Analysis

max time kernel: 141s
max time network: 142s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241211-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 27/12/2024, 08:02
General

Target: Client-built.exe
Size: 3.1MB
MD5: c0a15477ed759cacb6e41c32df4ee3b6
SHA1: 1105f1a6da7fc5286fc6bbf3bb09b0640c390475
SHA256: 40b1e1519d9240e23b0052b13f30cac24db6c23814fb91ec3c151f6e8a477858
SHA512: 595c423778602e61e37ba19761c43d6b333357113e31c50cc0947336a122cf3499e2924af3dc523e57df79fd0be435e61286f9c255630d95b56adc15735e6bfa
SSDEEP: 49152:WvEt62XlaSFNWPjljiFa2RoUYI4bRJ6rbR3LoGdDNTHHB72eh2NT:WvY62XlaSFNWPjljiFXRoUYI4bRJ69T
Malware Config

Extracted
quasar
1.4.1
Office04
Ljqzskib:4782
6d2bad0c-8668-4007-b0ab-432a32c2b700
encryption_key: EBBC63CA357CC42C1ADBEA1947460FC46B646E71
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: file explorer start up
subdirectory: SubDir
Signatures

Quasar family

Quasar payload (2 IoCs)
  resource: behavioral1/memory/1388-1-0x0000000000EE0000-0x0000000001204000-memory.dmp   yara_rule: family_quasar
  resource: behavioral1/files/0x00280000000460c6-3.dat   yara_rule: family_quasar

Checks computer location settings (2 TTPs, 12 IoCs)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation
  Process: Client.exe
  (12 identical entries)

Executes dropped EXE (12 IoCs)
  pid / Process: 2088 Client.exe, 5052 Client.exe, 5020 Client.exe, 420 Client.exe, 4616 Client.exe, 2724 Client.exe, 964 Client.exe, 3616 Client.exe, 4428 Client.exe, 936 Client.exe, 2756 Client.exe, 3060 Client.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 12 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid / Process: 1892 PING.EXE, 1168 PING.EXE, 3280 PING.EXE, 2916 PING.EXE, 1532 PING.EXE, 5088 PING.EXE, 1028 PING.EXE, 3192 PING.EXE, 984 PING.EXE, 2984 PING.EXE, 2448 PING.EXE, 3624 PING.EXE

Runs ping.exe (1 TTPs, 12 IoCs)
  pid / Process: 984 PING.EXE, 2916 PING.EXE, 1892 PING.EXE, 1168 PING.EXE, 3280 PING.EXE, 2984 PING.EXE, 1532 PING.EXE, 5088 PING.EXE, 1028 PING.EXE, 3192 PING.EXE, 2448 PING.EXE, 3624 PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTPs, 13 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process: 2352 schtasks.exe, 1540 schtasks.exe, 4780 schtasks.exe, 2384 schtasks.exe, 2448 schtasks.exe, 1868 schtasks.exe, 328 schtasks.exe, 3160 schtasks.exe, 2300 schtasks.exe, 4536 schtasks.exe, 4084 schtasks.exe, 388 schtasks.exe, 4200 schtasks.exe

Suspicious use of AdjustPrivilegeToken (13 IoCs)
  description: Token: SeDebugPrivilege
  pid / Process: 1388 Client-built.exe, 2088 Client.exe, 5052 Client.exe, 5020 Client.exe, 420 Client.exe, 4616 Client.exe, 2724 Client.exe, 964 Client.exe, 3616 Client.exe, 4428 Client.exe, 936 Client.exe, 2756 Client.exe, 3060 Client.exe

Suspicious use of FindShellTrayWindow (12 IoCs)
  pid / Process: 2088 Client.exe, 5052 Client.exe, 5020 Client.exe, 420 Client.exe, 4616 Client.exe, 2724 Client.exe, 964 Client.exe, 3616 Client.exe, 4428 Client.exe, 936 Client.exe, 2756 Client.exe, 3060 Client.exe

Suspicious use of SendNotifyMessage (12 IoCs)
  pid / Process: 2088 Client.exe, 5052 Client.exe, 5020 Client.exe, 420 Client.exe, 4616 Client.exe, 2724 Client.exe, 964 Client.exe, 3616 Client.exe, 4428 Client.exe, 936 Client.exe, 2756 Client.exe, 3060 Client.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
  pid / Process: 2088 Client.exe, 5052 Client.exe, 5020 Client.exe, 420 Client.exe, 4616 Client.exe, 2724 Client.exe, 964 Client.exe, 3616 Client.exe, 4428 Client.exe, 936 Client.exe, 2756 Client.exe, 3060 Client.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  Every row in the report appears twice; the 32 distinct rows are listed once each below.
  pid   Process           wrote to memory of   procid_target
  1388  Client-built.exe  2352                 82
  1388  Client-built.exe  2088                 84
  2088  Client.exe        1540                 85
  2088  Client.exe        760                  91
  760   cmd.exe           2412                 93
  760   cmd.exe           984                  94
  760   cmd.exe           5052                 98
  5052  Client.exe        4536                 99
  5052  Client.exe        4648                 101
  4648  cmd.exe           2824                 103
  4648  cmd.exe           2984                 104
  4648  cmd.exe           5020                 105
  5020  Client.exe        4780                 106
  5020  Client.exe        60                   108
  60    cmd.exe           3368                 110
  60    cmd.exe           1532                 111
  60    cmd.exe           420                  113
  420   Client.exe        2384                 114
  420   Client.exe        3784                 116
  3784  cmd.exe           1820                 118
  3784  cmd.exe           5088                 119
  3784  cmd.exe           4616                 120
  4616  Client.exe        2448                 121
  4616  Client.exe        2060                 123
  2060  cmd.exe           3692                 125
  2060  cmd.exe           1028                 126
  2060  cmd.exe           2724                 127
  2724  Client.exe        4084                 128
  2724  Client.exe        2836                 130
  2836  cmd.exe           3240                 132
  2836  cmd.exe           3192                 133
  2836  cmd.exe           964                  134

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Each entry gives its depth in the process tree; a process's parent is the nearest preceding entry one level shallower.

depth 1   C:\Users\Admin\AppData\Local\Temp\Client-built.exe   PID 1388
          command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

depth 2   C:\Windows\SYSTEM32\schtasks.exe   PID 2352
          command line: "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          - Scheduled Task/Job: Scheduled Task

depth 2   C:\Users\Admin\AppData\Roaming\SubDir\Client.exe   PID 2088
          command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

depth 3   C:\Windows\SYSTEM32\schtasks.exe   PID 1540
          command line: "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          - Scheduled Task/Job: Scheduled Task

depth 3   C:\Windows\system32\cmd.exe   PID 760
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EK4NKuL7T0nT.bat" "
          - Suspicious use of WriteProcessMemory

depth 4   C:\Windows\system32\chcp.com   PID 2412
          command line: chcp 65001

depth 4   C:\Windows\system32\PING.EXE   PID 984
          command line: ping -n 10 localhost
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe

depth 4   C:\Users\Admin\AppData\Roaming\SubDir\Client.exe   PID 5052
          command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

depth 5   C:\Windows\SYSTEM32\schtasks.exe   PID 4536
          command line: "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          - Scheduled Task/Job: Scheduled Task

depth 5   C:\Windows\system32\cmd.exe   PID 4648
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4o74w0EbJOPQ.bat" "
          - Suspicious use of WriteProcessMemory

depth 6   C:\Windows\system32\chcp.com   PID 2824
          command line: chcp 65001

depth 6   C:\Windows\system32\PING.EXE   PID 2984
          command line: ping -n 10 localhost
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe

depth 6   C:\Users\Admin\AppData\Roaming\SubDir\Client.exe   PID 5020
          command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

depth 7   C:\Windows\SYSTEM32\schtasks.exe   PID 4780
          command line: "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          - Scheduled Task/Job: Scheduled Task

depth 7   C:\Windows\system32\cmd.exe   PID 60
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cUmgRpVKT13Z.bat" "
          - Suspicious use of WriteProcessMemory

depth 8   C:\Windows\system32\chcp.com   PID 3368
          command line: chcp 65001

depth 8   C:\Windows\system32\PING.EXE   PID 1532
          command line: ping -n 10 localhost
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe

depth 8   C:\Users\Admin\AppData\Roaming\SubDir\Client.exe   PID 420
          command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

depth 9   C:\Windows\SYSTEM32\schtasks.exe   PID 2384
          command line: "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          - Scheduled Task/Job: Scheduled Task

depth 9   C:\Windows\system32\cmd.exe   PID 3784
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\q30iA4bCw9zn.bat" "
          - Suspicious use of WriteProcessMemory

depth 10  C:\Windows\system32\chcp.com   PID 1820
          command line: chcp 65001

depth 10  C:\Windows\system32\PING.EXE   PID 5088
          command line: ping -n 10 localhost
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe

depth 10  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe   PID 4616
          command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

depth 11  C:\Windows\SYSTEM32\schtasks.exe   PID 2448
          command line: "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          - Scheduled Task/Job: Scheduled Task

depth 11  C:\Windows\system32\cmd.exe   PID 2060
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RKHXlvrxOkxE.bat" "
          - Suspicious use of WriteProcessMemory

depth 12  C:\Windows\system32\chcp.com   PID 3692
          command line: chcp 65001

depth 12  C:\Windows\system32\PING.EXE   PID 1028
          command line: ping -n 10 localhost
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe

depth 12  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe   PID 2724
          command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

depth 13  C:\Windows\SYSTEM32\schtasks.exe   PID 4084
          command line: "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          - Scheduled Task/Job: Scheduled Task

depth 13  C:\Windows\system32\cmd.exe   PID 2836
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C7U6hAz5OIuS.bat" "
          - Suspicious use of WriteProcessMemory

depth 14  C:\Windows\system32\chcp.com   PID 3240
          command line: chcp 65001

depth 14  C:\Windows\system32\PING.EXE   PID 3192
          command line: ping -n 10 localhost
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe

depth 14  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe   PID 964
          command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx

depth 15  C:\Windows\SYSTEM32\schtasks.exe   PID 1868
          command line: "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          - Scheduled Task/Job: Scheduled Task

depth 15  C:\Windows\system32\cmd.exe   PID 3736
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1STon5kE5aOe.bat" "

depth 16  C:\Windows\system32\chcp.com   PID 1040
          command line: chcp 65001

depth 16  C:\Windows\system32\PING.EXE   PID 1892
          command line: ping -n 10 localhost
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe

depth 16  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe   PID 3616
          command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx

depth 17  C:\Windows\SYSTEM32\schtasks.exe   PID 328
          command line: "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          - Scheduled Task/Job: Scheduled Task

depth 17  C:\Windows\system32\cmd.exe   PID 2924
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NHTYCbXs4VIX.bat" "

depth 18  C:\Windows\system32\chcp.com   PID 1140
          command line: chcp 65001

depth 18  C:\Windows\system32\PING.EXE   PID 1168
          command line: ping -n 10 localhost
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe

depth 18  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe   PID 4428
          command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx

depth 19  C:\Windows\SYSTEM32\schtasks.exe   PID 388
          command line: "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          - Scheduled Task/Job: Scheduled Task

depth 19  C:\Windows\system32\cmd.exe   PID 4792
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O647Qrxlp72l.bat" "

depth 20  C:\Windows\system32\chcp.com   PID 2732
          command line: chcp 65001

depth 20  C:\Windows\system32\PING.EXE   PID 3280
          command line: ping -n 10 localhost
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe

depth 20  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe   PID 936
          command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx

depth 21  C:\Windows\SYSTEM32\schtasks.exe   PID 3160
          command line: "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          - Scheduled Task/Job: Scheduled Task

depth 21  C:\Windows\system32\cmd.exe   PID 2676
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l6CnUaZxtvYu.bat" "

depth 22  C:\Windows\system32\chcp.com   PID 4640
          command line: chcp 65001

depth 22  C:\Windows\system32\PING.EXE   PID 2448
          command line: ping -n 10 localhost
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe

depth 22  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe   PID 2756
          command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx

depth 23  C:\Windows\SYSTEM32\schtasks.exe   PID 2300
          command line: "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          - Scheduled Task/Job: Scheduled Task

depth 23  C:\Windows\system32\cmd.exe   PID 1232
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SRS9PfQHnbxu.bat" "

depth 24  C:\Windows\system32\chcp.com   PID 4044
          command line: chcp 65001

depth 24  C:\Windows\system32\PING.EXE   PID 3624
          command line: ping -n 10 localhost
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe

depth 24  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe   PID 3060
          command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx

depth 25  C:\Windows\SYSTEM32\schtasks.exe   PID 4200
          command line: "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          - Scheduled Task/Job: Scheduled Task

depth 25  C:\Windows\system32\cmd.exe   PID 4280
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nTgwkYW2kPoG.bat" "

depth 26  C:\Windows\system32\chcp.com   PID 2796
          command line: chcp 65001

depth 26  C:\Windows\system32\PING.EXE   PID 2916
          command line: ping -n 10 localhost
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 7787ce173dfface746f5a9cf5477883d
SHA1: 4587d870e914785b3a8fb017fec0c0f1c7ec0004
SHA256: c339149818fa8f9e5af4627715c3afe4f42bc1267df17d77a278d4c811ed8df1
SHA512: 3a630053ae99114292f8cf8d45600f8fe72125795252bf76677663476bd2275be084a1af2fcb4ce30409ba1b5829b2b3ffb6795de46d2a703c3314017a86f1ff

Filesize: 207B
MD5: 60d32ce244cd3f01425c516d75625ef3
SHA1: c292d5edfeaa43c785bc29574e588c7f95cb63b1
SHA256: 62ba2950a6a2c0f7ddd5f4625c88bf4019d655f31bd777d12fa94d2b58cfdf00
SHA512: 300180f9907d37cef61ec5ce93349fd1ac434b3a6626c08fca1974606581eb073192d1cbadcbb57db6c2a4a30876d19a069f3da1a9a783f6fbd828255a3debeb

Filesize: 207B
MD5: c7b4c038cabfa1e7fe763e30c497552a
SHA1: 4e0f324bd6c5572987dd924f51e4afc1e84bf5f4
SHA256: f9c24a9430a03b6fec888314f5d6a27a92b5ad687429a2c860e5ca01d021cec0
SHA512: 147906cc92887ed56ee1adf79ea1fc7a165d348c61892fc3639208e9a58c8d3ae0cfefe2c4783e9390d03b0d3d562ca0927267b391155273788895bbfb8357a5

Filesize: 207B
MD5: f61b3550058649f746a698b98d23f971
SHA1: 63d96a8c7dca7c6bcf64f45232b00ed876ff9120
SHA256: 4a9489452525a64609d55aea088634dccf997dc382b4d5de0deff4cf9a743847
SHA512: f894d289ab9d71ce1a03d76cf43a52e8a1707ffcb75e8c2917b1159de710f1f0d298145779d90c083ab83559fbbd045668d8a4e0323962e4ce8b7367289cf154

Filesize: 207B
MD5: df9bbe5d5e25d743e81864290807876a
SHA1: ddce4a98858d216e2416f194e672916a3e60422c
SHA256: 9a7355c6fe45d82fb80c79b7482ffd50542389a2b2c1ad867ed8ef932dd9d301
SHA512: 0c8f91489399e33f290c8901be32251472ac3f4e692682a9cc86833bc21f963084b9f4c24681a4583ada3978dbe96394040bd254246b6f3b4a7c178440c96118

Filesize: 207B
MD5: 80e637628cd5791ecc202215f390d1aa
SHA1: a09ac468c0b65bdf40c776ab05554c124f000db3
SHA256: d97ec66ec5078e4a69445f42dd7f627e43fa7a6a6851248f2d35bbf55dc94887
SHA512: 6b14a62954d72721cdcadcaaf99d6f4d650b03d9a9ff122bc7728162eaaef3ad733ef566d00c440e34a0e34e843d52b80970b9c00c1d55ca2a305d3aa502973f

Filesize: 207B
MD5: 966e60cd2cecedb73c428318de04d3e6
SHA1: 1250ff0a26474bfc5e3859bf0b01dd9b53e2fed1
SHA256: c74946bcde1962339abe30f089311e577e2d08b6582e4e6d63679d21e47678ea
SHA512: 092c1650720edb8db643e1032fe320c1f26de83116bcdb3ef3b86294a973e2218487556ca230c4f875bf10b9c252e730004f38d75df2bf1944942e7b0252ca11

Filesize: 207B
MD5: 5fe8bffc3e8df05672e13ff1bb017b9e
SHA1: 704dfb6d949457fda1e47c90a6fbbf10a900a014
SHA256: 29e509d6b80d14e772fb6670047c175ec9b36c5983a74026a67e8b50f130e325
SHA512: 9331edf8c0883237bc24dceb9843d036968365a5c8241b007195defef345af6eb37ba5f7fe16224b18b07c66212b1f128c50d8556d26cb108064be5dfe3c6f88

Filesize: 207B
MD5: 8de2d46b30461a81066f686887949391
SHA1: 701ee5e2442826b226b26395498860d4ef49f221
SHA256: 9a3f8355a314a3d62b75757186ed4471810140883766631275bdfa836377e334
SHA512: 347001aa67d9199470e48a08d5637bed1073e003f9975f57f4dfad3f0c5a028e37f2a8305476becda7657703630c43b9c8e407b4f36f9f61ced09cbebedfd059

Filesize: 207B
MD5: 72f1d2fe70a613e0b5e95cdabd655df2
SHA1: 85a63fdec3b57f8ae46124675b026fc899f2b2b9
SHA256: 4433fcb2e63467d84eefc59662441dfad5aa7001f1978f4a7886a22532570546
SHA512: a3a4e39d2adb567b96e30fe6f06da64d83f394174d75a1af2c8951d9b3c7a1a8090d9f3915b50b31833756ac848697ee7cc7f22a04254accd39c1b660d81e837

Filesize: 207B
MD5: 8ffa0fea66be91f03b87f7801ffc1b1f
SHA1: c35e2651cee6f82e622e55b9ceceab51e026aba2
SHA256: f78cc903511f57457f6b92a5c82e344c4e82fa21d332b4e995a94d3e9640f250
SHA512: 0dcf46526945234b40a56585f4a98484a923ab80329286adf1b490ea8f67cab188b1649068118c402584e616688d85bed2c2122bb20a43a928fe6f733a719909

Filesize: 207B
MD5: db0850a0902b2f0a12f0e1434c0f5092
SHA1: 315c014f42a8d84e7f88b9e6ede5c42d5852b5db
SHA256: e3a2cb58403174ed6a83c8fe735d1b5c74a9abdc215778df54d4e6f523f3daca
SHA512: f050178e981187bbccb24ce8abb9f2fdd331d8af81b86bc137880d45611e60a85ec5e26008f15bbca9f0236d947f89925cfb93410047f737450920d30724eb4e

Filesize: 207B
MD5: 8c6ba4390535c299c9bcec664ba5f580
SHA1: 48a7361a8f75848deefb39cfa2a51585dc5fadf1
SHA256: ad576837fea0c8c48288cdff50d3aba9216af7482f54df34fef72fbafda1b48c
SHA512: 21b948b44050ef8106374e8579c7a2636cadd9f6608af12617fdd34194a69f15d1f1ab170e4dd12931466d1b8ade9a57d2eb4bf313af16fe40e65187533603e1

Filesize: 3.1MB
MD5: c0a15477ed759cacb6e41c32df4ee3b6
SHA1: 1105f1a6da7fc5286fc6bbf3bb09b0640c390475
SHA256: 40b1e1519d9240e23b0052b13f30cac24db6c23814fb91ec3c151f6e8a477858
SHA512: 595c423778602e61e37ba19761c43d6b333357113e31c50cc0947336a122cf3499e2924af3dc523e57df79fd0be435e61286f9c255630d95b56adc15735e6bfa