quasar | 258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
30-12-2024 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282dbN.exe
Size

3.1MB
MD5

4b831b964f39059bfd95f56e78086830
SHA1

48649150d6a30522ee550b2cfc5b00fdda00889e
SHA256

258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db
SHA512

ed737225027fce0f6d030a3ab8f9ee329f395e08657e1c283402b7bcab772776f8015afd19535e250899893ed655b40fbed4f7fb2c22f28e668290d322ccd398
SSDEEP

49152:DvilL26AaNeWgPhlmVqvMQ7XSKnIRJ6ibR3LoGdWhNTHHB72eh2NT8:DvaL26AaNeWgPhlmVqkQ7XSKnIRJ6cYp

Score

10^/10

quasar triage discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Triage

sekacex395-58825.portmap.host:1194

Mutex

144ba9a1-0ea5-481a-929a-2aff73023537

Attributes

encryption_key
480A149BDA5F1D4EEBD5CF8EA0711405B7FC59B1
install_name
Client.exe
log_directory
kLogs
reconnect_delay
3000
startup_key
Avast Free Antivirus
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 10 IoCs

resource	yara_rule
behavioral1/memory/1596-1-0x0000000000160000-0x0000000000484000-memory.dmp	family_quasar
behavioral1/files/0x002e000000014733-6.dat	family_quasar
behavioral1/memory/2764-9-0x0000000000EF0000-0x0000000001214000-memory.dmp	family_quasar
behavioral1/memory/2992-23-0x0000000001110000-0x0000000001434000-memory.dmp	family_quasar
behavioral1/memory/2972-34-0x00000000000E0000-0x0000000000404000-memory.dmp	family_quasar
behavioral1/memory/2336-45-0x00000000009B0000-0x0000000000CD4000-memory.dmp	family_quasar
behavioral1/memory/2172-56-0x00000000003D0000-0x00000000006F4000-memory.dmp	family_quasar
behavioral1/memory/1984-68-0x0000000000FC0000-0x00000000012E4000-memory.dmp	family_quasar
behavioral1/memory/2932-79-0x0000000001270000-0x0000000001594000-memory.dmp	family_quasar
behavioral1/memory/2124-121-0x0000000001370000-0x0000000001694000-memory.dmp	family_quasar

Executes dropped EXE 12 IoCs

pid	Process
2764	Client.exe
2992	Client.exe
2972	Client.exe
2336	Client.exe
2172	Client.exe
1984	Client.exe
2932	Client.exe
2544	Client.exe
1380	Client.exe
2176	Client.exe
2124	Client.exe
1816	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2720	PING.EXE
1760	PING.EXE
2420	PING.EXE
1448	PING.EXE
2244	PING.EXE
828	PING.EXE
2860	PING.EXE
2720	PING.EXE
2828	PING.EXE
1772	PING.EXE
1872	PING.EXE
1496	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
2720	PING.EXE
2828	PING.EXE
1760	PING.EXE
828	PING.EXE
2860	PING.EXE
1496	PING.EXE
1772	PING.EXE
2420	PING.EXE
1448	PING.EXE
2244	PING.EXE
2720	PING.EXE
1872	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1948	schtasks.exe
2072	schtasks.exe
2656	schtasks.exe
764	schtasks.exe
2376	schtasks.exe
1124	schtasks.exe
2636	schtasks.exe
1040	schtasks.exe
1832	schtasks.exe
2176	schtasks.exe
2316	schtasks.exe
300	schtasks.exe
2308	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1596	258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282dbN.exe
Token: SeDebugPrivilege	2764	Client.exe
Token: SeDebugPrivilege	2992	Client.exe
Token: SeDebugPrivilege	2972	Client.exe
Token: SeDebugPrivilege	2336	Client.exe
Token: SeDebugPrivilege	2172	Client.exe
Token: SeDebugPrivilege	1984	Client.exe
Token: SeDebugPrivilege	2932	Client.exe
Token: SeDebugPrivilege	2544	Client.exe
Token: SeDebugPrivilege	1380	Client.exe
Token: SeDebugPrivilege	2176	Client.exe
Token: SeDebugPrivilege	2124	Client.exe
Token: SeDebugPrivilege	1816	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 2072	1596	258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282dbN.exe	28
PID 1596 wrote to memory of 2072	1596	258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282dbN.exe	28
PID 1596 wrote to memory of 2072	1596	258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282dbN.exe	28
PID 1596 wrote to memory of 2764	1596	258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282dbN.exe	30
PID 1596 wrote to memory of 2764	1596	258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282dbN.exe	30
PID 1596 wrote to memory of 2764	1596	258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282dbN.exe	30
PID 2764 wrote to memory of 2656	2764	Client.exe	31
PID 2764 wrote to memory of 2656	2764	Client.exe	31
PID 2764 wrote to memory of 2656	2764	Client.exe	31
PID 2764 wrote to memory of 2560	2764	Client.exe	33
PID 2764 wrote to memory of 2560	2764	Client.exe	33
PID 2764 wrote to memory of 2560	2764	Client.exe	33
PID 2560 wrote to memory of 2636	2560	cmd.exe	35
PID 2560 wrote to memory of 2636	2560	cmd.exe	35
PID 2560 wrote to memory of 2636	2560	cmd.exe	35
PID 2560 wrote to memory of 2720	2560	cmd.exe	36
PID 2560 wrote to memory of 2720	2560	cmd.exe	36
PID 2560 wrote to memory of 2720	2560	cmd.exe	36
PID 2560 wrote to memory of 2992	2560	cmd.exe	37
PID 2560 wrote to memory of 2992	2560	cmd.exe	37
PID 2560 wrote to memory of 2992	2560	cmd.exe	37
PID 2992 wrote to memory of 764	2992	Client.exe	38
PID 2992 wrote to memory of 764	2992	Client.exe	38
PID 2992 wrote to memory of 764	2992	Client.exe	38
PID 2992 wrote to memory of 2744	2992	Client.exe	40
PID 2992 wrote to memory of 2744	2992	Client.exe	40
PID 2992 wrote to memory of 2744	2992	Client.exe	40
PID 2744 wrote to memory of 1684	2744	cmd.exe	42
PID 2744 wrote to memory of 1684	2744	cmd.exe	42
PID 2744 wrote to memory of 1684	2744	cmd.exe	42
PID 2744 wrote to memory of 2828	2744	cmd.exe	43
PID 2744 wrote to memory of 2828	2744	cmd.exe	43
PID 2744 wrote to memory of 2828	2744	cmd.exe	43
PID 2744 wrote to memory of 2972	2744	cmd.exe	44
PID 2744 wrote to memory of 2972	2744	cmd.exe	44
PID 2744 wrote to memory of 2972	2744	cmd.exe	44
PID 2972 wrote to memory of 2176	2972	Client.exe	45
PID 2972 wrote to memory of 2176	2972	Client.exe	45
PID 2972 wrote to memory of 2176	2972	Client.exe	45
PID 2972 wrote to memory of 1644	2972	Client.exe	47
PID 2972 wrote to memory of 1644	2972	Client.exe	47
PID 2972 wrote to memory of 1644	2972	Client.exe	47
PID 1644 wrote to memory of 2416	1644	cmd.exe	49
PID 1644 wrote to memory of 2416	1644	cmd.exe	49
PID 1644 wrote to memory of 2416	1644	cmd.exe	49
PID 1644 wrote to memory of 1760	1644	cmd.exe	50
PID 1644 wrote to memory of 1760	1644	cmd.exe	50
PID 1644 wrote to memory of 1760	1644	cmd.exe	50
PID 1644 wrote to memory of 2336	1644	cmd.exe	53
PID 1644 wrote to memory of 2336	1644	cmd.exe	53
PID 1644 wrote to memory of 2336	1644	cmd.exe	53
PID 2336 wrote to memory of 2316	2336	Client.exe	54
PID 2336 wrote to memory of 2316	2336	Client.exe	54
PID 2336 wrote to memory of 2316	2336	Client.exe	54
PID 2336 wrote to memory of 2500	2336	Client.exe	56
PID 2336 wrote to memory of 2500	2336	Client.exe	56
PID 2336 wrote to memory of 2500	2336	Client.exe	56
PID 2500 wrote to memory of 1708	2500	cmd.exe	58
PID 2500 wrote to memory of 1708	2500	cmd.exe	58
PID 2500 wrote to memory of 1708	2500	cmd.exe	58
PID 2500 wrote to memory of 2420	2500	cmd.exe	59
PID 2500 wrote to memory of 2420	2500	cmd.exe	59
PID 2500 wrote to memory of 2420	2500	cmd.exe	59
PID 2500 wrote to memory of 2172	2500	cmd.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282dbN.exe
"C:\Users\Admin\AppData\Local\Temp\258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282dbN.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2072
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2656
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\GdAJTUT0ZSVp.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2636
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2720
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2992
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:764
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GRITFOlckjCK.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1684
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2828
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2176
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bUQB9VvERv3M.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2416
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1760
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2316
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HiuyPbvEBBRy.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1708
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2420
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2376
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\v21jyLnxJlu1.bat" "
        11⤵
        
        PID:948
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1448
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1124
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bMJj9ne0PGHg.bat" "
        13⤵
        
        PID:1660
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2068
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2244
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:300
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\deQCB8zLK4rP.bat" "
        15⤵
        
        PID:2760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2384
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:828
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2636
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NE23ofPXLnM8.bat" "
        17⤵
        
        PID:2580
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2644
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2720
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1040
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zta99vcSpjTX.bat" "
        19⤵
        
        PID:1600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2700
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2860
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1948
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\D8htdpu5SdUg.bat" "
        21⤵
        
        PID:1868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1872
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2308
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pBSbWyAVoWnT.bat" "
        23⤵
        
        PID:1420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2220
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1496
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1832
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0FxywAX5XBnz.bat" "
        25⤵
        
        PID:1820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:868
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0FxywAX5XBnz.bat

Filesize
207B

MD5
1bd16b4a8799c8e8a0561d2cb384dac4

SHA1
20510622b960e4ef38c9b300daddde8f74cc8260

SHA256
9356161b6414512bfb5ad10f305c1acec0baa1939f22679a4f9a90a725c7b260

SHA512
7042ec9b6db9c6afc306e55e21ac4542613d6b065be5a95329dc886e3ddad4edef9bd72b22e8a94d020d6e134d651a4fe78a69130b9480d427d5be58aaa83e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\D8htdpu5SdUg.bat

Filesize
207B

MD5
5b61b80899ae58d953244647ed317f88

SHA1
41e9a4a66b750fd2916c6cfbb8db92f2f639133a

SHA256
53497eca11ecb26c9497b58f41415b8e41ba66f3bc70c29062a2e668bcd596ac

SHA512
6f15e382d0c9c08a496db80980936bec24500962413fe14a89c624144ab82d2bb17edc965a4688bdd856c746ab80602ebb89fd6fdb66a235d6559c7105ae1c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\GRITFOlckjCK.bat

Filesize
207B

MD5
1ceaa0c8405554aeb76d2171d13797df

SHA1
f711b41c1f078c713610d110963cade82a8cb3ab

SHA256
5d1b7004fa432aa2b484c21d4c521741a5ee7c44e05e183937298a2dbefed120

SHA512
51f2a9632119915aabaa1f73cc34c9dec945f30fce7f17dfc6c11be9aa08c933297ac8d71f8bd47befbb8c44f871b710dc10696ed398047afe63edd6af443ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GdAJTUT0ZSVp.bat

Filesize
207B

MD5
4d5ed3a3e62f5905f3cf3c471c1f57de

SHA1
a5b92df0ac5706ab9fe48e4cccafca8849d28afb

SHA256
2c79a24739de95327234fcc79553555443d76d6b08c14b4f979c44d1629a06ed

SHA512
ac542224bf59dd1c518c10ba3c58c086150457b913d74f1eee8dad1b63dec47d738b2d1276ea8bda1d1062f414e34f9f3789501fd1f2d01bdbf8369bdcf02efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\HiuyPbvEBBRy.bat

Filesize
207B

MD5
aa449654f1891474bdd7d7bcfc1128c7

SHA1
8cdc40552b5c45a3306bd6a251e03d0c9e0a1d30

SHA256
8e37ab61ccb73c1ab7373bc35958278056ac2cf6dbb9ecf11b96c164e720275e

SHA512
a4a433cc76e8da3e57e6904117ea3bd181dd3d4148994dab22ac6242e0d4b19d30c3cd7c1f2049f09888f3f21291b3ad6e7e11318f6ab232f4095f352754f89e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NE23ofPXLnM8.bat

Filesize
207B

MD5
59d695342323d95fa75cfc15eb0939ab

SHA1
a88dc294beb457623742a0f26b0065debe36966d

SHA256
9633c8eaca4fb3a28a0d93f38c0975f72da5839278cb7eb8bf7d01dfd5f84d77

SHA512
f7c436e0b90a0207c433dc9d172320f3e5437a07ccccaa7801497170056e98aaca532f338037c643b63ce43a541fda2e125aca59346263f9e835fc8c3f6c5497

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zta99vcSpjTX.bat

Filesize
207B

MD5
f87a25bb52dbde74183a5b0cf1c76232

SHA1
022a81b51cbb5bc21c1dd19558f6accafa5e3d9c

SHA256
28d65b98282df1221c73c247a9bf9d07352f0d2c67388db8190cd7b91d073d34

SHA512
379f939e18e8e196aae7cacdde14b42254daa63206d94d4f00f8e53c1b37692c695765909bd22a845300b3bf1b4dcfc67af7a7b165d7e9b243d9cba4bbfcf577

Download Submit
C:\Users\Admin\AppData\Local\Temp\bMJj9ne0PGHg.bat

Filesize
207B

MD5
37e1482f198399a86bf9459b561568f6

SHA1
8183078dd64b923b5d4ddbc08fe43058b41f14f5

SHA256
325cb933d80f7e7754da57577d32b710958e36c3bde22066047678521b76056a

SHA512
b508a58b516cf8b35c04593b4d7955450927f307f2d05955d539355fe5b40720de94adf79b88935aa03b3b79518470cbcfbe6778ba598c7e6b92f79bc010b427

Download Submit
C:\Users\Admin\AppData\Local\Temp\bUQB9VvERv3M.bat

Filesize
207B

MD5
53afd39cc70d28823c26bc76bdcee840

SHA1
b23dbc5781e59e6514578341a6d7ef267d4e5051

SHA256
c46043e2c910c1337898e55e52e040661e3bd6c47693176c70210d02e9421111

SHA512
4e9d575d51dc6f7de496c3f51bf9e050d3dd6c96aecf7fe75b10d9ee2b2fd10977690c8bc97185d06b47f6f43fc765eca54eab53d519cd4981d84103dd7c4baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\deQCB8zLK4rP.bat

Filesize
207B

MD5
929d9f24deeb8cf3bea52f332869d601

SHA1
cd95705a8665c1f73b93f24c75795d1e2926046d

SHA256
aef4c07990340483ed5e17032af037a8969e4fab9abeabc640394544fdc1613c

SHA512
b9c82884581a3f79103ee9c8967641a12f44856cc9b1612a260d33d09f482126edb1120658db4249c9c28cba27040d92b5f52d7db8abb79fd05a09a0ade4fb5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pBSbWyAVoWnT.bat

Filesize
207B

MD5
6b3c81e67b231bf48d5eab9fa357a72a

SHA1
3ca2ffaffdf3638207ab05bda66c1c60a133a9a1

SHA256
da9afdb9339dff67278dc0499a803f07057149ce915230d231f0708abda3159d

SHA512
a7807ab00ff584f81883f8d0b1ab18225e4d3c585161f3a9b770ac0c4247e924455657caa141b90d53397adbefaa10eb8461baa9b7c6cc7886691c7f9c8dc65d

Download Submit
C:\Users\Admin\AppData\Local\Temp\v21jyLnxJlu1.bat

Filesize
207B

MD5
450314185e06f2668dc7ff3f159ad02b

SHA1
32418b6e1e892d271bb52a3aa2a45da7711dd693

SHA256
a82f13a0ceafbf17b83e7d71af9221f7bfdcf4fba63b1db0d4589ce08bd66390

SHA512
cc29380a7c73ff72436503497f9e420e6841f5ae0165b9a6bbc7ba8dab84d95026fe47aae001bde40c4add009917cf3bf77ab4b50d7672d3b2469c51045b176c

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
4b831b964f39059bfd95f56e78086830

SHA1
48649150d6a30522ee550b2cfc5b00fdda00889e

SHA256
258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db

SHA512
ed737225027fce0f6d030a3ab8f9ee329f395e08657e1c283402b7bcab772776f8015afd19535e250899893ed655b40fbed4f7fb2c22f28e668290d322ccd398

Download Submit
memory/1596-1-0x0000000000160000-0x0000000000484000-memory.dmp

Filesize
3.1MB

Download
memory/1596-2-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/1596-0-0x000007FEF56A3000-0x000007FEF56A4000-memory.dmp

Filesize
4KB

Download
memory/1596-10-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/1984-68-0x0000000000FC0000-0x00000000012E4000-memory.dmp

Filesize
3.1MB

Download
memory/2124-121-0x0000000001370000-0x0000000001694000-memory.dmp

Filesize
3.1MB

Download
memory/2172-56-0x00000000003D0000-0x00000000006F4000-memory.dmp

Filesize
3.1MB

Download
memory/2336-45-0x00000000009B0000-0x0000000000CD4000-memory.dmp

Filesize
3.1MB

Download
memory/2764-11-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/2764-21-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/2764-9-0x0000000000EF0000-0x0000000001214000-memory.dmp

Filesize
3.1MB

Download
memory/2764-8-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/2932-79-0x0000000001270000-0x0000000001594000-memory.dmp

Filesize
3.1MB

Download
memory/2972-34-0x00000000000E0000-0x0000000000404000-memory.dmp

Filesize
3.1MB

Download
memory/2992-23-0x0000000001110000-0x0000000001434000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads