quasar | 5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95

Analysis

max time kernel
142s
max time network
122s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
31/12/2024, 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe
Size

3.1MB
MD5

3d5f1d38a92807e7de7d98838e05c7e8
SHA1

38382972e6317a6e7010a8d48041e0960188fc48
SHA256

5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95
SHA512

35266e8c23536a0328e775ef879aac5683688994ada6eb9f91d4cdffdae71ff3a687bcb43deaf792c93b4735be2334b1fa6629a5f500645815cb32273dccaac0
SSDEEP

49152:DvilL26AaNeWgPhlmVqvMQ7XSKnIRJ6ibR3LoGdWhNTHHB72eh2NTk:DvaL26AaNeWgPhlmVqkQ7XSKnIRJ6cY7

Score

10^/10

quasar triage discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Triage

sekacex395-58825.portmap.host:1194

Mutex

144ba9a1-0ea5-481a-929a-2aff73023537

Attributes

encryption_key
480A149BDA5F1D4EEBD5CF8EA0711405B7FC59B1
install_name
Client.exe
log_directory
kLogs
reconnect_delay
3000
startup_key
Avast Free Antivirus
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 7 IoCs

resource	yara_rule
behavioral1/memory/1888-1-0x0000000001090000-0x00000000013B4000-memory.dmp	family_quasar
behavioral1/files/0x0009000000015d18-6.dat	family_quasar
behavioral1/memory/2748-9-0x0000000000300000-0x0000000000624000-memory.dmp	family_quasar
behavioral1/memory/2908-23-0x0000000000CC0000-0x0000000000FE4000-memory.dmp	family_quasar
behavioral1/memory/2728-97-0x00000000012E0000-0x0000000001604000-memory.dmp	family_quasar
behavioral1/memory/2036-130-0x0000000000220000-0x0000000000544000-memory.dmp	family_quasar
behavioral1/memory/564-141-0x0000000001280000-0x00000000015A4000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2748	Client.exe
2908	Client.exe
784	Client.exe
1756	Client.exe
1108	Client.exe
844	Client.exe
1940	Client.exe
2552	Client.exe
2728	Client.exe
2852	Client.exe
2896	Client.exe
2036	Client.exe
564	Client.exe
1592	Client.exe
2112	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1152	PING.EXE
1480	PING.EXE
1732	PING.EXE
2136	PING.EXE
2780	PING.EXE
2024	PING.EXE
2536	PING.EXE
2776	PING.EXE
1504	PING.EXE
2844	PING.EXE
1716	PING.EXE
836	PING.EXE
1716	PING.EXE
2608	PING.EXE
3040	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1716	PING.EXE
1504	PING.EXE
1152	PING.EXE
1480	PING.EXE
2844	PING.EXE
2780	PING.EXE
1732	PING.EXE
2776	PING.EXE
1716	PING.EXE
2608	PING.EXE
2024	PING.EXE
2536	PING.EXE
3040	PING.EXE
836	PING.EXE
2136	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2672	schtasks.exe
2800	schtasks.exe
564	schtasks.exe
2120	schtasks.exe
2292	schtasks.exe
2308	schtasks.exe
2716	schtasks.exe
2980	schtasks.exe
2652	schtasks.exe
3044	schtasks.exe
3060	schtasks.exe
676	schtasks.exe
2280	schtasks.exe
2788	schtasks.exe
1044	schtasks.exe
1600	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1888	5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe
Token: SeDebugPrivilege	2748	Client.exe
Token: SeDebugPrivilege	2908	Client.exe
Token: SeDebugPrivilege	784	Client.exe
Token: SeDebugPrivilege	1756	Client.exe
Token: SeDebugPrivilege	1108	Client.exe
Token: SeDebugPrivilege	844	Client.exe
Token: SeDebugPrivilege	1940	Client.exe
Token: SeDebugPrivilege	2552	Client.exe
Token: SeDebugPrivilege	2728	Client.exe
Token: SeDebugPrivilege	2852	Client.exe
Token: SeDebugPrivilege	2896	Client.exe
Token: SeDebugPrivilege	2036	Client.exe
Token: SeDebugPrivilege	564	Client.exe
Token: SeDebugPrivilege	1592	Client.exe
Token: SeDebugPrivilege	2112	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 2308	1888	5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe	30
PID 1888 wrote to memory of 2308	1888	5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe	30
PID 1888 wrote to memory of 2308	1888	5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe	30
PID 1888 wrote to memory of 2748	1888	5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe	32
PID 1888 wrote to memory of 2748	1888	5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe	32
PID 1888 wrote to memory of 2748	1888	5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe	32
PID 2748 wrote to memory of 2800	2748	Client.exe	33
PID 2748 wrote to memory of 2800	2748	Client.exe	33
PID 2748 wrote to memory of 2800	2748	Client.exe	33
PID 2748 wrote to memory of 2132	2748	Client.exe	35
PID 2748 wrote to memory of 2132	2748	Client.exe	35
PID 2748 wrote to memory of 2132	2748	Client.exe	35
PID 2132 wrote to memory of 1260	2132	cmd.exe	37
PID 2132 wrote to memory of 1260	2132	cmd.exe	37
PID 2132 wrote to memory of 1260	2132	cmd.exe	37
PID 2132 wrote to memory of 2780	2132	cmd.exe	38
PID 2132 wrote to memory of 2780	2132	cmd.exe	38
PID 2132 wrote to memory of 2780	2132	cmd.exe	38
PID 2132 wrote to memory of 2908	2132	cmd.exe	40
PID 2132 wrote to memory of 2908	2132	cmd.exe	40
PID 2132 wrote to memory of 2908	2132	cmd.exe	40
PID 2908 wrote to memory of 2716	2908	Client.exe	41
PID 2908 wrote to memory of 2716	2908	Client.exe	41
PID 2908 wrote to memory of 2716	2908	Client.exe	41
PID 2908 wrote to memory of 540	2908	Client.exe	43
PID 2908 wrote to memory of 540	2908	Client.exe	43
PID 2908 wrote to memory of 540	2908	Client.exe	43
PID 540 wrote to memory of 884	540	cmd.exe	45
PID 540 wrote to memory of 884	540	cmd.exe	45
PID 540 wrote to memory of 884	540	cmd.exe	45
PID 540 wrote to memory of 1480	540	cmd.exe	46
PID 540 wrote to memory of 1480	540	cmd.exe	46
PID 540 wrote to memory of 1480	540	cmd.exe	46
PID 540 wrote to memory of 784	540	cmd.exe	47
PID 540 wrote to memory of 784	540	cmd.exe	47
PID 540 wrote to memory of 784	540	cmd.exe	47
PID 784 wrote to memory of 2652	784	Client.exe	48
PID 784 wrote to memory of 2652	784	Client.exe	48
PID 784 wrote to memory of 2652	784	Client.exe	48
PID 784 wrote to memory of 568	784	Client.exe	50
PID 784 wrote to memory of 568	784	Client.exe	50
PID 784 wrote to memory of 568	784	Client.exe	50
PID 568 wrote to memory of 1116	568	cmd.exe	52
PID 568 wrote to memory of 1116	568	cmd.exe	52
PID 568 wrote to memory of 1116	568	cmd.exe	52
PID 568 wrote to memory of 2024	568	cmd.exe	53
PID 568 wrote to memory of 2024	568	cmd.exe	53
PID 568 wrote to memory of 2024	568	cmd.exe	53
PID 568 wrote to memory of 1756	568	cmd.exe	54
PID 568 wrote to memory of 1756	568	cmd.exe	54
PID 568 wrote to memory of 1756	568	cmd.exe	54
PID 1756 wrote to memory of 3044	1756	Client.exe	55
PID 1756 wrote to memory of 3044	1756	Client.exe	55
PID 1756 wrote to memory of 3044	1756	Client.exe	55
PID 1756 wrote to memory of 2760	1756	Client.exe	57
PID 1756 wrote to memory of 2760	1756	Client.exe	57
PID 1756 wrote to memory of 2760	1756	Client.exe	57
PID 2760 wrote to memory of 2184	2760	cmd.exe	59
PID 2760 wrote to memory of 2184	2760	cmd.exe	59
PID 2760 wrote to memory of 2184	2760	cmd.exe	59
PID 2760 wrote to memory of 1732	2760	cmd.exe	60
PID 2760 wrote to memory of 1732	2760	cmd.exe	60
PID 2760 wrote to memory of 1732	2760	cmd.exe	60
PID 2760 wrote to memory of 1108	2760	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe
"C:\Users\Admin\AppData\Local\Temp\5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2308
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2800
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\z1x4aRJ5yDf2.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1260
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2780
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2716
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\97YoUMNTSEYV.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:540
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:884
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1480
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2652
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hPAm5uZjETY1.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1116
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2024
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3044
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qv0VSWUmDBuf.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2184
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1732
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3060
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8U0x9slfCqrW.bat" "
        11⤵
        
        PID:1496
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1892
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2844
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:564
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cLCrnOqLCmgP.bat" "
        13⤵
        
        PID:1668
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2444
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1716
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2280
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GNdpHfbVXrZM.bat" "
        15⤵
        
        PID:2296
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2308
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2536
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2788
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Jfsk4UkUCutk.bat" "
        17⤵
        
        PID:2872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2776
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:676
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0dVVspSAAiPB.bat" "
        19⤵
        
        PID:2964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2804
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1504
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2980
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\36OyHk4cXooM.bat" "
        21⤵
        
        PID:2328
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1152
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2120
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mKhhqWGLAZXN.bat" "
        23⤵
        
        PID:1296
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1140
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:836
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1044
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\d7YHl3cu9JsO.bat" "
        25⤵
        
        PID:2240
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2136
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:564
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2292
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\K2uC7WFGlOHL.bat" "
        27⤵
        
        PID:1880
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2264
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1716
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1600
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\z6fFWUVu5M4P.bat" "
        29⤵
        
        PID:2472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:764
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2608
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2672
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QqV8Ywmsw8S9.bat" "
        31⤵
        
        PID:2800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2712
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0dVVspSAAiPB.bat

Filesize
207B

MD5
c9f7d3465b0f8da98cc66aa60b83a6b8

SHA1
5a924db59f2009b664256611c2a0d0025b7f0565

SHA256
288c0657c639827e231137478bb2e54b7b8144f56dd99097308c6f0dffd660aa

SHA512
f8ad16749ffb0a30074d1c5514d049b228ef2099283f2799acb2d5c466caa6f7d894ba8b111f2cbc6d2ff968902f86f22872794d7ddc783e5ff9b17b4f2bf4ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\36OyHk4cXooM.bat

Filesize
207B

MD5
0fc0c0c997274e7cbea4a49525ce4589

SHA1
3654c624f45319eacd6e3470fa2bc4b474d4e5e3

SHA256
5e3d55c7045aaf632146480edd49abf764a8da6c783d35bc2a33ea550ad299ce

SHA512
13d82b8350bc67e6d1180f4df0f7ace729549235d5bfd499b730b6838d3a366fe2dc50054d94a58ddb99b4cae4d56ce9868a8635090d4ec98a50a0f837d9c792

Download Submit
C:\Users\Admin\AppData\Local\Temp\8U0x9slfCqrW.bat

Filesize
207B

MD5
76af40205311d43f12db6d844c60405e

SHA1
c4194869435e3a448e2e13c1df9cc003982e3773

SHA256
ec1724ea4d3dbc338e3219ac772b4b6c2bd79599bfab3403f7a5a898eaec40b0

SHA512
04c9465567325830e4630d03be2be1f66422f8035df46f862f2b1d833b944501b3655406bf4a0c0d43d63db287282f1b5eff1ce4fca81998a85cdc431cfdd05d

Download Submit
C:\Users\Admin\AppData\Local\Temp\97YoUMNTSEYV.bat

Filesize
207B

MD5
14b4b8bcd00d511d9a180feb1d080811

SHA1
4e67955b200df7aae5c308d476b1bd125720bf89

SHA256
d90fe7ab2628f6fbd1799b6612cec8ae9ce2e64dc914b67afa36d3405000c2d0

SHA512
f3b1b48f81faa06a3dedbaec8b846ea77aa401222df65433f6b1123a7438f381ca5054485e286251e430cb67a09970da110ba5b06c1ff5138f3c1960c45b3fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\GNdpHfbVXrZM.bat

Filesize
207B

MD5
2709753b6a04cabac08de1023a00c35c

SHA1
53521265ccd3bb91d5745a1a449009e7972bbe91

SHA256
4439d41cf97d47b5acd12f372961a3a824d7b4daea364413f1261b26885c37ed

SHA512
80ec89cabd90dbac34be5c8608ffeb1fba5d988ad63f7ef32678f06dd6ed5a91f2ab693576dec3230a438d990e2c80480b396c3d378b903c4dc8d4a0007dc079

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jfsk4UkUCutk.bat

Filesize
207B

MD5
95363a7eda1a2897f8f44e40c49c6ef2

SHA1
8acf46ae78e898a6a1697ac2ff563f60a2b14f7e

SHA256
55d46fc7388ce6d2fe6ccfac2dfc0c6b604a17f66abc8a76cd5af892827a9ffd

SHA512
cd1e439cb43727694181534be5a8679bc0a690086bb59048378ca2c4e953a9e0e04f4fcd4459db918c90219e725db53e6dd3bc88538f947b46f217d2420177c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\K2uC7WFGlOHL.bat

Filesize
207B

MD5
a007e41d3cb5e8ebff15c62ea33b612d

SHA1
fd6712718b1eb6833bae0e075be4a2d66c8f67c2

SHA256
d86e65364615738bc680dda86ec885eaf3402815b7459dc93891444244e28253

SHA512
7febab4937fbae8a04803c7ddaf26ff6da43ffc0f52f62dad5fe0d16c798929a6b0c4786745e004c99fc9961671be804c28fc40220f0c4216348a19d1d9287e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\QqV8Ywmsw8S9.bat

Filesize
207B

MD5
d6e48bf7292ffa20adf6be1854ddcb62

SHA1
05511d3c6e2f61a6a35f0e46d72b57718207a1cb

SHA256
980c97007b1c241676f8c47246c9eb4d9c278cbf16ef2db5991f56b2305d0a8f

SHA512
b3ed387b4fc7b97102223ab2498cbbf378005f9f8883a32e6f6afa67a4558c8a8b7ed88ab803729a9f5869b3bf111778a61a4ca8469402104b76e0bef1438c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cLCrnOqLCmgP.bat

Filesize
207B

MD5
584fdb0d957667a8f237839f86ce5ffa

SHA1
8e4b794f4b19aad60ec1ab0036ce4dff41a625b0

SHA256
e80a4582d42ce9e1b1f0e09325eaee6345b0526cf27fa2ee7513bb4475dbfba8

SHA512
7d8c388688c7b8318e0be8bef9d3487b8fa173ddc851b31b09145322aca2af754edb588cd78f357e716d9a6c2144895097776557b52752c9977481dd2644070b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d7YHl3cu9JsO.bat

Filesize
207B

MD5
cb056a1f7654a689df0cfad6e0d01f95

SHA1
4c6226f2da8a071caa8295ac5236a52f5e6d080a

SHA256
abdb73afa5b4f156b8bbf318acf7deeb17d3b423d882de859e1c208a0b8e89c8

SHA512
947bf61069ae88c80dec4fa487888b41797b56410bb5ec70b0571d8f91432b82f420c59130bc9a1cd99f8393c8dcd45c24624d66bd98ceb8ed23bd417b6e84a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hPAm5uZjETY1.bat

Filesize
207B

MD5
6636657912d7c34aa0761e2dbc39ca71

SHA1
c8ce2cc616b258c54a58b126dc65bf34506291ce

SHA256
eb11a726f9f78910b330f66278b7364e9bc3b76607995895b20de030d6805413

SHA512
be3dd65961c9ce700324c8e8002390d2736f32eb440bae6e39a8c777d875f490c6c2832e21140bf5d7f82b091d23f1082417b9d0ad81e9a081037173357c13e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mKhhqWGLAZXN.bat

Filesize
207B

MD5
8f98a5e74b8306dde5e74b88fe0e0348

SHA1
8860ee8c9724e02b8aa6196564f7f97929058455

SHA256
f4e0d70f90c8cd233d2b06cd77dcbff254bd787a5c7b8dab47581d7cbe52b5d2

SHA512
ef20738d340addcb85134261745872089a1191e17712081121e273871df9b20225bd66c11c9f32345b595144ce36284acf4247cf3feb72ac6cbffa1faa8c43f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qv0VSWUmDBuf.bat

Filesize
207B

MD5
3423fc4c382525186b4c37b0733f728c

SHA1
115024611a2fdb0d5892c4b418f243920785c51d

SHA256
d9dacbddf66c7b43c773a44d9055dcf4f88344fbe54dd3066f9fb57fe752e51d

SHA512
23221b0850c0f26ee7f428213731091dbe758de192581d41abb3488db9129d4fb075deaa7d1123a8d7bb746f639efbd698f6ae94e8a7777430abe12e12b3c2c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\z1x4aRJ5yDf2.bat

Filesize
207B

MD5
3b2623edd844990cccebfabe3d21dd10

SHA1
d888bdae1b0f7af778c1fdb9bafed006ac407e7d

SHA256
e098c582f657f504201fed63c13c021ee3fe4dda561d3b0988a9377f539e90de

SHA512
4765a88afcb396484fbf3e5af01c4be8147ad0ae399109ef38262cbb6099b33e98f5760e1e02f6802cfc5bac6047a66b8d17cda8400e63843dceb10bb8a55c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\z6fFWUVu5M4P.bat

Filesize
207B

MD5
ead13efa246d0f99bfac32447e6f6c49

SHA1
2c924e485886cbf847c0812c0df6c76ebab221c4

SHA256
4059de1b224a22c7d520b7672f649bdcb1dfface3ef6d269efbe3b3850f17a0a

SHA512
b24c8aceb891f517dcd92f242c49ff0dfe17cdcef34852b427e000a6143cf5985e68fc73989a5056281e638308445ff2b14e90a0fdd3c3c0e79a5baac7579ed6

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
3d5f1d38a92807e7de7d98838e05c7e8

SHA1
38382972e6317a6e7010a8d48041e0960188fc48

SHA256
5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95

SHA512
35266e8c23536a0328e775ef879aac5683688994ada6eb9f91d4cdffdae71ff3a687bcb43deaf792c93b4735be2334b1fa6629a5f500645815cb32273dccaac0

Download Submit
memory/564-141-0x0000000001280000-0x00000000015A4000-memory.dmp

Filesize
3.1MB

Download
memory/1888-8-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

Filesize
9.9MB

Download
memory/1888-2-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

Filesize
9.9MB

Download
memory/1888-0-0x000007FEF5A93000-0x000007FEF5A94000-memory.dmp

Filesize
4KB

Download
memory/1888-1-0x0000000001090000-0x00000000013B4000-memory.dmp

Filesize
3.1MB

Download
memory/2036-130-0x0000000000220000-0x0000000000544000-memory.dmp

Filesize
3.1MB

Download
memory/2728-97-0x00000000012E0000-0x0000000001604000-memory.dmp

Filesize
3.1MB

Download
memory/2748-9-0x0000000000300000-0x0000000000624000-memory.dmp

Filesize
3.1MB

Download
memory/2748-11-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

Filesize
9.9MB

Download
memory/2748-10-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

Filesize
9.9MB

Download
memory/2748-21-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

Filesize
9.9MB

Download
memory/2908-23-0x0000000000CC0000-0x0000000000FE4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads