quasar | 258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db

Analysis

max time kernel
115s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2024 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282dbN.exe
Size

3.1MB
MD5

4b831b964f39059bfd95f56e78086830
SHA1

48649150d6a30522ee550b2cfc5b00fdda00889e
SHA256

258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db
SHA512

ed737225027fce0f6d030a3ab8f9ee329f395e08657e1c283402b7bcab772776f8015afd19535e250899893ed655b40fbed4f7fb2c22f28e668290d322ccd398
SSDEEP

49152:DvilL26AaNeWgPhlmVqvMQ7XSKnIRJ6ibR3LoGdWhNTHHB72eh2NT8:DvaL26AaNeWgPhlmVqkQ7XSKnIRJ6cYp

Score

10^/10

quasar triage discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Triage

sekacex395-58825.portmap.host:1194

Mutex

144ba9a1-0ea5-481a-929a-2aff73023537

Attributes

encryption_key
480A149BDA5F1D4EEBD5CF8EA0711405B7FC59B1
install_name
Client.exe
log_directory
kLogs
reconnect_delay
3000
startup_key
Avast Free Antivirus
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2816-1-0x00000000007C0000-0x0000000000AE4000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023cbd-6.dat	family_quasar

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 12 IoCs

pid	Process
400	Client.exe
2460	Client.exe
1440	Client.exe
3656	Client.exe
4576	Client.exe
2276	Client.exe
4372	Client.exe
4880	Client.exe
2256	Client.exe
924	Client.exe
3016	Client.exe
4952	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4880	PING.EXE
3060	PING.EXE
3044	PING.EXE
1940	PING.EXE
4512	PING.EXE
2712	PING.EXE
1328	PING.EXE
2552	PING.EXE
2928	PING.EXE
2500	PING.EXE
3532	PING.EXE
2776	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
2928	PING.EXE
2500	PING.EXE
3532	PING.EXE
2776	PING.EXE
1940	PING.EXE
4512	PING.EXE
3044	PING.EXE
2552	PING.EXE
2712	PING.EXE
1328	PING.EXE
4880	PING.EXE
3060	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2984	schtasks.exe
2800	schtasks.exe
1444	schtasks.exe
3952	schtasks.exe
3016	schtasks.exe
2680	schtasks.exe
4964	schtasks.exe
2940	schtasks.exe
3008	schtasks.exe
2196	schtasks.exe
228	schtasks.exe
3388	schtasks.exe
5100	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282dbN.exe
Token: SeDebugPrivilege	400	Client.exe
Token: SeDebugPrivilege	2460	Client.exe
Token: SeDebugPrivilege	1440	Client.exe
Token: SeDebugPrivilege	3656	Client.exe
Token: SeDebugPrivilege	4576	Client.exe
Token: SeDebugPrivilege	2276	Client.exe
Token: SeDebugPrivilege	4372	Client.exe
Token: SeDebugPrivilege	4880	Client.exe
Token: SeDebugPrivilege	2256	Client.exe
Token: SeDebugPrivilege	924	Client.exe
Token: SeDebugPrivilege	3016	Client.exe
Token: SeDebugPrivilege	4952	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2984	2816	258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282dbN.exe	84
PID 2816 wrote to memory of 2984	2816	258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282dbN.exe	84
PID 2816 wrote to memory of 400	2816	258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282dbN.exe	86
PID 2816 wrote to memory of 400	2816	258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282dbN.exe	86
PID 400 wrote to memory of 2800	400	Client.exe	87
PID 400 wrote to memory of 2800	400	Client.exe	87
PID 400 wrote to memory of 3532	400	Client.exe	89
PID 400 wrote to memory of 3532	400	Client.exe	89
PID 3532 wrote to memory of 4892	3532	cmd.exe	91
PID 3532 wrote to memory of 4892	3532	cmd.exe	91
PID 3532 wrote to memory of 1328	3532	cmd.exe	92
PID 3532 wrote to memory of 1328	3532	cmd.exe	92
PID 3532 wrote to memory of 2460	3532	cmd.exe	93
PID 3532 wrote to memory of 2460	3532	cmd.exe	93
PID 2460 wrote to memory of 1444	2460	Client.exe	96
PID 2460 wrote to memory of 1444	2460	Client.exe	96
PID 2460 wrote to memory of 3984	2460	Client.exe	98
PID 2460 wrote to memory of 3984	2460	Client.exe	98
PID 3984 wrote to memory of 4556	3984	cmd.exe	100
PID 3984 wrote to memory of 4556	3984	cmd.exe	100
PID 3984 wrote to memory of 4880	3984	cmd.exe	101
PID 3984 wrote to memory of 4880	3984	cmd.exe	101
PID 3984 wrote to memory of 1440	3984	cmd.exe	107
PID 3984 wrote to memory of 1440	3984	cmd.exe	107
PID 1440 wrote to memory of 3952	1440	Client.exe	108
PID 1440 wrote to memory of 3952	1440	Client.exe	108
PID 1440 wrote to memory of 1996	1440	Client.exe	110
PID 1440 wrote to memory of 1996	1440	Client.exe	110
PID 1996 wrote to memory of 4908	1996	cmd.exe	112
PID 1996 wrote to memory of 4908	1996	cmd.exe	112
PID 1996 wrote to memory of 3060	1996	cmd.exe	113
PID 1996 wrote to memory of 3060	1996	cmd.exe	113
PID 1996 wrote to memory of 3656	1996	cmd.exe	115
PID 1996 wrote to memory of 3656	1996	cmd.exe	115
PID 3656 wrote to memory of 2196	3656	Client.exe	116
PID 3656 wrote to memory of 2196	3656	Client.exe	116
PID 3656 wrote to memory of 220	3656	Client.exe	118
PID 3656 wrote to memory of 220	3656	Client.exe	118
PID 220 wrote to memory of 3012	220	cmd.exe	120
PID 220 wrote to memory of 3012	220	cmd.exe	120
PID 220 wrote to memory of 3044	220	cmd.exe	121
PID 220 wrote to memory of 3044	220	cmd.exe	121
PID 220 wrote to memory of 4576	220	cmd.exe	123
PID 220 wrote to memory of 4576	220	cmd.exe	123
PID 4576 wrote to memory of 3016	4576	Client.exe	124
PID 4576 wrote to memory of 3016	4576	Client.exe	124
PID 4576 wrote to memory of 5008	4576	Client.exe	126
PID 4576 wrote to memory of 5008	4576	Client.exe	126
PID 5008 wrote to memory of 3020	5008	cmd.exe	128
PID 5008 wrote to memory of 3020	5008	cmd.exe	128
PID 5008 wrote to memory of 2776	5008	cmd.exe	129
PID 5008 wrote to memory of 2776	5008	cmd.exe	129
PID 5008 wrote to memory of 2276	5008	cmd.exe	130
PID 5008 wrote to memory of 2276	5008	cmd.exe	130
PID 2276 wrote to memory of 228	2276	Client.exe	131
PID 2276 wrote to memory of 228	2276	Client.exe	131
PID 2276 wrote to memory of 1584	2276	Client.exe	133
PID 2276 wrote to memory of 1584	2276	Client.exe	133
PID 1584 wrote to memory of 860	1584	cmd.exe	135
PID 1584 wrote to memory of 860	1584	cmd.exe	135
PID 1584 wrote to memory of 1940	1584	cmd.exe	136
PID 1584 wrote to memory of 1940	1584	cmd.exe	136
PID 1584 wrote to memory of 4372	1584	cmd.exe	137
PID 1584 wrote to memory of 4372	1584	cmd.exe	137

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282dbN.exe
"C:\Users\Admin\AppData\Local\Temp\258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282dbN.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2984
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3jTgAYHEzPDW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3532
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4892
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1328
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1444
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R8qkvQaXEXxf.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3984
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4556
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4880
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LxTycuEq6yaY.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4908
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3060
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jzA74ioVo6nZ.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3012
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3044
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ey8def0QALoy.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3020
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2776
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jjCabZIQXFpU.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:860
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1940
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4372
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h4FphZdCLyai.bat" "
        15⤵
        
        PID:4264
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4512
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4880
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YJlPQfmCmV0w.bat" "
        17⤵
        
        PID:3308
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2552
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zBJckOujLSg9.bat" "
        19⤵
        
        PID:3220
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2928
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:924
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wr4d4x1zFTEb.bat" "
        21⤵
        
        PID:4776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:5072
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2500
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UsIgta05Sum2.bat" "
        23⤵
        
        PID:3676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2712
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4952
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JTYyqGyMrPp0.bat" "
        25⤵
        
        PID:5056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1328
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3jTgAYHEzPDW.bat

Filesize
207B

MD5
e1d724859ed23627176ba15132a190cb

SHA1
87cb5070c3cde966fa7c759c77d193aaf42f0deb

SHA256
1dafa179e8eb95aa9d88001c044a1437c8cfebe80bd844b9e385363d51e38361

SHA512
5f5340ae2f8c5f3171e2418f95f924f6a5d02c5188f882e74f1f2d436f8275f5894a2fab745eb30c5147669b6cd001d1592be8c0c74db998567c743ed3982c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ey8def0QALoy.bat

Filesize
207B

MD5
2eb33cf3526dda4054182ed655894813

SHA1
7ebba23cd8ab6a99ccb07be959b3ec3983052ef7

SHA256
1f4b65fc12df603efd8791d53c6cbc4a93c038d9508a482bfb6cf1350e4c995c

SHA512
ad96edf8ae34a6595f28a1054d4788e48267b24926049e8170690df8a7dd2f3a17b9302fab5d6fde2ca6493a66d16ea206f1d04f81c4edb2abea188c92d14885

Download Submit
C:\Users\Admin\AppData\Local\Temp\JTYyqGyMrPp0.bat

Filesize
207B

MD5
3affd752aa878ff2c226040bd7fde55b

SHA1
e24b8ad72b02f264808c9d7f345f8c68f7776d15

SHA256
ce60d9f63e516501f3f80d2a329e4b22b0c114caaabbcfe28d60e7e8921817f2

SHA512
7f999f24c033fb1c70b8bceb2c02ae47e50485bd263f69d673e9ddcc8a8d1d18da3f4ceed492a91ae669e60ac6d32406eb288c9c228d361f4866c626253eaa50

Download Submit
C:\Users\Admin\AppData\Local\Temp\LxTycuEq6yaY.bat

Filesize
207B

MD5
6dbba198ea412408a49e3eb1e916bd49

SHA1
9813eb9b6d8c9f4c02a27fec21000975e64cd02b

SHA256
610ea3af6720bc17a1562525da73d47b0a5e22697bcaba0864e93612923741e8

SHA512
e4882af564a2d447c49377a3e81aa842db08037a145afc5a7a4c3f3cd8a93f49803cfe7b6dcb8cfa7eafbb31f7f944bf438f0b54f47ec3fdc89fca2643d60239

Download Submit
C:\Users\Admin\AppData\Local\Temp\R8qkvQaXEXxf.bat

Filesize
207B

MD5
66a36bb5ce4148cd90f17e33776f000b

SHA1
5bcf099449f342b0a86c712fcb0e5156dd5db084

SHA256
8f49aecc6b2d403159ed3c110b733d224101b95be86435acabca22548830b8f4

SHA512
d892ad727285735cbae8e14c7f345aa2c47d6d89eeef21220952d1ef94f5bb35e0da2aa22efc5484c3c5a16256a8b2432db1681f3d18b582d2a88744db459607

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsIgta05Sum2.bat

Filesize
207B

MD5
ba54772f4e6880c9d6d0a6807c685130

SHA1
9895a1f26f63ce5e193bfb0c3da79dfd26c95cab

SHA256
ed15bee884d22853f8422eed99943f237a6b12570998715762e5a1cb5dd21e91

SHA512
d7b6fb8cfde84961830af9d7bcb9a54b4138eb71491c8b3e663fdfbc83cce2f13ab578ed9da56e68aaea3e1393130bb4ed00e2a5322e9d68939da7ac16e53bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wr4d4x1zFTEb.bat

Filesize
207B

MD5
c5c144645d8d7a4e683e19c0e6f66417

SHA1
36a9221c790ec50371dc40b5c8029d322adf10c8

SHA256
4b6b58d9e860c542a7e5334f99062f9c4fc21e23e5e519468363ba572ebd7389

SHA512
74c18704ec28953ef6907cee231a171f1f616384712c5a1e765df7649732c3cdcd5dfe28d39fa7443feff17b13edc33f959d6f4ac6b35e6a278643edf523cc66

Download Submit
C:\Users\Admin\AppData\Local\Temp\YJlPQfmCmV0w.bat

Filesize
207B

MD5
83ab561e9848247d31f2751532b5b809

SHA1
0a2b4b2dffdaaade131acd331fe7d314d68e1f24

SHA256
21ff99f206cbdfa274f67da7aeb68b3c08fe7720ad9cb0d62dc30549446f7a02

SHA512
60cb4902d059109bca52100eeb380735ccd88b4742aec816c8a0cb2cffc5c681bdece58b7089fbc4335b7a96318325ebbbe2d808dea5326b7dcea5879190a6f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\h4FphZdCLyai.bat

Filesize
207B

MD5
e3f440c91a001fde933f8675a5a6935c

SHA1
f2994e13d4b2a5653d394cad336ad7181f91634a

SHA256
ab3b0cc4e50f1dcb0b2ceefe7cca3cd205a875c1ce7c8ebdac207d49695d0218

SHA512
58f04569bab809e20c7e93943821fddad1473333052b9d77cf4d07f4c6263ebf113f916ff3bc81efff4ab8fff7433a056cdfec13842bd3a3ea3f6a4f5dba1798

Download Submit
C:\Users\Admin\AppData\Local\Temp\jjCabZIQXFpU.bat

Filesize
207B

MD5
5335123ee1cc7a28f48e3aa8fae0f895

SHA1
e400886111e385613874229dd1b7ef01f4b18f8d

SHA256
e8975667c626ba79269ec2e02367fe3d641607da5754ccc3157f0e365e16ef42

SHA512
4d5ab3e7419b11e44dfbb0fdd8cf1fcee81d261831236072ed0a8ea9c86596a9572fa58ba820510d1b4724ea6a777710ee9e8552b7788d7c2d1591015db1ffbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\jzA74ioVo6nZ.bat

Filesize
207B

MD5
16bd19f0b6e2a5655f2123c5a6ab629c

SHA1
00593224d1e84ad107b67ad27ff47ffeeedf18ce

SHA256
bc6bd5ea3319ce0b326f32488c536af1fdc244be4901c34debcde25e2ea7be8e

SHA512
3b517e205a122d38e99b82a683bbe6e308c8d13f1f88dc9638f80a00053c32b7aaf72299577b0eda41023a6d051681b14fee07ea307063221265e1044178b067

Download Submit
C:\Users\Admin\AppData\Local\Temp\zBJckOujLSg9.bat

Filesize
207B

MD5
addf38eb55c959b28d5b74fbadc3f0ea

SHA1
af4fbb1b7882fe65f2cffdbbbd1a232b5740a555

SHA256
98213396b6f777dd7214ec1ba3750fb217b8281707efa254aed208288eeaccdb

SHA512
c702b528098dfe0a45c8c8e75eac6d16ba2dcc43d15fbefd45db8c4a57eb3bf69fc20cf41a7f559deb175e1a541a9891ee36ab5b7d29b7b5cd29053feefdc428

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
4b831b964f39059bfd95f56e78086830

SHA1
48649150d6a30522ee550b2cfc5b00fdda00889e

SHA256
258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db

SHA512
ed737225027fce0f6d030a3ab8f9ee329f395e08657e1c283402b7bcab772776f8015afd19535e250899893ed655b40fbed4f7fb2c22f28e668290d322ccd398

Download Submit
memory/400-18-0x00007FFBC5130000-0x00007FFBC5BF1000-memory.dmp

Filesize
10.8MB

Download
memory/400-13-0x000000001C600000-0x000000001C6B2000-memory.dmp

Filesize
712KB

Download
memory/400-12-0x000000001C4F0000-0x000000001C540000-memory.dmp

Filesize
320KB

Download
memory/400-11-0x00007FFBC5130000-0x00007FFBC5BF1000-memory.dmp

Filesize
10.8MB

Download
memory/400-10-0x00007FFBC5130000-0x00007FFBC5BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2816-0-0x00007FFBC5133000-0x00007FFBC5135000-memory.dmp

Filesize
8KB

Download
memory/2816-9-0x00007FFBC5130000-0x00007FFBC5BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2816-2-0x00007FFBC5130000-0x00007FFBC5BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2816-1-0x00000000007C0000-0x0000000000AE4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads