Download
memory/2940-8-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2940-2-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2940-1-0x0000000000D80000-0x00000000010A4000-memory.dmp

Filesize
3.1MB

Download
memory/3004-117-0x0000000001340000-0x0000000001664000-memory.dmp

Filesize
3.1MB

Download
memory/3044-139-0x0000000000150000-0x0000000000474000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads