quasar | 40b1e1519d9240e23b0052b13f30cac24db6c23814fb91ec3c151f6e8a477858

Resubmissions

27-12-2024 08:03

241227-jxp4patlbl 10

27-12-2024 08:02

241227-jxfj9atlbk 10

Analysis

max time kernel
146s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

c0a15477ed759cacb6e41c32df4ee3b6
SHA1

1105f1a6da7fc5286fc6bbf3bb09b0640c390475
SHA256

40b1e1519d9240e23b0052b13f30cac24db6c23814fb91ec3c151f6e8a477858
SHA512

595c423778602e61e37ba19761c43d6b333357113e31c50cc0947336a122cf3499e2924af3dc523e57df79fd0be435e61286f9c255630d95b56adc15735e6bfa
SSDEEP

49152:WvEt62XlaSFNWPjljiFa2RoUYI4bRJ6rbR3LoGdDNTHHB72eh2NT:WvY62XlaSFNWPjljiFXRoUYI4bRJ69T

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

Ljqzskib:4782

Mutex

6d2bad0c-8668-4007-b0ab-432a32c2b700

Attributes

encryption_key
EBBC63CA357CC42C1ADBEA1947460FC46B646E71
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
file explorer start up
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/5036-1-0x00000000006C0000-0x00000000009E4000-memory.dmp	family_quasar
behavioral1/files/0x000b000000023b90-6.dat	family_quasar

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 12 IoCs

pid	Process
4312	Client.exe
3748	Client.exe
3188	Client.exe
4416	Client.exe
1788	Client.exe
4132	Client.exe
4252	Client.exe
4532	Client.exe
4412	Client.exe
4064	Client.exe
1512	Client.exe
1552	Client.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3404	PING.EXE
5100	PING.EXE
3688	PING.EXE
1940	PING.EXE
2324	PING.EXE
1604	PING.EXE
4028	PING.EXE
2388	PING.EXE
1572	PING.EXE
3336	PING.EXE
2668	PING.EXE
4160	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
4160	PING.EXE
1604	PING.EXE
3336	PING.EXE
3688	PING.EXE
1940	PING.EXE
2668	PING.EXE
5100	PING.EXE
2324	PING.EXE
4028	PING.EXE
3404	PING.EXE
2388	PING.EXE
1572	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3672	schtasks.exe
396	schtasks.exe
2624	schtasks.exe
2680	schtasks.exe
2236	schtasks.exe
4324	schtasks.exe
2684	schtasks.exe
4332	schtasks.exe
1480	schtasks.exe
2016	schtasks.exe
4064	schtasks.exe
4048	schtasks.exe
2080	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2184	msedge.exe
2184	msedge.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	5036	Client-built.exe
Token: SeDebugPrivilege	4312	Client.exe
Token: SeDebugPrivilege	3748	Client.exe
Token: SeDebugPrivilege	3188	Client.exe
Token: SeDebugPrivilege	4416	Client.exe
Token: SeDebugPrivilege	1788	Client.exe
Token: SeDebugPrivilege	4132	Client.exe
Token: SeDebugPrivilege	4252	Client.exe
Token: SeDebugPrivilege	4532	Client.exe
Token: SeDebugPrivilege	4412	Client.exe
Token: SeDebugPrivilege	4064	Client.exe
Token: SeDebugPrivilege	1512	Client.exe
Token: SeDebugPrivilege	1552	Client.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
4312	Client.exe
3748	Client.exe
3188	Client.exe
4416	Client.exe
1788	Client.exe
4132	Client.exe
4252	Client.exe
4532	Client.exe
4412	Client.exe
4064	Client.exe
1512	Client.exe
1552	Client.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4312	Client.exe
3748	Client.exe
3188	Client.exe
4416	Client.exe
1788	Client.exe
4132	Client.exe
4252	Client.exe
4532	Client.exe
4412	Client.exe
4064	Client.exe
1512	Client.exe
1552	Client.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4312	Client.exe
3748	Client.exe
3188	Client.exe
4416	Client.exe
1788	Client.exe
4132	Client.exe
4252	Client.exe
4532	Client.exe
4412	Client.exe
4064	Client.exe
1512	Client.exe
1552	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 2080	5036	Client-built.exe	85
PID 5036 wrote to memory of 2080	5036	Client-built.exe	85
PID 5036 wrote to memory of 4312	5036	Client-built.exe	87
PID 5036 wrote to memory of 4312	5036	Client-built.exe	87
PID 4312 wrote to memory of 2684	4312	Client.exe	88
PID 4312 wrote to memory of 2684	4312	Client.exe	88
PID 4312 wrote to memory of 860	4312	Client.exe	91
PID 4312 wrote to memory of 860	4312	Client.exe	91
PID 860 wrote to memory of 2028	860	cmd.exe	93
PID 860 wrote to memory of 2028	860	cmd.exe	93
PID 860 wrote to memory of 4028	860	cmd.exe	94
PID 860 wrote to memory of 4028	860	cmd.exe	94
PID 860 wrote to memory of 3748	860	cmd.exe	96
PID 860 wrote to memory of 3748	860	cmd.exe	96
PID 3748 wrote to memory of 3672	3748	Client.exe	97
PID 3748 wrote to memory of 3672	3748	Client.exe	97
PID 3748 wrote to memory of 812	3748	Client.exe	100
PID 3748 wrote to memory of 812	3748	Client.exe	100
PID 812 wrote to memory of 4444	812	cmd.exe	103
PID 812 wrote to memory of 4444	812	cmd.exe	103
PID 812 wrote to memory of 3404	812	cmd.exe	105
PID 812 wrote to memory of 3404	812	cmd.exe	105
PID 812 wrote to memory of 3188	812	cmd.exe	123
PID 812 wrote to memory of 3188	812	cmd.exe	123
PID 3188 wrote to memory of 396	3188	Client.exe	124
PID 3188 wrote to memory of 396	3188	Client.exe	124
PID 2368 wrote to memory of 1524	2368	msedge.exe	134
PID 2368 wrote to memory of 1524	2368	msedge.exe	134
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135
PID 2368 wrote to memory of 3336	2368	msedge.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2080
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5MZShAy3hMJB.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2028
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4028
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3748
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3672
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r4XqOpB8KM97.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:812
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4444
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3404
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6vfTzK8xTUqu.bat" "
        7⤵
        
        PID:3628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3708
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2388
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4416
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GJe78C1Xj8Ey.bat" "
        9⤵
        
        PID:2216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1936
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1572
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1788
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kiMjZ9h6qJuY.bat" "
        11⤵
        
        PID:2044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5100
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4132
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qNBT7TrX79wq.bat" "
        13⤵
        
        PID:1244
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3336
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4252
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cFxZvNdiC24s.bat" "
        15⤵
        
        PID:2024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4432
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3688
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4532
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y0JEu5MPHjai.bat" "
        17⤵
        
        PID:2528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1940
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4412
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gODHq20NbLPn.bat" "
        19⤵
        
        PID:1496
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1244
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2668
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4064
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DhouHTRNAbjP.bat" "
        21⤵
        
        PID:4140
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3720
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4160
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1512
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n78TCsVfQ0ZE.bat" "
        23⤵
        
        PID:4688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3256
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2324
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1552
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HkmYUmtLLz9z.bat" "
        25⤵
        
        PID:2276
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2660
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulte5c57efchd4e2h4b5eha241h2b5d62ca3687
1⤵
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0xfc,0x130,0x7ffc9b6646f8,0x7ffc9b664708,0x7ffc9b664718
  2⤵
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,15675641312244543984,3017564167050780945,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,15675641312244543984,3017564167050780945,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,15675641312244543984,3017564167050780945,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
  2⤵
  PID:3184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:3288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3c84b56b7ee765f2c18c8d4b502e5ea3

SHA1
186c8754c82320b0dc80833fdaea4310e0dbe09c

SHA256
5af6c37dc26fd566445e6391a27aad6ecbdaa241e8c12083f3808532eed5c01e

SHA512
95d44a608651d8d0f76ab8c78a72a7eace32b3bec6fb1d11cb09cadc3a9410df7ef1c76d7744d298ab68e7fe1734c9510664a9f0a4da59c75eb70e1c3b2887ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
531bb9250d7246022311eacba7828fc8

SHA1
55a4c8d6901d29f42f43124d5df7cb4f85799ba9

SHA256
3c485d94bed44b4b81a037fd65e2d5a2c446240dd3a83e2b1f9f548ec9715952

SHA512
004f94aee3bd8dcb78f62a73dc17f6271422cc18d13725a6e675fa399625e6db5b63d0b294a90540e67b60c835e7e4bca64ae27db9d3f30e9b9cd122741bb39c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5MZShAy3hMJB.bat

Filesize
207B

MD5
2b83b7833a8fa54a18e738ff1da77d3e

SHA1
38f35990cc105da423125c4e68395a3baec1ec67

SHA256
768c2e80921e2c56483595d34f4fc17dbbc97d24f1597b7c48b22f527b791229

SHA512
c42c4e1a93a634a103bf99c4a4f4347ea9b371e428fbd8c2e96c83a5ffda09c5638f54757b5eba27802254add37069e69c18234964146fe0c5e25033e2ca6709

Download Submit
C:\Users\Admin\AppData\Local\Temp\6vfTzK8xTUqu.bat

Filesize
207B

MD5
a18ca64eb023cf1de6c4d792dbf187ae

SHA1
d14d672f4b77b2bc5e99f12d32e972697681bb0b

SHA256
ddf20afa50c30041c26faac68fe2fc1d3f46d7f58289cd2b71c44e5b2f6563c5

SHA512
524f397d20ace4335b382a026d125bbdbee638fb7c7c12e4d186728e5c1f298cf0e42156a0af4ebfa8a31308c0aa89a98bfadbd189bc447d4363154d8f4a7f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DhouHTRNAbjP.bat

Filesize
207B

MD5
78955a03b5c00654e72c357f9a380097

SHA1
97d53e7f0e3c9c2f5fe252726202002b60194022

SHA256
d8dfe5e39e2ee2aae6b663adf695533101b5b43453d0eaf5d484aee86048ad7a

SHA512
59485d8d039459d36d7d88f2acd9d57f461d791c4807da6005a1d903bce1697c9a5782dc5bfa6a509a93bb9f267f0dbbbe497b57932883f039973691def93b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GJe78C1Xj8Ey.bat

Filesize
207B

MD5
fc88e5e450dff47f04c8b97626e13aa1

SHA1
e4b189d1a8ee26b1b5c9299ed9bf46cc2192df5b

SHA256
9faaeeb51f138ccbc8836a875339ec1768ca28435c7c243a66bb14cd985f1aca

SHA512
78763730685c5fb533236f4e305bda077e96b085203dabd9c95899a44484cb054a0db2c36adb38054bea7f5468d0a51616dd14f2434a80746a192e384c9772db

Download Submit
C:\Users\Admin\AppData\Local\Temp\HkmYUmtLLz9z.bat

Filesize
207B

MD5
460eef7c4653b42c47ffd341d87c2291

SHA1
ef1d3cb73655c30661b3cb5342eab84dc1e1d0d8

SHA256
30796fbba32951241e5eff4477ab37881fa6d3aecff5ba441965673c529ea633

SHA512
275f008ed5c83d0209d493cdf7e54fecb15e366d66aa2f88ed16fbaf1663c3a7f2ac1fd34cbbcb3e5a9d728ec69de9b4f792afaade1833cc7c7be2059e151c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cFxZvNdiC24s.bat

Filesize
207B

MD5
4027f38493a1bf99242acc337d1fef8f

SHA1
e6e0df731c626275251810563ce3ee4a64dbe59d

SHA256
246214917eaabd72b1b4d8b937f5285e92295beab2454d5b0485428b854ab189

SHA512
139d2a6b6a8dd5387f81300e17592b28cbf43f8de418486dc30b6c792b778bb497c2fd46daf90949effe75368c53648e38445f8039bfcee5b49e68882d2fee46

Download Submit
C:\Users\Admin\AppData\Local\Temp\gODHq20NbLPn.bat

Filesize
207B

MD5
efca47d1f2db67eb96c0b1673ffaeb52

SHA1
23b3a169c779a79ba0d0bfee187605efd0616a91

SHA256
f5949c3d1843d9da38d388b28a72deeaaab3634a82845f142cd8345115d91e46

SHA512
ae7a110e8909b17a9ccb836ea7045959855e558687fedc9db3105c839ea1f951a1a72763695059620ebe7a22e30214ffdcdb3aa9132b53948a855e2367fcb38a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kiMjZ9h6qJuY.bat

Filesize
207B

MD5
9d525835db3fd1e78e45761d9ba5f5a6

SHA1
c8ceb3bc3c27a3f040a886eeebb673b5fd5bb6cd

SHA256
970b43c9da04beb0ef7a798d3e51add6c93a63172dcdaa94522ba75564c415a4

SHA512
32e29393a6c8148259cdbb3a46f28ac50a7be3c0a853425669ddedff3d2e60daf54544ebb1398000c65028f40510e208001209d7f6d13a7d2ff0d36914d30ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\n78TCsVfQ0ZE.bat

Filesize
207B

MD5
99313ea7afc667b5996abe63ae513272

SHA1
10ab9250a7e4d0fb21db62b81abc6e6e940c2e06

SHA256
10788dd547e3bd42beb32506005f7dc8aed00565c3eba630a80753144185f4d6

SHA512
4a8c38e762a3135a9501ea2ec1f1ab1c3b1e5b3f3a8856b4950b02b5c267870cc2698499d6f888efa5f15e0fa3e009da8183fde36364f4f43d2a47bdbc751616

Download Submit
C:\Users\Admin\AppData\Local\Temp\qNBT7TrX79wq.bat

Filesize
207B

MD5
8b0dcf707164648eb4d36d2765a153a9

SHA1
185a955eeeea00b2000372392f1c3e522caa958e

SHA256
23b82a8f7e9f90565801e3b0b94106f4a2b3fed4dea1961159d3e287a279ce6e

SHA512
129b76c277093c4d8f41da29f93d7230736d35efaf4eb434c49d241540f2b888947d1db60d261bf1d6883ce9b0f818fac2530b01a33654fa5119bfe5c4491a40

Download Submit
C:\Users\Admin\AppData\Local\Temp\r4XqOpB8KM97.bat

Filesize
207B

MD5
81e9da2cce2b48901758ffe0395476cf

SHA1
5107a8d51c8458bd561e0b0f200aa07282045a13

SHA256
51afd84dfb592bc78577f5fbf225f50cfdb91c1008a668c982c930cde2561b84

SHA512
cb60de01269072f732a89468fc650a8087855c8f6c921dd56f5e321a782bcfebf0893bca82ff8b2495047637bed696f8b193fec1cb899251f0a4c904893babe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\y0JEu5MPHjai.bat

Filesize
207B

MD5
cc7e5657c97e28924ee46d85933fb42f

SHA1
0900721c038b21d9bf46901c55d8a0fcfd7144c2

SHA256
684fe7289f29a449de0c5ff38f8f8d257c3ce34c1e52e17293488745a80dfd86

SHA512
81874e3b52ffb2c3de0dd2c7d13515a9045281fce324f01a4761526445398acddd25f5fb9e4c6214f411d0ce2e533845cc9bcb8bbdf9ce8855d26fb65f0f6595

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
c0a15477ed759cacb6e41c32df4ee3b6

SHA1
1105f1a6da7fc5286fc6bbf3bb09b0640c390475

SHA256
40b1e1519d9240e23b0052b13f30cac24db6c23814fb91ec3c151f6e8a477858

SHA512
595c423778602e61e37ba19761c43d6b333357113e31c50cc0947336a122cf3499e2924af3dc523e57df79fd0be435e61286f9c255630d95b56adc15735e6bfa

Download Submit
memory/4312-18-0x00007FFCA1610000-0x00007FFCA20D1000-memory.dmp

Filesize
10.8MB

Download
memory/4312-13-0x000000001C910000-0x000000001C9C2000-memory.dmp

Filesize
712KB

Download
memory/4312-12-0x000000001C800000-0x000000001C850000-memory.dmp

Filesize
320KB

Download
memory/4312-11-0x00007FFCA1610000-0x00007FFCA20D1000-memory.dmp

Filesize
10.8MB

Download
memory/4312-9-0x00007FFCA1610000-0x00007FFCA20D1000-memory.dmp

Filesize
10.8MB

Download
memory/5036-0-0x00007FFCA1613000-0x00007FFCA1615000-memory.dmp

Filesize
8KB

Download
memory/5036-10-0x00007FFCA1610000-0x00007FFCA20D1000-memory.dmp

Filesize
10.8MB

Download
memory/5036-2-0x00007FFCA1610000-0x00007FFCA20D1000-memory.dmp

Filesize
10.8MB

Download
memory/5036-1-0x00000000006C0000-0x00000000009E4000-memory.dmp

Filesize
3.1MB

Download