quasar | 5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2024, 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe
Size

3.1MB
MD5

3d5f1d38a92807e7de7d98838e05c7e8
SHA1

38382972e6317a6e7010a8d48041e0960188fc48
SHA256

5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95
SHA512

35266e8c23536a0328e775ef879aac5683688994ada6eb9f91d4cdffdae71ff3a687bcb43deaf792c93b4735be2334b1fa6629a5f500645815cb32273dccaac0
SSDEEP

49152:DvilL26AaNeWgPhlmVqvMQ7XSKnIRJ6ibR3LoGdWhNTHHB72eh2NTk:DvaL26AaNeWgPhlmVqkQ7XSKnIRJ6cY7

Score

10^/10

quasar triage discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Triage

sekacex395-58825.portmap.host:1194

Mutex

144ba9a1-0ea5-481a-929a-2aff73023537

Attributes

encryption_key
480A149BDA5F1D4EEBD5CF8EA0711405B7FC59B1
install_name
Client.exe
log_directory
kLogs
reconnect_delay
3000
startup_key
Avast Free Antivirus
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/5032-1-0x00000000007C0000-0x0000000000AE4000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023c95-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
2348	Client.exe
2944	Client.exe
980	Client.exe
3980	Client.exe
4444	Client.exe
1396	Client.exe
2976	Client.exe
1740	Client.exe
4924	Client.exe
3096	Client.exe
5028	Client.exe
1760	Client.exe
5056	Client.exe
4652	Client.exe
2832	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4672	PING.EXE
2764	PING.EXE
5112	PING.EXE
3304	PING.EXE
1364	PING.EXE
3784	PING.EXE
3572	PING.EXE
1892	PING.EXE
1972	PING.EXE
860	PING.EXE
4064	PING.EXE
2544	PING.EXE
4340	PING.EXE
2176	PING.EXE
472	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1364	PING.EXE
4672	PING.EXE
2544	PING.EXE
472	PING.EXE
3572	PING.EXE
3304	PING.EXE
1972	PING.EXE
2764	PING.EXE
5112	PING.EXE
4340	PING.EXE
4064	PING.EXE
3784	PING.EXE
1892	PING.EXE
860	PING.EXE
2176	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
228	schtasks.exe
4472	schtasks.exe
1728	schtasks.exe
1940	schtasks.exe
3908	schtasks.exe
2988	schtasks.exe
1764	schtasks.exe
2572	schtasks.exe
4976	schtasks.exe
3576	schtasks.exe
544	schtasks.exe
3680	schtasks.exe
2544	schtasks.exe
1488	schtasks.exe
772	schtasks.exe
2356	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	5032	5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe
Token: SeDebugPrivilege	2348	Client.exe
Token: SeDebugPrivilege	2944	Client.exe
Token: SeDebugPrivilege	980	Client.exe
Token: SeDebugPrivilege	3980	Client.exe
Token: SeDebugPrivilege	4444	Client.exe
Token: SeDebugPrivilege	1396	Client.exe
Token: SeDebugPrivilege	2976	Client.exe
Token: SeDebugPrivilege	1740	Client.exe
Token: SeDebugPrivilege	4924	Client.exe
Token: SeDebugPrivilege	3096	Client.exe
Token: SeDebugPrivilege	5028	Client.exe
Token: SeDebugPrivilege	1760	Client.exe
Token: SeDebugPrivilege	5056	Client.exe
Token: SeDebugPrivilege	4652	Client.exe
Token: SeDebugPrivilege	2832	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 772	5032	5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe	82
PID 5032 wrote to memory of 772	5032	5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe	82
PID 5032 wrote to memory of 2348	5032	5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe	84
PID 5032 wrote to memory of 2348	5032	5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe	84
PID 2348 wrote to memory of 1940	2348	Client.exe	85
PID 2348 wrote to memory of 1940	2348	Client.exe	85
PID 2348 wrote to memory of 5064	2348	Client.exe	87
PID 2348 wrote to memory of 5064	2348	Client.exe	87
PID 5064 wrote to memory of 1612	5064	cmd.exe	89
PID 5064 wrote to memory of 1612	5064	cmd.exe	89
PID 5064 wrote to memory of 1364	5064	cmd.exe	90
PID 5064 wrote to memory of 1364	5064	cmd.exe	90
PID 5064 wrote to memory of 2944	5064	cmd.exe	96
PID 5064 wrote to memory of 2944	5064	cmd.exe	96
PID 2944 wrote to memory of 2356	2944	Client.exe	97
PID 2944 wrote to memory of 2356	2944	Client.exe	97
PID 2944 wrote to memory of 3572	2944	Client.exe	99
PID 2944 wrote to memory of 3572	2944	Client.exe	99
PID 3572 wrote to memory of 1188	3572	cmd.exe	101
PID 3572 wrote to memory of 1188	3572	cmd.exe	101
PID 3572 wrote to memory of 4672	3572	cmd.exe	102
PID 3572 wrote to memory of 4672	3572	cmd.exe	102
PID 3572 wrote to memory of 980	3572	cmd.exe	105
PID 3572 wrote to memory of 980	3572	cmd.exe	105
PID 980 wrote to memory of 1764	980	Client.exe	106
PID 980 wrote to memory of 1764	980	Client.exe	106
PID 980 wrote to memory of 828	980	Client.exe	108
PID 980 wrote to memory of 828	980	Client.exe	108
PID 828 wrote to memory of 632	828	cmd.exe	110
PID 828 wrote to memory of 632	828	cmd.exe	110
PID 828 wrote to memory of 1972	828	cmd.exe	111
PID 828 wrote to memory of 1972	828	cmd.exe	111
PID 828 wrote to memory of 3980	828	cmd.exe	113
PID 828 wrote to memory of 3980	828	cmd.exe	113
PID 3980 wrote to memory of 4976	3980	Client.exe	114
PID 3980 wrote to memory of 4976	3980	Client.exe	114
PID 3980 wrote to memory of 4472	3980	Client.exe	116
PID 3980 wrote to memory of 4472	3980	Client.exe	116
PID 4472 wrote to memory of 400	4472	cmd.exe	118
PID 4472 wrote to memory of 400	4472	cmd.exe	118
PID 4472 wrote to memory of 3784	4472	cmd.exe	119
PID 4472 wrote to memory of 3784	4472	cmd.exe	119
PID 4472 wrote to memory of 4444	4472	cmd.exe	121
PID 4472 wrote to memory of 4444	4472	cmd.exe	121
PID 4444 wrote to memory of 2988	4444	Client.exe	122
PID 4444 wrote to memory of 2988	4444	Client.exe	122
PID 4444 wrote to memory of 1760	4444	Client.exe	124
PID 4444 wrote to memory of 1760	4444	Client.exe	124
PID 1760 wrote to memory of 4340	1760	cmd.exe	126
PID 1760 wrote to memory of 4340	1760	cmd.exe	126
PID 1760 wrote to memory of 2764	1760	cmd.exe	127
PID 1760 wrote to memory of 2764	1760	cmd.exe	127
PID 1760 wrote to memory of 1396	1760	cmd.exe	128
PID 1760 wrote to memory of 1396	1760	cmd.exe	128
PID 1396 wrote to memory of 3908	1396	Client.exe	129
PID 1396 wrote to memory of 3908	1396	Client.exe	129
PID 1396 wrote to memory of 468	1396	Client.exe	131
PID 1396 wrote to memory of 468	1396	Client.exe	131
PID 468 wrote to memory of 3180	468	cmd.exe	133
PID 468 wrote to memory of 3180	468	cmd.exe	133
PID 468 wrote to memory of 2544	468	cmd.exe	134
PID 468 wrote to memory of 2544	468	cmd.exe	134
PID 468 wrote to memory of 2976	468	cmd.exe	135
PID 468 wrote to memory of 2976	468	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe
"C:\Users\Admin\AppData\Local\Temp\5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:772
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3eLl8vsf21Ae.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1612
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1364
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2356
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m4Amz93mwoYh.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3572
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1188
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4672
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\S3D2tjbCiZlw.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1972
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xTH17h3o4nK2.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:400
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3784
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8YyLsE1wnJwl.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4340
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2764
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aPRZdye3O8Fg.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3180
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2544
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aZDzfUqGlwvN.bat" "
        15⤵
        
        PID:3088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:440
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5112
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8aMZM1lMTjFr.bat" "
        17⤵
        
        PID:3392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3020
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3572
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4924
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8wkQbLO5I7xP.bat" "
        19⤵
        
        PID:632
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3508
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1892
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3096
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SG2SZcy9BG30.bat" "
        21⤵
        
        PID:3120
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:852
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3304
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqpTJ9P0TvZf.bat" "
        23⤵
        
        PID:2064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:5000
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4340
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcPYOdb4Rg8N.bat" "
        25⤵
        
        PID:4084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2348
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:860
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5056
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\q9pxB2YzU6Dz.bat" "
        27⤵
        
        PID:5092
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3896
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4064
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wq9r1VxU3CuD.bat" "
        29⤵
        
        PID:2084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2732
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2176
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fknNtV1j2GbB.bat" "
        31⤵
        
        PID:3572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:644
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3eLl8vsf21Ae.bat

Filesize
207B

MD5
5a7846494f7551d07118877cd16642bd

SHA1
cd6977e00a2a111ccfd69e7f8b86f8eb90b3fb63

SHA256
749284ef2c1da48b9f3ee93b3f3265aea637fdae751b584fc48a00779f21cbad

SHA512
632e425270fa9f8d7b858d02941ca5bd8484bb3e89e789637a4ae26d29cfc9761d3e5c6a20356d25d7cd850d35bb06d5a083e8fdad86b7fa266cb030b6c87ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8YyLsE1wnJwl.bat

Filesize
207B

MD5
6f89263f98117c1a90d1bcdaf04acb33

SHA1
f3718b70359744dcde7ecdc777697edd734d84fd

SHA256
9dd9afa1de4e5329ab47eeb59a87e07b5d8fa08ae34c202f0df447a09a9b9bba

SHA512
f51ef08f054cabf2faaa73b442ab04caa08cb50e96c7a7b98f7cbf949691feaebbfd8371db9543ae987fe73d55d00f8f649f75cb3c8a0ab394122a623d761fa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8aMZM1lMTjFr.bat

Filesize
207B

MD5
6e648a6ce89774d032343e5f9ff3f4cc

SHA1
c8b88f195d46ab7d745266a68a111b059076ee37

SHA256
77deeff24ebb06d471b28423a363845dfc16d2f482305509fd113d96c19f103c

SHA512
2db6fa3e3b0f36f6a40baa91ac7eb581162253b1c0e424105a25b82ce86a1901b297049fef3a8f12a5282e3e2240992dbf9998d47c3ff49197783654578ae7ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\8wkQbLO5I7xP.bat

Filesize
207B

MD5
d9f4744a2889ae5415408b1a1888abe4

SHA1
286c3e9a39777bdbf6d0573a21de7820b45c4f5e

SHA256
9d46ce18c68d9f46d40f8cde11f9137d44c549aacf08c473211147d8114b7e09

SHA512
118d95a54e9d0ac81d4dfcb699abc4c39a0a35908be9608eb5f9d9522296acf06e0732cbeed6cea725843627690242923ac523fa7d2bd4ad44f9c9e0bb887d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\FcPYOdb4Rg8N.bat

Filesize
207B

MD5
a0341e29ee06abf7668b41495d2e156b

SHA1
1d164bcc173a60c00871fa7d508c3ed773a7608a

SHA256
1a8de12bd8e7481ccd43d6643332bacfaf2378668bdd2553e5d5e891ad8ebb68

SHA512
08919e85728da45033fd26145502f3d609c8efa54e9545042080646d28fdf75f3051bc6de62a5f87cfc8776f2ba7c51dc6005b43a527ac2a3e137c77914400a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\S3D2tjbCiZlw.bat

Filesize
207B

MD5
ceb20c3208379d74b6a7901565992d80

SHA1
56b51c0bd31bcbc0f6d989b1e3cf9aca9f2c603f

SHA256
bb18a04e6e374de1dde76110e101e7e83054a802b03e781a10302f7c538968df

SHA512
5da92f17edb9110296ed0f202dd471fe00ab0c37023c1f3abbb6a23c9cb31459d3ef3ccfabbb7749ca6b8f01bd4ba0eb787932318f7f1037d1d7bd5969b5a447

Download Submit
C:\Users\Admin\AppData\Local\Temp\SG2SZcy9BG30.bat

Filesize
207B

MD5
1aa9fe4597ae77f3ff95c3021130567a

SHA1
fbd77056753ffc4632fb1b3fdaf11d6edb2c2e1d

SHA256
063c6cca23f6a103ce14621eb817c566149229cce9eaab2d439058e99c5012aa

SHA512
0070d9a18ffd8fa9b8ca8ea5f486762534b5def9a48ffb07d210f4691a0885d4b5e1a8e9bfcb03423853a8707876fa525cc19dce973381b208dba2093f321776

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wq9r1VxU3CuD.bat

Filesize
207B

MD5
a448694399543791ea3f2c4fea71ecd5

SHA1
f569faacf2b6c46b53ecb523ef653f91328a7d20

SHA256
f0dbd9c3d0410efcf5ed04616db9d2b2e5b91619d7345f875fefa85e9c35e57c

SHA512
3dc56fc370fe2012a412b482feb784217e01ad9e6e6245136949acad60b7c13ff4371911c4ad37b42f82e6ef50327799119f23af17f178bec3769c8bfd87431e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aPRZdye3O8Fg.bat

Filesize
207B

MD5
b86c7240ee1540ef222b8d21d004c9cf

SHA1
2b99eda83f0ad3f3bc2e320b4b51c164017d8224

SHA256
8b4c2e1d688fd403fbb42f78a05d925f1f1fe66361d3ebac1d4d84f279d1bbb7

SHA512
376c8fecc3a4d1d22240fa92806fedf26d92b43785468504db7cde6abc84bdd3a67057252bf5a343fd087632ce08ada8b73b0498acc5be06c2524c7dd7077af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\aZDzfUqGlwvN.bat

Filesize
207B

MD5
e64b3424c579dea40a68377b9346535a

SHA1
e7dba609b84efaf55c254898565832933f2da5dc

SHA256
31f561ce68165ad65ef7ff379c9ef4fd9c5e17f7eacb5799d2e0858974380c05

SHA512
09ba8979d20c19843f78b365691db275030c59760271064e2ae45c26b11c7c4cb769325e6a1a465bb33f95f5385f83b97493395902d343f29f34b395191cd588

Download Submit
C:\Users\Admin\AppData\Local\Temp\fknNtV1j2GbB.bat

Filesize
207B

MD5
6212aa99940c55d2c4a8860979da22e4

SHA1
e9e4ecaaf9ef044895c4dec6a8a289d2d9811aa1

SHA256
1104fadd66031ca32c32d0969be9bd28683b819224fddc2d21c3326442cd1867

SHA512
34c787adae6a305cf2f48ad2462e9ed463811c58416ab377fa8c39d6a88123d00bf035b8a8f7d46605c5f7ad20462232ca5c78f81eda64d9cbe38b16c9b2d54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hqpTJ9P0TvZf.bat

Filesize
207B

MD5
cec21340740f88d38881ec19d96af332

SHA1
0cb4ea25495e4f882b4059f65997b84993071c99

SHA256
cea1c2d4f25bf667d7abf206ed003cadcbc52aef6c51c2b50d4d61ec15c02c0e

SHA512
87b3f0df2a47b5206d9160ae21ee7d1a0743f9119064212ebae8e47337dff7fcff2824dcec7fadf55e7a7ac358d7787ebcc5a96febfe1cbac8e72d083c3bffe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\m4Amz93mwoYh.bat

Filesize
207B

MD5
9dad277580ba7f5145367f29eb6209b7

SHA1
e33285c23e99096d9184d536ad0008e50eadb163

SHA256
f4cb45356d2c9c000ef5a8b660f51d79b93a314522551d0df8737da873973ef4

SHA512
6fd4d4d9b3c04c9aee1c8468ddef51e9704ee8a10a783db09ef0e435ff176dad3250f00a5e0d899960cb7adef3737932012cbd41734c3f9f18a12af4a5a9708f

Download Submit
C:\Users\Admin\AppData\Local\Temp\q9pxB2YzU6Dz.bat

Filesize
207B

MD5
7947aac79ba73f650e97f7a45c5fa1a9

SHA1
f3f7d1699e18fc33d558cacf23994bbc2d0bf5d6

SHA256
860294acf75b653fb72e22b571a2c9383673799c3ec86f37db7bcdb4e9e22b25

SHA512
62d0b2c619bc61c6b862889bd663902f52c99aa4d42363c996250215426921ec4d0ca0e534f61e89af928427ed01f12c5c1870c3a88abe525ad6ba3f91b03657

Download Submit
C:\Users\Admin\AppData\Local\Temp\xTH17h3o4nK2.bat

Filesize
207B

MD5
63c25ebd3c1dda5e93814e72eb4b0c24

SHA1
602024190e1803d34b61233316604f9ad2331055

SHA256
7b3e65bb6dccd045d1c6cc65a445488c2844b4d176ad57992952cc660a1b274b

SHA512
7903ef03fe56c2f38095bbdc825cc4f49c71ba15c721e1796e70a71de0928fc513cbff3ac692336da68e1f00ae0c35b1110fe4c08456658ba588741cbef27832

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
3d5f1d38a92807e7de7d98838e05c7e8

SHA1
38382972e6317a6e7010a8d48041e0960188fc48

SHA256
5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95

SHA512
35266e8c23536a0328e775ef879aac5683688994ada6eb9f91d4cdffdae71ff3a687bcb43deaf792c93b4735be2334b1fa6629a5f500645815cb32273dccaac0

Download Submit
memory/2348-19-0x00007FF8CE2F0000-0x00007FF8CEDB1000-memory.dmp

Filesize
10.8MB

Download
memory/2348-13-0x000000001C690000-0x000000001C742000-memory.dmp

Filesize
712KB

Download
memory/2348-12-0x000000001BAB0000-0x000000001BB00000-memory.dmp

Filesize
320KB

Download
memory/2348-11-0x00007FF8CE2F0000-0x00007FF8CEDB1000-memory.dmp

Filesize
10.8MB

Download
memory/2348-10-0x00007FF8CE2F0000-0x00007FF8CEDB1000-memory.dmp

Filesize
10.8MB

Download
memory/5032-0-0x00007FF8CE2F3000-0x00007FF8CE2F5000-memory.dmp

Filesize
8KB

Download
memory/5032-9-0x00007FF8CE2F0000-0x00007FF8CEDB1000-memory.dmp

Filesize
10.8MB

Download
memory/5032-2-0x00007FF8CE2F0000-0x00007FF8CEDB1000-memory.dmp

Filesize
10.8MB

Download
memory/5032-1-0x00000000007C0000-0x0000000000AE4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads