quasar | f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe
Size

3.1MB
MD5

df7b0e428b11f8aa5102168e65156a3b
SHA1

7a48d280aee1b17e8a2e36b21c7441d4670cc7bc
SHA256

f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9
SHA512

c3dee0a61bc87eb230dce708172c95c5b3209d6d3c07198c2b92b68e5bd6d10e0ddf5193c4ad98be3bcb24e9627ef936de2a78274f477b33cacfe5117dc97abb
SSDEEP

49152:HvyI22SsaNYfdPBldt698dBcjH+a071Jv0oGdPZTHHB72eh2NT:Hvf22SsaNYfdPBldt6+dBcjH+a0A/

Score

10^/10

quasar brouteur discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

BROUTEUR

voltazur.ddns.net:4789

Mutex

b435e96f-9e1a-4119-b07d-1ebccf7eb1b5

Attributes

encryption_key
77E1CE64C90713D69376A654F4C56C1E0262C545
install_name
Clients.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsSystemTask
subdirectory
SubDare

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/4932-1-0x0000000000990000-0x0000000000CB4000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b88-7.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Clients.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Clients.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Clients.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Clients.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Clients.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Clients.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Clients.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Clients.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Clients.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Clients.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Clients.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Clients.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Clients.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Clients.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Clients.exe

Executes dropped EXE 15 IoCs

pid	Process
4660	Clients.exe
3644	Clients.exe
5044	Clients.exe
4584	Clients.exe
3476	Clients.exe
1348	Clients.exe
5036	Clients.exe
3604	Clients.exe
2560	Clients.exe
3044	Clients.exe
1688	Clients.exe
1128	Clients.exe
3168	Clients.exe
724	Clients.exe
3120	Clients.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\SubDare\Clients.exe	f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe
File created	C:\Program Files\SubDare\Clients.exe	f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1156	PING.EXE
4580	PING.EXE
4040	PING.EXE
1584	PING.EXE
3640	PING.EXE
3432	PING.EXE
3728	PING.EXE
2400	PING.EXE
1752	PING.EXE
4472	PING.EXE
4752	PING.EXE
3348	PING.EXE
3816	PING.EXE
1740	PING.EXE
3888	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
4472	PING.EXE
1584	PING.EXE
1740	PING.EXE
3640	PING.EXE
1156	PING.EXE
3432	PING.EXE
3728	PING.EXE
1752	PING.EXE
3348	PING.EXE
4040	PING.EXE
3888	PING.EXE
2400	PING.EXE
4752	PING.EXE
4580	PING.EXE
3816	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4860	schtasks.exe
2036	schtasks.exe
4920	schtasks.exe
4780	schtasks.exe
2148	schtasks.exe
4276	schtasks.exe
2288	schtasks.exe
1048	schtasks.exe
3220	schtasks.exe
4252	schtasks.exe
2612	schtasks.exe
2088	schtasks.exe
3348	schtasks.exe
4744	schtasks.exe
1140	schtasks.exe
3684	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	4932	f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe
Token: SeDebugPrivilege	4660	Clients.exe
Token: SeDebugPrivilege	3644	Clients.exe
Token: SeDebugPrivilege	5044	Clients.exe
Token: SeDebugPrivilege	4584	Clients.exe
Token: SeDebugPrivilege	3476	Clients.exe
Token: SeDebugPrivilege	1348	Clients.exe
Token: SeDebugPrivilege	5036	Clients.exe
Token: SeDebugPrivilege	3604	Clients.exe
Token: SeDebugPrivilege	2560	Clients.exe
Token: SeDebugPrivilege	3044	Clients.exe
Token: SeDebugPrivilege	1688	Clients.exe
Token: SeDebugPrivilege	1128	Clients.exe
Token: SeDebugPrivilege	3168	Clients.exe
Token: SeDebugPrivilege	724	Clients.exe
Token: SeDebugPrivilege	3120	Clients.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 2612	4932	f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe	83
PID 4932 wrote to memory of 2612	4932	f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe	83
PID 4932 wrote to memory of 4660	4932	f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe	85
PID 4932 wrote to memory of 4660	4932	f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe	85
PID 4660 wrote to memory of 2088	4660	Clients.exe	86
PID 4660 wrote to memory of 2088	4660	Clients.exe	86
PID 4660 wrote to memory of 2064	4660	Clients.exe	88
PID 4660 wrote to memory of 2064	4660	Clients.exe	88
PID 2064 wrote to memory of 4904	2064	cmd.exe	90
PID 2064 wrote to memory of 4904	2064	cmd.exe	90
PID 2064 wrote to memory of 1156	2064	cmd.exe	91
PID 2064 wrote to memory of 1156	2064	cmd.exe	91
PID 2064 wrote to memory of 3644	2064	cmd.exe	93
PID 2064 wrote to memory of 3644	2064	cmd.exe	93
PID 3644 wrote to memory of 4780	3644	Clients.exe	94
PID 3644 wrote to memory of 4780	3644	Clients.exe	94
PID 3644 wrote to memory of 4848	3644	Clients.exe	97
PID 3644 wrote to memory of 4848	3644	Clients.exe	97
PID 4848 wrote to memory of 5020	4848	cmd.exe	99
PID 4848 wrote to memory of 5020	4848	cmd.exe	99
PID 4848 wrote to memory of 2400	4848	cmd.exe	100
PID 4848 wrote to memory of 2400	4848	cmd.exe	100
PID 4848 wrote to memory of 5044	4848	cmd.exe	109
PID 4848 wrote to memory of 5044	4848	cmd.exe	109
PID 5044 wrote to memory of 3348	5044	Clients.exe	110
PID 5044 wrote to memory of 3348	5044	Clients.exe	110
PID 5044 wrote to memory of 4328	5044	Clients.exe	112
PID 5044 wrote to memory of 4328	5044	Clients.exe	112
PID 4328 wrote to memory of 1828	4328	cmd.exe	115
PID 4328 wrote to memory of 1828	4328	cmd.exe	115
PID 4328 wrote to memory of 4752	4328	cmd.exe	116
PID 4328 wrote to memory of 4752	4328	cmd.exe	116
PID 4328 wrote to memory of 4584	4328	cmd.exe	124
PID 4328 wrote to memory of 4584	4328	cmd.exe	124
PID 4584 wrote to memory of 4744	4584	Clients.exe	125
PID 4584 wrote to memory of 4744	4584	Clients.exe	125
PID 4584 wrote to memory of 1164	4584	Clients.exe	127
PID 4584 wrote to memory of 1164	4584	Clients.exe	127
PID 1164 wrote to memory of 4436	1164	cmd.exe	130
PID 1164 wrote to memory of 4436	1164	cmd.exe	130
PID 1164 wrote to memory of 4580	1164	cmd.exe	131
PID 1164 wrote to memory of 4580	1164	cmd.exe	131
PID 1164 wrote to memory of 3476	1164	cmd.exe	134
PID 1164 wrote to memory of 3476	1164	cmd.exe	134
PID 3476 wrote to memory of 2148	3476	Clients.exe	135
PID 3476 wrote to memory of 2148	3476	Clients.exe	135
PID 3476 wrote to memory of 3836	3476	Clients.exe	138
PID 3476 wrote to memory of 3836	3476	Clients.exe	138
PID 3836 wrote to memory of 3364	3836	cmd.exe	140
PID 3836 wrote to memory of 3364	3836	cmd.exe	140
PID 3836 wrote to memory of 3432	3836	cmd.exe	141
PID 3836 wrote to memory of 3432	3836	cmd.exe	141
PID 3836 wrote to memory of 1348	3836	cmd.exe	143
PID 3836 wrote to memory of 1348	3836	cmd.exe	143
PID 1348 wrote to memory of 1140	1348	Clients.exe	144
PID 1348 wrote to memory of 1140	1348	Clients.exe	144
PID 1348 wrote to memory of 2400	1348	Clients.exe	146
PID 1348 wrote to memory of 2400	1348	Clients.exe	146
PID 2400 wrote to memory of 1688	2400	cmd.exe	149
PID 2400 wrote to memory of 1688	2400	cmd.exe	149
PID 2400 wrote to memory of 3348	2400	cmd.exe	150
PID 2400 wrote to memory of 3348	2400	cmd.exe	150
PID 2400 wrote to memory of 5036	2400	cmd.exe	153
PID 2400 wrote to memory of 5036	2400	cmd.exe	153

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe
"C:\Users\Admin\AppData\Local\Temp\f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2612
- C:\Program Files\SubDare\Clients.exe
  "C:\Program Files\SubDare\Clients.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z6tHVWkQsabp.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4904
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1156
  - - C:\Program Files\SubDare\Clients.exe
      "C:\Program Files\SubDare\Clients.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3644
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4780
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RKIamaTFI9yL.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4848
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5020
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2400
      - C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5LDR5tZt8q2K.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1828
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4752
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWyPtZyxjs7g.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4436
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4580
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2148
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a9BntEDn72PM.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3836
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3364
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3432
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BxW00lrNZCai.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1688
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3348
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5036
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GQIwj01h63Wg.bat" "
        15⤵
        
        PID:1012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:428
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3728
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3604
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\irsBwP6Zc2LD.bat" "
        17⤵
        
        PID:1468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1752
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PxzVDKHTDXZQ.bat" "
        19⤵
        
        PID:1840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2416
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4040
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUKODhIqwSvY.bat" "
        21⤵
        
        PID:3672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1140
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4472
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2pRROO2ZWZQd.bat" "
        23⤵
        
        PID:1272
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3348
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1584
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4252
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\obsFjq1DDT9i.bat" "
        25⤵
        
        PID:2520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1692
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3816
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3168
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sLZ3uCC0ZINo.bat" "
        27⤵
        
        PID:4636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4880
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1740
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:724
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7lXoLBW3bYoF.bat" "
        29⤵
        
        PID:3172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3640
        
        C:\Program Files\SubDare\Clients.exe
        
        "C:\Program Files\SubDare\Clients.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3120
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omZZ1QZvKLkN.bat" "
        31⤵
        
        PID:1908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\SubDare\Clients.exe

Filesize
3.1MB

MD5
df7b0e428b11f8aa5102168e65156a3b

SHA1
7a48d280aee1b17e8a2e36b21c7441d4670cc7bc

SHA256
f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9

SHA512
c3dee0a61bc87eb230dce708172c95c5b3209d6d3c07198c2b92b68e5bd6d10e0ddf5193c4ad98be3bcb24e9627ef936de2a78274f477b33cacfe5117dc97abb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Clients.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2pRROO2ZWZQd.bat

Filesize
195B

MD5
2c881eacd56bd46629813991c3b2aca0

SHA1
24b7202c9d372ad4f06a451a864688711bd3332c

SHA256
4537a5a0dcddb8657c27e2a0244f480f36b876d65bf058b263c91d8dab4a6a25

SHA512
dc41b27ce43f987c0a1ab11080e9920af7ee05f00f84f7765472e7f2145a18423c16c6bef42418c93caa47c48d526b282c9125d2462a11857a971462c18b4536

Download Submit
C:\Users\Admin\AppData\Local\Temp\5LDR5tZt8q2K.bat

Filesize
195B

MD5
9eaf02fcd19953f17b6ff33817658767

SHA1
22a4a18d612f38743653c408c26de2b097c8161e

SHA256
71befb8e42ca3d131ba015b96f59467d13784154c8a6384fe7c3117cce81684e

SHA512
69280d6e360d3c32e45514bab1c135ff0e647247312184f860dcd61af59e754d56861bb4b3f04449aa1f84075a4af48d34c34aa2750cc22282bb1f5664e7da3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7lXoLBW3bYoF.bat

Filesize
195B

MD5
3fd28a5efac91b6bfd4090057c406f34

SHA1
eee1d91b1daad9ec8b6814175b4d5ebeee298684

SHA256
aa0abf80321c1f1d063fd53805ed5e8862a20d50c47452a3fd72e98a707ee861

SHA512
1683e2dbe132d118bffa3ab34a9bbb5e8388525d37f77035673fec77da51ba48e5022ed0ea6e6d853977a8263115f21e1a8030617ac0300e9052e3cf5db43191

Download Submit
C:\Users\Admin\AppData\Local\Temp\BxW00lrNZCai.bat

Filesize
195B

MD5
f229d32d08ef8e54c19258e2fd38eaa4

SHA1
d53642bd82457a4a95e220f9f6a69d9a6d1bf90c

SHA256
aa973f8340154d4f42aff76b24f5239fd868a2068c6ff81c1b737038b97ee848

SHA512
f3f5df184111bc12589998a3d501b0cd506a7cedb81b541f903e7c87ec064a68ff4ffbf8fa85452af8e5dc3b5c2b6a45d940477d98d6e8d6e573fb726c64902c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQIwj01h63Wg.bat

Filesize
195B

MD5
9e4e7c8ebc955ea9f280e9ac6b1c713e

SHA1
83193c8441bcdc9e368a9c5b748157392dbc1241

SHA256
21b73c2adb5fa34e7fdfb977ba41f53525fe626b5083455224bbc305f7753852

SHA512
948d34ffa3a402f83e62ff509e24c8cca28ae74695625c99d675d2503b0251feaeb49bf01a2f930d614598691b42241cf534712141314ffcf3a8d64eb91faf64

Download Submit
C:\Users\Admin\AppData\Local\Temp\PxzVDKHTDXZQ.bat

Filesize
195B

MD5
45274b9c23822f7aaa34e09f918898c3

SHA1
e2b1492f8216455974d07ec014bf80ec65237354

SHA256
0588df6bbcf941fb0d22097fb3ffff7ab7c1ba4e7464547d6acaa3bc423af87e

SHA512
b49499e4a9cb2d5550b9f543ba4e383f6d98fe765d896a2bd09d538cf8e4d79ccdbe9b8e0596731ab1e1d1ee9ef2a966ee990e0a72e8f6cc1fd752e7bc580904

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKIamaTFI9yL.bat

Filesize
195B

MD5
994810c4d9b00c03d1010c8c99714a94

SHA1
b04661c0fdad1d0a00b5477e7a4db1e45668d879

SHA256
d1587833ed96b1061ae88ca27bd6bddcceecafbea5f29d03e912989378e94d60

SHA512
25024e84cbc02940438a45d02ffbb7eb166df1e9aa44a4284630f141d91de6377e744b52264e02f03ea85373f491ed27ebd24ede307eeaf5ee4977f52f56bb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\XWyPtZyxjs7g.bat

Filesize
195B

MD5
c0dc8bdc12a8334829bd2b45d198ab36

SHA1
38e5bafc14094ceb8b9cc93d24c81b8dd83cfe22

SHA256
ec633afcd6e6324fdfb74bf47b901d801ecd5f634e73692213d4828035b872c1

SHA512
c239bbaf3c72175b22833382c4f611a55231663fecdd890a2dee5064797ca82223e27cd20a7c5cc1a09f23f12acd3e5311682b11527a7518f01e2952865847f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z6tHVWkQsabp.bat

Filesize
195B

MD5
d5fdec6f93a536db604650bfb8368ba9

SHA1
6ed842bc57fa7a234f88a16bbc4061f51574c3bd

SHA256
aa8be3329030b137448ffb37cf261a7bccd9e3d41cc7787dd9cdc4159a09cd7a

SHA512
34df30b9e8bb75302cc0a6fb8946917c04f8f6964394b3f51ad8b469d9008ab7b6ca6a9125eb9a0af8039a499fcf7f7a80c4178b3b0bc5d7e048bed5f9c47d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9BntEDn72PM.bat

Filesize
195B

MD5
2c8c2c596693567d68fc429144cdb8c0

SHA1
ebcc4998ba9fa4c093b4a4d04709ee1ac9728d70

SHA256
ed0b02cb1c536707b0e3bb9c1fca983a6acd95e9b7842458dde028efe3f49a40

SHA512
5b688a116b73fc9aa08f4502d98e0a88cf6535c37fb352cce724ac5fdaf4d649cad674c85de18dd94aeb1e321d98ffb97680a47ba2b3fe65a47a0eed1d2d6d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsBwP6Zc2LD.bat

Filesize
195B

MD5
1e4b9a2886164d924d740bfadf3d02dd

SHA1
d8018d2819ba5481b976ce9d0c6f886bcb49951e

SHA256
3a6adadfa9170d8e8d1e2ef90d66fb7bef1437b0b076124d76e11259a9b05d3e

SHA512
c26973bed7266d7712dbd2df0db09431b3e95e7c0449f29e94cd40bd3560a2fcd6fb92c0d86945a2b982f5cb2e6da52113314ea0cae6f2fe87c7ed2015925fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\obsFjq1DDT9i.bat

Filesize
195B

MD5
3cbffc8e29531991c5810ee789c3ed2c

SHA1
fdd348066cc1caf5e4858b7ca440cf81fdb0a0af

SHA256
44dd4936eb3d020804ab8ecec7fdabba46731cd6496c5bd0f7806a165c4cd452

SHA512
591978614ceb26793fe71ff2eae10ce3e9b7a37be134788e2eb40a03523354774cbb39834a9aec65c4be30c4475b8578a4654e041f82d8c50bd4a2a0de91aada

Download Submit
C:\Users\Admin\AppData\Local\Temp\omZZ1QZvKLkN.bat

Filesize
195B

MD5
79d2d020d9257ed4a8af3896ecd59412

SHA1
21fbe42d2df28c76921c48d87ba0e9ea0793d790

SHA256
a1d8f7df1bfb9958db3ce5502bb0fd30600afe367dfca8dcfff433b726c03bc7

SHA512
2d2259180412a602211a57f265ec032454d29147dfded847d8c52807dcf0c4ab0961e1041c6bfe694d39e659e34d5daeef922ca55d7a1d93e766a05cf529172b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sLZ3uCC0ZINo.bat

Filesize
195B

MD5
5629549d633a5ee2b22fc825e3a658df

SHA1
782371d5268653e39efbdabc4739660d9cfab776

SHA256
dad317b389c3499631d1bbc990dcdee13515542ccc403bdd59badb58c85256b7

SHA512
edb8010b5758d80481daaf0ee32af7f2bfd0826940184d411ad5f8b08e312e32c950d12414eb9a3809c758a14c4fec36c5513cc3bd8a02bec7750597e74937a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUKODhIqwSvY.bat

Filesize
195B

MD5
306eeb630da79b156e37bd9696b3b71c

SHA1
5503cf29c64824d60edfb004790ca06202f2968f

SHA256
7c17cb12d7a00cc41fce5dbfa5cfed6ad4a408a865ce4ba414b2fabe1cc30169

SHA512
96e09b8c13de27763f9c37daa7642f726a377d4f947b45d05eb3a3ec1c84a030407d31a7b376a13b2c3e3458dcf0a84dbf4143a4bc613e80b450c65369e40057

Download Submit
memory/4660-10-0x00007FFA20940000-0x00007FFA21401000-memory.dmp

Filesize
10.8MB

Download
memory/4660-9-0x00007FFA20940000-0x00007FFA21401000-memory.dmp

Filesize
10.8MB

Download
memory/4660-18-0x00007FFA20940000-0x00007FFA21401000-memory.dmp

Filesize
10.8MB

Download
memory/4660-11-0x000000001B790000-0x000000001B7E0000-memory.dmp

Filesize
320KB

Download
memory/4660-12-0x000000001B8A0000-0x000000001B952000-memory.dmp

Filesize
712KB

Download
memory/4932-0-0x00007FFA20943000-0x00007FFA20945000-memory.dmp

Filesize
8KB

Download
memory/4932-8-0x00007FFA20940000-0x00007FFA21401000-memory.dmp

Filesize
10.8MB

Download
memory/4932-2-0x00007FFA20940000-0x00007FFA21401000-memory.dmp

Filesize
10.8MB

Download
memory/4932-1-0x0000000000990000-0x0000000000CB4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads