quasar | 5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95

Analysis

max time kernel
116s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2024, 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe
Size

3.1MB
MD5

3d5f1d38a92807e7de7d98838e05c7e8
SHA1

38382972e6317a6e7010a8d48041e0960188fc48
SHA256

5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95
SHA512

35266e8c23536a0328e775ef879aac5683688994ada6eb9f91d4cdffdae71ff3a687bcb43deaf792c93b4735be2334b1fa6629a5f500645815cb32273dccaac0
SSDEEP

49152:DvilL26AaNeWgPhlmVqvMQ7XSKnIRJ6ibR3LoGdWhNTHHB72eh2NTk:DvaL26AaNeWgPhlmVqkQ7XSKnIRJ6cY7

Score

10^/10

quasar triage discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Triage

sekacex395-58825.portmap.host:1194

Mutex

144ba9a1-0ea5-481a-929a-2aff73023537

Attributes

encryption_key
480A149BDA5F1D4EEBD5CF8EA0711405B7FC59B1
install_name
Client.exe
log_directory
kLogs
reconnect_delay
3000
startup_key
Avast Free Antivirus
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/5052-1-0x0000000000210000-0x0000000000534000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023c98-6.dat	family_quasar

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 12 IoCs

pid	Process
4244	Client.exe
4880	Client.exe
4856	Client.exe
2508	Client.exe
868	Client.exe
864	Client.exe
4588	Client.exe
1032	Client.exe
1676	Client.exe
2212	Client.exe
4436	Client.exe
3536	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1780	PING.EXE
2692	PING.EXE
3572	PING.EXE
3328	PING.EXE
4728	PING.EXE
632	PING.EXE
3992	PING.EXE
1460	PING.EXE
2960	PING.EXE
1744	PING.EXE
2736	PING.EXE
3120	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
1460	PING.EXE
3572	PING.EXE
3328	PING.EXE
4728	PING.EXE
3120	PING.EXE
1780	PING.EXE
2692	PING.EXE
3992	PING.EXE
2960	PING.EXE
1744	PING.EXE
2736	PING.EXE
632	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4484	schtasks.exe
4896	schtasks.exe
1748	schtasks.exe
3000	schtasks.exe
1136	schtasks.exe
3492	schtasks.exe
864	schtasks.exe
4120	schtasks.exe
4328	schtasks.exe
3440	schtasks.exe
1136	schtasks.exe
1000	schtasks.exe
3776	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	5052	5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe
Token: SeDebugPrivilege	4244	Client.exe
Token: SeDebugPrivilege	4880	Client.exe
Token: SeDebugPrivilege	4856	Client.exe
Token: SeDebugPrivilege	2508	Client.exe
Token: SeDebugPrivilege	868	Client.exe
Token: SeDebugPrivilege	864	Client.exe
Token: SeDebugPrivilege	4588	Client.exe
Token: SeDebugPrivilege	1032	Client.exe
Token: SeDebugPrivilege	1676	Client.exe
Token: SeDebugPrivilege	2212	Client.exe
Token: SeDebugPrivilege	4436	Client.exe
Token: SeDebugPrivilege	3536	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 864	5052	5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe	82
PID 5052 wrote to memory of 864	5052	5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe	82
PID 5052 wrote to memory of 4244	5052	5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe	84
PID 5052 wrote to memory of 4244	5052	5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe	84
PID 4244 wrote to memory of 4484	4244	Client.exe	85
PID 4244 wrote to memory of 4484	4244	Client.exe	85
PID 4244 wrote to memory of 4112	4244	Client.exe	87
PID 4244 wrote to memory of 4112	4244	Client.exe	87
PID 4112 wrote to memory of 4520	4112	cmd.exe	89
PID 4112 wrote to memory of 4520	4112	cmd.exe	89
PID 4112 wrote to memory of 1780	4112	cmd.exe	90
PID 4112 wrote to memory of 1780	4112	cmd.exe	90
PID 4112 wrote to memory of 4880	4112	cmd.exe	95
PID 4112 wrote to memory of 4880	4112	cmd.exe	95
PID 4880 wrote to memory of 4120	4880	Client.exe	96
PID 4880 wrote to memory of 4120	4880	Client.exe	96
PID 4880 wrote to memory of 5088	4880	Client.exe	98
PID 4880 wrote to memory of 5088	4880	Client.exe	98
PID 5088 wrote to memory of 1916	5088	cmd.exe	100
PID 5088 wrote to memory of 1916	5088	cmd.exe	100
PID 5088 wrote to memory of 2692	5088	cmd.exe	101
PID 5088 wrote to memory of 2692	5088	cmd.exe	101
PID 5088 wrote to memory of 4856	5088	cmd.exe	105
PID 5088 wrote to memory of 4856	5088	cmd.exe	105
PID 4856 wrote to memory of 4328	4856	Client.exe	106
PID 4856 wrote to memory of 4328	4856	Client.exe	106
PID 4856 wrote to memory of 3384	4856	Client.exe	108
PID 4856 wrote to memory of 3384	4856	Client.exe	108
PID 3384 wrote to memory of 748	3384	cmd.exe	110
PID 3384 wrote to memory of 748	3384	cmd.exe	110
PID 3384 wrote to memory of 3992	3384	cmd.exe	111
PID 3384 wrote to memory of 3992	3384	cmd.exe	111
PID 3384 wrote to memory of 2508	3384	cmd.exe	114
PID 3384 wrote to memory of 2508	3384	cmd.exe	114
PID 2508 wrote to memory of 3440	2508	Client.exe	115
PID 2508 wrote to memory of 3440	2508	Client.exe	115
PID 2508 wrote to memory of 4408	2508	Client.exe	117
PID 2508 wrote to memory of 4408	2508	Client.exe	117
PID 4408 wrote to memory of 532	4408	cmd.exe	119
PID 4408 wrote to memory of 532	4408	cmd.exe	119
PID 4408 wrote to memory of 1460	4408	cmd.exe	120
PID 4408 wrote to memory of 1460	4408	cmd.exe	120
PID 4408 wrote to memory of 868	4408	cmd.exe	121
PID 4408 wrote to memory of 868	4408	cmd.exe	121
PID 868 wrote to memory of 1136	868	Client.exe	122
PID 868 wrote to memory of 1136	868	Client.exe	122
PID 868 wrote to memory of 4600	868	Client.exe	124
PID 868 wrote to memory of 4600	868	Client.exe	124
PID 4600 wrote to memory of 968	4600	cmd.exe	126
PID 4600 wrote to memory of 968	4600	cmd.exe	126
PID 4600 wrote to memory of 3572	4600	cmd.exe	127
PID 4600 wrote to memory of 3572	4600	cmd.exe	127
PID 4600 wrote to memory of 864	4600	cmd.exe	128
PID 4600 wrote to memory of 864	4600	cmd.exe	128
PID 864 wrote to memory of 4896	864	Client.exe	129
PID 864 wrote to memory of 4896	864	Client.exe	129
PID 864 wrote to memory of 2488	864	Client.exe	131
PID 864 wrote to memory of 2488	864	Client.exe	131
PID 2488 wrote to memory of 4520	2488	cmd.exe	133
PID 2488 wrote to memory of 4520	2488	cmd.exe	133
PID 2488 wrote to memory of 3328	2488	cmd.exe	134
PID 2488 wrote to memory of 3328	2488	cmd.exe	134
PID 2488 wrote to memory of 4588	2488	cmd.exe	135
PID 2488 wrote to memory of 4588	2488	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe
"C:\Users\Admin\AppData\Local\Temp\5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:864
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lkAQBn468juo.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4520
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1780
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4880
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4120
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGSc0fqOogEy.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5088
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1916
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2692
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xL2VMoHZbszK.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:748
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3992
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N1z58xmtJ0Pj.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:532
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1460
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\41jHEsrBdcQj.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3572
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0Cg9S74gAfGL.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4520
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3328
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4588
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIUGG2SFYr2L.bat" "
        15⤵
        
        PID:3036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4728
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cvDJwbx0nSss.bat" "
        17⤵
        
        PID:2064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4720
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2960
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Eu3ljTI7oJ2H.bat" "
        19⤵
        
        PID:2028
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2056
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1744
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T5RxhVgvfBUV.bat" "
        21⤵
        
        PID:2156
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1460
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2736
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4436
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4FkMIo1s3y1d.bat" "
        23⤵
        
        PID:2668
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4312
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3120
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3536
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zukOwOIzmlHB.bat" "
        25⤵
        
        PID:2192
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1600
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0Cg9S74gAfGL.bat

Filesize
207B

MD5
d898a4ac941aac059c0f8f1dc7d7f7d0

SHA1
745b70e2c7b86372fb2e27f1aefdb5dce96a2c0b

SHA256
ecddd5f4b3393bc6e23b2f50828f8d0069172ed15d5edb504d8ca468c424fcb4

SHA512
7022d66be989a34b54a40513cdc1a5ae6810fb0e4c7184a18bb70a6dec6d8689c7adb5aed4531d98abd747255b4f04a726f06739dbe86013aa4180b41603d3ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\41jHEsrBdcQj.bat

Filesize
207B

MD5
5e19f297516000e284fab970fb65ff9a

SHA1
35b8c148f6061d7a62fecae2616ea83aac1f62a7

SHA256
9afa832cfaa901be5b7b05ad9d352135365bbdb71dd4f4f8b6242923ffe31b0b

SHA512
b10c9aaceccb658df87d9c5d13f3b8b190e0c55d7a80511b8b978f65335613a4cf4e25cd01364ed5eb53566768420cada585da48917a0b8a0cbcf560f2b66a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\4FkMIo1s3y1d.bat

Filesize
207B

MD5
10c582e13a14b2324bfa7c505eb5f749

SHA1
7c00eff3c0aeab6ade17c07a009c7eac0bf5fe55

SHA256
f502dcc7286df4af933821bb2ecf63ad30d82f808cce1bc62fc738b9aca4fedf

SHA512
2fe2f97f9936c97e00a970fa72cac72e5ac71d65adc6eb2da78514ffd994da39ed1ec1e6f704ca1097450e4277c2224cc85cc1519362a271b3e80d82ece6e9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eu3ljTI7oJ2H.bat

Filesize
207B

MD5
4917137cb13af781c41f6e281abc6482

SHA1
fc0113e536b7916063d2bd2762eb53e4e989b5d2

SHA256
ee5aec1b1ad309eb95061a0ded1d3d71dddb4204cb622b2982e7dfe93c14e3e1

SHA512
f55055b9258b0b081627af2f27b57fb8cd1f0028ed3e73456d611db15427500458a88ecaad4742cebe41e79e18fdaf0d13339b3ee3155e19d1f1a01c0e1e1087

Download Submit
C:\Users\Admin\AppData\Local\Temp\N1z58xmtJ0Pj.bat

Filesize
207B

MD5
7587c7f65d7a0d249515cdc516273503

SHA1
05579f3fbd48813f8bb484ffbf0b58cb4404825c

SHA256
4aace84d2e6a3b96f5f8cbf375705bbe6f964c80e0086f256e2dd37da75f4d98

SHA512
27a237ce008f177a26b195a2fb0715b96c5b7dbaff7e489a954ba9ebbd4aed22794bd1afcbff1a7acf2654bdb066ce6d27f6d2c1ec62ee69e61dc6b5502e7f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGSc0fqOogEy.bat

Filesize
207B

MD5
2109ae5bb8153f867019fb15642dfd10

SHA1
2cb304ab350aa7a9ce2ddea39e6889f857ee71c9

SHA256
ac079fa8e295105a27c4c2226397ea7a84fac6d2b5c746ae771f1b2b5965f7af

SHA512
68cc4fe30b5a1c2b7ba029f0cc4dd68e900942a9024a23127cb62e216cf2fbddb069ccda26fcf569075d2f4b618cb60b385d1e98a31b52590d53e4af2c409fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\T5RxhVgvfBUV.bat

Filesize
207B

MD5
31ed1d1f380b118097f94a78e79070e9

SHA1
672f12afe5c792430c62e69ce991941345686b9b

SHA256
8e68751dc5a2d1c9d2b4ef5393772b13593d54df62e5982e683fc94bb82a71d3

SHA512
04ff4ff1e06812d90322673872591ddb0e7f9da321bca237b478a4300b20677ef112df14fbaa9a9c12dd13e04689fd14e4e663f2d0465475154d3943e073c0f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvDJwbx0nSss.bat

Filesize
207B

MD5
42d3d79b10658d921059ca03414bb19f

SHA1
081715e111fe78869fbd4a6959c8fb33f7bfd893

SHA256
54f408398e076cd47b5483e5183d61f3ba46ca1b1a36e7c5b793296389fa83ed

SHA512
e16c6b17cece4bb3afa09c0fd3b164139540fbcd93dadcf9c849da49a5b20c5513fc8b6506f83d8fd6a2c01cb9788518b204a9c1a847e682623c7fb2d866bbc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIUGG2SFYr2L.bat

Filesize
207B

MD5
dd99eed22782640a979e8ee4af65619d

SHA1
d789d9f21ea44230f0e5e7ac2ac68f154288c322

SHA256
edb6d471ca11a1e34201f2293aa871e3d78cbc913274a1d689e446fe1fa55e82

SHA512
d51e479e90a43467d7d3cd65fb437b4c0a77811c0a0c4d45256a87bebf37a0754deced317b80dd4935679cd8616877da982625f54340e078ce07a691a20e3090

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkAQBn468juo.bat

Filesize
207B

MD5
b2a84555d4d4f7300f029f7c61121e4c

SHA1
5ee96fa092c303d8e8f2e51444559afa6541ed4e

SHA256
27be454f57aa3c139d90bbdadf5116ff9a0e930ebcd749af19cb1ae9b3a4d5a1

SHA512
58093ddcbfc516afe8b629dbdec06ae2e6cc3468bbadef61524e8b23ccbd725b0e632c39f3b30f0845a8a6e3023349389b37ae83c7513a6a7e93a88136de58ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\xL2VMoHZbszK.bat

Filesize
207B

MD5
0b4ae50c27adb668bbd426dc62c72fb0

SHA1
060813d9846bfe53ec0ca912206f9facb7b38bf2

SHA256
e64e9ea6d10e350d1fbe746cca7c872fdccfab2611786aac9b63456d7613ffe8

SHA512
76d053605cfe894517eb25dd88a32695b70e5eb84e92ed338d6f0b4210b88e5658fc5896ef57785fd40dde5a856d4425719fff63455f644f01e3c7ebf6794652

Download Submit
C:\Users\Admin\AppData\Local\Temp\zukOwOIzmlHB.bat

Filesize
207B

MD5
0b92032001a142b594f00630888de502

SHA1
edcdc3610f2ec84061285d5c055b3cc0c50f839d

SHA256
e82335ad25a7f7b2adb56684bcf0714b18062ea10054ec09c30c8a04ccd72106

SHA512
69396effabad46fe9754b542325062a97cd96435a1b76727150bcf6171fb5f6f4ae7ae2e7b1fccf4ac9446c310bab47b6825cef0f626c99045d6e896475b9119

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
3d5f1d38a92807e7de7d98838e05c7e8

SHA1
38382972e6317a6e7010a8d48041e0960188fc48

SHA256
5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95

SHA512
35266e8c23536a0328e775ef879aac5683688994ada6eb9f91d4cdffdae71ff3a687bcb43deaf792c93b4735be2334b1fa6629a5f500645815cb32273dccaac0

Download Submit
memory/4244-18-0x00007FFCCA250000-0x00007FFCCAD11000-memory.dmp

Filesize
10.8MB

Download
memory/4244-13-0x000000001CF40000-0x000000001CFF2000-memory.dmp

Filesize
712KB

Download
memory/4244-12-0x0000000002750000-0x00000000027A0000-memory.dmp

Filesize
320KB

Download
memory/4244-11-0x00007FFCCA250000-0x00007FFCCAD11000-memory.dmp

Filesize
10.8MB

Download
memory/4244-9-0x00007FFCCA250000-0x00007FFCCAD11000-memory.dmp

Filesize
10.8MB

Download
memory/5052-0-0x00007FFCCA253000-0x00007FFCCA255000-memory.dmp

Filesize
8KB

Download
memory/5052-10-0x00007FFCCA250000-0x00007FFCCAD11000-memory.dmp

Filesize
10.8MB

Download
memory/5052-2-0x00007FFCCA250000-0x00007FFCCAD11000-memory.dmp

Filesize
10.8MB

Download
memory/5052-1-0x0000000000210000-0x0000000000534000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads