quasar | 4ad66f08167a301d51c613fa49c846297787a2fbc57d526c4885b419f61bb78f

Resubmissions

22/12/2024, 02:36

241222-c3x8xsznby 10

22/12/2024, 02:36

241222-c3ndqazna1 10

22/12/2024, 02:34

241222-c2nyvszpek 10

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

455889b66765b1638dd978a0280f1c7e
SHA1

774c78b88528e366cb46ba6723f7bbc7dbb192c1
SHA256

4ad66f08167a301d51c613fa49c846297787a2fbc57d526c4885b419f61bb78f
SHA512

df5c6d8615e1f41f4d908b62f052805ee8b9dd50d129a9ae2da66888cb60b985a841b00f74090c436e05d6b26672d6fc9957a551cbbf30d91a2af4d5d81e3d3e
SSDEEP

49152:avBt62XlaSFNWPjljiFa2RoUYIWXhymzg8oGd5ZTHHB72eh2NT:avr62XlaSFNWPjljiFXRoUYIWXhnp

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

JJ:4782

192.168.10.1:4782

Mutex

9a10c5be-59aa-4915-9bd2-d92256f2c938

Attributes

encryption_key
83ADBC9532F819159CF9138DCD18B9BF646C2117
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Discord
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/3860-1-0x0000000000E20000-0x0000000001144000-memory.dmp	family_quasar
behavioral2/files/0x0009000000023cb5-6.dat	family_quasar

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 12 IoCs

pid	Process
2932	Client.exe
5008	Client.exe
3488	Client.exe
4040	Client.exe
4412	Client.exe
4192	Client.exe
3588	Client.exe
5088	Client.exe
3460	Client.exe
3724	Client.exe
2972	Client.exe
2848	Client.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File created	C:\Windows\system32\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4532	PING.EXE
2912	PING.EXE
2388	PING.EXE
1904	PING.EXE
2292	PING.EXE
4640	PING.EXE
5116	PING.EXE
3540	PING.EXE
2264	PING.EXE
5112	PING.EXE
3828	PING.EXE
3668	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
3668	PING.EXE
2388	PING.EXE
5112	PING.EXE
3828	PING.EXE
4640	PING.EXE
4532	PING.EXE
5116	PING.EXE
3540	PING.EXE
2912	PING.EXE
2264	PING.EXE
1904	PING.EXE
2292	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4760	schtasks.exe
716	schtasks.exe
5072	schtasks.exe
5020	schtasks.exe
4932	schtasks.exe
2260	schtasks.exe
4468	schtasks.exe
4876	schtasks.exe
3504	schtasks.exe
2376	schtasks.exe
60	schtasks.exe
3708	schtasks.exe
3820	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	3860	Client-built.exe
Token: SeDebugPrivilege	2932	Client.exe
Token: SeDebugPrivilege	5008	Client.exe
Token: SeDebugPrivilege	3488	Client.exe
Token: SeDebugPrivilege	4040	Client.exe
Token: SeDebugPrivilege	4412	Client.exe
Token: SeDebugPrivilege	4192	Client.exe
Token: SeDebugPrivilege	3588	Client.exe
Token: SeDebugPrivilege	5088	Client.exe
Token: SeDebugPrivilege	3460	Client.exe
Token: SeDebugPrivilege	3724	Client.exe
Token: SeDebugPrivilege	2972	Client.exe
Token: SeDebugPrivilege	2848	Client.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2932	Client.exe
5008	Client.exe
3488	Client.exe
4040	Client.exe
4412	Client.exe
4192	Client.exe
3588	Client.exe
5088	Client.exe
3460	Client.exe
3724	Client.exe
2972	Client.exe
2848	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3860 wrote to memory of 4876	3860	Client-built.exe	82
PID 3860 wrote to memory of 4876	3860	Client-built.exe	82
PID 3860 wrote to memory of 2932	3860	Client-built.exe	84
PID 3860 wrote to memory of 2932	3860	Client-built.exe	84
PID 2932 wrote to memory of 3504	2932	Client.exe	85
PID 2932 wrote to memory of 3504	2932	Client.exe	85
PID 2932 wrote to memory of 3192	2932	Client.exe	87
PID 2932 wrote to memory of 3192	2932	Client.exe	87
PID 3192 wrote to memory of 2640	3192	cmd.exe	89
PID 3192 wrote to memory of 2640	3192	cmd.exe	89
PID 3192 wrote to memory of 2388	3192	cmd.exe	90
PID 3192 wrote to memory of 2388	3192	cmd.exe	90
PID 3192 wrote to memory of 5008	3192	cmd.exe	92
PID 3192 wrote to memory of 5008	3192	cmd.exe	92
PID 5008 wrote to memory of 2376	5008	Client.exe	93
PID 5008 wrote to memory of 2376	5008	Client.exe	93
PID 5008 wrote to memory of 3392	5008	Client.exe	97
PID 5008 wrote to memory of 3392	5008	Client.exe	97
PID 3392 wrote to memory of 3108	3392	cmd.exe	99
PID 3392 wrote to memory of 3108	3392	cmd.exe	99
PID 3392 wrote to memory of 2264	3392	cmd.exe	100
PID 3392 wrote to memory of 2264	3392	cmd.exe	100
PID 3392 wrote to memory of 3488	3392	cmd.exe	106
PID 3392 wrote to memory of 3488	3392	cmd.exe	106
PID 3488 wrote to memory of 4760	3488	Client.exe	107
PID 3488 wrote to memory of 4760	3488	Client.exe	107
PID 3488 wrote to memory of 548	3488	Client.exe	110
PID 3488 wrote to memory of 548	3488	Client.exe	110
PID 548 wrote to memory of 592	548	cmd.exe	112
PID 548 wrote to memory of 592	548	cmd.exe	112
PID 548 wrote to memory of 5112	548	cmd.exe	113
PID 548 wrote to memory of 5112	548	cmd.exe	113
PID 548 wrote to memory of 4040	548	cmd.exe	114
PID 548 wrote to memory of 4040	548	cmd.exe	114
PID 4040 wrote to memory of 60	4040	Client.exe	115
PID 4040 wrote to memory of 60	4040	Client.exe	115
PID 4040 wrote to memory of 4940	4040	Client.exe	118
PID 4040 wrote to memory of 4940	4040	Client.exe	118
PID 4940 wrote to memory of 3856	4940	cmd.exe	120
PID 4940 wrote to memory of 3856	4940	cmd.exe	120
PID 4940 wrote to memory of 1904	4940	cmd.exe	121
PID 4940 wrote to memory of 1904	4940	cmd.exe	121
PID 4940 wrote to memory of 4412	4940	cmd.exe	122
PID 4940 wrote to memory of 4412	4940	cmd.exe	122
PID 4412 wrote to memory of 3708	4412	Client.exe	123
PID 4412 wrote to memory of 3708	4412	Client.exe	123
PID 4412 wrote to memory of 2064	4412	Client.exe	125
PID 4412 wrote to memory of 2064	4412	Client.exe	125
PID 2064 wrote to memory of 3052	2064	cmd.exe	127
PID 2064 wrote to memory of 3052	2064	cmd.exe	127
PID 2064 wrote to memory of 3828	2064	cmd.exe	128
PID 2064 wrote to memory of 3828	2064	cmd.exe	128
PID 2064 wrote to memory of 4192	2064	cmd.exe	129
PID 2064 wrote to memory of 4192	2064	cmd.exe	129
PID 4192 wrote to memory of 716	4192	Client.exe	130
PID 4192 wrote to memory of 716	4192	Client.exe	130
PID 4192 wrote to memory of 1224	4192	Client.exe	132
PID 4192 wrote to memory of 1224	4192	Client.exe	132
PID 1224 wrote to memory of 4008	1224	cmd.exe	134
PID 1224 wrote to memory of 4008	1224	cmd.exe	134
PID 1224 wrote to memory of 2292	1224	cmd.exe	135
PID 1224 wrote to memory of 2292	1224	cmd.exe	135
PID 1224 wrote to memory of 3588	1224	cmd.exe	136
PID 1224 wrote to memory of 3588	1224	cmd.exe	136

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3860
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4876
- C:\Windows\system32\SubDir\Client.exe
  "C:\Windows\system32\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RzmS1nec5W5j.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3192
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2640
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2388
  - - C:\Windows\system32\SubDir\Client.exe
      "C:\Windows\system32\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5008
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2376
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e9pdwNxUHpnU.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3392
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3108
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2264
      - C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\okFPltrQttuR.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:592
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5112
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:60
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9csgTqhx8XQX.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3856
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1904
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hD4MuvIS4ZwZ.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3052
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3828
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1kYR4S0Oh8sd.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4008
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2292
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3588
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7NEMQpjm4oTy.bat" "
        15⤵
        
        PID:2372
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2356
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3668
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5088
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ceGV4iMlhoTy.bat" "
        17⤵
        
        PID:3956
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4640
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3460
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FH9u6EmjxjbQ.bat" "
        19⤵
        
        PID:2940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4532
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3724
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TJ7lI5iDHZP6.bat" "
        21⤵
        
        PID:4724
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3780
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5116
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2972
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZNJPrFptJLRB.bat" "
        23⤵
        
        PID:4108
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3828
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3540
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2848
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Dr7667Vn4KU7.bat" "
        25⤵
        
        PID:4816
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1kYR4S0Oh8sd.bat

Filesize
196B

MD5
7926dbefffc18b7d55943bfed8886f95

SHA1
0b91b18be831a21e8252ad0ab7ecee7d45c35617

SHA256
fc51dc4eb74183fcbc04851e5c58e715e9e10fde2d7a1a4dc6f0af5f94d0dee2

SHA512
8d4b2596d40f508faae926550f6871ce9925c9e6726350b38d82653f7972192833c3d7604da6f58b5cd3f153bc13de32dcab32f9955720232607d16fbfa5a1cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7NEMQpjm4oTy.bat

Filesize
196B

MD5
0ba423e3e28ae84227297b96152f3daa

SHA1
270cd4bb9015a80f3fcabda07a00254a67d074a9

SHA256
38b68d2cbe5e12a5ccc8990b7b9066b33ec39fe71102c2f0ed7313b6af82f441

SHA512
c6a2c0e40630896566d2bc806b7d28b772410f0b9080602f9ca032d8cc04ebc9c3675d829a30ba38ea141572db58f57fbe71ea06ad1cca1e5308e72402935fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\9csgTqhx8XQX.bat

Filesize
196B

MD5
b6ee5bf5773233cc4626bd85b88ae43c

SHA1
15b7d5f2dfd6a6f2a820d82460be33c0340f22f1

SHA256
eed8e703cadf55e5ca91e79d4785bcfbf7d341d2f07977db961e445ab2f3bb0b

SHA512
9647241fb78cbf4f49ebf72254d88376c6dc84e6004e90b08970b40706bd38d700e67df211c9830f5d0da496ae7ae345768e28cdfef56a341ec1da52edf26052

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dr7667Vn4KU7.bat

Filesize
196B

MD5
0c6a1d0f07bc82983652d06146a67b5b

SHA1
cf7fd287ea09b307d08a5155b1cfd520c919f38d

SHA256
0423184d77d153c5169f4fecf859306bb995fde92b8d0881aee2ccab7b196e91

SHA512
85707ba0e8ff9941ae457232dd120cf9eba0798edced10f4f5d243f47e17f0200e5c8e63cff4e9b4ac3eb253dbc056b78326aa9e4e193827125245f886a28167

Download Submit
C:\Users\Admin\AppData\Local\Temp\FH9u6EmjxjbQ.bat

Filesize
196B

MD5
08da4a4c7460d25cd5bfbad908ecbf12

SHA1
53fb9bfcebf09693857ec3a94a18d5a2991c3603

SHA256
2b0de4e7502777625cc6fa4403db50d18f741e3b618ab60d507ec637a5617cf5

SHA512
63682c94469f3dda6c68317a4a1a4e126ab41c275424583d6eddd00073d81b3c3a7a34db28d332c9bb78384c12177f12e12a5fa2ad9ed88550755573df728cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RzmS1nec5W5j.bat

Filesize
196B

MD5
5239d84b9fb3c6b36ec94bf2bcdfc1f1

SHA1
045516c90aec98fb14adc18492f5fcee7e249704

SHA256
cdd48d86b1026d35e8a448fb6a0e4247fcc3c5051a4910744be8782819ca7568

SHA512
280a94429354c9089387b95bbc91074c9a1a31febee6da08dddd2612c2755511faf6d3612c8aae2d11258371e89958c13b727e9053e6a7906c106d19572a9ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TJ7lI5iDHZP6.bat

Filesize
196B

MD5
52be6a12516109265c0e261f78241094

SHA1
6e7586bc7ccb56561483fa9e741ee4d7b766a717

SHA256
a2e30d89430b29b5a2a37491d8ce85f9240305839f90c9dfb2a288891c69c68b

SHA512
4a01e2aa883b6b6d39ae3a9634e4275a04421763ba6fe82c3d79db00755b4e6ced5dfb9714ba3a68abe3019470d77ed533e07e03c4d54177cf6dffff206df4d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZNJPrFptJLRB.bat

Filesize
196B

MD5
765613a2d2be34549b0470c9c43f4d43

SHA1
c8a63d0ffb30953fbf6187cde2d2f2dffe63ccf3

SHA256
9a52e16c57cce9d54f2b6602542ad90e3492cc7e0272af86905de18ef2d512ef

SHA512
cd84d4f801af5c0f3fd6bdf29fba9e63c536064f0f7995f59c031354355b8c81f6cc980009060bbf159261a8174c8bc373459b1ee18c03f174100ac8ea356ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ceGV4iMlhoTy.bat

Filesize
196B

MD5
49e8703ddc0ce4d57285ecaa71e6c5e8

SHA1
dadc487c19c8725f124b878afb7a3ef13e39b166

SHA256
4b6e6bef2ae8cc23f519daa421a9195ce1d86575eea15e5c9ab22400387b0516

SHA512
b60b0bb10cb4eefecc57f66635774867502d5c34b64e412573143731cdfbde51e69ff234a9077612ae50a3b23b311ceba6b5489bd8df4c0dcda5c03ba1e35fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9pdwNxUHpnU.bat

Filesize
196B

MD5
dabb40bc633b570363dbd342c25d4cee

SHA1
7eff80016f2718253294fb1457d708da67834462

SHA256
5558220ddd162f1d5f2275a28abf5431ef7af34efe8c45f505910e5f2f4ddf19

SHA512
08592dbc13f0bca0f38c28434f6433b759fb102d5d473c4434f1d3e9f21693161a3edf70656909f9dd4bf9fb4718f46e5fe4112a41759b05fcf212978e712e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hD4MuvIS4ZwZ.bat

Filesize
196B

MD5
9310a755f1f74d8ebadcb1472a20397d

SHA1
54c248751d2d0f7dd5a87a340248679c54b7d429

SHA256
da854de07efd341b253b932a91e3cd85946946ef2251a6086ccb2c48ccf98da9

SHA512
d22360ae3fbc24780f27d42fa20c0b5b986dc51f2983b3c0918c48af8c927a35ca315921621b041c4d0ce44b878c87a8936479ce29c9e16c46a8e7a2d001c24b

Download Submit
C:\Users\Admin\AppData\Local\Temp\okFPltrQttuR.bat

Filesize
196B

MD5
4574119f4264dcc7619b1743fa0cb795

SHA1
ea35c4c986a47ee07d9a731ec9deef130952cd93

SHA256
fe713e632faab692f3c4e4ad8046e8646052d9bb0d0960631ef570ce20557671

SHA512
2a76d037648f2d54132b0b9424b3b9bc9af06b3656215a674b72b845fab339e5e0313c8b4f49b4cb5e8a7ccfdd41e431c2797bed0e00b46f2b9c6b68a861694d

Download Submit
C:\Windows\System32\SubDir\Client.exe

Filesize
3.1MB

MD5
455889b66765b1638dd978a0280f1c7e

SHA1
774c78b88528e366cb46ba6723f7bbc7dbb192c1

SHA256
4ad66f08167a301d51c613fa49c846297787a2fbc57d526c4885b419f61bb78f

SHA512
df5c6d8615e1f41f4d908b62f052805ee8b9dd50d129a9ae2da66888cb60b985a841b00f74090c436e05d6b26672d6fc9957a551cbbf30d91a2af4d5d81e3d3e

Download Submit
memory/2932-18-0x00007FF8221A0000-0x00007FF822C61000-memory.dmp

Filesize
10.8MB

Download
memory/2932-13-0x000000001DCE0000-0x000000001DD92000-memory.dmp

Filesize
712KB

Download
memory/2932-12-0x000000001DBD0000-0x000000001DC20000-memory.dmp

Filesize
320KB

Download
memory/2932-11-0x00007FF8221A0000-0x00007FF822C61000-memory.dmp

Filesize
10.8MB

Download
memory/2932-10-0x00007FF8221A0000-0x00007FF822C61000-memory.dmp

Filesize
10.8MB

Download
memory/3860-0-0x00007FF8221A3000-0x00007FF8221A5000-memory.dmp

Filesize
8KB

Download
memory/3860-9-0x00007FF8221A0000-0x00007FF822C61000-memory.dmp

Filesize
10.8MB

Download
memory/3860-2-0x00007FF8221A0000-0x00007FF822C61000-memory.dmp

Filesize
10.8MB

Download
memory/3860-1-0x0000000000E20000-0x0000000001144000-memory.dmp

Filesize
3.1MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads