quasar | bfb28a852b12a795fb4d21fbe2b2f4c56e9742cbeace1cf9564b97bda1d08e55

Analysis

max time kernel
146s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-12-2024 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfb28a852b12a795fb4d21fbe2b2f4c56e9742cbeace1cf9564b97bda1d08e55.exe
Size

3.1MB
MD5

972d7bcd3eb4daaa0ef69215d91e41d9
SHA1

d3bcc25f8585405642a113ae6bae503648a765a2
SHA256

bfb28a852b12a795fb4d21fbe2b2f4c56e9742cbeace1cf9564b97bda1d08e55
SHA512

17433b55a5f0f61b0db42e22f975c4fa96298bc79a7a15b34d5342057bbf97a5229b23a7a12cc4a02afb48e485a2ae4ff05892b132ef19d145f2997814885cf0
SSDEEP

49152:bvblL26AaNeWgPhlmVqvMQ7XSKjBOEEqk7k/8FFoGdRnggTHHB72eh2NT:bvBL26AaNeWgPhlmVqkQ7XSKjBOjT

Score

10^/10

quasar rat client discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

rat client

AMNSALKSamongus-47679.portmap.host:4782

Mutex

d3bc3858-ff4a-4aa8-97ec-67721ddcdeeb

Attributes

encryption_key
C8D618C9B5D2F91FFC94B6E9C868ECF80EB774F8
install_name
Client.exe
log_directory
ratted client
reconnect_delay
3000
startup_key
RedTiger Tool v6.1
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 12 IoCs

resource	yara_rule
behavioral1/memory/2848-1-0x0000000000180000-0x00000000004A4000-memory.dmp	family_quasar
behavioral1/files/0x0008000000016edc-4.dat	family_quasar
behavioral1/memory/2328-9-0x0000000000B90000-0x0000000000EB4000-memory.dmp	family_quasar
behavioral1/memory/2604-22-0x0000000001250000-0x0000000001574000-memory.dmp	family_quasar
behavioral1/memory/1252-33-0x0000000001300000-0x0000000001624000-memory.dmp	family_quasar
behavioral1/memory/1588-78-0x00000000003C0000-0x00000000006E4000-memory.dmp	family_quasar
behavioral1/memory/2848-90-0x0000000000960000-0x0000000000C84000-memory.dmp	family_quasar
behavioral1/memory/1052-102-0x0000000000230000-0x0000000000554000-memory.dmp	family_quasar
behavioral1/memory/2892-113-0x0000000000D50000-0x0000000001074000-memory.dmp	family_quasar
behavioral1/memory/2632-145-0x0000000000200000-0x0000000000524000-memory.dmp	family_quasar
behavioral1/memory/2240-156-0x00000000000E0000-0x0000000000404000-memory.dmp	family_quasar
behavioral1/memory/2712-168-0x0000000001380000-0x00000000016A4000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2328	Client.exe
2604	Client.exe
1252	Client.exe
2916	Client.exe
1608	Client.exe
2176	Client.exe
1588	Client.exe
2848	Client.exe
1052	Client.exe
2892	Client.exe
1084	Client.exe
1996	Client.exe
2632	Client.exe
2240	Client.exe
2712	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2008	PING.EXE
2784	PING.EXE
1020	PING.EXE
1400	PING.EXE
2816	PING.EXE
1516	PING.EXE
320	PING.EXE
2456	PING.EXE
2960	PING.EXE
1240	PING.EXE
2628	PING.EXE
2096	PING.EXE
564	PING.EXE
1964	PING.EXE
1092	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
320	PING.EXE
2816	PING.EXE
564	PING.EXE
1020	PING.EXE
1400	PING.EXE
1092	PING.EXE
2456	PING.EXE
2960	PING.EXE
2008	PING.EXE
1516	PING.EXE
1240	PING.EXE
2628	PING.EXE
1964	PING.EXE
2096	PING.EXE
2784	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1224	schtasks.exe
2308	schtasks.exe
2908	schtasks.exe
2440	schtasks.exe
828	schtasks.exe
1632	schtasks.exe
2236	schtasks.exe
2296	schtasks.exe
2156	schtasks.exe
2256	schtasks.exe
2564	schtasks.exe
1264	schtasks.exe
2852	schtasks.exe
884	schtasks.exe
3052	schtasks.exe
2832	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	bfb28a852b12a795fb4d21fbe2b2f4c56e9742cbeace1cf9564b97bda1d08e55.exe
Token: SeDebugPrivilege	2328	Client.exe
Token: SeDebugPrivilege	2604	Client.exe
Token: SeDebugPrivilege	1252	Client.exe
Token: SeDebugPrivilege	2916	Client.exe
Token: SeDebugPrivilege	1608	Client.exe
Token: SeDebugPrivilege	2176	Client.exe
Token: SeDebugPrivilege	1588	Client.exe
Token: SeDebugPrivilege	2848	Client.exe
Token: SeDebugPrivilege	1052	Client.exe
Token: SeDebugPrivilege	2892	Client.exe
Token: SeDebugPrivilege	1084	Client.exe
Token: SeDebugPrivilege	1996	Client.exe
Token: SeDebugPrivilege	2632	Client.exe
Token: SeDebugPrivilege	2240	Client.exe
Token: SeDebugPrivilege	2712	Client.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2328	Client.exe
2604	Client.exe
1252	Client.exe
2916	Client.exe
1608	Client.exe
2176	Client.exe
1588	Client.exe
2848	Client.exe
1052	Client.exe
2892	Client.exe
1084	Client.exe
1996	Client.exe
2632	Client.exe
2240	Client.exe
2712	Client.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2328	Client.exe
2604	Client.exe
1252	Client.exe
2916	Client.exe
1608	Client.exe
2176	Client.exe
1588	Client.exe
2848	Client.exe
1052	Client.exe
2892	Client.exe
1084	Client.exe
1996	Client.exe
2632	Client.exe
2240	Client.exe
2712	Client.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2328	Client.exe
1252	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2256	2848	bfb28a852b12a795fb4d21fbe2b2f4c56e9742cbeace1cf9564b97bda1d08e55.exe	31
PID 2848 wrote to memory of 2256	2848	bfb28a852b12a795fb4d21fbe2b2f4c56e9742cbeace1cf9564b97bda1d08e55.exe	31
PID 2848 wrote to memory of 2256	2848	bfb28a852b12a795fb4d21fbe2b2f4c56e9742cbeace1cf9564b97bda1d08e55.exe	31
PID 2848 wrote to memory of 2328	2848	bfb28a852b12a795fb4d21fbe2b2f4c56e9742cbeace1cf9564b97bda1d08e55.exe	33
PID 2848 wrote to memory of 2328	2848	bfb28a852b12a795fb4d21fbe2b2f4c56e9742cbeace1cf9564b97bda1d08e55.exe	33
PID 2848 wrote to memory of 2328	2848	bfb28a852b12a795fb4d21fbe2b2f4c56e9742cbeace1cf9564b97bda1d08e55.exe	33
PID 2328 wrote to memory of 828	2328	Client.exe	34
PID 2328 wrote to memory of 828	2328	Client.exe	34
PID 2328 wrote to memory of 828	2328	Client.exe	34
PID 2328 wrote to memory of 2700	2328	Client.exe	36
PID 2328 wrote to memory of 2700	2328	Client.exe	36
PID 2328 wrote to memory of 2700	2328	Client.exe	36
PID 2700 wrote to memory of 2556	2700	cmd.exe	38
PID 2700 wrote to memory of 2556	2700	cmd.exe	38
PID 2700 wrote to memory of 2556	2700	cmd.exe	38
PID 2700 wrote to memory of 2008	2700	cmd.exe	39
PID 2700 wrote to memory of 2008	2700	cmd.exe	39
PID 2700 wrote to memory of 2008	2700	cmd.exe	39
PID 2700 wrote to memory of 2604	2700	cmd.exe	40
PID 2700 wrote to memory of 2604	2700	cmd.exe	40
PID 2700 wrote to memory of 2604	2700	cmd.exe	40
PID 2604 wrote to memory of 2564	2604	Client.exe	41
PID 2604 wrote to memory of 2564	2604	Client.exe	41
PID 2604 wrote to memory of 2564	2604	Client.exe	41
PID 2604 wrote to memory of 1520	2604	Client.exe	43
PID 2604 wrote to memory of 1520	2604	Client.exe	43
PID 2604 wrote to memory of 1520	2604	Client.exe	43
PID 1520 wrote to memory of 1408	1520	cmd.exe	45
PID 1520 wrote to memory of 1408	1520	cmd.exe	45
PID 1520 wrote to memory of 1408	1520	cmd.exe	45
PID 1520 wrote to memory of 2784	1520	cmd.exe	46
PID 1520 wrote to memory of 2784	1520	cmd.exe	46
PID 1520 wrote to memory of 2784	1520	cmd.exe	46
PID 1520 wrote to memory of 1252	1520	cmd.exe	47
PID 1520 wrote to memory of 1252	1520	cmd.exe	47
PID 1520 wrote to memory of 1252	1520	cmd.exe	47
PID 1252 wrote to memory of 1632	1252	Client.exe	48
PID 1252 wrote to memory of 1632	1252	Client.exe	48
PID 1252 wrote to memory of 1632	1252	Client.exe	48
PID 1252 wrote to memory of 1448	1252	Client.exe	50
PID 1252 wrote to memory of 1448	1252	Client.exe	50
PID 1252 wrote to memory of 1448	1252	Client.exe	50
PID 1448 wrote to memory of 1980	1448	cmd.exe	52
PID 1448 wrote to memory of 1980	1448	cmd.exe	52
PID 1448 wrote to memory of 1980	1448	cmd.exe	52
PID 1448 wrote to memory of 564	1448	cmd.exe	53
PID 1448 wrote to memory of 564	1448	cmd.exe	53
PID 1448 wrote to memory of 564	1448	cmd.exe	53
PID 1448 wrote to memory of 2916	1448	cmd.exe	54
PID 1448 wrote to memory of 2916	1448	cmd.exe	54
PID 1448 wrote to memory of 2916	1448	cmd.exe	54
PID 2916 wrote to memory of 2236	2916	Client.exe	55
PID 2916 wrote to memory of 2236	2916	Client.exe	55
PID 2916 wrote to memory of 2236	2916	Client.exe	55
PID 2916 wrote to memory of 940	2916	Client.exe	57
PID 2916 wrote to memory of 940	2916	Client.exe	57
PID 2916 wrote to memory of 940	2916	Client.exe	57
PID 940 wrote to memory of 1488	940	cmd.exe	59
PID 940 wrote to memory of 1488	940	cmd.exe	59
PID 940 wrote to memory of 1488	940	cmd.exe	59
PID 940 wrote to memory of 1020	940	cmd.exe	60
PID 940 wrote to memory of 1020	940	cmd.exe	60
PID 940 wrote to memory of 1020	940	cmd.exe	60
PID 940 wrote to memory of 1608	940	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bfb28a852b12a795fb4d21fbe2b2f4c56e9742cbeace1cf9564b97bda1d08e55.exe
"C:\Users\Admin\AppData\Local\Temp\bfb28a852b12a795fb4d21fbe2b2f4c56e9742cbeace1cf9564b97bda1d08e55.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2256
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:828
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\KEjAM6zvqXUU.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2556
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2008
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2564
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5QYudEHQi0xs.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1520
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1408
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2784
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1632
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\P182y7dfssy3.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1980
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:564
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2236
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GsEpO9R3ZRIX.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1488
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1020
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1608
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2296
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0TGgwhUHCnmV.bat" "
        11⤵
        
        PID:2204
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1788
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1400
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2176
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1224
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NaUGyR7lNcWo.bat" "
        13⤵
        
        PID:824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1876
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1964
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1588
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1264
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TDGZjUjvX3eL.bat" "
        15⤵
        
        PID:2692
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1820
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2816
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2848
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2852
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ohxcOmL24qnJ.bat" "
        17⤵
        
        PID:2008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2720
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2628
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1052
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2308
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yQak6oDOUMb5.bat" "
        19⤵
        
        PID:2800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1552
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1516
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2892
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2908
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SyfddvE6xs6j.bat" "
        21⤵
        
        PID:2120
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1240
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1084
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3052
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uEMpKqpUvg9J.bat" "
        23⤵
        
        PID:780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2412
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1092
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1996
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2440
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cUKs0m2Ue2Q4.bat" "
        25⤵
        
        PID:1492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:320
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2632
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:884
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gbKChtWmXbnC.bat" "
        27⤵
        
        PID:332
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2160
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2456
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2240
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2156
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Rqbcg50FlYYI.bat" "
        29⤵
        
        PID:2768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2692
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2096
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2712
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2832
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Pg4ecmme88sr.bat" "
        31⤵
        
        PID:2580
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0TGgwhUHCnmV.bat

Filesize
207B

MD5
2aab228df8afd0a0fe1845b4591f77f3

SHA1
a85155e233b680322a49d8baae4ed9ce41a93d30

SHA256
8a5dedb4c3a30d58e48e81270fa344c4b321142e9001f5625cb40716635b50ca

SHA512
cfafa22d1c98a538ae742c634159ca29f4c4d6baa596ddb0c5df0970195a2a732ae87c4595caab973d9788222449e6bec3f11a036e60dd0e0468ad9b8f172e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5QYudEHQi0xs.bat

Filesize
207B

MD5
b915e68061edef5dfe6ff518b6034c93

SHA1
1a98338a3fe028f4bd3552075329dec938a9f207

SHA256
3b7c2065afa6b09a438e08a52913e0241fb8cc62130d33b278365e5b58f2b60b

SHA512
9006894821da2ee11923d275f7d550ce50710a3d4f3fbde65f133e785fce48ed2a4c68f7da12d7bd32ac6d17831d5543c1d613bd8fe6c12e7e3bf830cbde7a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsEpO9R3ZRIX.bat

Filesize
207B

MD5
d2ec8bac20d906f1d275acc688825858

SHA1
acb6c1e4e16f9b578d3df8d8955262f85747dd8f

SHA256
36ae70b846fbbc94a6bb0a3ece3546a3be722563ad2a00ee47bebaf654bad0b8

SHA512
1dcee7442757203815d593d4e1040920d8018d268b6d5d69182495fe37084b309756503abe39107e3f9ace2746bde642322eaaf56450af861760bba859dedc4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEjAM6zvqXUU.bat

Filesize
207B

MD5
d4fcffd35af7dfa4aeb4a173be635149

SHA1
288636e1b2499c0018dbef5a7879d8696dd33a4e

SHA256
9419c4c52d1a949ac6d08f4dbf6faab245175ca2be8041efdb5aa9bd9473a447

SHA512
8bf12c93c7067021b197effbaa7abaf9455e02260e9e05c0323bf9ed96f9c1073a69b3ab7e0faa58c8d58b253a1b4aa89e480a794b44261394545fab3743b942

Download Submit
C:\Users\Admin\AppData\Local\Temp\NaUGyR7lNcWo.bat

Filesize
207B

MD5
47a10548f6a85d2dff5df8b72701578e

SHA1
072a7efe81b01a8240c032ea343b3052c6147974

SHA256
22f808826c38c1d793db50f520beb4eb68cea78b83f94c80a526ac5a894ba6c2

SHA512
73651089af7cc32e3acdd3fbe405e14a8ec43bf5c46034df1d67212187dcc8281fc19a620866ad282bf25eeccab2c110c461172e411d5c8c04b12a121cb7762d

Download Submit
C:\Users\Admin\AppData\Local\Temp\P182y7dfssy3.bat

Filesize
207B

MD5
2ee1e8e73b7954327e4d8d68fa21b8d6

SHA1
29a9587255e6549216aaed376995bd9804e35bad

SHA256
d14f7d8b5e04a5333073735cc3e220dce88fb8a13e10cc025720b65c1cdc73ab

SHA512
5285f60568bed46b34ee31165f14c100cfa09aa1282ff82c16f49aff0c597ecdc94fa00268d283e6649f91e0f93fcc4656fd9ba32a9a8414720475b182897c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pg4ecmme88sr.bat

Filesize
207B

MD5
f37bfd9c19c89fb66b09650cddd633bd

SHA1
afb4571ec752f802c1cafdf0fd8fd7ffe1e4b38a

SHA256
db0696db30cf6bb1ee9374b5df9795cad17143d2272246fc92ba558e58a4d5e3

SHA512
a756b66a597621ebc7ebd949768b98cae7ec3480af137cb4009094e8d807ea2aa649d0cabfc8105b42c367c90509399de172ae7baf196eb7f71aafb567499a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rqbcg50FlYYI.bat

Filesize
207B

MD5
bd81353955cc8ba265692a1eb030900b

SHA1
3bdfb057e57f6e7007bc6ebef77243564d30453c

SHA256
051e663655f27bc1006620c3e4f23d75a78fc6a3e6aaa79ea833d95a30edc2e2

SHA512
8266d0967f8019746cc0f13abfb7d5f7f191126adcabbedb777d342bd03473b7893047dadde41b19251b75d6a2054df75c7027832675a3bf6fb8276be3b37acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\SyfddvE6xs6j.bat

Filesize
207B

MD5
45376f9033f482ac67c35e0a5bedcd0b

SHA1
ce58c7d09d6d6f520ce32287f14620ddea4b2e6c

SHA256
2c62d03d950fc6b79654758147b15616ef18eae8cc1f76711236ef0b5f55ea89

SHA512
3c95d905cfa84958cb1f96da2b29447bb6b1fd93a9ff53582e278ab97c8a22412c3d362e8211309ad1f322593fbf082c698be8e76c00acfb72ff64296e340114

Download Submit
C:\Users\Admin\AppData\Local\Temp\TDGZjUjvX3eL.bat

Filesize
207B

MD5
e09d4625cd14c870347d5a6f6d42c86c

SHA1
0795d193d02601a5e3d898d89b41170c9920915d

SHA256
a6f9dfe41490258ef559a6db284b8273c4c62138e34462464e06b486bd5e9087

SHA512
a61d8fc48643b10e2046d138b8182eee6339c753e0f10a6ec6da06ff9e1ba8d22d44cea5ccb44c66ff43fa418920e9665890b2e8459829ba7b0f782e087f4583

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUKs0m2Ue2Q4.bat

Filesize
207B

MD5
aa99713ed1e0738b4adbb5fd8a57d0b4

SHA1
2141be4ae388372f589ae83f3e6df1272d140079

SHA256
e27455ee1f859b778c761e47c0296f100891956f93fb9e4cd793a5e6e17b6fa5

SHA512
4b7bde3236e911010d3dfd8d521853c4c4ddfe1ddf39e2ca7c2ea7bfb6ac175ab8dc00942fb240064b39ec9de639d0abd63d3f1287eb25f3d48f18e3368a7c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbKChtWmXbnC.bat

Filesize
207B

MD5
73419f1dca75cf150a28df23ba0ba468

SHA1
bb380d2904c03943358db0061ddf2749f8410476

SHA256
785f60054e4ab9bafc27e85a671b335473d156c1b414885f0ef082fd4128bb57

SHA512
8b603c2f9b64cdca9dfe9fda91b5d593296b742c37b33a6d7fbfaaba00c4e8ad2a9a459c74a79b216edb8b93bc8511873d317c4cb6816a94a84828447ee6a101

Download Submit
C:\Users\Admin\AppData\Local\Temp\ohxcOmL24qnJ.bat

Filesize
207B

MD5
1bb2d119ba2dfbadee82e6217043baed

SHA1
4a55b9e67421925f6bfcb2610782f0169a60e1a8

SHA256
62a768e25a44ed93ed1cf68aa3c7c84faab50448a9ad7995ae53264089080384

SHA512
e0a641aae4f7301f6bc485d11bccb4d75fb6d331dd4d70c3111d737f48c368ce76cb058515e3274584e003679ccab3213efd1d1fd93f07ece31019f0978a4bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEMpKqpUvg9J.bat

Filesize
207B

MD5
fb10a2d1d83347475780e8324f2020dd

SHA1
f9b3b5a10b681e77ebca1aa35b5782af3a754ab8

SHA256
826a99ce9be5a3f4187e5512a50a759407c67a2576fa6c04a872de0dfe40aac2

SHA512
e0af0bcdcb807efdbf0914fc8661e854055de5d41a2a2be3bbab315f92ba6fb75f63ac692e1a6050001b1b428d1667fc1922f8942c7faad83e9ba960dc033d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQak6oDOUMb5.bat

Filesize
207B

MD5
af480b4f67f535f7ade83c8f8dc05f06

SHA1
22da698e4e872cd2f2d0aa24c73c53967ffdc09e

SHA256
91f9d74c9b846842d6637b98c02c969b1d74890d0ec7818787459007202378a2

SHA512
4735510da7f1e79f1ae92b54f0828b81d38141963519c870964fab03ccce8b0ea39aae5fd850f1073ab6e6fbd538d9ca7ffe545128a44b02367a325b6b5ae01f

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
972d7bcd3eb4daaa0ef69215d91e41d9

SHA1
d3bcc25f8585405642a113ae6bae503648a765a2

SHA256
bfb28a852b12a795fb4d21fbe2b2f4c56e9742cbeace1cf9564b97bda1d08e55

SHA512
17433b55a5f0f61b0db42e22f975c4fa96298bc79a7a15b34d5342057bbf97a5229b23a7a12cc4a02afb48e485a2ae4ff05892b132ef19d145f2997814885cf0

Download Submit
memory/1052-102-0x0000000000230000-0x0000000000554000-memory.dmp

Filesize
3.1MB

Download
memory/1252-33-0x0000000001300000-0x0000000001624000-memory.dmp

Filesize
3.1MB

Download
memory/1588-78-0x00000000003C0000-0x00000000006E4000-memory.dmp

Filesize
3.1MB

Download
memory/2240-156-0x00000000000E0000-0x0000000000404000-memory.dmp

Filesize
3.1MB

Download
memory/2328-10-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download
memory/2328-19-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download
memory/2328-7-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download
memory/2328-9-0x0000000000B90000-0x0000000000EB4000-memory.dmp

Filesize
3.1MB

Download
memory/2604-22-0x0000000001250000-0x0000000001574000-memory.dmp

Filesize
3.1MB

Download
memory/2632-145-0x0000000000200000-0x0000000000524000-memory.dmp

Filesize
3.1MB

Download
memory/2712-168-0x0000000001380000-0x00000000016A4000-memory.dmp

Filesize
3.1MB

Download
memory/2848-90-0x0000000000960000-0x0000000000C84000-memory.dmp

Filesize
3.1MB

Download
memory/2848-8-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download
memory/2848-1-0x0000000000180000-0x00000000004A4000-memory.dmp

Filesize
3.1MB

Download
memory/2848-2-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download
memory/2848-0-0x000007FEF5BE3000-0x000007FEF5BE4000-memory.dmp

Filesize
4KB

Download
memory/2892-113-0x0000000000D50000-0x0000000001074000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads