quasar | 4ad66f08167a301d51c613fa49c846297787a2fbc57d526c4885b419f61bb78f

Resubmissions

22-12-2024 02:36

241222-c3x8xsznby 10

22-12-2024 02:36

241222-c3ndqazna1 10

22-12-2024 02:34

241222-c2nyvszpek 10

Analysis

max time kernel
145s
max time network
144s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

455889b66765b1638dd978a0280f1c7e
SHA1

774c78b88528e366cb46ba6723f7bbc7dbb192c1
SHA256

4ad66f08167a301d51c613fa49c846297787a2fbc57d526c4885b419f61bb78f
SHA512

df5c6d8615e1f41f4d908b62f052805ee8b9dd50d129a9ae2da66888cb60b985a841b00f74090c436e05d6b26672d6fc9957a551cbbf30d91a2af4d5d81e3d3e
SSDEEP

49152:avBt62XlaSFNWPjljiFa2RoUYIWXhymzg8oGd5ZTHHB72eh2NT:avr62XlaSFNWPjljiFXRoUYIWXhnp

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

JJ:4782

192.168.10.1:4782

Mutex

9a10c5be-59aa-4915-9bd2-d92256f2c938

Attributes

encryption_key
83ADBC9532F819159CF9138DCD18B9BF646C2117
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Discord
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 8 IoCs

resource	yara_rule
behavioral1/memory/2324-1-0x0000000001080000-0x00000000013A4000-memory.dmp	family_quasar
behavioral1/files/0x000900000001678f-6.dat	family_quasar
behavioral1/memory/2736-9-0x0000000000800000-0x0000000000B24000-memory.dmp	family_quasar
behavioral1/memory/2720-23-0x0000000000130000-0x0000000000454000-memory.dmp	family_quasar
behavioral1/memory/964-34-0x00000000003B0000-0x00000000006D4000-memory.dmp	family_quasar
behavioral1/memory/1624-46-0x0000000000FF0000-0x0000000001314000-memory.dmp	family_quasar
behavioral1/memory/2772-77-0x0000000001120000-0x0000000001444000-memory.dmp	family_quasar
behavioral1/memory/2352-131-0x00000000001B0000-0x00000000004D4000-memory.dmp	family_quasar

Executes dropped EXE 12 IoCs

pid	Process
2736	Client.exe
2720	Client.exe
964	Client.exe
1624	Client.exe
804	Client.exe
2972	Client.exe
2772	Client.exe
2624	Client.exe
2536	Client.exe
2864	Client.exe
1088	Client.exe
2352	Client.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File created	C:\Windows\system32\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2608	PING.EXE
1628	PING.EXE
1452	PING.EXE
1300	PING.EXE
1364	PING.EXE
1204	PING.EXE
2184	PING.EXE
1368	PING.EXE
2100	PING.EXE
3040	PING.EXE
2388	PING.EXE
3024	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
1628	PING.EXE
1364	PING.EXE
2184	PING.EXE
1368	PING.EXE
2100	PING.EXE
2388	PING.EXE
1300	PING.EXE
1452	PING.EXE
2608	PING.EXE
1204	PING.EXE
3024	PING.EXE
3040	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2544	schtasks.exe
888	schtasks.exe
3020	schtasks.exe
2788	schtasks.exe
2024	schtasks.exe
1016	schtasks.exe
3036	schtasks.exe
2416	schtasks.exe
1872	schtasks.exe
1340	schtasks.exe
2432	schtasks.exe
1440	schtasks.exe
1344	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	Client-built.exe
Token: SeDebugPrivilege	2736	Client.exe
Token: SeDebugPrivilege	2720	Client.exe
Token: SeDebugPrivilege	964	Client.exe
Token: SeDebugPrivilege	1624	Client.exe
Token: SeDebugPrivilege	804	Client.exe
Token: SeDebugPrivilege	2972	Client.exe
Token: SeDebugPrivilege	2772	Client.exe
Token: SeDebugPrivilege	2624	Client.exe
Token: SeDebugPrivilege	2536	Client.exe
Token: SeDebugPrivilege	2864	Client.exe
Token: SeDebugPrivilege	1088	Client.exe
Token: SeDebugPrivilege	2352	Client.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2736	Client.exe
2720	Client.exe
964	Client.exe
1624	Client.exe
804	Client.exe
2972	Client.exe
2772	Client.exe
2624	Client.exe
2536	Client.exe
2864	Client.exe
1088	Client.exe
2352	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 3036	2324	Client-built.exe	31
PID 2324 wrote to memory of 3036	2324	Client-built.exe	31
PID 2324 wrote to memory of 3036	2324	Client-built.exe	31
PID 2324 wrote to memory of 2736	2324	Client-built.exe	33
PID 2324 wrote to memory of 2736	2324	Client-built.exe	33
PID 2324 wrote to memory of 2736	2324	Client-built.exe	33
PID 2736 wrote to memory of 2416	2736	Client.exe	34
PID 2736 wrote to memory of 2416	2736	Client.exe	34
PID 2736 wrote to memory of 2416	2736	Client.exe	34
PID 2736 wrote to memory of 2584	2736	Client.exe	36
PID 2736 wrote to memory of 2584	2736	Client.exe	36
PID 2736 wrote to memory of 2584	2736	Client.exe	36
PID 2584 wrote to memory of 2656	2584	cmd.exe	38
PID 2584 wrote to memory of 2656	2584	cmd.exe	38
PID 2584 wrote to memory of 2656	2584	cmd.exe	38
PID 2584 wrote to memory of 3040	2584	cmd.exe	39
PID 2584 wrote to memory of 3040	2584	cmd.exe	39
PID 2584 wrote to memory of 3040	2584	cmd.exe	39
PID 2584 wrote to memory of 2720	2584	cmd.exe	40
PID 2584 wrote to memory of 2720	2584	cmd.exe	40
PID 2584 wrote to memory of 2720	2584	cmd.exe	40
PID 2720 wrote to memory of 2544	2720	Client.exe	41
PID 2720 wrote to memory of 2544	2720	Client.exe	41
PID 2720 wrote to memory of 2544	2720	Client.exe	41
PID 2720 wrote to memory of 632	2720	Client.exe	43
PID 2720 wrote to memory of 632	2720	Client.exe	43
PID 2720 wrote to memory of 632	2720	Client.exe	43
PID 632 wrote to memory of 2004	632	cmd.exe	45
PID 632 wrote to memory of 2004	632	cmd.exe	45
PID 632 wrote to memory of 2004	632	cmd.exe	45
PID 632 wrote to memory of 2388	632	cmd.exe	46
PID 632 wrote to memory of 2388	632	cmd.exe	46
PID 632 wrote to memory of 2388	632	cmd.exe	46
PID 632 wrote to memory of 964	632	cmd.exe	47
PID 632 wrote to memory of 964	632	cmd.exe	47
PID 632 wrote to memory of 964	632	cmd.exe	47
PID 964 wrote to memory of 1440	964	Client.exe	48
PID 964 wrote to memory of 1440	964	Client.exe	48
PID 964 wrote to memory of 1440	964	Client.exe	48
PID 964 wrote to memory of 2008	964	Client.exe	50
PID 964 wrote to memory of 2008	964	Client.exe	50
PID 964 wrote to memory of 2008	964	Client.exe	50
PID 2008 wrote to memory of 2612	2008	cmd.exe	52
PID 2008 wrote to memory of 2612	2008	cmd.exe	52
PID 2008 wrote to memory of 2612	2008	cmd.exe	52
PID 2008 wrote to memory of 1628	2008	cmd.exe	53
PID 2008 wrote to memory of 1628	2008	cmd.exe	53
PID 2008 wrote to memory of 1628	2008	cmd.exe	53
PID 2008 wrote to memory of 1624	2008	cmd.exe	54
PID 2008 wrote to memory of 1624	2008	cmd.exe	54
PID 2008 wrote to memory of 1624	2008	cmd.exe	54
PID 1624 wrote to memory of 1344	1624	Client.exe	55
PID 1624 wrote to memory of 1344	1624	Client.exe	55
PID 1624 wrote to memory of 1344	1624	Client.exe	55
PID 1624 wrote to memory of 2820	1624	Client.exe	59
PID 1624 wrote to memory of 2820	1624	Client.exe	59
PID 1624 wrote to memory of 2820	1624	Client.exe	59
PID 2820 wrote to memory of 1128	2820	cmd.exe	61
PID 2820 wrote to memory of 1128	2820	cmd.exe	61
PID 2820 wrote to memory of 1128	2820	cmd.exe	61
PID 2820 wrote to memory of 1300	2820	cmd.exe	62
PID 2820 wrote to memory of 1300	2820	cmd.exe	62
PID 2820 wrote to memory of 1300	2820	cmd.exe	62
PID 2820 wrote to memory of 804	2820	cmd.exe	64

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3036
- C:\Windows\system32\SubDir\Client.exe
  "C:\Windows\system32\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2416
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\1X8FB3gbdtSK.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2656
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3040
  - - C:\Windows\system32\SubDir\Client.exe
      "C:\Windows\system32\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2544
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ehL297zatgAB.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:632
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2004
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2388
      - C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1440
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OYF7h5lo7UUt.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1628
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1344
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jVFhzA2rbKSa.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1128
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1300
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:804
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:888
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7EBD6kysVwH3.bat" "
        11⤵
        
        PID:2492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1364
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2972
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3020
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cSqrn5tL5oQs.bat" "
        13⤵
        
        PID:2924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2716
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1452
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2772
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2788
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qRYOW3WQZVBD.bat" "
        15⤵
        
        PID:2544
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2608
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2624
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2024
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YshOIRoKZQr6.bat" "
        17⤵
        
        PID:2032
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:880
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1204
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1340
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\u7Bt0d3VlqOf.bat" "
        19⤵
        
        PID:1344
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2184
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2864
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1016
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\genbGepSWTFP.bat" "
        21⤵
        
        PID:1848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1728
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1368
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1088
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1872
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RPAtF69HoD83.bat" "
        23⤵
        
        PID:1732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1472
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2100
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2352
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2432
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gtIibBvB5V1A.bat" "
        25⤵
        
        PID:1584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:876
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3024

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1X8FB3gbdtSK.bat

Filesize
196B

MD5
4b683fa476b8189320a9621e3f4126e2

SHA1
9c1d852f6f91f737634bf5da1eeb4f9f93fe9c9b

SHA256
f80b418a680427e858ab8f8ac890cbec152d8af8f3a237661d76cd5eaf273e9b

SHA512
d8a1c137336cb3d3d34a7328454f16e0d78d8157200e4800038ebdaaf72f3cdefdc069311f035ed3ace5bf7d196975fbfd22f2bb25135b5f56cfaf39a618d150

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EBD6kysVwH3.bat

Filesize
196B

MD5
07779cee0d88f780a59556499f04d7f6

SHA1
59ce3672563d9a401b92b95399b727299876cef9

SHA256
7cecdf8d326f9385399b3f322612578ab4d43f0b3ae748a89efae9de7ee905c0

SHA512
dde90f5ffda6584aed004e5fd4038f0790ba92b5189127371ecc2ebba7c837b539c136af07f616c43233f139471986a7d7268cf43e0d4bb9d4f2d0267d61f39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYF7h5lo7UUt.bat

Filesize
196B

MD5
1dba4f646aceb7a71c2890d0571b784e

SHA1
2d18406b1b3a23137494a8970973d80dadba3fa6

SHA256
c7b07a0591b23009dba2724b19d8166bdccbf38dec4cc318930d35f2d9479cb7

SHA512
3cb4110d057682b83358d46a805872b8a63f072c7588aeb6b96f96191c9ed523f944ff94cbb042f2667b076f05e1cc7bb49df46b38f952130f99f3c2c91cfc7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RPAtF69HoD83.bat

Filesize
196B

MD5
db17e4e17c2a3dc30a663ab02ba65a2f

SHA1
914292c361b6f4ed5a87f2b71433c123e81a27f3

SHA256
0dd433d59bb371f64e590deb05cd6373e557b5667fde23924055f98b42d18ce0

SHA512
2758db2adeeffb1e541d680c0a506dbe1989f7a26508942de363051637061aaa14606c15232ae946d1727a352b59c795b2485d0c3ba68df707d4f3aa6832d35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YshOIRoKZQr6.bat

Filesize
196B

MD5
59b93a3d3dc9f7be85e340aed126a091

SHA1
83ecfdaba0715d30668731656b98a3179b035755

SHA256
3585450490f1ced3b2817e235197fc363b9f8d627eb5021fde9a93a1e312d047

SHA512
f8bfbb2fb2a04e29dc0f90e11859c90aab275fb411af9096ade910a094aa335835fb13e79414af0c6262b645e86c1fbff92a50e8577064aaf0bb61f924d1129b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cSqrn5tL5oQs.bat

Filesize
196B

MD5
c9428df17555c04ce0f1b8070c950f57

SHA1
0c7a152ee963f9948ae7082b00561d35d8bf1c62

SHA256
225651dcc410ef39c8e735c62181f4abf614b13a11e7caf09c6fed1981ab2fef

SHA512
cc96bc8f47a770edf5e089a48fc1fd81b81f3f644a2ba8fd4a4b2dd48dd196b3fba3bb7f0090560279d2a4d1a77d288dc20358c6053bcde1cd0d0ddeaadf0589

Download Submit
C:\Users\Admin\AppData\Local\Temp\ehL297zatgAB.bat

Filesize
196B

MD5
ecc220afcd3c7f35ea3351d1ec205133

SHA1
b05f4e53a7f9d0773f2cd70cc20ffab2b64e634e

SHA256
e8da30c8dca14673af4a2669401455449416cd847ebce48d77007fdc3173ba48

SHA512
812bb3d4ada66d2eb2dd03581c0a33a52cbaf10c80961f33044a5e4f0c015cd94a517e8f5cfc07d0d07ca251ec665c3e4eaa18cb45b84072a0da5daed15cb8b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\genbGepSWTFP.bat

Filesize
196B

MD5
262e3689fd812e98a07ecb491ab0cb39

SHA1
b3d100208f68ea2c7cce7ffe3b75cf1033397413

SHA256
ffcb359a2e9561b8b5a92cd54ae6c82dd43aca40ecb208d8d8577cbf527ccec0

SHA512
c94eaa16aa4aace72299b86dce964c0fa718278a65f35fcb3d9814c832601314bf2e0e181621b56f327a3601a4626a0f8d134752235a887f1919fa2a78a279d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gtIibBvB5V1A.bat

Filesize
196B

MD5
4fb123ec94533e0415b6c6f86a7e081e

SHA1
1d649c9ae4d86bd7848ca4a62fbd18c3580ba4e6

SHA256
192b89b28980b5ea6b16b18f5ac5a73e6bf14b70a98c35175c599a7fd64062d6

SHA512
ed2f67c6d2a08d75ec7475e392035a2ca10c340573295d6ab871fc71624a582ee4c734b37731bd5ffecf02c41242579189583fb66375e1e05a17c8c476529eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jVFhzA2rbKSa.bat

Filesize
196B

MD5
04774658f4dffe93bf628adfef5f0a2e

SHA1
a41a534772089c085040d396657ce9ff546b4502

SHA256
94bfbbf898371cc618b145b19a63c05ee65049aaa57a04aa5429a129fec8edfa

SHA512
e6ddb27270f3d7d47b923b1c01d7cb5a5be400ca41d547693be31bd828b1a854a02e2a313486f161c69a593333833c29496f03625f72a1b24dba85c0ece4caf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qRYOW3WQZVBD.bat

Filesize
196B

MD5
f3b7c00091516529aee428fea61da93e

SHA1
eee9ee497f2aab8cb89e733ab9f728c0a917083a

SHA256
e0d2ee35e0a637dd99f6628ee59d134749954734f2277b7bec143b4658fc3b0f

SHA512
74e673361870723ac3593026d2b3fa2d6b7664a072e930017bcaf6fb27ef818fb837cd1c773a8ff1239006e49e62640eb08cc8aa59f4d7f006c0b96f46780aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\u7Bt0d3VlqOf.bat

Filesize
196B

MD5
7b8ea89d29e8caf7902561ec04d06b7a

SHA1
9b7e53c3a28fd5e2b4d793f8f4390add1a77b3e2

SHA256
d51faaa55f3d510a3dd12f2ff67fee727e93fed0590653394804046b3b3e6a4a

SHA512
2e70c605c618303dceed08ea6025206d608b4a555e17961fca25b5ee9d646656968fd2a3c8f7b342fa6e0c93454016c3c0fa711afea5f96c97b886b85669d26c

Download Submit
C:\Windows\System32\SubDir\Client.exe

Filesize
3.1MB

MD5
455889b66765b1638dd978a0280f1c7e

SHA1
774c78b88528e366cb46ba6723f7bbc7dbb192c1

SHA256
4ad66f08167a301d51c613fa49c846297787a2fbc57d526c4885b419f61bb78f

SHA512
df5c6d8615e1f41f4d908b62f052805ee8b9dd50d129a9ae2da66888cb60b985a841b00f74090c436e05d6b26672d6fc9957a551cbbf30d91a2af4d5d81e3d3e

Download Submit
memory/964-34-0x00000000003B0000-0x00000000006D4000-memory.dmp

Filesize
3.1MB

Download
memory/1624-46-0x0000000000FF0000-0x0000000001314000-memory.dmp

Filesize
3.1MB

Download
memory/2324-0-0x000007FEF5D03000-0x000007FEF5D04000-memory.dmp

Filesize
4KB

Download
memory/2324-8-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2324-2-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2324-1-0x0000000001080000-0x00000000013A4000-memory.dmp

Filesize
3.1MB

Download
memory/2352-131-0x00000000001B0000-0x00000000004D4000-memory.dmp

Filesize
3.1MB

Download
memory/2720-23-0x0000000000130000-0x0000000000454000-memory.dmp

Filesize
3.1MB

Download
memory/2736-20-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2736-11-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2736-9-0x0000000000800000-0x0000000000B24000-memory.dmp

Filesize
3.1MB

Download
memory/2736-10-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2772-77-0x0000000001120000-0x0000000001444000-memory.dmp

Filesize
3.1MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads