quasar | e19ec4fa8dcc4d92b63bf6e5d4b9c519032799fec8fb7d5634adf34d954f067b

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2024 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

3.1MB
MD5

bc14ab48b3cc300a8a2c14b9fe6b185a
SHA1

3fa377bf0f2cf8a5dab914eb0f224d2ca6b90c78
SHA256

e19ec4fa8dcc4d92b63bf6e5d4b9c519032799fec8fb7d5634adf34d954f067b
SHA512

5f34a257f7cb4511359708a243b15bedcac2d65911ecd4c168a97068c6f1aa77973bd9dffa9e496828883c067205865af159710d0d40e1d0317786fca421bf10
SSDEEP

49152:3vCI22SsaNYfdPBldt698dBcjHqpgzMvbRwLoGdcETHHB72eh2NT:3vP22SsaNYfdPBldt6+dBcjHqpgzMs

Score

10^/10

quasar rat discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Rat

AMNSALKSamongus-47679.portmap.host:4782

Mutex

d3bc3858-ff4a-4aa8-97ec-67721ddcdeeb

Attributes

encryption_key
C8D618C9B5D2F91FFC94B6E9C868ECF80EB774F8
install_name
Client.exe
log_directory
ratted client
reconnect_delay
3000
startup_key
hello son
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2196-1-0x0000000000C80000-0x0000000000FA4000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023c75-5.dat	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 14 IoCs

pid	Process
1296	Client.exe
2268	Client.exe
4500	Client.exe
3140	Client.exe
1872	Client.exe
2124	Client.exe
1708	Client.exe
912	Client.exe
4220	Client.exe
3504	Client.exe
1652	Client.exe
1560	Client.exe
2260	Client.exe
1360	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
924	PING.EXE
3640	PING.EXE
996	PING.EXE
2364	PING.EXE
4532	PING.EXE
1104	PING.EXE
2616	PING.EXE
740	PING.EXE
4948	PING.EXE
2260	PING.EXE
4660	PING.EXE
4584	PING.EXE
2896	PING.EXE
3660	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
4532	PING.EXE
924	PING.EXE
4660	PING.EXE
1104	PING.EXE
4584	PING.EXE
4948	PING.EXE
2364	PING.EXE
3640	PING.EXE
996	PING.EXE
2616	PING.EXE
740	PING.EXE
2260	PING.EXE
3660	PING.EXE
2896	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1736	schtasks.exe
4360	schtasks.exe
4400	schtasks.exe
3616	schtasks.exe
3736	schtasks.exe
4300	schtasks.exe
4056	schtasks.exe
1796	schtasks.exe
2464	schtasks.exe
3432	schtasks.exe
4952	schtasks.exe
2404	schtasks.exe
2264	schtasks.exe
1136	schtasks.exe
4952	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	Bootstrapper.exe
Token: SeDebugPrivilege	1296	Client.exe
Token: SeDebugPrivilege	2268	Client.exe
Token: SeDebugPrivilege	4500	Client.exe
Token: SeDebugPrivilege	3140	Client.exe
Token: SeDebugPrivilege	1872	Client.exe
Token: SeDebugPrivilege	2124	Client.exe
Token: SeDebugPrivilege	1708	Client.exe
Token: SeDebugPrivilege	912	Client.exe
Token: SeDebugPrivilege	4220	Client.exe
Token: SeDebugPrivilege	3504	Client.exe
Token: SeDebugPrivilege	1652	Client.exe
Token: SeDebugPrivilege	1560	Client.exe
Token: SeDebugPrivilege	2260	Client.exe
Token: SeDebugPrivilege	1360	Client.exe

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
1296	Client.exe
2268	Client.exe
4500	Client.exe
3140	Client.exe
1872	Client.exe
2124	Client.exe
1708	Client.exe
912	Client.exe
4220	Client.exe
3504	Client.exe
1652	Client.exe
1560	Client.exe
2260	Client.exe
1360	Client.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
1296	Client.exe
2268	Client.exe
4500	Client.exe
3140	Client.exe
1872	Client.exe
2124	Client.exe
1708	Client.exe
912	Client.exe
4220	Client.exe
3504	Client.exe
1652	Client.exe
1560	Client.exe
2260	Client.exe
1360	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1360	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 4360	2196	Bootstrapper.exe	83
PID 2196 wrote to memory of 4360	2196	Bootstrapper.exe	83
PID 2196 wrote to memory of 1296	2196	Bootstrapper.exe	85
PID 2196 wrote to memory of 1296	2196	Bootstrapper.exe	85
PID 1296 wrote to memory of 4952	1296	Client.exe	86
PID 1296 wrote to memory of 4952	1296	Client.exe	86
PID 1296 wrote to memory of 4300	1296	Client.exe	88
PID 1296 wrote to memory of 4300	1296	Client.exe	88
PID 4300 wrote to memory of 4584	4300	cmd.exe	90
PID 4300 wrote to memory of 4584	4300	cmd.exe	90
PID 4300 wrote to memory of 4532	4300	cmd.exe	91
PID 4300 wrote to memory of 4532	4300	cmd.exe	91
PID 4300 wrote to memory of 2268	4300	cmd.exe	106
PID 4300 wrote to memory of 2268	4300	cmd.exe	106
PID 2268 wrote to memory of 4400	2268	Client.exe	107
PID 2268 wrote to memory of 4400	2268	Client.exe	107
PID 2268 wrote to memory of 3604	2268	Client.exe	110
PID 2268 wrote to memory of 3604	2268	Client.exe	110
PID 3604 wrote to memory of 4780	3604	cmd.exe	112
PID 3604 wrote to memory of 4780	3604	cmd.exe	112
PID 3604 wrote to memory of 1104	3604	cmd.exe	113
PID 3604 wrote to memory of 1104	3604	cmd.exe	113
PID 3604 wrote to memory of 4500	3604	cmd.exe	114
PID 3604 wrote to memory of 4500	3604	cmd.exe	114
PID 4500 wrote to memory of 2264	4500	Client.exe	115
PID 4500 wrote to memory of 2264	4500	Client.exe	115
PID 4500 wrote to memory of 4984	4500	Client.exe	118
PID 4500 wrote to memory of 4984	4500	Client.exe	118
PID 4984 wrote to memory of 3592	4984	cmd.exe	120
PID 4984 wrote to memory of 3592	4984	cmd.exe	120
PID 4984 wrote to memory of 924	4984	cmd.exe	121
PID 4984 wrote to memory of 924	4984	cmd.exe	121
PID 4984 wrote to memory of 3140	4984	cmd.exe	126
PID 4984 wrote to memory of 3140	4984	cmd.exe	126
PID 3140 wrote to memory of 3616	3140	Client.exe	127
PID 3140 wrote to memory of 3616	3140	Client.exe	127
PID 3140 wrote to memory of 2016	3140	Client.exe	130
PID 3140 wrote to memory of 2016	3140	Client.exe	130
PID 2016 wrote to memory of 2032	2016	cmd.exe	132
PID 2016 wrote to memory of 2032	2016	cmd.exe	132
PID 2016 wrote to memory of 4584	2016	cmd.exe	133
PID 2016 wrote to memory of 4584	2016	cmd.exe	133
PID 2016 wrote to memory of 1872	2016	cmd.exe	135
PID 2016 wrote to memory of 1872	2016	cmd.exe	135
PID 1872 wrote to memory of 3736	1872	Client.exe	136
PID 1872 wrote to memory of 3736	1872	Client.exe	136
PID 1872 wrote to memory of 3676	1872	Client.exe	139
PID 1872 wrote to memory of 3676	1872	Client.exe	139
PID 3676 wrote to memory of 4920	3676	cmd.exe	141
PID 3676 wrote to memory of 4920	3676	cmd.exe	141
PID 3676 wrote to memory of 3640	3676	cmd.exe	142
PID 3676 wrote to memory of 3640	3676	cmd.exe	142
PID 3676 wrote to memory of 2124	3676	cmd.exe	143
PID 3676 wrote to memory of 2124	3676	cmd.exe	143
PID 2124 wrote to memory of 4300	2124	Client.exe	144
PID 2124 wrote to memory of 4300	2124	Client.exe	144
PID 2124 wrote to memory of 3972	2124	Client.exe	147
PID 2124 wrote to memory of 3972	2124	Client.exe	147
PID 3972 wrote to memory of 1728	3972	cmd.exe	149
PID 3972 wrote to memory of 1728	3972	cmd.exe	149
PID 3972 wrote to memory of 4948	3972	cmd.exe	150
PID 3972 wrote to memory of 4948	3972	cmd.exe	150
PID 3972 wrote to memory of 1708	3972	cmd.exe	153
PID 3972 wrote to memory of 1708	3972	cmd.exe	153

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "hello son " /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4360
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "hello son " /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zSQMlOQnKrku.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4584
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4532
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2268
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "hello son " /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4400
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b0AlRHFOKAV5.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3604
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4780
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1104
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "hello son " /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqRQ3u5oK71E.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3592
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:924
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "hello son " /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1yJD70amNheX.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4584
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "hello son " /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ndm70EKcIX4G.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3640
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "hello son " /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4300
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nviMz0irxiIu.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1728
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4948
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1708
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "hello son " /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\STc0eMnM7LLb.bat" "
        15⤵
        
        PID:3552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3188
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2260
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:912
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "hello son " /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QjtMVMmqtGqx.bat" "
        17⤵
        
        PID:2832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:996
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4220
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "hello son " /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EfVybkp696Yk.bat" "
        19⤵
        
        PID:5036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3660
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3504
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "hello son " /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N127WTMJfFgA.bat" "
        21⤵
        
        PID:2840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4532
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2896
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1652
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "hello son " /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xLdcnZwJ3glj.bat" "
        23⤵
        
        PID:3904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4780
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4660
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1560
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "hello son " /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OWqOBcg2tun5.bat" "
        25⤵
        
        PID:2132
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2468
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2616
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2260
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "hello son " /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2JTwEoFG83Zq.bat" "
        27⤵
        
        PID:1520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:740
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1360
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "hello son " /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2XxVHT3a2t1H.bat" "
        29⤵
        
        PID:3384
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4988
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1yJD70amNheX.bat

Filesize
207B

MD5
f4d9988edf1893b0dcdf0f981409485f

SHA1
3441abccc404043d1ef787cefe82c6cad596037e

SHA256
ce86ec1a8a927cee1f8db6ab1a7ace1a4c286f66d530e18a1e529a54b7fbc764

SHA512
a6050817f5a34b9c6aac25b1b82f46b8a094509992cd839ed0acba2a8d45f47490856d8f480b4759bbe9d677745060af241a2176f29f56b80ea831e7ce056e45

Download Submit
C:\Users\Admin\AppData\Local\Temp\2JTwEoFG83Zq.bat

Filesize
207B

MD5
55b2f52b3ece964886bbe803f636ddfd

SHA1
08f208b38fdc4ba516c52c9298685889f3a61054

SHA256
852259117cfcf37b5f61ccfa22bd3014943c97315e5a9e76a34405ea3583ae1d

SHA512
dc765e2b4da1fb661dcd6a1f2910d5eb1936505f1bcd8241da1b1b1937801aa52e6033d62c90332f40a5d07e5ddf3ccbebb12fde7dacf09181370d9a9e3041c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2XxVHT3a2t1H.bat

Filesize
207B

MD5
18b1f9bd18b716cf3c260ab9762a1305

SHA1
b3879309a48ef47344418a75a768b2c752dccb17

SHA256
408860aa66bc60c057c2459a08babb3356bbbd0b7548361a3ef72cfbdf83ed4f

SHA512
97a1f45442831dd1a7f76c50f2cb9cdc72908a6dac9da2d89d668ae702384bddfe7144501880493447fe3bca575b75ec421f89d3b9adb22976c5a4c6ad8b575e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EfVybkp696Yk.bat

Filesize
207B

MD5
f1aa5a25af38e76b550bb03cb64243e0

SHA1
ea39b4c10bc04e88295553e90823898a466767e7

SHA256
7f7159742f52bab3c1facf4d779cfa98be42ab72e10b047122c56480c7b2a1e4

SHA512
75ed2eb82f35dc8eac3341a098079280c28ef65c3d235f6f4b72d31c18ee61b2c6ea9fea3c9e4cf866aca65c84d290996b5e3e4b9bd059ede73fcd4b109c8dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\N127WTMJfFgA.bat

Filesize
207B

MD5
5ad480e421b1695ed8c7abd29f534f43

SHA1
853d61e692e20aab31af4adf1a1db4a8599b1d43

SHA256
cb1c4db71245afeb9033fd5e88e51920f80ca5ba0761ec87f93ab9f47865c6f0

SHA512
8879ded7b6f3d7acced4ba2c08c35efc0f0f30585204a3d13b9d85c40be6c8af97947c19331e77dd59ef6514b2aefa9adf0d9175669292b8c5f9ffedf1a18f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ndm70EKcIX4G.bat

Filesize
207B

MD5
3bdfaaf7ceb8ecc2788799230ad462a3

SHA1
58195b0b32e5e55622159801c651508c46f77e6e

SHA256
58c6d55593d7791889a4836863fcd9fb7260fb27f725601ae76bd90d9fbfcc20

SHA512
780b84485fbb902eb25aa0dfad5491d32978bfa997d6d1ee60a2cc759fa7fbfbf4bfb1df57d4ce935b642dbcf69c23087c09b47633dcc7e9e01c944d9fa1bc6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OWqOBcg2tun5.bat

Filesize
207B

MD5
d922e742ffffe63c1b1ca08c03d7b338

SHA1
26327a49d16e72fe4f1f92990848c90994a6e8ce

SHA256
e74f8278eb5f4fa7a342113e8559fbbeeaaaa41f81fc82a4e9c37a70a09b9d76

SHA512
ac2bd0117ebb8c5c893317db48199d369534626bfbd300fe7e7753f0bd726f41818d2c5abb566c26ef26df692773f2d9ae1b3317eadda28545c027510c83e0b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\QjtMVMmqtGqx.bat

Filesize
207B

MD5
37a246d57ca46db9f15582488d8b72b9

SHA1
064d9505df45a0dc60845163bb1f824ac949c2f3

SHA256
288c3918cbff55c0b3db5cc2786156e5b5cc4845e4bfbd7236321bedeae0b1f6

SHA512
70a15b514de99e0d80d39bdd0da0733fbe7d66a6e3f7426a16ada2da566b6d8b797461108d45275310231d0755e301350f4aa19edbfdeea07344929820ec2064

Download Submit
C:\Users\Admin\AppData\Local\Temp\STc0eMnM7LLb.bat

Filesize
207B

MD5
df5dc1ad4e06e053e488e293b4eafa6e

SHA1
667e40f8834c443d8ccdc119e424ad01a0accb10

SHA256
7e777645bd745889865438d48c91e619a3c5a00d9e2ea055e863ed289ff0ff2d

SHA512
843aafbac4cbfe272ebfc85fefba171483f6f773e7bc571bcd285487030abab13e9c0f6648fc16d485d3a6d9b3ba04aba4340ff396eef93bbac4683756f3baa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0AlRHFOKAV5.bat

Filesize
207B

MD5
c2115aebab963dc828f63edbdab303e5

SHA1
0fc7bb43fc02f7435421bcd1fccab0588874d8dc

SHA256
7a71a9c63b7d93d2ba7a045006085f1930568fb4f9ff596f63d34401dc075aeb

SHA512
d6180aad1b440ab2b89795051b863a4f2dcbd6441f6d2e93775955222677e8efa170e4d86ae0cf2133dd9acad4b53db48860b28194569f92e5c0e9299fed1a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hqRQ3u5oK71E.bat

Filesize
207B

MD5
9e133a5a89c2ccee0a99ee3284dacf73

SHA1
0bd7edb91a4e1af51e2719eaf870784681da5567

SHA256
d1a579aac4bab7ea0e3ae568b7c661e747b648e544b8238e8b6c9fb375a2d10e

SHA512
7664a0c0c0f661527d00f9ecc983e9a4e7d0cb3e86721a40d1fc02e2dbe88b392595ad18f9ad9516ab9c8f56a891d9ca55f334bce7b7109414f73c95b507991e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nviMz0irxiIu.bat

Filesize
207B

MD5
b82ae16daf701e84ba197d655a101778

SHA1
3739ba799d09517a69b728d4fa7069caaa108568

SHA256
b38e00a7f99510746cf191c7c8b65f46d91063d041dbe647b911bd9dff7074a2

SHA512
0603144ae1cacd1759a9a86b974925d6178f66b33fd661aab9fb00f3ec13ffec9af114d8bace3e861717295ffa6fde308b9a5342a091e9f8bf5ac34419ed406a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xLdcnZwJ3glj.bat

Filesize
207B

MD5
aed537fabeb9056a131fc53bb6aec28a

SHA1
97e7aab2b31d19acc61d772ca7776d592565540e

SHA256
2b6bb367409aa2dbbc41d98f98e1a5e9badc831753a7445a18078570f33da108

SHA512
7b4c3c1323fe2472c926b8bfb869bfaa1d314e9de7d07c264e8fae6ab19e96def8810f9dba80fd7db8f6d82dcb36e8954f21ae39eeccf3deafca51bb065646f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zSQMlOQnKrku.bat

Filesize
207B

MD5
8f4063f3b1148defdebfe0bb7ea2995a

SHA1
d2333f730de49de03f9496e3c14c4d618a26f5c8

SHA256
daf1d3c7e1346b144da8d4bca1cfb79f8f9a9a37f04ca1e132580aa95e5de573

SHA512
715a2b726b9dd52612f00d3df9edfa11c12d464a7b9a50a39079643864214518e053ae40d39e1f444479fea0b510b521aa73c29ee3327db3e2e632096937a558

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
bc14ab48b3cc300a8a2c14b9fe6b185a

SHA1
3fa377bf0f2cf8a5dab914eb0f224d2ca6b90c78

SHA256
e19ec4fa8dcc4d92b63bf6e5d4b9c519032799fec8fb7d5634adf34d954f067b

SHA512
5f34a257f7cb4511359708a243b15bedcac2d65911ecd4c168a97068c6f1aa77973bd9dffa9e496828883c067205865af159710d0d40e1d0317786fca421bf10

Download Submit
memory/1296-11-0x000000001CA10000-0x000000001CA60000-memory.dmp

Filesize
320KB

Download
memory/1296-12-0x000000001CB20000-0x000000001CBD2000-memory.dmp

Filesize
712KB

Download
memory/1296-10-0x00007FFEAFD00000-0x00007FFEB07C1000-memory.dmp

Filesize
10.8MB

Download
memory/1296-8-0x00007FFEAFD00000-0x00007FFEB07C1000-memory.dmp

Filesize
10.8MB

Download
memory/1296-17-0x00007FFEAFD00000-0x00007FFEB07C1000-memory.dmp

Filesize
10.8MB

Download
memory/2196-9-0x00007FFEAFD00000-0x00007FFEB07C1000-memory.dmp

Filesize
10.8MB

Download
memory/2196-0-0x00007FFEAFD03000-0x00007FFEAFD05000-memory.dmp

Filesize
8KB

Download
memory/2196-2-0x00007FFEAFD00000-0x00007FFEB07C1000-memory.dmp

Filesize
10.8MB

Download
memory/2196-1-0x0000000000C80000-0x0000000000FA4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads