quasar | 4ad66f08167a301d51c613fa49c846297787a2fbc57d526c4885b419f61bb78f

Analysis

max time kernel
145s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

455889b66765b1638dd978a0280f1c7e
SHA1

774c78b88528e366cb46ba6723f7bbc7dbb192c1
SHA256

4ad66f08167a301d51c613fa49c846297787a2fbc57d526c4885b419f61bb78f
SHA512

df5c6d8615e1f41f4d908b62f052805ee8b9dd50d129a9ae2da66888cb60b985a841b00f74090c436e05d6b26672d6fc9957a551cbbf30d91a2af4d5d81e3d3e
SSDEEP

49152:avBt62XlaSFNWPjljiFa2RoUYIWXhymzg8oGd5ZTHHB72eh2NT:avr62XlaSFNWPjljiFXRoUYIWXhnp

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

JJ:4782

192.168.10.1:4782

Mutex

9a10c5be-59aa-4915-9bd2-d92256f2c938

Attributes

encryption_key
83ADBC9532F819159CF9138DCD18B9BF646C2117
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Discord
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 12 IoCs

resource	yara_rule
behavioral1/memory/2244-1-0x0000000001000000-0x0000000001324000-memory.dmp	family_quasar
behavioral1/files/0x000800000001686c-6.dat	family_quasar
behavioral1/memory/2440-9-0x0000000000AE0000-0x0000000000E04000-memory.dmp	family_quasar
behavioral1/memory/2748-23-0x0000000000C50000-0x0000000000F74000-memory.dmp	family_quasar
behavioral1/memory/1532-35-0x00000000003B0000-0x00000000006D4000-memory.dmp	family_quasar
behavioral1/memory/1992-46-0x0000000000A70000-0x0000000000D94000-memory.dmp	family_quasar
behavioral1/memory/924-58-0x0000000000360000-0x0000000000684000-memory.dmp	family_quasar
behavioral1/memory/1288-69-0x0000000000ED0000-0x00000000011F4000-memory.dmp	family_quasar
behavioral1/memory/1608-81-0x00000000002B0000-0x00000000005D4000-memory.dmp	family_quasar
behavioral1/memory/3056-92-0x0000000001270000-0x0000000001594000-memory.dmp	family_quasar
behavioral1/memory/1792-114-0x0000000001320000-0x0000000001644000-memory.dmp	family_quasar
behavioral1/memory/940-135-0x0000000001380000-0x00000000016A4000-memory.dmp	family_quasar

Executes dropped EXE 12 IoCs

pid	Process
2440	Client.exe
2748	Client.exe
1532	Client.exe
1992	Client.exe
924	Client.exe
1288	Client.exe
1608	Client.exe
3056	Client.exe
2736	Client.exe
1792	Client.exe
2856	Client.exe
940	Client.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File created	C:\Windows\system32\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2176	PING.EXE
2212	PING.EXE
2524	PING.EXE
2528	PING.EXE
2484	PING.EXE
580	PING.EXE
3028	PING.EXE
2312	PING.EXE
2852	PING.EXE
1676	PING.EXE
2336	PING.EXE
2544	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
2528	PING.EXE
2484	PING.EXE
3028	PING.EXE
2544	PING.EXE
2312	PING.EXE
2212	PING.EXE
2524	PING.EXE
580	PING.EXE
2336	PING.EXE
2852	PING.EXE
1676	PING.EXE
2176	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1576	schtasks.exe
1920	schtasks.exe
2948	schtasks.exe
2256	schtasks.exe
1044	schtasks.exe
2340	schtasks.exe
2168	schtasks.exe
640	schtasks.exe
2480	schtasks.exe
388	schtasks.exe
2648	schtasks.exe
1932	schtasks.exe
2548	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2244	Client-built.exe
Token: SeDebugPrivilege	2440	Client.exe
Token: SeDebugPrivilege	2748	Client.exe
Token: SeDebugPrivilege	1532	Client.exe
Token: SeDebugPrivilege	1992	Client.exe
Token: SeDebugPrivilege	924	Client.exe
Token: SeDebugPrivilege	1288	Client.exe
Token: SeDebugPrivilege	1608	Client.exe
Token: SeDebugPrivilege	3056	Client.exe
Token: SeDebugPrivilege	2736	Client.exe
Token: SeDebugPrivilege	1792	Client.exe
Token: SeDebugPrivilege	2856	Client.exe
Token: SeDebugPrivilege	940	Client.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2440	Client.exe
2748	Client.exe
1532	Client.exe
1992	Client.exe
924	Client.exe
1288	Client.exe
1608	Client.exe
3056	Client.exe
2736	Client.exe
1792	Client.exe
2856	Client.exe
940	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 388	2244	Client-built.exe	28
PID 2244 wrote to memory of 388	2244	Client-built.exe	28
PID 2244 wrote to memory of 388	2244	Client-built.exe	28
PID 2244 wrote to memory of 2440	2244	Client-built.exe	30
PID 2244 wrote to memory of 2440	2244	Client-built.exe	30
PID 2244 wrote to memory of 2440	2244	Client-built.exe	30
PID 2440 wrote to memory of 2948	2440	Client.exe	31
PID 2440 wrote to memory of 2948	2440	Client.exe	31
PID 2440 wrote to memory of 2948	2440	Client.exe	31
PID 2440 wrote to memory of 2456	2440	Client.exe	33
PID 2440 wrote to memory of 2456	2440	Client.exe	33
PID 2440 wrote to memory of 2456	2440	Client.exe	33
PID 2456 wrote to memory of 2192	2456	cmd.exe	35
PID 2456 wrote to memory of 2192	2456	cmd.exe	35
PID 2456 wrote to memory of 2192	2456	cmd.exe	35
PID 2456 wrote to memory of 3028	2456	cmd.exe	36
PID 2456 wrote to memory of 3028	2456	cmd.exe	36
PID 2456 wrote to memory of 3028	2456	cmd.exe	36
PID 2456 wrote to memory of 2748	2456	cmd.exe	37
PID 2456 wrote to memory of 2748	2456	cmd.exe	37
PID 2456 wrote to memory of 2748	2456	cmd.exe	37
PID 2748 wrote to memory of 2648	2748	Client.exe	38
PID 2748 wrote to memory of 2648	2748	Client.exe	38
PID 2748 wrote to memory of 2648	2748	Client.exe	38
PID 2748 wrote to memory of 2828	2748	Client.exe	40
PID 2748 wrote to memory of 2828	2748	Client.exe	40
PID 2748 wrote to memory of 2828	2748	Client.exe	40
PID 2828 wrote to memory of 2664	2828	cmd.exe	42
PID 2828 wrote to memory of 2664	2828	cmd.exe	42
PID 2828 wrote to memory of 2664	2828	cmd.exe	42
PID 2828 wrote to memory of 2544	2828	cmd.exe	43
PID 2828 wrote to memory of 2544	2828	cmd.exe	43
PID 2828 wrote to memory of 2544	2828	cmd.exe	43
PID 2828 wrote to memory of 1532	2828	cmd.exe	46
PID 2828 wrote to memory of 1532	2828	cmd.exe	46
PID 2828 wrote to memory of 1532	2828	cmd.exe	46
PID 1532 wrote to memory of 1932	1532	Client.exe	47
PID 1532 wrote to memory of 1932	1532	Client.exe	47
PID 1532 wrote to memory of 1932	1532	Client.exe	47
PID 1532 wrote to memory of 864	1532	Client.exe	49
PID 1532 wrote to memory of 864	1532	Client.exe	49
PID 1532 wrote to memory of 864	1532	Client.exe	49
PID 864 wrote to memory of 1716	864	cmd.exe	51
PID 864 wrote to memory of 1716	864	cmd.exe	51
PID 864 wrote to memory of 1716	864	cmd.exe	51
PID 864 wrote to memory of 2312	864	cmd.exe	52
PID 864 wrote to memory of 2312	864	cmd.exe	52
PID 864 wrote to memory of 2312	864	cmd.exe	52
PID 864 wrote to memory of 1992	864	cmd.exe	53
PID 864 wrote to memory of 1992	864	cmd.exe	53
PID 864 wrote to memory of 1992	864	cmd.exe	53
PID 1992 wrote to memory of 2548	1992	Client.exe	54
PID 1992 wrote to memory of 2548	1992	Client.exe	54
PID 1992 wrote to memory of 2548	1992	Client.exe	54
PID 1992 wrote to memory of 2868	1992	Client.exe	56
PID 1992 wrote to memory of 2868	1992	Client.exe	56
PID 1992 wrote to memory of 2868	1992	Client.exe	56
PID 2868 wrote to memory of 1740	2868	cmd.exe	58
PID 2868 wrote to memory of 1740	2868	cmd.exe	58
PID 2868 wrote to memory of 1740	2868	cmd.exe	58
PID 2868 wrote to memory of 2852	2868	cmd.exe	59
PID 2868 wrote to memory of 2852	2868	cmd.exe	59
PID 2868 wrote to memory of 2852	2868	cmd.exe	59
PID 2868 wrote to memory of 924	2868	cmd.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:388
- C:\Windows\system32\SubDir\Client.exe
  "C:\Windows\system32\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2948
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\CuRnacLJFRj2.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2192
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3028
  - - C:\Windows\system32\SubDir\Client.exe
      "C:\Windows\system32\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2648
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ag4B9gs5Tvf0.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2828
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2664
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2544
      - C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1932
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\K206mnKoRBZo.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1716
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2312
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2548
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xvK6oyrdf8mf.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2852
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:924
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2256
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tfzF1cMfVrdF.bat" "
        11⤵
        
        PID:816
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1808
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1676
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1288
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2168
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WhCSudh4U4Lf.bat" "
        13⤵
        
        PID:2120
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2176
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1044
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\k7Zf41UGpagA.bat" "
        15⤵
        
        PID:2960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2212
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3056
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2340
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TvEyautmuR9L.bat" "
        17⤵
        
        PID:2620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2532
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2524
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2736
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1576
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\X0mhIqJd9AnA.bat" "
        19⤵
        
        PID:2324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2528
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1792
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:640
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cwt4aKBKVz24.bat" "
        21⤵
        
        PID:2396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1940
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2484
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2856
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1920
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\okuWzouiyqfl.bat" "
        23⤵
        
        PID:2808
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1688
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:580
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:940
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2480
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\c4qMTfHuGN2x.bat" "
        25⤵
        
        PID:1676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CuRnacLJFRj2.bat

Filesize
196B

MD5
7c58728720955382de2f5f3b8b1c6e6d

SHA1
ed981da6df9cae50bde225b974fc9d13579508c1

SHA256
1cd52aba740ba0c7cfd3849d27a0ab2742fbf2a9ed45e06fd407fe123c7a574c

SHA512
0a04b6124e56e70c347328a27881473b667ff9b10b40f101887bd0dbc7c18039837f6ec08389919149b8d4698c2bacab791ebc4d6400934d5b6c5b51280d693e

Download Submit
C:\Users\Admin\AppData\Local\Temp\K206mnKoRBZo.bat

Filesize
196B

MD5
428b99fb1e1593914ebafd808dd336a2

SHA1
2f2cf85a641d872ff6b0fe87551022b1ab065453

SHA256
2d670e796a8af2110dd0ccbdf111c3b6fbf5dfe81113d6ecfb6df019544ed28c

SHA512
dd26225375e4ec311a5b54b023620838302a52dedfe1a7dc88bc856883fb736294971f4a315bc831b9149fdb8f13b380398aa42d58b67e80497496c70bc4776f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TvEyautmuR9L.bat

Filesize
196B

MD5
bbb2ed7eaa995c55ce71bd3ad6d98b5a

SHA1
e2c5e5b46e7829078ffcd9190680f70cc6914114

SHA256
bcb0b711af4b6864ae5b1c139d1d5b970c168002dbb39253fac99a8de33e96d4

SHA512
7789d1b954e2bb0ef06319f4ac52f5c0a1b9c712693a67609fc2e991c60113dbded543fb5651971ccb946d25ce02d6229df7ce5e540d86410350fd8071a164a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WhCSudh4U4Lf.bat

Filesize
196B

MD5
9e35acf20aa0e0cd2e2511a9fb6d4811

SHA1
391357ae5fdc1c59f36d8d46d3566be7053211fa

SHA256
670cab55d3f47dd8bed828cab363d6e7cc717922a258f2c314daf89350a6dbc6

SHA512
aa865065da29c5362fa63802f1fd35e57efeb753e489acfea2a7ff857e327371c6a8f0a108baae4a8c149723578cbd74d2ead60b00967e24e57016134524d2a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\X0mhIqJd9AnA.bat

Filesize
196B

MD5
47f0f7a54a1f33b59645357df99b30f8

SHA1
80ecd2581cce657d9ea80706db8d7415504f8860

SHA256
d696070e2d22bea3f64ec80bb62d9813e212293dcb779d7a581c917ea705d842

SHA512
d65cc8133fc914ea587dd9d60d38166ab60d37f0d6c36203f0dcef9aadb4ca820cafd3c4cc3dc925447bb0f1d3cb6ff1961d17248701e1ac51b10ca41e633d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\ag4B9gs5Tvf0.bat

Filesize
196B

MD5
6044532a135f08dad08d07ea622720a7

SHA1
630b40252534eae81673547275186038c6a25186

SHA256
c4a77ba1ba0774fa9bca79257247cf011b656ac556d115c8345a594f964a7681

SHA512
28d485e120c2b5955a086e6b135495cd4f6ec981fbbd84189dfe086526640cbcf12b6011f8c8d321703690800d61a55da435f002354f93e5a37f7d1dbc54f8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\c4qMTfHuGN2x.bat

Filesize
196B

MD5
f53d49d3af7bd0051a85a984d7103c2a

SHA1
5b65584af500f3468e7e93009c181d607c179f62

SHA256
099e7306a119da503259af58cded71a51cfdff7b4c6d082c6da62b1d66ea1dbe

SHA512
83ada6fda465c0d37efa5a8be1ebf0e3a3fa79b547b09e324d6b918afc10962f4f192d6f94ce6a70113bd9b5f400eefdfe4ac3219efaaba89f03ac5f7b3c8264

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwt4aKBKVz24.bat

Filesize
196B

MD5
25dd88ac5b3b491c7f90bd310fa91085

SHA1
ede8cd9b9f79ffb2cf96958524e5ea189e187e45

SHA256
53f70c09e7b3b14b731c8d20848c9cf4feab177e1e6575700f4b99772cbb86da

SHA512
170534bbabe3bd01091f10d7d2080bec3401904b839836f308716ed4b42a07c3bc09f193e4f69cea4779b5a2e9f6bbe6fa9133b52f5c70958d6186f5acbd4fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\k7Zf41UGpagA.bat

Filesize
196B

MD5
21af7c1644f81fe74d65be082a327b5b

SHA1
d89f01b594b10e1ccee172d4b67a788108e8eb21

SHA256
f7fc7b71b8f18d0d77b0548e19370438be5548b100b08ad97cd3dfdb1df6fb3a

SHA512
a22e69466793b961173399a0c5dc12ca73d53fde904b5bf07794c15afc114e5a660fd1ddd7dbc6e0dfe38800e5ae79625be693f37d0da45ac927e74fafd639c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\okuWzouiyqfl.bat

Filesize
196B

MD5
87d1aa6e58ca54e74f33cc06c7cc09b5

SHA1
cdac375cdc9141f4b23dbfb3aca271e4f368d96a

SHA256
9e09d6adb06c4b988e9d35fd21d176c09232b8277ccc9f70b60e6fbb35e0a029

SHA512
69a6109a0e7b19403910321db622ccb7a3f0454f6a642d67814a8a19e3456c0857731e808383ba919d974669c650bcec08fdc3995c8e4e8feb35918f770116b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tfzF1cMfVrdF.bat

Filesize
196B

MD5
ca341772ea2bf03b4b1f49bdfe83dfca

SHA1
e740edf9a6241782a7e30eafe27cac89a05aca76

SHA256
723a7e0cead3a94498ec4f948abe4aca73d708c29b422c346c0d76e99ba4ea78

SHA512
c7eb2ee66238f2daf0dd3e29000668aa32935c2a25a031dc2f7eb1d27f8ff6a0588939a6205e2bd9e31af31e457753cf6ad40eef26aa497cae1e6a64301e5b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xvK6oyrdf8mf.bat

Filesize
196B

MD5
5820a3530e21818959a5c551b9fa5e41

SHA1
6c1aa907b3f1af448f4df8d3e216dd2caefe0a39

SHA256
a7d3cb1f4c6bae02a3d63dc210e3eca02adc78c55ebe85790eb60ad63d7cd853

SHA512
3be6af01204a0ac508d42eefb5d27d9e5bce1c27c0ce7efe046240c2ac1cf59e80cac98cd7d1d4bde7048a2c0319c8cdd7b368ed1cebc832a9b95d5dbcd992f4

Download Submit
C:\Windows\System32\SubDir\Client.exe

Filesize
3.1MB

MD5
455889b66765b1638dd978a0280f1c7e

SHA1
774c78b88528e366cb46ba6723f7bbc7dbb192c1

SHA256
4ad66f08167a301d51c613fa49c846297787a2fbc57d526c4885b419f61bb78f

SHA512
df5c6d8615e1f41f4d908b62f052805ee8b9dd50d129a9ae2da66888cb60b985a841b00f74090c436e05d6b26672d6fc9957a551cbbf30d91a2af4d5d81e3d3e

Download Submit
memory/924-58-0x0000000000360000-0x0000000000684000-memory.dmp

Filesize
3.1MB

Download
memory/940-135-0x0000000001380000-0x00000000016A4000-memory.dmp

Filesize
3.1MB

Download
memory/1288-69-0x0000000000ED0000-0x00000000011F4000-memory.dmp

Filesize
3.1MB

Download
memory/1532-35-0x00000000003B0000-0x00000000006D4000-memory.dmp

Filesize
3.1MB

Download
memory/1608-81-0x00000000002B0000-0x00000000005D4000-memory.dmp

Filesize
3.1MB

Download
memory/1792-114-0x0000000001320000-0x0000000001644000-memory.dmp

Filesize
3.1MB

Download
memory/1992-46-0x0000000000A70000-0x0000000000D94000-memory.dmp

Filesize
3.1MB

Download
memory/2244-0-0x000007FEF5C43000-0x000007FEF5C44000-memory.dmp

Filesize
4KB

Download
memory/2244-8-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-2-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-1-0x0000000001000000-0x0000000001324000-memory.dmp

Filesize
3.1MB

Download
memory/2440-21-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2440-11-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2440-9-0x0000000000AE0000-0x0000000000E04000-memory.dmp

Filesize
3.1MB

Download
memory/2440-10-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2748-23-0x0000000000C50000-0x0000000000F74000-memory.dmp

Filesize
3.1MB

Download
memory/3056-92-0x0000000001270000-0x0000000001594000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads