quasar | 40b1e1519d9240e23b0052b13f30cac24db6c23814fb91ec3c151f6e8a477858

Analysis

max time kernel
147s
max time network
146s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
27-12-2024 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

c0a15477ed759cacb6e41c32df4ee3b6
SHA1

1105f1a6da7fc5286fc6bbf3bb09b0640c390475
SHA256

40b1e1519d9240e23b0052b13f30cac24db6c23814fb91ec3c151f6e8a477858
SHA512

595c423778602e61e37ba19761c43d6b333357113e31c50cc0947336a122cf3499e2924af3dc523e57df79fd0be435e61286f9c255630d95b56adc15735e6bfa
SSDEEP

49152:WvEt62XlaSFNWPjljiFa2RoUYI4bRJ6rbR3LoGdDNTHHB72eh2NT:WvY62XlaSFNWPjljiFXRoUYI4bRJ69T

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

Ljqzskib:4782

Mutex

6d2bad0c-8668-4007-b0ab-432a32c2b700

Attributes

encryption_key
EBBC63CA357CC42C1ADBEA1947460FC46B646E71
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
file explorer start up
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 13 IoCs

resource	yara_rule
behavioral1/memory/2300-1-0x0000000000EA0000-0x00000000011C4000-memory.dmp	family_quasar
behavioral1/files/0x00070000000195d6-6.dat	family_quasar
behavioral1/memory/2744-10-0x0000000000C50000-0x0000000000F74000-memory.dmp	family_quasar
behavioral1/memory/2668-23-0x0000000001210000-0x0000000001534000-memory.dmp	family_quasar
behavioral1/memory/2628-34-0x0000000001320000-0x0000000001644000-memory.dmp	family_quasar
behavioral1/memory/1732-45-0x0000000000290000-0x00000000005B4000-memory.dmp	family_quasar
behavioral1/memory/2492-56-0x00000000001F0000-0x0000000000514000-memory.dmp	family_quasar
behavioral1/memory/2292-68-0x0000000000EF0000-0x0000000001214000-memory.dmp	family_quasar
behavioral1/memory/2732-90-0x0000000001050000-0x0000000001374000-memory.dmp	family_quasar
behavioral1/memory/1576-101-0x0000000000300000-0x0000000000624000-memory.dmp	family_quasar
behavioral1/memory/808-113-0x0000000000F20000-0x0000000001244000-memory.dmp	family_quasar
behavioral1/memory/1864-124-0x0000000000160000-0x0000000000484000-memory.dmp	family_quasar
behavioral1/memory/2244-136-0x00000000008C0000-0x0000000000BE4000-memory.dmp	family_quasar

Executes dropped EXE 12 IoCs

pid	Process
2744	Client.exe
2668	Client.exe
2628	Client.exe
1732	Client.exe
2492	Client.exe
2292	Client.exe
2316	Client.exe
2732	Client.exe
1576	Client.exe
808	Client.exe
1864	Client.exe
2244	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1544	PING.EXE
2824	PING.EXE
1300	PING.EXE
1612	PING.EXE
2232	PING.EXE
3068	PING.EXE
2156	PING.EXE
2448	PING.EXE
1944	PING.EXE
2996	PING.EXE
2244	PING.EXE
580	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
2232	PING.EXE
1544	PING.EXE
2448	PING.EXE
2824	PING.EXE
2244	PING.EXE
1612	PING.EXE
580	PING.EXE
2156	PING.EXE
1944	PING.EXE
2996	PING.EXE
1300	PING.EXE
3068	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2192	schtasks.exe
3024	schtasks.exe
1228	schtasks.exe
1748	schtasks.exe
1584	schtasks.exe
1508	schtasks.exe
1052	schtasks.exe
2600	schtasks.exe
2964	schtasks.exe
928	schtasks.exe
2788	schtasks.exe
2996	schtasks.exe
1980	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	Client-built.exe
Token: SeDebugPrivilege	2744	Client.exe
Token: SeDebugPrivilege	2668	Client.exe
Token: SeDebugPrivilege	2628	Client.exe
Token: SeDebugPrivilege	1732	Client.exe
Token: SeDebugPrivilege	2492	Client.exe
Token: SeDebugPrivilege	2292	Client.exe
Token: SeDebugPrivilege	2316	Client.exe
Token: SeDebugPrivilege	2732	Client.exe
Token: SeDebugPrivilege	1576	Client.exe
Token: SeDebugPrivilege	808	Client.exe
Token: SeDebugPrivilege	1864	Client.exe
Token: SeDebugPrivilege	2244	Client.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
2744	Client.exe
2668	Client.exe
2628	Client.exe
1732	Client.exe
2492	Client.exe
2292	Client.exe
2316	Client.exe
2732	Client.exe
1576	Client.exe
808	Client.exe
1864	Client.exe
2244	Client.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2744	Client.exe
2668	Client.exe
2628	Client.exe
1732	Client.exe
2492	Client.exe
2292	Client.exe
2316	Client.exe
2732	Client.exe
1576	Client.exe
808	Client.exe
1864	Client.exe
2244	Client.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2744	Client.exe
2668	Client.exe
2628	Client.exe
1732	Client.exe
2492	Client.exe
2292	Client.exe
2316	Client.exe
2732	Client.exe
1576	Client.exe
808	Client.exe
1864	Client.exe
2244	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 1748	2300	Client-built.exe	30
PID 2300 wrote to memory of 1748	2300	Client-built.exe	30
PID 2300 wrote to memory of 1748	2300	Client-built.exe	30
PID 2300 wrote to memory of 2744	2300	Client-built.exe	32
PID 2300 wrote to memory of 2744	2300	Client-built.exe	32
PID 2300 wrote to memory of 2744	2300	Client-built.exe	32
PID 2744 wrote to memory of 2964	2744	Client.exe	33
PID 2744 wrote to memory of 2964	2744	Client.exe	33
PID 2744 wrote to memory of 2964	2744	Client.exe	33
PID 2744 wrote to memory of 2972	2744	Client.exe	35
PID 2744 wrote to memory of 2972	2744	Client.exe	35
PID 2744 wrote to memory of 2972	2744	Client.exe	35
PID 2972 wrote to memory of 2344	2972	cmd.exe	37
PID 2972 wrote to memory of 2344	2972	cmd.exe	37
PID 2972 wrote to memory of 2344	2972	cmd.exe	37
PID 2972 wrote to memory of 2824	2972	cmd.exe	38
PID 2972 wrote to memory of 2824	2972	cmd.exe	38
PID 2972 wrote to memory of 2824	2972	cmd.exe	38
PID 2972 wrote to memory of 2668	2972	cmd.exe	39
PID 2972 wrote to memory of 2668	2972	cmd.exe	39
PID 2972 wrote to memory of 2668	2972	cmd.exe	39
PID 2668 wrote to memory of 928	2668	Client.exe	40
PID 2668 wrote to memory of 928	2668	Client.exe	40
PID 2668 wrote to memory of 928	2668	Client.exe	40
PID 2668 wrote to memory of 2416	2668	Client.exe	42
PID 2668 wrote to memory of 2416	2668	Client.exe	42
PID 2668 wrote to memory of 2416	2668	Client.exe	42
PID 2416 wrote to memory of 2428	2416	cmd.exe	44
PID 2416 wrote to memory of 2428	2416	cmd.exe	44
PID 2416 wrote to memory of 2428	2416	cmd.exe	44
PID 2416 wrote to memory of 1944	2416	cmd.exe	45
PID 2416 wrote to memory of 1944	2416	cmd.exe	45
PID 2416 wrote to memory of 1944	2416	cmd.exe	45
PID 2416 wrote to memory of 2628	2416	cmd.exe	46
PID 2416 wrote to memory of 2628	2416	cmd.exe	46
PID 2416 wrote to memory of 2628	2416	cmd.exe	46
PID 2628 wrote to memory of 1584	2628	Client.exe	47
PID 2628 wrote to memory of 1584	2628	Client.exe	47
PID 2628 wrote to memory of 1584	2628	Client.exe	47
PID 2628 wrote to memory of 1740	2628	Client.exe	49
PID 2628 wrote to memory of 1740	2628	Client.exe	49
PID 2628 wrote to memory of 1740	2628	Client.exe	49
PID 1740 wrote to memory of 3020	1740	cmd.exe	51
PID 1740 wrote to memory of 3020	1740	cmd.exe	51
PID 1740 wrote to memory of 3020	1740	cmd.exe	51
PID 1740 wrote to memory of 2996	1740	cmd.exe	52
PID 1740 wrote to memory of 2996	1740	cmd.exe	52
PID 1740 wrote to memory of 2996	1740	cmd.exe	52
PID 1740 wrote to memory of 1732	1740	cmd.exe	53
PID 1740 wrote to memory of 1732	1740	cmd.exe	53
PID 1740 wrote to memory of 1732	1740	cmd.exe	53
PID 1732 wrote to memory of 1508	1732	Client.exe	54
PID 1732 wrote to memory of 1508	1732	Client.exe	54
PID 1732 wrote to memory of 1508	1732	Client.exe	54
PID 1732 wrote to memory of 2032	1732	Client.exe	56
PID 1732 wrote to memory of 2032	1732	Client.exe	56
PID 1732 wrote to memory of 2032	1732	Client.exe	56
PID 2032 wrote to memory of 1060	2032	cmd.exe	58
PID 2032 wrote to memory of 1060	2032	cmd.exe	58
PID 2032 wrote to memory of 1060	2032	cmd.exe	58
PID 2032 wrote to memory of 1300	2032	cmd.exe	59
PID 2032 wrote to memory of 1300	2032	cmd.exe	59
PID 2032 wrote to memory of 1300	2032	cmd.exe	59
PID 2032 wrote to memory of 2492	2032	cmd.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1748
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2964
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tL0PN3UxpAld.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2344
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2824
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:928
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\4ahHLZVYZfNw.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2416
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2428
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1944
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1584
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AKZzx7g4mWJk.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3020
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2996
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1508
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\m3sa6BrOImA8.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1300
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2492
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1052
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CS0puTYBU8Tk.bat" "
        11⤵
        
        PID:2068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:536
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2244
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2292
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2600
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WayJbV8RGV19.bat" "
        13⤵
        
        PID:2472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2280
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1612
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2316
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2192
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VMLf4NQpsjDJ.bat" "
        15⤵
        
        PID:2776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:580
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2732
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2788
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HIZU2KDa3bDk.bat" "
        17⤵
        
        PID:2024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2272
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2232
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1576
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3024
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qSEZ34jiopl8.bat" "
        19⤵
        
        PID:1840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2892
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3068
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:808
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2996
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\t20S6GTxO3ng.bat" "
        21⤵
        
        PID:2336
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:348
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2156
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1864
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1228
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aymjSzfZLZus.bat" "
        23⤵
        
        PID:1680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:468
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1544
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2244
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1980
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7dpzKmo17seg.bat" "
        25⤵
        
        PID:1776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2452
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4ahHLZVYZfNw.bat

Filesize
207B

MD5
72f648c466363b6ab46d2a8952ec8f18

SHA1
a2de5312c687011f109eb871eac5e0c56f143c1c

SHA256
c420c37397a0bc46e0d538c0b7c292b0a1d81754731a8de61196254781f0ac04

SHA512
292b681c95efab0ae1917245b5f2d39422724ad53d568419e1fc0d43e2b324b5ee664196a5214dad95fac807e1c35083b13b033e4c3eb091ce6fa5a09397acf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7dpzKmo17seg.bat

Filesize
207B

MD5
e7ef4a327a1fb6ad0332a356614fcbea

SHA1
ddbf0aeb573f0326538710d866497a6d75dcc983

SHA256
48d091ae380bc44500902cf6561382d2c707a6f41b8cf0bd4c2e7d78b3c33464

SHA512
7adbbc17bc2a927ba4d95b8721f066f947b88a56a02f80476461dac0fc4fc7c5e86a8dd71cfca32c604bd65bf76a3b597ef646951ec1fc03ed6daea03c3eb466

Download Submit
C:\Users\Admin\AppData\Local\Temp\AKZzx7g4mWJk.bat

Filesize
207B

MD5
75a0f55ac6505ecb3b4b1f2b1ef73556

SHA1
3fc90d8e38505811d993dbdb6bf470891496527b

SHA256
c5eda2568fef0a3c73135ff730068415e67181be5b8be0bfd5383f7f27a7fb68

SHA512
a638e2c9f112667e422ef977ed6e06da12cc61044da4d5ff7ef2888e6a3e7a1500e3c6ef36fd49276d90a458759c9f3cd52c626fa9433948ac9bc14a82e8c382

Download Submit
C:\Users\Admin\AppData\Local\Temp\CS0puTYBU8Tk.bat

Filesize
207B

MD5
3cb6c41e3b34529a6340da155b78ddba

SHA1
05d7eb5880d9d9efb32d9aed2ef7002a4b034620

SHA256
2656f2a09f4d67262e99258e10c239fb19417702ed00212e8edf305f6219dcc7

SHA512
3a2049b6b75225f90a3ab34298ca9422bfef7cdd377d3de9ec67fac818f6b5180cde54ac42a297c43b3b04cad548db543813fa6f88db0d3c41a6a8ec2c01edb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIZU2KDa3bDk.bat

Filesize
207B

MD5
f6bcbc48923888bdc305b3c3faaa200e

SHA1
85419610d654d832d4245676008d744579e73c56

SHA256
5e22b24fbd599a98b0fe910c2db17ad97c587b2cd7cb751a6b0c221fb557abb7

SHA512
b7888c9db3ccbadf21f8e69890d152b1e13a8a8c033a898e8dc9bcbc7c2c9984069ac9045ee7ef56b832e2e3df10dfd86f0ce2a7980b99697671ece40455e3df

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMLf4NQpsjDJ.bat

Filesize
207B

MD5
a7b0dc43b8c7d37e2afdeed74f8b9b6d

SHA1
a488061f648cda66569671e490af29cadb9c0d7c

SHA256
e5f6f219baae899bae5b553a4211ceb277ad278c16d304aba7ef196058aee3f5

SHA512
2f530ca3781751b0ffb842c8234a4f048ffaeadedfe7181c062b5050f9cc8b791c33a3776c3acae6fc7fa849b3794802ad55d9efaa2fad15c846ccd8cbced18e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WayJbV8RGV19.bat

Filesize
207B

MD5
513c0c0a2f011cf6da5b5794d8d827df

SHA1
c900683b8664bded3c0d10435b29f2cbbe654ccf

SHA256
7946c72ab8c02e541d234717ff9c2ae5f7db4aa13602ed89b706f4dc44b08568

SHA512
613a3d425f065c4a96f7ca3f3231b90a427f98231f9ebac1f13ad517ec0a640f9b025467194d8780ab20af45a052e9159e2de88d876b0dbb8ab607fb5cb0661b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aymjSzfZLZus.bat

Filesize
207B

MD5
d473d5dc357dc45c0531b8b51892865c

SHA1
647f89d7bd486b3b281842ba29ba2083008a9067

SHA256
9de4f38270c11631deabdac19d3f283c4a1fcc82c8f6741f45250e4e205476af

SHA512
37b98e1388baeb789ea6d82cfd17b6649718e24f13ea1c4ab90ba8a242b9a4cf6faf9b4dbac413532a0e6ccf5b181b23271b91863930073d54fe886b3d94ddeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\m3sa6BrOImA8.bat

Filesize
207B

MD5
3f2534ecfe66045f85d03b5b321fb4b2

SHA1
9a79cd3ac0e5650cbd5df49e9a5f52903fc7b770

SHA256
192fe76034ed50451ae105a7c1bcabe5c5d361bbdace9099269903932aed0c5b

SHA512
3d76cb80da06469c5681175d7ce30ae381c869146e92cd61371ed545b503b4084db9f81c1121057d6368c4c8a87c3af5e65e35175c2934b46f361917d9af4487

Download Submit
C:\Users\Admin\AppData\Local\Temp\qSEZ34jiopl8.bat

Filesize
207B

MD5
dabd75cf67bc4177f9af4a936ac0f971

SHA1
39c4005175fb3d33ea8d4a52c4e2e6097073b3d1

SHA256
33f236dd2ab8a44f2a7bd39eeeda1b32374ed618eab129db1f06550ac578a863

SHA512
f80b9c7af87263aaf3335a5654d08e725bf5e5b45f9606ef19a0455827e2d771b74a8c4a6e6565b004b0dfa8618f4a0d5e53eb245b8ca951f748a0beb6ca7742

Download Submit
C:\Users\Admin\AppData\Local\Temp\t20S6GTxO3ng.bat

Filesize
207B

MD5
d9f3953008830eb0231a267fafeabff7

SHA1
ac57faa8bd66e390410dd308f144819082941d99

SHA256
46c9e0f5d2ff7b61a4b90bcb9dada7b600b7a89c1418367dba31d7a9f54268e1

SHA512
f43384a70005555755b4a49530772da3eeee315cfec28abea07120824db78f812d6897c0d1d6e68fc1d91b6888962204ae6b5e04eb75e24f5d8dc775c8bd6733

Download Submit
C:\Users\Admin\AppData\Local\Temp\tL0PN3UxpAld.bat

Filesize
207B

MD5
65a2a14620579860c8d5af52ab5592f8

SHA1
4bbcc0024bc098d24a883ae67dec900eed636196

SHA256
5350bc9cd93ba61992cbe1b57173595b4c284ae4957a4d2d9c819cafa99595c2

SHA512
783cea3c52f0ab93e78ed13d7e67fbe27085e16f77bb9eace6207ed1b71511158df898410918f8df5006c6a17a10b12700c911fbd4c77173a3e8d9e687b7ede6

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
c0a15477ed759cacb6e41c32df4ee3b6

SHA1
1105f1a6da7fc5286fc6bbf3bb09b0640c390475

SHA256
40b1e1519d9240e23b0052b13f30cac24db6c23814fb91ec3c151f6e8a477858

SHA512
595c423778602e61e37ba19761c43d6b333357113e31c50cc0947336a122cf3499e2924af3dc523e57df79fd0be435e61286f9c255630d95b56adc15735e6bfa

Download Submit
memory/808-113-0x0000000000F20000-0x0000000001244000-memory.dmp

Filesize
3.1MB

Download
memory/1576-101-0x0000000000300000-0x0000000000624000-memory.dmp

Filesize
3.1MB

Download
memory/1732-45-0x0000000000290000-0x00000000005B4000-memory.dmp

Filesize
3.1MB

Download
memory/1864-124-0x0000000000160000-0x0000000000484000-memory.dmp

Filesize
3.1MB

Download
memory/2244-136-0x00000000008C0000-0x0000000000BE4000-memory.dmp

Filesize
3.1MB

Download
memory/2292-68-0x0000000000EF0000-0x0000000001214000-memory.dmp

Filesize
3.1MB

Download
memory/2300-0-0x000007FEF57F3000-0x000007FEF57F4000-memory.dmp

Filesize
4KB

Download
memory/2300-8-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/2300-2-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/2300-1-0x0000000000EA0000-0x00000000011C4000-memory.dmp

Filesize
3.1MB

Download
memory/2492-56-0x00000000001F0000-0x0000000000514000-memory.dmp

Filesize
3.1MB

Download
memory/2628-34-0x0000000001320000-0x0000000001644000-memory.dmp

Filesize
3.1MB

Download
memory/2668-23-0x0000000001210000-0x0000000001534000-memory.dmp

Filesize
3.1MB

Download
memory/2732-90-0x0000000001050000-0x0000000001374000-memory.dmp

Filesize
3.1MB

Download
memory/2744-20-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/2744-11-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/2744-10-0x0000000000C50000-0x0000000000F74000-memory.dmp

Filesize
3.1MB

Download
memory/2744-9-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads