quasar | 40b1e1519d9240e23b0052b13f30cac24db6c23814fb91ec3c151f6e8a477858

Analysis

max time kernel
141s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

c0a15477ed759cacb6e41c32df4ee3b6
SHA1

1105f1a6da7fc5286fc6bbf3bb09b0640c390475
SHA256

40b1e1519d9240e23b0052b13f30cac24db6c23814fb91ec3c151f6e8a477858
SHA512

595c423778602e61e37ba19761c43d6b333357113e31c50cc0947336a122cf3499e2924af3dc523e57df79fd0be435e61286f9c255630d95b56adc15735e6bfa
SSDEEP

49152:WvEt62XlaSFNWPjljiFa2RoUYI4bRJ6rbR3LoGdDNTHHB72eh2NT:WvY62XlaSFNWPjljiFXRoUYI4bRJ69T

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

Ljqzskib:4782

Mutex

6d2bad0c-8668-4007-b0ab-432a32c2b700

Attributes

encryption_key
EBBC63CA357CC42C1ADBEA1947460FC46B646E71
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
file explorer start up
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2252-1-0x0000000000DD0000-0x00000000010F4000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023c77-6.dat	family_quasar

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 12 IoCs

pid	Process
2636	Client.exe
1684	Client.exe
540	Client.exe
1160	Client.exe
1060	Client.exe
4460	Client.exe
2740	Client.exe
1560	Client.exe
1312	Client.exe
1880	Client.exe
2380	Client.exe
4368	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5052	PING.EXE
2352	PING.EXE
3056	PING.EXE
3424	PING.EXE
4408	PING.EXE
4772	PING.EXE
2432	PING.EXE
748	PING.EXE
4060	PING.EXE
1412	PING.EXE
3344	PING.EXE
4928	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
748	PING.EXE
5052	PING.EXE
2352	PING.EXE
4928	PING.EXE
3056	PING.EXE
1412	PING.EXE
3424	PING.EXE
3344	PING.EXE
4408	PING.EXE
4772	PING.EXE
2432	PING.EXE
4060	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1316	schtasks.exe
1416	schtasks.exe
3960	schtasks.exe
3644	schtasks.exe
2596	schtasks.exe
1144	schtasks.exe
4860	schtasks.exe
4000	schtasks.exe
216	schtasks.exe
2264	schtasks.exe
4636	schtasks.exe
4496	schtasks.exe
2244	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2252	Client-built.exe
Token: SeDebugPrivilege	2636	Client.exe
Token: SeDebugPrivilege	1684	Client.exe
Token: SeDebugPrivilege	540	Client.exe
Token: SeDebugPrivilege	1160	Client.exe
Token: SeDebugPrivilege	1060	Client.exe
Token: SeDebugPrivilege	4460	Client.exe
Token: SeDebugPrivilege	2740	Client.exe
Token: SeDebugPrivilege	1560	Client.exe
Token: SeDebugPrivilege	1312	Client.exe
Token: SeDebugPrivilege	1880	Client.exe
Token: SeDebugPrivilege	2380	Client.exe
Token: SeDebugPrivilege	4368	Client.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
2636	Client.exe
1684	Client.exe
540	Client.exe
1160	Client.exe
1060	Client.exe
4460	Client.exe
2740	Client.exe
1560	Client.exe
1312	Client.exe
1880	Client.exe
2380	Client.exe
4368	Client.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2636	Client.exe
1684	Client.exe
540	Client.exe
1160	Client.exe
1060	Client.exe
4460	Client.exe
2740	Client.exe
1560	Client.exe
1312	Client.exe
1880	Client.exe
2380	Client.exe
4368	Client.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2636	Client.exe
1684	Client.exe
540	Client.exe
1160	Client.exe
1060	Client.exe
4460	Client.exe
2740	Client.exe
1560	Client.exe
1312	Client.exe
1880	Client.exe
2380	Client.exe
4368	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2244	2252	Client-built.exe	83
PID 2252 wrote to memory of 2244	2252	Client-built.exe	83
PID 2252 wrote to memory of 2636	2252	Client-built.exe	85
PID 2252 wrote to memory of 2636	2252	Client-built.exe	85
PID 2636 wrote to memory of 4000	2636	Client.exe	86
PID 2636 wrote to memory of 4000	2636	Client.exe	86
PID 2636 wrote to memory of 2156	2636	Client.exe	89
PID 2636 wrote to memory of 2156	2636	Client.exe	89
PID 2156 wrote to memory of 3392	2156	cmd.exe	91
PID 2156 wrote to memory of 3392	2156	cmd.exe	91
PID 2156 wrote to memory of 3056	2156	cmd.exe	92
PID 2156 wrote to memory of 3056	2156	cmd.exe	92
PID 2156 wrote to memory of 1684	2156	cmd.exe	102
PID 2156 wrote to memory of 1684	2156	cmd.exe	102
PID 1684 wrote to memory of 1316	1684	Client.exe	103
PID 1684 wrote to memory of 1316	1684	Client.exe	103
PID 1684 wrote to memory of 1204	1684	Client.exe	110
PID 1684 wrote to memory of 1204	1684	Client.exe	110
PID 1204 wrote to memory of 3516	1204	cmd.exe	112
PID 1204 wrote to memory of 3516	1204	cmd.exe	112
PID 1204 wrote to memory of 1412	1204	cmd.exe	113
PID 1204 wrote to memory of 1412	1204	cmd.exe	113
PID 1204 wrote to memory of 540	1204	cmd.exe	115
PID 1204 wrote to memory of 540	1204	cmd.exe	115
PID 540 wrote to memory of 4636	540	Client.exe	116
PID 540 wrote to memory of 4636	540	Client.exe	116
PID 540 wrote to memory of 752	540	Client.exe	119
PID 540 wrote to memory of 752	540	Client.exe	119
PID 752 wrote to memory of 1064	752	cmd.exe	121
PID 752 wrote to memory of 1064	752	cmd.exe	121
PID 752 wrote to memory of 3424	752	cmd.exe	122
PID 752 wrote to memory of 3424	752	cmd.exe	122
PID 752 wrote to memory of 1160	752	cmd.exe	127
PID 752 wrote to memory of 1160	752	cmd.exe	127
PID 1160 wrote to memory of 4496	1160	Client.exe	128
PID 1160 wrote to memory of 4496	1160	Client.exe	128
PID 1160 wrote to memory of 3100	1160	Client.exe	131
PID 1160 wrote to memory of 3100	1160	Client.exe	131
PID 3100 wrote to memory of 3392	3100	cmd.exe	133
PID 3100 wrote to memory of 3392	3100	cmd.exe	133
PID 3100 wrote to memory of 3344	3100	cmd.exe	134
PID 3100 wrote to memory of 3344	3100	cmd.exe	134
PID 3100 wrote to memory of 1060	3100	cmd.exe	136
PID 3100 wrote to memory of 1060	3100	cmd.exe	136
PID 1060 wrote to memory of 1416	1060	Client.exe	137
PID 1060 wrote to memory of 1416	1060	Client.exe	137
PID 1060 wrote to memory of 1820	1060	Client.exe	140
PID 1060 wrote to memory of 1820	1060	Client.exe	140
PID 1820 wrote to memory of 4252	1820	cmd.exe	142
PID 1820 wrote to memory of 4252	1820	cmd.exe	142
PID 1820 wrote to memory of 4408	1820	cmd.exe	143
PID 1820 wrote to memory of 4408	1820	cmd.exe	143
PID 1820 wrote to memory of 4460	1820	cmd.exe	145
PID 1820 wrote to memory of 4460	1820	cmd.exe	145
PID 4460 wrote to memory of 3960	4460	Client.exe	146
PID 4460 wrote to memory of 3960	4460	Client.exe	146
PID 4460 wrote to memory of 2468	4460	Client.exe	149
PID 4460 wrote to memory of 2468	4460	Client.exe	149
PID 2468 wrote to memory of 1452	2468	cmd.exe	151
PID 2468 wrote to memory of 1452	2468	cmd.exe	151
PID 2468 wrote to memory of 4772	2468	cmd.exe	152
PID 2468 wrote to memory of 4772	2468	cmd.exe	152
PID 2468 wrote to memory of 2740	2468	cmd.exe	154
PID 2468 wrote to memory of 2740	2468	cmd.exe	154

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2244
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SvbvzdlQsjs1.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3392
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3056
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1684
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1316
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1QaWHunrdDnc.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1204
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3516
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1412
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DqiTzIy05hgm.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3424
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqRi5HuuydSx.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3392
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3344
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WnM9MS5nctTU.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4252
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4408
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ikIHLH732QJC.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1452
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4772
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2740
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8VdkyFIbLrGk.bat" "
        15⤵
        
        PID:2080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3384
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2432
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qRj3mcdfPp6L.bat" "
        17⤵
        
        PID:812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1348
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:748
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1312
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D6ADZVAkcC5E.bat" "
        19⤵
        
        PID:4604
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:5104
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5052
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1880
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QSi4jgehNrfL.bat" "
        21⤵
        
        PID:2156
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3160
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2352
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2380
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mG49rfS6DPIA.bat" "
        23⤵
        
        PID:2384
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:628
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4060
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4368
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FfVWIU2Svxzj.bat" "
        25⤵
        
        PID:2408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4724
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1QaWHunrdDnc.bat

Filesize
207B

MD5
65f0f8686efe9b4679a7fbe0db200966

SHA1
d90f96f17b1bdc61f016c32d724dd4b8092d826f

SHA256
f23552b0c753ef23a829518a2f7ae6f31a56ea80273ad7f9409a764916195565

SHA512
c11d9d42ef5e10168b03bab2bc69e05ca131e987664adaca7714f63485a227bef396e05bf6633e94d595203d558f20e1ac3470f139b1c93e5511c9faef60d9c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\8VdkyFIbLrGk.bat

Filesize
207B

MD5
37e0e073b6abe8fe26184ef0a19144c0

SHA1
995d415b80eae65026680cb1ad4d1513d4d20362

SHA256
b97a1697e21f7feaf5f8567fa7e5f63be48ab66caa1b224dd6dd3804cd35ac72

SHA512
e10f08384a03cac8d3d4df12fea8650d66fbeb0c472a8ac1b0452b5ac90412cc8bf1083f5f7dd07858d1e036222707c4d0d8a3b320853120e3f52dc12d855444

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6ADZVAkcC5E.bat

Filesize
207B

MD5
cfe7a893920f53174abef0a853f8abdb

SHA1
ac5224ed5982f1bed0ad9588956cf282f275612e

SHA256
7759fd47d4a6ea1e8fd59d740182a068ee154188f6519a0a4fb8927bc8d4b9ac

SHA512
ba116fa9e2a8c7c8bae753cd081ff150a0c67fcb8866eb77e51b29e2a71984e1b643c85b8051aee91b3670c18e9f241618dcf3c3953204a3c297abac494831c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DqiTzIy05hgm.bat

Filesize
207B

MD5
3e37ddfef94ede7d6ab626c85ef38f0c

SHA1
46bd8c57527d27f5987d89a52f7e33eea096bab8

SHA256
d57f2e844936864fbc273dbeca568a9cdd159d53daa668e59ee1e19e50be8c7d

SHA512
d632e3a0054337dd557f1b0324001c7f86a0b3ae5dac15db2b90bb7475416a5019c29be10e7e77d109df211bbb60bdef222f318666f932f619337fca18a9955f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FfVWIU2Svxzj.bat

Filesize
207B

MD5
e1cbe752a91056dda2f3c7bd266ea9ba

SHA1
c919aa62a6b3c778c53c7de6648ba26d5bb45c0a

SHA256
127fdbc8fbcba7284643d900a151de1eef48bceeb871c63cc1a74f22316575b5

SHA512
431fbf0fbff8412e93d4feebfbb54cb69094741a85c5d0e382b7ffb00ff74124a35658f76b8ae2dec8bc7ffd6adf7a6f5c256b6a0b4046747737247d18b50909

Download Submit
C:\Users\Admin\AppData\Local\Temp\KqRi5HuuydSx.bat

Filesize
207B

MD5
131ae211d9d403b3325e48f9a65f85d1

SHA1
c6f0a0e2b0657c536784e6356005af3ae9580868

SHA256
2e9c3211da2f0d37d1ecc1d63ec7775d03e7c48f5b351a128dd82322ef0f0aaf

SHA512
575bf32636603a0076d22c0a896559e0878116c41f5c1e2a361ecfc2dffb749d1f2caf02b8c2d95b2d2c3e0ce9faaeb5a0f0fba4ce806e823b7ad546478d6597

Download Submit
C:\Users\Admin\AppData\Local\Temp\QSi4jgehNrfL.bat

Filesize
207B

MD5
fac69a32d5b87c4915b4a2db443c08f6

SHA1
37d0714f0baedc3d85cebefebbce951def43256a

SHA256
2e8e92ab1340eff1fa95b6b8ca1fd5dd9d0d3e6498c64c9cd77b9b94e8723245

SHA512
df7175872c57d052e6f610bbdcec6bc6612b35b447eb549a2e20a5a580f8fa9bf20449da9c57866816e866bb801e376b3c71031bae583ac159eb189164f19c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SvbvzdlQsjs1.bat

Filesize
207B

MD5
73cae90b515f07af798a741365317bba

SHA1
fa6608a4ea7126c5f1a4d54c58105d23bc6f5c47

SHA256
bd26bc55d1cfb4e5d184e3437720a0583bf50dd906e659a0ca83bbe51f07fd18

SHA512
c6b522a5e09f854f7cf7b73fd2a81e86f02026f08f53ecd9ecd0e264a37059df1a23128cade6c07190fdd96803638ec64ca49d38903542c759bf7a083e006453

Download Submit
C:\Users\Admin\AppData\Local\Temp\WnM9MS5nctTU.bat

Filesize
207B

MD5
23475c14299a78dcfb7ad381094306db

SHA1
ff1762191c030a7798e97cfe4908b981e16a5842

SHA256
e66b421b4dd9407dbee113117894b1c2c9182eab0f67e10d48858b0602aa8293

SHA512
55fe9fab0b89b61b858a77d98de1721c25ef3465b6863867aef80389b2f8450f451334a6c1119d97b6603cd87a5c5b7d92bd07a3dfd0728fed2531bbed115ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikIHLH732QJC.bat

Filesize
207B

MD5
e974a18b7aacf2dcef0a4e54e0579f4c

SHA1
896ca14739ae30e5c163991b05a7240e3aac2f09

SHA256
18f1077e848ee68385795d14ae0703762128f9e89d7a51ff9eff54c10f0b2514

SHA512
ea518a87423becafc35e68e41b3b2b6d1f83f9f0223aee8609b8c6f1c99bb1279a086468a6f8ab1be8f7772b71e9a8827d34b97cde9b12edf79b7d3b0d27ddcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mG49rfS6DPIA.bat

Filesize
207B

MD5
e4592a0f6cf0c8aa677c115fcffd8031

SHA1
f67833995f88fa8de7da01799234bae572997b30

SHA256
ea17976c95629652687d8ae5c9f0c19c76f7d0bc8e69e6e60c04f3897bfd681b

SHA512
490de02f3fac7e91d25b33bfd6b31452c9cf91d5a581040dcb1b1f32c21029d8d97b9c8d5c0c6a3420b1d90c5b9af3e894828ce85389c4c53c3da583fe5ab4cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\qRj3mcdfPp6L.bat

Filesize
207B

MD5
3376784a8ef98777cecf6a901032adb2

SHA1
5a04ae1cb462e9827c35c73e43ba4a30dfcd1338

SHA256
a5e762efdf94c123f00234811e0dbcd08716865fd1c31979b419ed27bc1d1bd6

SHA512
be9e48e3469ddb52691b2b40cfeb07903c43dc74069365f6dc5f2ccc82b5e2e241b6d7149665c167d0826eae4566fdd8287796a3ac4262d0d4c6837fcab8c505

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
c0a15477ed759cacb6e41c32df4ee3b6

SHA1
1105f1a6da7fc5286fc6bbf3bb09b0640c390475

SHA256
40b1e1519d9240e23b0052b13f30cac24db6c23814fb91ec3c151f6e8a477858

SHA512
595c423778602e61e37ba19761c43d6b333357113e31c50cc0947336a122cf3499e2924af3dc523e57df79fd0be435e61286f9c255630d95b56adc15735e6bfa

Download Submit
memory/2252-0-0x00007FFCCB7F3000-0x00007FFCCB7F5000-memory.dmp

Filesize
8KB

Download
memory/2252-10-0x00007FFCCB7F0000-0x00007FFCCC2B1000-memory.dmp

Filesize
10.8MB

Download
memory/2252-2-0x00007FFCCB7F0000-0x00007FFCCC2B1000-memory.dmp

Filesize
10.8MB

Download
memory/2252-1-0x0000000000DD0000-0x00000000010F4000-memory.dmp

Filesize
3.1MB

Download
memory/2636-9-0x00007FFCCB7F0000-0x00007FFCCC2B1000-memory.dmp

Filesize
10.8MB

Download
memory/2636-11-0x00007FFCCB7F0000-0x00007FFCCC2B1000-memory.dmp

Filesize
10.8MB

Download
memory/2636-12-0x000000001BC90000-0x000000001BCE0000-memory.dmp

Filesize
320KB

Download
memory/2636-18-0x00007FFCCB7F0000-0x00007FFCCC2B1000-memory.dmp

Filesize
10.8MB

Download
memory/2636-13-0x000000001BDA0000-0x000000001BE52000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads