quasar | 4ad66f08167a301d51c613fa49c846297787a2fbc57d526c4885b419f61bb78f

Resubmissions

22-12-2024 02:36

241222-c3x8xsznby 10

22-12-2024 02:36

241222-c3ndqazna1 10

22-12-2024 02:34

241222-c2nyvszpek 10

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

455889b66765b1638dd978a0280f1c7e
SHA1

774c78b88528e366cb46ba6723f7bbc7dbb192c1
SHA256

4ad66f08167a301d51c613fa49c846297787a2fbc57d526c4885b419f61bb78f
SHA512

df5c6d8615e1f41f4d908b62f052805ee8b9dd50d129a9ae2da66888cb60b985a841b00f74090c436e05d6b26672d6fc9957a551cbbf30d91a2af4d5d81e3d3e
SSDEEP

49152:avBt62XlaSFNWPjljiFa2RoUYIWXhymzg8oGd5ZTHHB72eh2NT:avr62XlaSFNWPjljiFXRoUYIWXhnp

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

JJ:4782

192.168.10.1:4782

Mutex

9a10c5be-59aa-4915-9bd2-d92256f2c938

Attributes

encryption_key
83ADBC9532F819159CF9138DCD18B9BF646C2117
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Discord
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/4808-1-0x0000000000050000-0x0000000000374000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023cab-6.dat	family_quasar

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 12 IoCs

pid	Process
2084	Client.exe
2328	Client.exe
3948	Client.exe
3272	Client.exe
3572	Client.exe
2684	Client.exe
2928	Client.exe
768	Client.exe
1996	Client.exe
1380	Client.exe
4716	Client.exe
816	Client.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File created	C:\Windows\system32\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1988	PING.EXE
5112	PING.EXE
2528	PING.EXE
2920	PING.EXE
4600	PING.EXE
1244	PING.EXE
1016	PING.EXE
3216	PING.EXE
4436	PING.EXE
4756	PING.EXE
2400	PING.EXE
4256	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
4756	PING.EXE
1016	PING.EXE
2400	PING.EXE
2920	PING.EXE
4436	PING.EXE
3216	PING.EXE
2528	PING.EXE
4600	PING.EXE
1244	PING.EXE
1988	PING.EXE
4256	PING.EXE
5112	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1484	schtasks.exe
3020	schtasks.exe
432	schtasks.exe
3728	schtasks.exe
2036	schtasks.exe
5044	schtasks.exe
4280	schtasks.exe
4044	schtasks.exe
1924	schtasks.exe
2812	schtasks.exe
4808	schtasks.exe
1788	schtasks.exe
408	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	4808	Client-built.exe
Token: SeDebugPrivilege	2084	Client.exe
Token: SeDebugPrivilege	2328	Client.exe
Token: SeDebugPrivilege	3948	Client.exe
Token: SeDebugPrivilege	3272	Client.exe
Token: SeDebugPrivilege	3572	Client.exe
Token: SeDebugPrivilege	2684	Client.exe
Token: SeDebugPrivilege	2928	Client.exe
Token: SeDebugPrivilege	768	Client.exe
Token: SeDebugPrivilege	1996	Client.exe
Token: SeDebugPrivilege	1380	Client.exe
Token: SeDebugPrivilege	4716	Client.exe
Token: SeDebugPrivilege	816	Client.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2084	Client.exe
2328	Client.exe
3948	Client.exe
3272	Client.exe
3572	Client.exe
2684	Client.exe
2928	Client.exe
768	Client.exe
1996	Client.exe
1380	Client.exe
4716	Client.exe
816	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 1788	4808	Client-built.exe	83
PID 4808 wrote to memory of 1788	4808	Client-built.exe	83
PID 4808 wrote to memory of 2084	4808	Client-built.exe	85
PID 4808 wrote to memory of 2084	4808	Client-built.exe	85
PID 2084 wrote to memory of 2036	2084	Client.exe	86
PID 2084 wrote to memory of 2036	2084	Client.exe	86
PID 2084 wrote to memory of 2880	2084	Client.exe	89
PID 2084 wrote to memory of 2880	2084	Client.exe	89
PID 2880 wrote to memory of 2212	2880	cmd.exe	91
PID 2880 wrote to memory of 2212	2880	cmd.exe	91
PID 2880 wrote to memory of 1244	2880	cmd.exe	92
PID 2880 wrote to memory of 1244	2880	cmd.exe	92
PID 2880 wrote to memory of 2328	2880	cmd.exe	103
PID 2880 wrote to memory of 2328	2880	cmd.exe	103
PID 2328 wrote to memory of 408	2328	Client.exe	107
PID 2328 wrote to memory of 408	2328	Client.exe	107
PID 2328 wrote to memory of 2472	2328	Client.exe	109
PID 2328 wrote to memory of 2472	2328	Client.exe	109
PID 2472 wrote to memory of 1568	2472	cmd.exe	111
PID 2472 wrote to memory of 1568	2472	cmd.exe	111
PID 2472 wrote to memory of 1016	2472	cmd.exe	112
PID 2472 wrote to memory of 1016	2472	cmd.exe	112
PID 2472 wrote to memory of 3948	2472	cmd.exe	114
PID 2472 wrote to memory of 3948	2472	cmd.exe	114
PID 3948 wrote to memory of 5044	3948	Client.exe	115
PID 3948 wrote to memory of 5044	3948	Client.exe	115
PID 3948 wrote to memory of 768	3948	Client.exe	120
PID 3948 wrote to memory of 768	3948	Client.exe	120
PID 768 wrote to memory of 1452	768	cmd.exe	122
PID 768 wrote to memory of 1452	768	cmd.exe	122
PID 768 wrote to memory of 1988	768	cmd.exe	123
PID 768 wrote to memory of 1988	768	cmd.exe	123
PID 768 wrote to memory of 3272	768	cmd.exe	126
PID 768 wrote to memory of 3272	768	cmd.exe	126
PID 3272 wrote to memory of 4280	3272	Client.exe	127
PID 3272 wrote to memory of 4280	3272	Client.exe	127
PID 3272 wrote to memory of 772	3272	Client.exe	130
PID 3272 wrote to memory of 772	3272	Client.exe	130
PID 772 wrote to memory of 4108	772	cmd.exe	132
PID 772 wrote to memory of 4108	772	cmd.exe	132
PID 772 wrote to memory of 2400	772	cmd.exe	133
PID 772 wrote to memory of 2400	772	cmd.exe	133
PID 772 wrote to memory of 3572	772	cmd.exe	135
PID 772 wrote to memory of 3572	772	cmd.exe	135
PID 3572 wrote to memory of 1484	3572	Client.exe	136
PID 3572 wrote to memory of 1484	3572	Client.exe	136
PID 3572 wrote to memory of 1524	3572	Client.exe	139
PID 3572 wrote to memory of 1524	3572	Client.exe	139
PID 1524 wrote to memory of 4816	1524	cmd.exe	141
PID 1524 wrote to memory of 4816	1524	cmd.exe	141
PID 1524 wrote to memory of 4256	1524	cmd.exe	142
PID 1524 wrote to memory of 4256	1524	cmd.exe	142
PID 1524 wrote to memory of 2684	1524	cmd.exe	145
PID 1524 wrote to memory of 2684	1524	cmd.exe	145
PID 2684 wrote to memory of 4044	2684	Client.exe	146
PID 2684 wrote to memory of 4044	2684	Client.exe	146
PID 2684 wrote to memory of 1016	2684	Client.exe	149
PID 2684 wrote to memory of 1016	2684	Client.exe	149
PID 1016 wrote to memory of 4480	1016	cmd.exe	151
PID 1016 wrote to memory of 4480	1016	cmd.exe	151
PID 1016 wrote to memory of 5112	1016	cmd.exe	152
PID 1016 wrote to memory of 5112	1016	cmd.exe	152
PID 1016 wrote to memory of 2928	1016	cmd.exe	154
PID 1016 wrote to memory of 2928	1016	cmd.exe	154

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1788
- C:\Windows\system32\SubDir\Client.exe
  "C:\Windows\system32\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSd3ShrCMK7H.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2212
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1244
  - - C:\Windows\system32\SubDir\Client.exe
      "C:\Windows\system32\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2328
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:408
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\j51H2hvWxa2Y.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2472
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1568
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1016
      - C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C1Jy2t9NhwRb.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1452
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1988
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4280
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\obmnQt8UondW.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2400
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r3CTaKEdzj43.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4816
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4256
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2Ghmxui7KhIq.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5112
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2928
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pady0rwOHHVg.bat" "
        15⤵
        
        PID:1452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3216
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:768
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0cM5zdWYbfR5.bat" "
        17⤵
        
        PID:5016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3628
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2528
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HOwXIa4LoA1Y.bat" "
        19⤵
        
        PID:3504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2880
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2920
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1380
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9lnYEWr4xC7v.bat" "
        21⤵
        
        PID:4796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3076
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4436
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4716
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mfG2sysqzHql.bat" "
        23⤵
        
        PID:672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4948
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4600
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:816
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMYCzh71rkw2.bat" "
        25⤵
        
        PID:3216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3324
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cM5zdWYbfR5.bat

Filesize
196B

MD5
5d7452f091fa74d09876f5521e7c1bee

SHA1
4e28432d764314fcae7e95bdf2abb3a842b2ec21

SHA256
acd797e4e586397d9d9acb1547feed0d38d42238da84a135578084d6962abe77

SHA512
d413242b64fc32840e50a9ba447c8da3527f77c5739f7e8fefbe741c5d6f489efb51b1c823484a57af3b58ca7326288c985b9fb1785b8decb6b25c49226703cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Ghmxui7KhIq.bat

Filesize
196B

MD5
dcec5684212f661b64320ae69f1c2e12

SHA1
e799165db7c4d381477aebe407e188eadce12142

SHA256
514af69c9972b52049aeda231aa1d426d0493e710438baf2fd1a92651fb55436

SHA512
dafc4adbbad6329e6c33f0a4cda4fd866db1f680f94fe995141e21c6592d46b6061d2db96e08675e35a4fcf3a6f40b02ad2c6abdb5551b00578f1d24466425c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9lnYEWr4xC7v.bat

Filesize
196B

MD5
f5db81cc68a7a412a19b8bafc463b084

SHA1
d8ab78bb9c869b3df7ca7809ee1064919f665601

SHA256
5c664d43eb7152338a034346a7e8998483b7c676d09803aff93286eedaf792fc

SHA512
58adfe4f71d90a036b0defd7fe772fb043fca9a75e5d4f889137f95cac13e325862a4ee8639909c7ddfb89475cbc6a79f1349e05df2af43b46a3f9f05f0fe865

Download Submit
C:\Users\Admin\AppData\Local\Temp\C1Jy2t9NhwRb.bat

Filesize
196B

MD5
b0b55290a64468571636e1d71a5a9dfa

SHA1
cdb628be13a6bbbbeefad9bd4f8a14ced17a8ecf

SHA256
e07c0d66be6a316d3ac5b4602b82c098690a4c83bc25ec9e4fef24cfe0c5399a

SHA512
3ca603a1d5a23d5b5efe2a75fcd2ca0c687eaa69641d75082580cd4114df2206769377a6b8f176ef7bbe00c1b626fdf00ab3646619bf8e81c1ade04395cab08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMYCzh71rkw2.bat

Filesize
196B

MD5
72f25e47587fac14e416d12f3d4c1394

SHA1
23693b49724ab7ffc47e8e4da1103e313f2aaf0e

SHA256
528bda5118fee6ad2ed193688b13bb73dca2b7f5b113310efa1d7eaaf92b08c9

SHA512
987634a964b2e196385edc486a9e6aae71bd536a9e77cfe5ce2a0cd089b930633b730f6df3ce3b52e5e0f4ae99a37ba3cf239c1aa0e39de505792cebe33b62c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HOwXIa4LoA1Y.bat

Filesize
196B

MD5
86bbe86932e5940312e1c630904a7339

SHA1
099c9e97c5fb63e2f72265825434aa574dcd3d23

SHA256
d72078b7db895e207e9e1900e82135ef681762650e30d8cd43bbd830801c2c88

SHA512
ec7d81f4a8556097324fb9fa532c70d55fcd67a2e957c6206f5f8a8675959f4cf7f6aad1b81f9d46e50e199a375e25456541705f2a86cfda6214e4b21b5d7ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hSd3ShrCMK7H.bat

Filesize
196B

MD5
e6c98874e290c3de9c6546731cda3a8f

SHA1
a80d2bab2aefbb9c61abab66a493bf8f913d205e

SHA256
15dca67e14fae61d0576f903a234403cebc9bb4f722309df87eaa5364deaad09

SHA512
9ecdd10b0728a6beee9dc6963151020996ec35f2bc6cbeb994a474d01d830a9352be140bd15c022eaa64eeedc6ab125db73289b4e27c49309808d0d254f9aaf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\j51H2hvWxa2Y.bat

Filesize
196B

MD5
c38e0679a7588adc698f3c9ad94945b6

SHA1
691f67c5e3e3a2ba064170be67010b085d030c04

SHA256
b230d07f3f46c302a7fbbe3b875eba116318f5c70d2f3af9b4d7fe9adf2b91b5

SHA512
6fedad9cc05f56e58f24e283db324b6ebafa003bc0fe4003a0b2e9749dc425173ecb1aaa8f614118e79996e1ec8cb4ddc03058d492397fa727a590d27116733a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mfG2sysqzHql.bat

Filesize
196B

MD5
93f8ab29953dd72f9f2fb478e88cc8d0

SHA1
a65dafb00e8646bf80c45882760ff94f7df0ddcb

SHA256
93e88e505bc331c70d41abfab8e537249c09f20f6e5518e5cc5485814d1709b8

SHA512
ced1979fa965c3401108ededd62e43eb2fa704263dd1ebe5cb6df5d888adba83b1bbd82debc7661486c7c7a4d132f205bd47bc5063f45e0a28dadcf872a09107

Download Submit
C:\Users\Admin\AppData\Local\Temp\obmnQt8UondW.bat

Filesize
196B

MD5
cb9865c5ff3c7862d60075996c4b4804

SHA1
b98796cc40438c74e5153362a400a7e23e4fa09f

SHA256
23aaeb30a9ad12e3fdd69051b7b46bb46828a698f07fc92051d9321720e54d2e

SHA512
e69716d220660baa4a2105f52f57f1f9cd605f63a84262433f2c772cd1a842442702362d0383e00cbd5eddfdb56ec5d36d9a0427a9709085ce9d8d0a9b7a0954

Download Submit
C:\Users\Admin\AppData\Local\Temp\pady0rwOHHVg.bat

Filesize
196B

MD5
06108f305f06766452fb350ce679eb25

SHA1
872d17f2fc5ab6bc13cf811b5f404a08d6e595fd

SHA256
4398b05e212a4f534df5dd664a2a6a699207f9dda249c2c84eacb855ba1c7da7

SHA512
0625d41cc7640acbbd6a2646273891d531691609b5ee958abe320744d8ae80a493ca363e73553699730c78cff41756e89c7ad59804557aa852f782c4edb43108

Download Submit
C:\Users\Admin\AppData\Local\Temp\r3CTaKEdzj43.bat

Filesize
196B

MD5
15d98981a4ae6ac7b858ae4154c57271

SHA1
0183c02ba117d25af4b5273bca975e369bc01e56

SHA256
8c798ee6b973833618c045d32022e48eec62834d737636aec55706dc01c2bedd

SHA512
b9c275a8583e03f9163fe74cfbc46ce66221434f0fc94e635f28c42dfc9610f4926604664ba03f8e1f272246dffa64f409fd3447174bce64d0cbdfbd5790873a

Download Submit
C:\Windows\System32\SubDir\Client.exe

Filesize
3.1MB

MD5
455889b66765b1638dd978a0280f1c7e

SHA1
774c78b88528e366cb46ba6723f7bbc7dbb192c1

SHA256
4ad66f08167a301d51c613fa49c846297787a2fbc57d526c4885b419f61bb78f

SHA512
df5c6d8615e1f41f4d908b62f052805ee8b9dd50d129a9ae2da66888cb60b985a841b00f74090c436e05d6b26672d6fc9957a551cbbf30d91a2af4d5d81e3d3e

Download Submit
memory/2084-18-0x00007FFFFE6F0000-0x00007FFFFF1B1000-memory.dmp

Filesize
10.8MB

Download
memory/2084-13-0x000000001BE10000-0x000000001BEC2000-memory.dmp

Filesize
712KB

Download
memory/2084-12-0x000000001B450000-0x000000001B4A0000-memory.dmp

Filesize
320KB

Download
memory/2084-11-0x00007FFFFE6F0000-0x00007FFFFF1B1000-memory.dmp

Filesize
10.8MB

Download
memory/2084-10-0x00007FFFFE6F0000-0x00007FFFFF1B1000-memory.dmp

Filesize
10.8MB

Download
memory/4808-0-0x00007FFFFE6F3000-0x00007FFFFE6F5000-memory.dmp

Filesize
8KB

Download
memory/4808-9-0x00007FFFFE6F0000-0x00007FFFFF1B1000-memory.dmp

Filesize
10.8MB

Download
memory/4808-2-0x00007FFFFE6F0000-0x00007FFFFF1B1000-memory.dmp

Filesize
10.8MB

Download
memory/4808-1-0x0000000000050000-0x0000000000374000-memory.dmp

Filesize
3.1MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads