quasar | bfb28a852b12a795fb4d21fbe2b2f4c56e9742cbeace1cf9564b97bda1d08e55

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfb28a852b12a795fb4d21fbe2b2f4c56e9742cbeace1cf9564b97bda1d08e55.exe
Size

3.1MB
MD5

972d7bcd3eb4daaa0ef69215d91e41d9
SHA1

d3bcc25f8585405642a113ae6bae503648a765a2
SHA256

bfb28a852b12a795fb4d21fbe2b2f4c56e9742cbeace1cf9564b97bda1d08e55
SHA512

17433b55a5f0f61b0db42e22f975c4fa96298bc79a7a15b34d5342057bbf97a5229b23a7a12cc4a02afb48e485a2ae4ff05892b132ef19d145f2997814885cf0
SSDEEP

49152:bvblL26AaNeWgPhlmVqvMQ7XSKjBOEEqk7k/8FFoGdRnggTHHB72eh2NT:bvBL26AaNeWgPhlmVqkQ7XSKjBOjT

Score

10^/10

quasar rat client discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

rat client

AMNSALKSamongus-47679.portmap.host:4782

Mutex

d3bc3858-ff4a-4aa8-97ec-67721ddcdeeb

Attributes

encryption_key
C8D618C9B5D2F91FFC94B6E9C868ECF80EB774F8
install_name
Client.exe
log_directory
ratted client
reconnect_delay
3000
startup_key
RedTiger Tool v6.1
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/1916-1-0x00000000000E0000-0x0000000000404000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023cc0-5.dat	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
4464	Client.exe
2792	Client.exe
664	Client.exe
2204	Client.exe
2664	Client.exe
5052	Client.exe
3692	Client.exe
2872	Client.exe
4264	Client.exe
4328	Client.exe
1160	Client.exe
1144	Client.exe
2884	Client.exe
3888	Client.exe
1308	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3416	PING.EXE
3804	PING.EXE
2680	PING.EXE
1948	PING.EXE
1832	PING.EXE
4924	PING.EXE
3888	PING.EXE
2156	PING.EXE
428	PING.EXE
4768	PING.EXE
1212	PING.EXE
1904	PING.EXE
5068	PING.EXE
2360	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
1904	PING.EXE
4768	PING.EXE
5068	PING.EXE
2156	PING.EXE
2360	PING.EXE
3416	PING.EXE
1212	PING.EXE
428	PING.EXE
1948	PING.EXE
4924	PING.EXE
3888	PING.EXE
1832	PING.EXE
2680	PING.EXE
3804	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4964	schtasks.exe
692	schtasks.exe
4172	schtasks.exe
1784	schtasks.exe
2120	schtasks.exe
3040	schtasks.exe
1976	schtasks.exe
3116	schtasks.exe
1976	schtasks.exe
4336	schtasks.exe
4284	schtasks.exe
3888	schtasks.exe
1612	schtasks.exe
4328	schtasks.exe
5040	schtasks.exe
1824	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1916	bfb28a852b12a795fb4d21fbe2b2f4c56e9742cbeace1cf9564b97bda1d08e55.exe
Token: SeDebugPrivilege	4464	Client.exe
Token: SeDebugPrivilege	2792	Client.exe
Token: SeDebugPrivilege	664	Client.exe
Token: SeDebugPrivilege	2204	Client.exe
Token: SeDebugPrivilege	2664	Client.exe
Token: SeDebugPrivilege	5052	Client.exe
Token: SeDebugPrivilege	3692	Client.exe
Token: SeDebugPrivilege	2872	Client.exe
Token: SeDebugPrivilege	4264	Client.exe
Token: SeDebugPrivilege	4328	Client.exe
Token: SeDebugPrivilege	1160	Client.exe
Token: SeDebugPrivilege	1144	Client.exe
Token: SeDebugPrivilege	2884	Client.exe
Token: SeDebugPrivilege	3888	Client.exe
Token: SeDebugPrivilege	1308	Client.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
4464	Client.exe
2792	Client.exe
664	Client.exe
2204	Client.exe
2664	Client.exe
5052	Client.exe
3692	Client.exe
2872	Client.exe
4264	Client.exe
4328	Client.exe
1160	Client.exe
1144	Client.exe
2884	Client.exe
3888	Client.exe
1308	Client.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
4464	Client.exe
2792	Client.exe
664	Client.exe
2204	Client.exe
2664	Client.exe
5052	Client.exe
3692	Client.exe
2872	Client.exe
4264	Client.exe
4328	Client.exe
1160	Client.exe
1144	Client.exe
2884	Client.exe
3888	Client.exe
1308	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 1612	1916	bfb28a852b12a795fb4d21fbe2b2f4c56e9742cbeace1cf9564b97bda1d08e55.exe	85
PID 1916 wrote to memory of 1612	1916	bfb28a852b12a795fb4d21fbe2b2f4c56e9742cbeace1cf9564b97bda1d08e55.exe	85
PID 1916 wrote to memory of 4464	1916	bfb28a852b12a795fb4d21fbe2b2f4c56e9742cbeace1cf9564b97bda1d08e55.exe	87
PID 1916 wrote to memory of 4464	1916	bfb28a852b12a795fb4d21fbe2b2f4c56e9742cbeace1cf9564b97bda1d08e55.exe	87
PID 4464 wrote to memory of 4172	4464	Client.exe	88
PID 4464 wrote to memory of 4172	4464	Client.exe	88
PID 4464 wrote to memory of 1820	4464	Client.exe	90
PID 4464 wrote to memory of 1820	4464	Client.exe	90
PID 1820 wrote to memory of 2136	1820	cmd.exe	92
PID 1820 wrote to memory of 2136	1820	cmd.exe	92
PID 1820 wrote to memory of 4768	1820	cmd.exe	93
PID 1820 wrote to memory of 4768	1820	cmd.exe	93
PID 1820 wrote to memory of 2792	1820	cmd.exe	103
PID 1820 wrote to memory of 2792	1820	cmd.exe	103
PID 2792 wrote to memory of 4328	2792	Client.exe	104
PID 2792 wrote to memory of 4328	2792	Client.exe	104
PID 2792 wrote to memory of 1372	2792	Client.exe	107
PID 2792 wrote to memory of 1372	2792	Client.exe	107
PID 1372 wrote to memory of 5052	1372	cmd.exe	109
PID 1372 wrote to memory of 5052	1372	cmd.exe	109
PID 1372 wrote to memory of 1212	1372	cmd.exe	110
PID 1372 wrote to memory of 1212	1372	cmd.exe	110
PID 1372 wrote to memory of 664	1372	cmd.exe	115
PID 1372 wrote to memory of 664	1372	cmd.exe	115
PID 664 wrote to memory of 3116	664	Client.exe	116
PID 664 wrote to memory of 3116	664	Client.exe	116
PID 664 wrote to memory of 2936	664	Client.exe	119
PID 664 wrote to memory of 2936	664	Client.exe	119
PID 2936 wrote to memory of 4908	2936	cmd.exe	121
PID 2936 wrote to memory of 4908	2936	cmd.exe	121
PID 2936 wrote to memory of 428	2936	cmd.exe	122
PID 2936 wrote to memory of 428	2936	cmd.exe	122
PID 2936 wrote to memory of 2204	2936	cmd.exe	127
PID 2936 wrote to memory of 2204	2936	cmd.exe	127
PID 2204 wrote to memory of 5040	2204	Client.exe	128
PID 2204 wrote to memory of 5040	2204	Client.exe	128
PID 2204 wrote to memory of 2020	2204	Client.exe	131
PID 2204 wrote to memory of 2020	2204	Client.exe	131
PID 2020 wrote to memory of 2208	2020	cmd.exe	133
PID 2020 wrote to memory of 2208	2020	cmd.exe	133
PID 2020 wrote to memory of 3888	2020	cmd.exe	134
PID 2020 wrote to memory of 3888	2020	cmd.exe	134
PID 2020 wrote to memory of 2664	2020	cmd.exe	136
PID 2020 wrote to memory of 2664	2020	cmd.exe	136
PID 2664 wrote to memory of 1976	2664	Client.exe	137
PID 2664 wrote to memory of 1976	2664	Client.exe	137
PID 2664 wrote to memory of 3024	2664	Client.exe	140
PID 2664 wrote to memory of 3024	2664	Client.exe	140
PID 3024 wrote to memory of 784	3024	cmd.exe	142
PID 3024 wrote to memory of 784	3024	cmd.exe	142
PID 3024 wrote to memory of 5068	3024	cmd.exe	143
PID 3024 wrote to memory of 5068	3024	cmd.exe	143
PID 3024 wrote to memory of 5052	3024	cmd.exe	145
PID 3024 wrote to memory of 5052	3024	cmd.exe	145
PID 5052 wrote to memory of 4336	5052	Client.exe	146
PID 5052 wrote to memory of 4336	5052	Client.exe	146
PID 5052 wrote to memory of 3172	5052	Client.exe	149
PID 5052 wrote to memory of 3172	5052	Client.exe	149
PID 3172 wrote to memory of 2188	3172	cmd.exe	151
PID 3172 wrote to memory of 2188	3172	cmd.exe	151
PID 3172 wrote to memory of 2680	3172	cmd.exe	152
PID 3172 wrote to memory of 2680	3172	cmd.exe	152
PID 3172 wrote to memory of 3692	3172	cmd.exe	155
PID 3172 wrote to memory of 3692	3172	cmd.exe	155

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bfb28a852b12a795fb4d21fbe2b2f4c56e9742cbeace1cf9564b97bda1d08e55.exe
"C:\Users\Admin\AppData\Local\Temp\bfb28a852b12a795fb4d21fbe2b2f4c56e9742cbeace1cf9564b97bda1d08e55.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1612
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iFL6XB4Bh8OL.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2136
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4768
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4328
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jFiGez1MbEcu.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1372
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5052
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1212
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3HPR4bvACwhr.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4908
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:428
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jIfz1N0CKWc1.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2208
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3888
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqpQQ1MzoxsV.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5068
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RjxjPsuI9frp.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2188
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2680
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3692
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCMFWkmWTJa0.bat" "
        15⤵
        
        PID:100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:220
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2156
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2872
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dja7Z2AmBqS9.bat" "
        17⤵
        
        PID:1624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:684
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2360
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4264
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0CQ0eGof187J.bat" "
        19⤵
        
        PID:4720
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1948
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4328
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0BgZJCVw8Z7T.bat" "
        21⤵
        
        PID:1884
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3416
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1160
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W6ckeye6kMoQ.bat" "
        23⤵
        
        PID:4052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1264
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1832
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1144
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bfnSBYeQ9UlG.bat" "
        25⤵
        
        PID:3428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1904
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2884
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wraTWSmdZjun.bat" "
        27⤵
        
        PID:5056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4924
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3888
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZH3mn59uYSbA.bat" "
        29⤵
        
        PID:4092
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:3852
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3804
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1308
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RedTiger Tool v6.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0BgZJCVw8Z7T.bat

Filesize
207B

MD5
34b5bf8ec9316969aa6a6d0d98f095cd

SHA1
8f4cebbfe94e75d0c4030cc6d7c5de7182e7ed78

SHA256
d3a954fc82155f32f00eaaa158a55c18224a86080c603a149d42bd0538c634d0

SHA512
f761a786d7eeee2f618f5e38f1fa266bf4e5afe8f1d44d41fb195d8118be06673d0ddb618aff5cb546f5f460aaf98e63bc8704d1f123fb2d0c667e72a909a899

Download Submit
C:\Users\Admin\AppData\Local\Temp\0CQ0eGof187J.bat

Filesize
207B

MD5
08e7c7165a03b9f1eecc5e9423cd46f4

SHA1
a1216578a247bd3e94797498a1bcb543b0669d77

SHA256
c37c6e1a29226453dc5321a6d3a4fc6ab4a74c717810f1b9c02d679c599f3d65

SHA512
fc5d03b5dd5fd5b79fc9cc3a9ca697125047d4eae9823ff620d5d50f3d101fbc2a02f21062910440c5498a0d12300792c9cd7847b8e364a85fab0a3387985543

Download Submit
C:\Users\Admin\AppData\Local\Temp\3HPR4bvACwhr.bat

Filesize
207B

MD5
136263d26e3d3d6b9ba2072b4a1590dc

SHA1
6e1f759d5bedbf7ce82d80e570f1eb5956f3d4a1

SHA256
a1503c2dd6b38d0d420c33bb92d94fe09ef34385862aad31d645fd8b48082671

SHA512
f8d1f2b7c8df2d7f62a782098236ee6a2716293fea8157062517cfd83f3ec603698636de19cc71523d5d720a2626dc3aab365a432010a561bda5ba3aaa7d8502

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCMFWkmWTJa0.bat

Filesize
207B

MD5
22a7fbae7235f77027305daf49d9d72b

SHA1
bda38c69b0765ef87a3f65669136fd1f9f045297

SHA256
ef301356755af82e7693bdefaa8ce5ad1993628e9aeba423dd775ef7f7f7234b

SHA512
f24453eea0c384c9343222d2d4b44c4caa3d29f6cb6ba706a93003ddda75f80f50d3a09a99d629cdb8537e0575f358c5826e11078b03882fbf9a3b2201979ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RjxjPsuI9frp.bat

Filesize
207B

MD5
d33a94d5b4366f7d56d80bed2f64edda

SHA1
f4ba83c321af3e110c222ec377eedb708bf1f95d

SHA256
0f8c8c528b7fc2c1ada20c541e8447eb8bb02063b160087a53d3f92ab30a475d

SHA512
b5b30480c8e1e423fb15a2f55e5c38b2e6fb3f2a8f2e8d6fcb2743dbb77487abf51c1a6e557b69dca0ad6873832dfe0a94797e967dbaef14598532f821ac3a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SqpQQ1MzoxsV.bat

Filesize
207B

MD5
e23260bd8c11100671938cb8f82b7ec0

SHA1
00c76c466d5e91ff852a4628209e4c00ee3a30b5

SHA256
c065a61dc8e33d506431a9528d4df64c7828448ec4fd0ac3c56e55f9fd6f3335

SHA512
2ac660ac9fee809ffbd9b75100296684880d4d6b2f8dc423ad74cfddd32d80ba72257596834a5886e05c0d820b45c1fc7befefe19a07d9acaac835575294bd3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\W6ckeye6kMoQ.bat

Filesize
207B

MD5
64454c2d4c06a407bc1cb73268710117

SHA1
db13a317739ee05af06f223d49cd59ef22f2a2ba

SHA256
12a0c6ab4009696fa09c42bec92a608a175e6eaa2f9676c34383b0b9bbadfd92

SHA512
011c613df3301ba2c3a2371e741b9d05ab83d466bff7331d1c87f42a33775287bf9b84801faec617f1704829f349b3253e9ab2345f4068c45f107829cf3550fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZH3mn59uYSbA.bat

Filesize
207B

MD5
5c85e6625cab5a2a225a19c71c1bd2f3

SHA1
6bc2e22d4f458dde85c4d0bc24ddd4d3b9f72fc2

SHA256
6fd3f542ec91cd6e93152bf7233f3569f2b0f18e1b5afcf7193306c55ac649ac

SHA512
e0c81fdfe39b5421a85465f549fe6dd44bd8ecb663fe3921df8bd89e0ceeef009c6fb25608f6a4716b6b00b52deeb6b7edf7d48736a236dd7ab6668faee01979

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfnSBYeQ9UlG.bat

Filesize
207B

MD5
8fbad2da3f6272a49bda6755e2332f96

SHA1
92bb3eec28c7d1df5b0f4e2d0e56bff99fcd4120

SHA256
0ee8d5f8e95abeec156d29f8c786bc04ad85f330a628a627c8bc7b3c1e57a262

SHA512
b2825ebe4401364c064a51f5abd5328b32be264ea0d038d235c69f372bfad6dabf89210f29a1397e719aaf64120a9ba81d4af7481750e19fee781f09d59dfae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dja7Z2AmBqS9.bat

Filesize
207B

MD5
8a6438a01c4789fd556c46078c6b1e0f

SHA1
f959f9fd12a23a03778064c7d4f038228ae43106

SHA256
da7d1105153195db57152b6aeb2c46f28f5e432fa9407033d7948c1ee3310950

SHA512
013f299505aab0591860458ec413c2990ff700490a54c2b377316c466886fc200eab971e35300f07024fa37821649df40d0674c9982e34ecaeff6f914ec66d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\iFL6XB4Bh8OL.bat

Filesize
207B

MD5
b53d01863ed79de89b3db9cbce3a83df

SHA1
307661f4a258937921eff13c3a7b96d79e7183a0

SHA256
2aedc2044590b0ecbdd93fdb0cb581ca62f6699a629d2dd111ef81fc1c08d4db

SHA512
9b7a5d4de4d8187dc3d0fbe6d52dd9c1cbb4816122fb726f92a9377161148a96c25102ccad0ee090eb54222407a93965fb8249160453648e5d8e80316b62c6f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jFiGez1MbEcu.bat

Filesize
207B

MD5
b75b495f10e3361161eca82e452e8b64

SHA1
b6b2fd32ec4cfcddb2142fe257a7d1753d51a4a9

SHA256
7ce22ffc375b9da678f4a7184cde5efefe766a3c9064560b3d0d2b191a6c357c

SHA512
0fcc9b212891c8b40bc3409ef777f19d7f267dd4524a2e2a55f42b65d755ea5c187e8cf53aa68f822ba8bc26acb1d8d6c337bace9aec1b1258d8e57d0fbafc6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jIfz1N0CKWc1.bat

Filesize
207B

MD5
4860475de9ddec39814fb44d0dfaa9b7

SHA1
49e07514f2e70096f8314e2f0daaa673288e44bb

SHA256
618c446732676b87f413405039e00f2cd1b070303b8c52fe68e9716d782697f8

SHA512
c8d63f4446000aa00a96f20fc8d1e1116a2c91a8c49a8f3d161526afb171bfb38d41c2c3bf78ba805beeb4546e48fd2d62c0c00877e564a5c6dff9607c42f80f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wraTWSmdZjun.bat

Filesize
207B

MD5
647ac01c0c51077c7a63af8de5e56aaa

SHA1
c3fa407f515cc218d65846aaaa43de0cc2ffbcd4

SHA256
a44b7a6658397d4e24030fa101448d9135998a4bd8d68e8b574418904fbe8a53

SHA512
aa11571ccf6a7f339c7a1244a27573ccefe5727e798dc38d1e6ea74d5214a50d37513702de043cd44b914240d0a7451eff35f1590d19a7535c30f60ca6c3948c

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
972d7bcd3eb4daaa0ef69215d91e41d9

SHA1
d3bcc25f8585405642a113ae6bae503648a765a2

SHA256
bfb28a852b12a795fb4d21fbe2b2f4c56e9742cbeace1cf9564b97bda1d08e55

SHA512
17433b55a5f0f61b0db42e22f975c4fa96298bc79a7a15b34d5342057bbf97a5229b23a7a12cc4a02afb48e485a2ae4ff05892b132ef19d145f2997814885cf0

Download Submit
memory/1916-0-0x00007FF976223000-0x00007FF976225000-memory.dmp

Filesize
8KB

Download
memory/1916-9-0x00007FF976220000-0x00007FF976CE1000-memory.dmp

Filesize
10.8MB

Download
memory/1916-2-0x00007FF976220000-0x00007FF976CE1000-memory.dmp

Filesize
10.8MB

Download
memory/1916-1-0x00000000000E0000-0x0000000000404000-memory.dmp

Filesize
3.1MB

Download
memory/4464-17-0x00007FF976220000-0x00007FF976CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4464-12-0x000000001BE40000-0x000000001BEF2000-memory.dmp

Filesize
712KB

Download
memory/4464-11-0x000000001BD30000-0x000000001BD80000-memory.dmp

Filesize
320KB

Download
memory/4464-10-0x00007FF976220000-0x00007FF976CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4464-8-0x00007FF976220000-0x00007FF976CE1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads