quasar | 3f5ad363ca773fa11543df4a54c4f1b44b19cd1c7eb58a13e1153acd52d523c2

Analysis

max time kernel
146s
max time network
145s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EUPHORIA SPOOFER.exe
Size

3.1MB
MD5

747da4cd939f55760c8f05ac18379274
SHA1

8c97e718177a7ebc5be519416092434b1eb703e0
SHA256

3f5ad363ca773fa11543df4a54c4f1b44b19cd1c7eb58a13e1153acd52d523c2
SHA512

9ce808076587fc6be47d851556cba2336572ca8b971ea65546e0ca6cb6908ca32d73f67a9cd42702bc1dece1e0d4a7f4f1516160f31667016d5a51f7acc8d35f
SSDEEP

49152:SvCY52fyaSZOrPWluWBuGG5g5h5BssdpSLoGdSTHHB72eh2NT:Sv352fyaSZOrPWluWBDG5g5hrsD

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

JJ:4782

Mutex

9a10c5be-59aa-4915-9bd2-d92256f2c938

Attributes

encryption_key
83ADBC9532F819159CF9138DCD18B9BF646C2117
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Discord
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 11 IoCs

resource	yara_rule
behavioral1/memory/376-1-0x00000000013A0000-0x00000000016C4000-memory.dmp	family_quasar
behavioral1/files/0x00060000000186c6-6.dat	family_quasar
behavioral1/memory/2492-43-0x0000000000310000-0x0000000000634000-memory.dmp	family_quasar
behavioral1/memory/2192-56-0x00000000001D0000-0x00000000004F4000-memory.dmp	family_quasar
behavioral1/memory/2544-67-0x0000000000860000-0x0000000000B84000-memory.dmp	family_quasar
behavioral1/memory/992-80-0x0000000000030000-0x0000000000354000-memory.dmp	family_quasar
behavioral1/memory/1604-91-0x0000000000E50000-0x0000000001174000-memory.dmp	family_quasar
behavioral1/memory/2128-104-0x00000000010B0000-0x00000000013D4000-memory.dmp	family_quasar
behavioral1/memory/316-115-0x0000000000220000-0x0000000000544000-memory.dmp	family_quasar
behavioral1/memory/2480-127-0x0000000001280000-0x00000000015A4000-memory.dmp	family_quasar
behavioral1/memory/2232-139-0x00000000012A0000-0x00000000015C4000-memory.dmp	family_quasar

Executes dropped EXE 12 IoCs

pid	Process
1972	Client.exe
2612	Client.exe
1840	Client.exe
2492	Client.exe
2192	Client.exe
2544	Client.exe
992	Client.exe
1604	Client.exe
2128	Client.exe
316	Client.exe
2480	Client.exe
2232	Client.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir\Client.exe	EUPHORIA SPOOFER.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File created	C:\Windows\system32\SubDir\Client.exe	EUPHORIA SPOOFER.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	EUPHORIA SPOOFER.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1392	PING.EXE
3020	PING.EXE
472	PING.EXE
1180	PING.EXE
2008	PING.EXE
2672	PING.EXE
2516	PING.EXE
2264	PING.EXE
1044	PING.EXE
2432	PING.EXE
1432	PING.EXE
3052	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
1392	PING.EXE
3052	PING.EXE
3020	PING.EXE
2516	PING.EXE
1180	PING.EXE
472	PING.EXE
2264	PING.EXE
1044	PING.EXE
2432	PING.EXE
1432	PING.EXE
2008	PING.EXE
2672	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3044	schtasks.exe
2952	schtasks.exe
2828	schtasks.exe
2716	schtasks.exe
2984	schtasks.exe
2320	schtasks.exe
2608	schtasks.exe
1676	schtasks.exe
2408	schtasks.exe
2208	schtasks.exe
2000	schtasks.exe
1876	schtasks.exe
1380	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	376	EUPHORIA SPOOFER.exe
Token: SeDebugPrivilege	1972	Client.exe
Token: SeDebugPrivilege	2612	Client.exe
Token: SeDebugPrivilege	1840	Client.exe
Token: SeDebugPrivilege	2492	Client.exe
Token: SeDebugPrivilege	2192	Client.exe
Token: SeDebugPrivilege	2544	Client.exe
Token: SeDebugPrivilege	992	Client.exe
Token: SeDebugPrivilege	1604	Client.exe
Token: SeDebugPrivilege	2128	Client.exe
Token: SeDebugPrivilege	316	Client.exe
Token: SeDebugPrivilege	2480	Client.exe
Token: SeDebugPrivilege	2232	Client.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
1972	Client.exe
2612	Client.exe
1840	Client.exe
2492	Client.exe
2192	Client.exe
2544	Client.exe
992	Client.exe
1604	Client.exe
2128	Client.exe
316	Client.exe
2480	Client.exe
2232	Client.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1972	Client.exe
2612	Client.exe
1840	Client.exe
2492	Client.exe
2192	Client.exe
2544	Client.exe
992	Client.exe
1604	Client.exe
2128	Client.exe
316	Client.exe
2480	Client.exe
2232	Client.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1972	Client.exe
2612	Client.exe
1840	Client.exe
2492	Client.exe
2192	Client.exe
2544	Client.exe
992	Client.exe
1604	Client.exe
2128	Client.exe
316	Client.exe
2480	Client.exe
2232	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 2952	376	EUPHORIA SPOOFER.exe	30
PID 376 wrote to memory of 2952	376	EUPHORIA SPOOFER.exe	30
PID 376 wrote to memory of 2952	376	EUPHORIA SPOOFER.exe	30
PID 376 wrote to memory of 1972	376	EUPHORIA SPOOFER.exe	32
PID 376 wrote to memory of 1972	376	EUPHORIA SPOOFER.exe	32
PID 376 wrote to memory of 1972	376	EUPHORIA SPOOFER.exe	32
PID 1972 wrote to memory of 2828	1972	Client.exe	33
PID 1972 wrote to memory of 2828	1972	Client.exe	33
PID 1972 wrote to memory of 2828	1972	Client.exe	33
PID 1972 wrote to memory of 2632	1972	Client.exe	35
PID 1972 wrote to memory of 2632	1972	Client.exe	35
PID 1972 wrote to memory of 2632	1972	Client.exe	35
PID 2632 wrote to memory of 2128	2632	cmd.exe	37
PID 2632 wrote to memory of 2128	2632	cmd.exe	37
PID 2632 wrote to memory of 2128	2632	cmd.exe	37
PID 2632 wrote to memory of 2264	2632	cmd.exe	38
PID 2632 wrote to memory of 2264	2632	cmd.exe	38
PID 2632 wrote to memory of 2264	2632	cmd.exe	38
PID 2632 wrote to memory of 2612	2632	cmd.exe	39
PID 2632 wrote to memory of 2612	2632	cmd.exe	39
PID 2632 wrote to memory of 2612	2632	cmd.exe	39
PID 2612 wrote to memory of 2716	2612	Client.exe	40
PID 2612 wrote to memory of 2716	2612	Client.exe	40
PID 2612 wrote to memory of 2716	2612	Client.exe	40
PID 2612 wrote to memory of 1032	2612	Client.exe	42
PID 2612 wrote to memory of 1032	2612	Client.exe	42
PID 2612 wrote to memory of 1032	2612	Client.exe	42
PID 1032 wrote to memory of 1672	1032	cmd.exe	44
PID 1032 wrote to memory of 1672	1032	cmd.exe	44
PID 1032 wrote to memory of 1672	1032	cmd.exe	44
PID 1032 wrote to memory of 1044	1032	cmd.exe	45
PID 1032 wrote to memory of 1044	1032	cmd.exe	45
PID 1032 wrote to memory of 1044	1032	cmd.exe	45
PID 1032 wrote to memory of 1840	1032	cmd.exe	46
PID 1032 wrote to memory of 1840	1032	cmd.exe	46
PID 1032 wrote to memory of 1840	1032	cmd.exe	46
PID 1840 wrote to memory of 2408	1840	Client.exe	47
PID 1840 wrote to memory of 2408	1840	Client.exe	47
PID 1840 wrote to memory of 2408	1840	Client.exe	47
PID 1840 wrote to memory of 2080	1840	Client.exe	49
PID 1840 wrote to memory of 2080	1840	Client.exe	49
PID 1840 wrote to memory of 2080	1840	Client.exe	49
PID 2080 wrote to memory of 2256	2080	cmd.exe	51
PID 2080 wrote to memory of 2256	2080	cmd.exe	51
PID 2080 wrote to memory of 2256	2080	cmd.exe	51
PID 2080 wrote to memory of 1392	2080	cmd.exe	52
PID 2080 wrote to memory of 1392	2080	cmd.exe	52
PID 2080 wrote to memory of 1392	2080	cmd.exe	52
PID 2080 wrote to memory of 2492	2080	cmd.exe	53
PID 2080 wrote to memory of 2492	2080	cmd.exe	53
PID 2080 wrote to memory of 2492	2080	cmd.exe	53
PID 2492 wrote to memory of 2984	2492	Client.exe	54
PID 2492 wrote to memory of 2984	2492	Client.exe	54
PID 2492 wrote to memory of 2984	2492	Client.exe	54
PID 2492 wrote to memory of 2148	2492	Client.exe	56
PID 2492 wrote to memory of 2148	2492	Client.exe	56
PID 2492 wrote to memory of 2148	2492	Client.exe	56
PID 2148 wrote to memory of 2024	2148	cmd.exe	58
PID 2148 wrote to memory of 2024	2148	cmd.exe	58
PID 2148 wrote to memory of 2024	2148	cmd.exe	58
PID 2148 wrote to memory of 2432	2148	cmd.exe	59
PID 2148 wrote to memory of 2432	2148	cmd.exe	59
PID 2148 wrote to memory of 2432	2148	cmd.exe	59
PID 2148 wrote to memory of 2192	2148	cmd.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\EUPHORIA SPOOFER.exe
"C:\Users\Admin\AppData\Local\Temp\EUPHORIA SPOOFER.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:376
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2952
- C:\Windows\system32\SubDir\Client.exe
  "C:\Windows\system32\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2828
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\bJ2Jbr4DzKbf.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2128
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2264
  - - C:\Windows\system32\SubDir\Client.exe
      "C:\Windows\system32\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2716
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Hn7FDMxUNgIk.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1032
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1672
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1044
      - C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2408
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HGCipRGSWPBr.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2256
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1392
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2984
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UM4mMU9A8Ljf.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2432
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2192
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2208
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gv2Tiu4tbaP5.bat" "
        11⤵
        
        PID:632
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1432
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2544
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2000
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YIwNFqrMqMRz.bat" "
        13⤵
        
        PID:604
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1080
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3052
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:992
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1876
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YnJINjlg0aVW.bat" "
        15⤵
        
        PID:1996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1072
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2008
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1604
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2320
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\B75CyNvv0C52.bat" "
        17⤵
        
        PID:2136
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2816
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3020
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2128
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2608
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zg7fWjIFs3Nz.bat" "
        19⤵
        
        PID:2648
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2660
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2672
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:316
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1676
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8njbT97Uiwnd.bat" "
        21⤵
        
        PID:2324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2280
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2516
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2480
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1380
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8B3Jw6fv5b3B.bat" "
        23⤵
        
        PID:2980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:472
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2232
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3044
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sWsOwTm1YHNj.bat" "
        25⤵
        
        PID:2448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1272
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8B3Jw6fv5b3B.bat

Filesize
196B

MD5
a930ff23dce81c4c31d1d03a7efbbc97

SHA1
5ee6acbace7a173796101fbac9befe9673077cf1

SHA256
8eab2b78561fda292f5d5d110451ffef8925689b34142b1e9740ebe09834ff2c

SHA512
b4c354c7fa5600aaf9d842ff73d20672521cd5af404967e380e49d8c32a42916a08f81e3214379368532f776192c1959bf34d0e7642363b7477b8f67c29b8a62

Download Submit
C:\Users\Admin\AppData\Local\Temp\8njbT97Uiwnd.bat

Filesize
196B

MD5
0a08fc316edfaeca77cd440b82991194

SHA1
416207bbe6c1435300b1b067f36eb98efddd15aa

SHA256
42ba03f79c8f8e50307f8169f0e13abda6ba9dd029863aec30baafb48591761e

SHA512
e716823214a0cfe853be991a2e78636d15078b39141dcf65a37eb249c4ddbae91bc2ebb9390a59a87c666dcdccc4ce51bbce432627cf3f09e4209b8a82d0354b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B75CyNvv0C52.bat

Filesize
196B

MD5
2ab0f7b5052ed10ddff32dc5d38c3827

SHA1
725fb86009ed6758ec064c1de84c127023802b13

SHA256
5dc5dc7e8a4f16c83c518bef3fc231473e80b537d6f7e0577c7dc66435f1c3dd

SHA512
8e33549cae21d612d7ebf8dc18c03e161d7eec4e930dc748c4028c16a8d64dfc627c22ed444ed21345898b62fb71eb4ad0c71ccb28ffe482f6df29959a48504b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HGCipRGSWPBr.bat

Filesize
196B

MD5
b5d6a4f323ebf06313ce276101c9c389

SHA1
d54f9b0c1484bfa30702e37783e722a24e145284

SHA256
c1d8c0c0299b2e512c67ed19654c6a1c067b370c8c1b96f939b4a82a6c2f27c1

SHA512
a91873b9a2aa204a23575a4d9bd478be573f087de85b226203706ef4879e2586e571500f36cf617b7c4a32adb0379f2532567708cd0ec4faa5f3a244e5c4a2b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hn7FDMxUNgIk.bat

Filesize
196B

MD5
a0159c478e001a08858a8640a980457a

SHA1
baf8d4a867aa7db5e39d245a4f5adfd4ae6536ba

SHA256
ae2ecd2bc8bebfc19ff14a424006353d52c184fa04143e74086ac6722f94c200

SHA512
5112e38453dceab1e40cb7e1486abb82df313b3b89e7edd20b1862d81c72ba84817ad9074b432077eac32edb5b2fb9199a1c40c61b5ceda0adbf8b5bd40aca15

Download Submit
C:\Users\Admin\AppData\Local\Temp\UM4mMU9A8Ljf.bat

Filesize
196B

MD5
8d31ad48d3b5d82561943c178b5774ee

SHA1
c7044548a24802d6406f1c7b47eaa34c5d4a509e

SHA256
b2091676df50b2bd884e94554806c8f71df4f5ba7ec2ef261d1ee6620c9773e1

SHA512
4abdaf2a13e680158a86d4e0d270417687db25f91c0a47c95c1a97f96c6dfdcea1358948c6441701ca0e20675949a1f3da1d80f550c28f70abe5be1b3d8723cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIwNFqrMqMRz.bat

Filesize
196B

MD5
1d586abdb956c79407c038e6884c5f64

SHA1
a95201eb5f2ea027f42a358db6c5fdb3db377c7d

SHA256
ee0a6f8e9dfe7124e5b8e140869ba896f1c8a2bd10f3d2023d8eaee5caa78532

SHA512
f289e90969519fc7a833c6e7d734e9aeda10233f5abfab46591e20c4f8545ae6c7360938f7f0af0f233291efd47e5dbfdd9c1e541fe5836807aa3352641a0a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\YnJINjlg0aVW.bat

Filesize
196B

MD5
246d9af0a83b72336d1e6a9c0ae9cd6b

SHA1
c8cc9716cd0390ba4dfd865ca978940192020b21

SHA256
ace93da167be80cc7065239ad8aad89fef33f10eb83f74488916ec93d3631e39

SHA512
446beafbf69301db9df1947125f2767d713486254bab6f0708a142d4956f9b3127e7571c6cd54b1e7677a4ee1d6849d71d89bf6f5cd779ea1b48a4ed433b0c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\bJ2Jbr4DzKbf.bat

Filesize
196B

MD5
112e2abc24824cbe31159396bbd51ef5

SHA1
7acd5630c812950417cbed0994a530a119cd459f

SHA256
a10247da1e9f671f7a15b98ba7538dc345959079f3e62bd3ba1113b3915bbd5d

SHA512
10cee2b18582c73c90fb550cc2860aa154c21bf42a41d3f6a4c5987e2b1bb5dda53447f1dcfe1b0fdfcb6df1a7e6f2f1462e838509bcb6b9abd40acbc80f8769

Download Submit
C:\Users\Admin\AppData\Local\Temp\gv2Tiu4tbaP5.bat

Filesize
196B

MD5
77cf86a84087afa3642dd46c3d53c872

SHA1
003b21b1b848bbb1912f11c0acc2dc79776e977d

SHA256
b00aadf2e879f1db5eea7e1a507b970545625bf00076c3f6659793136314d3c1

SHA512
59e416d5b99677f59b774211738c8a232bd0842d9a1ed2750355ab7b470c8c42c59265243b3e1b33bedf17ed3329cfd78ddcaae3217c3cf16d6bc933823db9b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWsOwTm1YHNj.bat

Filesize
196B

MD5
e15fc083fae7a99b4ce5d9158a036f70

SHA1
6e74eb2c58d06e515e803592643971f58e27747c

SHA256
9be0b4cfe8a9712c8cddde86398c5694e4199ff8ceb5689f3b12157e99690b3c

SHA512
bcaf2a869faac776fbec46bd981881e55e9adf2841eb2419bbf92b019517710e27eef43c22b03ed7d96b7028c4c8b9f5379ad83cf5b3a45d4387129c9e8a2964

Download Submit
C:\Users\Admin\AppData\Local\Temp\zg7fWjIFs3Nz.bat

Filesize
196B

MD5
144342c132aac68025e166a02d8f4eda

SHA1
e32714fc93373f38cabfe73c64476f45ad6c203b

SHA256
b5cba3d14aa76d12e4c36fb44a6c1e0a62d54f5d90f6009e7e7459b0760f3999

SHA512
ebb7607766cfa3d8b1354a2c4d8aa799e3cd1dd7cd21975e3656412525907aac1f63d35aa9780bbf833b6f366d488cde26e44b96dd2596a76585343802491bd1

Download Submit
C:\Windows\System32\SubDir\Client.exe

Filesize
3.1MB

MD5
747da4cd939f55760c8f05ac18379274

SHA1
8c97e718177a7ebc5be519416092434b1eb703e0

SHA256
3f5ad363ca773fa11543df4a54c4f1b44b19cd1c7eb58a13e1153acd52d523c2

SHA512
9ce808076587fc6be47d851556cba2336572ca8b971ea65546e0ca6cb6908ca32d73f67a9cd42702bc1dece1e0d4a7f4f1516160f31667016d5a51f7acc8d35f

Download Submit
memory/316-115-0x0000000000220000-0x0000000000544000-memory.dmp

Filesize
3.1MB

Download
memory/376-0-0x000007FEF5F73000-0x000007FEF5F74000-memory.dmp

Filesize
4KB

Download
memory/376-1-0x00000000013A0000-0x00000000016C4000-memory.dmp

Filesize
3.1MB

Download
memory/376-8-0x000007FEF5F70000-0x000007FEF695C000-memory.dmp

Filesize
9.9MB

Download
memory/376-2-0x000007FEF5F70000-0x000007FEF695C000-memory.dmp

Filesize
9.9MB

Download
memory/992-80-0x0000000000030000-0x0000000000354000-memory.dmp

Filesize
3.1MB

Download
memory/1604-91-0x0000000000E50000-0x0000000001174000-memory.dmp

Filesize
3.1MB

Download
memory/1972-10-0x000007FEF5F70000-0x000007FEF695C000-memory.dmp

Filesize
9.9MB

Download
memory/1972-9-0x000007FEF5F70000-0x000007FEF695C000-memory.dmp

Filesize
9.9MB

Download
memory/1972-19-0x000007FEF5F70000-0x000007FEF695C000-memory.dmp

Filesize
9.9MB

Download
memory/2128-104-0x00000000010B0000-0x00000000013D4000-memory.dmp

Filesize
3.1MB

Download
memory/2192-56-0x00000000001D0000-0x00000000004F4000-memory.dmp

Filesize
3.1MB

Download
memory/2232-139-0x00000000012A0000-0x00000000015C4000-memory.dmp

Filesize
3.1MB

Download
memory/2480-127-0x0000000001280000-0x00000000015A4000-memory.dmp

Filesize
3.1MB

Download
memory/2492-43-0x0000000000310000-0x0000000000634000-memory.dmp

Filesize
3.1MB

Download
memory/2544-67-0x0000000000860000-0x0000000000B84000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads