quasar | d8f7896edc45702da8a6c984d10fa00d2ea3c73c0fa8b08b689cf89ff1e5cd0e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Summrs.exe
Size

3.1MB
MD5

77d34210e82e24fb0b5adbb1094f272f
SHA1

bc20888016a83b6628e7ab460e68b0a467bf3bf3
SHA256

d8f7896edc45702da8a6c984d10fa00d2ea3c73c0fa8b08b689cf89ff1e5cd0e
SHA512

766f0f97752fd0e63d08474f1d4c32a7ca88854f58d2e59903f2218134136bed45e9fbb6d375fcc3677bca4b95a1aec3e0830e27f510bbf4f88e04e6814f4a04
SSDEEP

49152:CvgG42pda6D+/PjlLOlg6yQipVSyRJ6hbR3LoGd4jTHHB72eh2NT:Cvj42pda6D+/PjlLOlZyQipVSyRJ6DI

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

89.187.179.:4782

185.236.200.245:4782

Mutex

af4f2a23-513c-4ee2-8078-c3d27d9ee2fb

Attributes

encryption_key
1FFE2594933531CEBE3AD34C62F3DC58273CA88E
install_name
Isass.exe
log_directory
Fxs-Temp
reconnect_delay
1000
startup_key
Quasar Client Startup
subdirectory
da-DT

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/4792-1-0x00000000002F0000-0x0000000000614000-memory.dmp	family_quasar
behavioral1/files/0x0007000000023c94-8.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Isass.exe

Executes dropped EXE 15 IoCs

pid	Process
2480	Isass.exe
4944	Isass.exe
4412	Isass.exe
1728	Isass.exe
1604	Isass.exe
4240	Isass.exe
3452	Isass.exe
3884	Isass.exe
2808	Isass.exe
5104	Isass.exe
436	Isass.exe
4960	Isass.exe
4064	Isass.exe
3480	Isass.exe
716	Isass.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Summrs.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File created	C:\Windows\system32\da-DT\Isass.exe	Summrs.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Summrs.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3172	PING.EXE
412	PING.EXE
3208	PING.EXE
4644	PING.EXE
644	PING.EXE
4840	PING.EXE
4852	PING.EXE
5032	PING.EXE
2876	PING.EXE
1676	PING.EXE
4008	PING.EXE
2476	PING.EXE
4712	PING.EXE
4516	PING.EXE
4900	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
4712	PING.EXE
3172	PING.EXE
2876	PING.EXE
4900	PING.EXE
1676	PING.EXE
4516	PING.EXE
4840	PING.EXE
4852	PING.EXE
4644	PING.EXE
644	PING.EXE
5032	PING.EXE
4008	PING.EXE
2476	PING.EXE
412	PING.EXE
3208	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	4792	Summrs.exe
Token: SeDebugPrivilege	2480	Isass.exe
Token: SeDebugPrivilege	4944	Isass.exe
Token: SeDebugPrivilege	4412	Isass.exe
Token: SeDebugPrivilege	1728	Isass.exe
Token: SeDebugPrivilege	1604	Isass.exe
Token: SeDebugPrivilege	4240	Isass.exe
Token: SeDebugPrivilege	3452	Isass.exe
Token: SeDebugPrivilege	3884	Isass.exe
Token: SeDebugPrivilege	2808	Isass.exe
Token: SeDebugPrivilege	5104	Isass.exe
Token: SeDebugPrivilege	436	Isass.exe
Token: SeDebugPrivilege	4960	Isass.exe
Token: SeDebugPrivilege	4064	Isass.exe
Token: SeDebugPrivilege	3480	Isass.exe
Token: SeDebugPrivilege	716	Isass.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2480	Isass.exe
4944	Isass.exe
4412	Isass.exe
1728	Isass.exe
1604	Isass.exe
4240	Isass.exe
3452	Isass.exe
3884	Isass.exe
2808	Isass.exe
5104	Isass.exe
436	Isass.exe
4960	Isass.exe
4064	Isass.exe
3480	Isass.exe
716	Isass.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2480	Isass.exe
4944	Isass.exe
4412	Isass.exe
1728	Isass.exe
1604	Isass.exe
4240	Isass.exe
3452	Isass.exe
3884	Isass.exe
2808	Isass.exe
5104	Isass.exe
436	Isass.exe
4960	Isass.exe
4064	Isass.exe
3480	Isass.exe
716	Isass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 2480	4792	Summrs.exe	83
PID 4792 wrote to memory of 2480	4792	Summrs.exe	83
PID 2480 wrote to memory of 2988	2480	Isass.exe	84
PID 2480 wrote to memory of 2988	2480	Isass.exe	84
PID 2988 wrote to memory of 2840	2988	cmd.exe	86
PID 2988 wrote to memory of 2840	2988	cmd.exe	86
PID 2988 wrote to memory of 1676	2988	cmd.exe	87
PID 2988 wrote to memory of 1676	2988	cmd.exe	87
PID 2988 wrote to memory of 4944	2988	cmd.exe	99
PID 2988 wrote to memory of 4944	2988	cmd.exe	99
PID 4944 wrote to memory of 3468	4944	Isass.exe	101
PID 4944 wrote to memory of 3468	4944	Isass.exe	101
PID 3468 wrote to memory of 2676	3468	cmd.exe	103
PID 3468 wrote to memory of 2676	3468	cmd.exe	103
PID 3468 wrote to memory of 4712	3468	cmd.exe	104
PID 3468 wrote to memory of 4712	3468	cmd.exe	104
PID 3468 wrote to memory of 4412	3468	cmd.exe	112
PID 3468 wrote to memory of 4412	3468	cmd.exe	112
PID 4412 wrote to memory of 4024	4412	Isass.exe	114
PID 4412 wrote to memory of 4024	4412	Isass.exe	114
PID 4024 wrote to memory of 3572	4024	cmd.exe	116
PID 4024 wrote to memory of 3572	4024	cmd.exe	116
PID 4024 wrote to memory of 644	4024	cmd.exe	117
PID 4024 wrote to memory of 644	4024	cmd.exe	117
PID 4024 wrote to memory of 1728	4024	cmd.exe	121
PID 4024 wrote to memory of 1728	4024	cmd.exe	121
PID 1728 wrote to memory of 4768	1728	Isass.exe	123
PID 1728 wrote to memory of 4768	1728	Isass.exe	123
PID 4768 wrote to memory of 816	4768	cmd.exe	125
PID 4768 wrote to memory of 816	4768	cmd.exe	125
PID 4768 wrote to memory of 4840	4768	cmd.exe	126
PID 4768 wrote to memory of 4840	4768	cmd.exe	126
PID 4768 wrote to memory of 1604	4768	cmd.exe	128
PID 4768 wrote to memory of 1604	4768	cmd.exe	128
PID 1604 wrote to memory of 4344	1604	Isass.exe	130
PID 1604 wrote to memory of 4344	1604	Isass.exe	130
PID 4344 wrote to memory of 556	4344	cmd.exe	132
PID 4344 wrote to memory of 556	4344	cmd.exe	132
PID 4344 wrote to memory of 4852	4344	cmd.exe	133
PID 4344 wrote to memory of 4852	4344	cmd.exe	133
PID 4344 wrote to memory of 4240	4344	cmd.exe	134
PID 4344 wrote to memory of 4240	4344	cmd.exe	134
PID 4240 wrote to memory of 1400	4240	Isass.exe	136
PID 4240 wrote to memory of 1400	4240	Isass.exe	136
PID 1400 wrote to memory of 3536	1400	cmd.exe	138
PID 1400 wrote to memory of 3536	1400	cmd.exe	138
PID 1400 wrote to memory of 4644	1400	cmd.exe	139
PID 1400 wrote to memory of 4644	1400	cmd.exe	139
PID 1400 wrote to memory of 3452	1400	cmd.exe	140
PID 1400 wrote to memory of 3452	1400	cmd.exe	140
PID 3452 wrote to memory of 2992	3452	Isass.exe	142
PID 3452 wrote to memory of 2992	3452	Isass.exe	142
PID 2992 wrote to memory of 872	2992	cmd.exe	144
PID 2992 wrote to memory of 872	2992	cmd.exe	144
PID 2992 wrote to memory of 5032	2992	cmd.exe	145
PID 2992 wrote to memory of 5032	2992	cmd.exe	145
PID 2992 wrote to memory of 3884	2992	cmd.exe	147
PID 2992 wrote to memory of 3884	2992	cmd.exe	147
PID 3884 wrote to memory of 2532	3884	Isass.exe	149
PID 3884 wrote to memory of 2532	3884	Isass.exe	149
PID 2532 wrote to memory of 4848	2532	cmd.exe	151
PID 2532 wrote to memory of 4848	2532	cmd.exe	151
PID 2532 wrote to memory of 4008	2532	cmd.exe	152
PID 2532 wrote to memory of 4008	2532	cmd.exe	152

C:\Users\Admin\AppData\Local\Temp\Summrs.exe
"C:\Users\Admin\AppData\Local\Temp\Summrs.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Windows\system32\da-DT\Isass.exe
  "C:\Windows\system32\da-DT\Isass.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\S4wpn4snjzg6.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2840
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1676
  - - C:\Windows\system32\da-DT\Isass.exe
      "C:\Windows\system32\da-DT\Isass.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4944
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oseernNtbuWJ.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3468
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2676
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4712
      - C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqGgeuY5mW6Q.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3572
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:644
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wNZiRvbtGL62.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:816
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4840
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cSQAYuiqwLYm.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4852
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCcxsg02kFRg.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3536
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4644
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2SMDSAZRjY41.bat" "
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5032
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H28ouuoxad5e.bat" "
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4008
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wqvx7aCDaVBv.bat" "
        19⤵
        
        PID:2852
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2384
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3172
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGNkutJyfat5.bat" "
        21⤵
        
        PID:3268
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2476
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\azznAouDQ8Hm.bat" "
        23⤵
        
        PID:1840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1168
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2876
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bLz5NsiBV75i.bat" "
        25⤵
        
        PID:3796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2316
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4900
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYsaceq6dKXX.bat" "
        27⤵
        
        PID:4616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2004
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:412
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iktypMVeEa9J.bat" "
        29⤵
        
        PID:4384
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3208
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKUERpm141N6.bat" "
        31⤵
        
        PID:3740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1432
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4516

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Isass.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SMDSAZRjY41.bat

Filesize
194B

MD5
990ab83708a5d5bb1c395c8cd5c3a78d

SHA1
48cb8e3a6a39d8c00ecd73d6d5322db8d64806aa

SHA256
f6f9571ed8ef2744bbf41504281d54afd2a315ce6eff96553dc7a0fb3f1b4696

SHA512
eb45837b13c57b35d254a1bd216c2365086ec47f91d0f5dac29aca992a69c2490bd806459fe5a481acb4bbfe02b2b2d6944306f5ad3676d9dc0897dc3a59f6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AGNkutJyfat5.bat

Filesize
194B

MD5
4873e757e7edff83f0a607afff6134bf

SHA1
7179b3fe2f102e8fc58e08174a1c40d888e2837d

SHA256
187e1287b4acb0eab4f97f445e03354572e8bdeaea323e436d54527f4942c1ee

SHA512
3fd56bf5b6b886980740216d42af6243bfeb5bdcbfa729f271ac28d243c807f91216007e4953bedaadf2300c5c4f4fea24aef0c23e88065bdc885b75161e1fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\FYsaceq6dKXX.bat

Filesize
194B

MD5
192aa8483d3b0b1518478c3b0792b495

SHA1
2b25a6668de7b3d4058b3a4a2c9a84d736795dc3

SHA256
cb5b46452c7eeedaccef817a73d2860383ac724924dd69fbb2d42a5e93688a50

SHA512
7df86d3765912eb3cc47022c0bbde69324bc5e6eb34f39159b01d71e8465b880ecdd565c3f057a906856d8eb8cae7cbab3234cb81cc208e85707275927f79b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\H28ouuoxad5e.bat

Filesize
194B

MD5
825034674d3b1ca8714ce590b40b85c4

SHA1
d25d1d08535a9c77a7036fe17761e75cc5bbf2ed

SHA256
94f34910cfd463120a04d50da5921b9b46384c036fa76f1834c2f3070ede5fb4

SHA512
61d2f2b24dc29d16bfa326cb223ef5d261120b5141aa059c9c688afbc7cb50d5fceaac85ffffb9897ecea0e6f333bc4b46e2b28a7322ac1c0aad9a10d27ed042

Download Submit
C:\Users\Admin\AppData\Local\Temp\KCcxsg02kFRg.bat

Filesize
194B

MD5
d227e40d0f46ca21a75312f8060cbd4b

SHA1
1de8638b237009fd2c8d13de43b54c0c195eee7d

SHA256
bb03442084acdfc621076ea97099c1fec0b640dc47bbd0f1d35ef133e526938f

SHA512
ba1f81e17716a58091408debbc6c43095208023b59b305550611cecddc7f76f1efbfef7251a63344e987d938038bc4b5d5acfa6d190bc7d7bf2251fafca6dd7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\S4wpn4snjzg6.bat

Filesize
194B

MD5
66a0e25afd0fcf40fd2fe780204d099e

SHA1
aace05b46d998b11e4715eee199f8357fae0f81d

SHA256
46f40afb8d1dd84cf1c1fbe77533d172cfcf5b9bb0edb7003ee8e20b1641076b

SHA512
77535f92b43891db77c292f2a92362546719a6a2ec359b6a3c5cb73eef46180aadfd110a1cf4174316e852c1c095039c9b1a997cf362d126ae1e70019ee70e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wqvx7aCDaVBv.bat

Filesize
194B

MD5
f5fce9a39739d477a9445bdc084d3dba

SHA1
a0459d427d77318ceadbcb7317c9ccb0e6572879

SHA256
81afc821431f03e356ab3283ba8a800dab0ff4e37c5e4d1877b76fa4a5776208

SHA512
1e21b7635f8f4d2c5cbe9457a0f0d2b8885e274f0ed8c44524339cf5df63d237e491752df3781508e013150ccb2839c55116755b489e2f389cf8f8ac13c959e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\azznAouDQ8Hm.bat

Filesize
194B

MD5
c552a7ec565b9a5d2bb1925ffc261e58

SHA1
702545876193a7abae5d16bfe127da280cb7cd3b

SHA256
0b5d5a96ecbec1daa4f0cd1c27ae9327dbc07686574ffb0c9bf8933992c63516

SHA512
78a3f277ef16d80504ec6865570a35aa6d77b5e1fd8aa39775216a4ae54d1965d4762d750b50de3359e33ab98b0fb18f67d762f7ec6caf9a6318ba0a631855a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bLz5NsiBV75i.bat

Filesize
194B

MD5
aeeab0a8aa753f26fb7e905c4cde537e

SHA1
f13a604366fcbdf8d16fd7c54e54dce396f40291

SHA256
e9f77b70a3ca44d3c8555fa64ef2a4ce3b781a9682ad0aafc489405b0827be60

SHA512
34c7f06846b357d1362c59c83a33435b41c8d8549c0d52d1852bbf83ed6c0106aa9c819dfa635621b1f3c01dda18a9ebbde5cc91831a0087eb07fc2aa7f6c2b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cSQAYuiqwLYm.bat

Filesize
194B

MD5
079d0f093bff43d53ac425b3d2f94107

SHA1
f1880686a9f852024b6f2cdc30ea5f3e99557b0b

SHA256
acd504a654819a584634e5e99b1dfe95a13235f028f1706b6e04171f022dbc61

SHA512
dc39496c75bd3b619f057d03105532c0bf3c26196df97aa228b67939bc4e8ce3b63ce0acd2933f6336879748804c094fdc03290659a880029000d5f4134d8138

Download Submit
C:\Users\Admin\AppData\Local\Temp\fqGgeuY5mW6Q.bat

Filesize
194B

MD5
be4b1a13064063b27eb80a852c213e4a

SHA1
d37d6388a326224959f50982b8e69e0eca0971d6

SHA256
c8d96f52875af94ac7e1dd10d143162861308485e8cac3eee204e3c12b8d2c4e

SHA512
6507ee00ae4ee469cb305afb7fff291df34e6ee4fa5e38586c60385f949a1f9d6782d2e50606656def2f0674f66ab8e66af7ba5155f478c924744e3ccb4435e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iktypMVeEa9J.bat

Filesize
194B

MD5
fc7e8e70fa4ebd83746ead501e7126d8

SHA1
d09d3aacaf11e01c688f4d7c24e170a047494a0e

SHA256
3ca42bebe13f5591a2daa6b22aa08225846fc2b297dbabe5fe7dd29898dc1df7

SHA512
870ee1643784214e622a5ce6c4112d060f530c6604327aaa92c95c7b9a144df0fc0cda535543e9765c9fe1398373083ad1f270e6f02a8ae3ccc3d33aed954f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oseernNtbuWJ.bat

Filesize
194B

MD5
e2a9d4c2597e40ccc275af8683be94ff

SHA1
20446037a7c778cf90cde1e8077df15d60b1ce16

SHA256
309731f7d14156c9dfa795a1baef2e3739f61808ef4b9dbe07f58e82c60d1b8f

SHA512
4307e48826fd88f9829064b0bd04d03cfdc7827b4ce1e4c3e9dc0b93ef1c0b9727720828913c5c1895644fb91380160b147052adcab12549997920153ba583d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wKUERpm141N6.bat

Filesize
194B

MD5
065fadd2ace7615546bbc7599d433294

SHA1
031fd4a11f0d9f5669cdac9e34c0d3f8ca0d2698

SHA256
c14dbdcadf04609ec36478f9d93c18688a729ed634c41f5532d1192e6391280f

SHA512
9dd8cb78610ccdcba644acc5d53e0b3ecd49e411e81719744b54bf13aa70a5816efe6ebd605a1e5277347f3b4ee5cb73cd7a42731604a5d6292272f81916b904

Download Submit
C:\Users\Admin\AppData\Local\Temp\wNZiRvbtGL62.bat

Filesize
194B

MD5
1d821bb1887ad9b7ad40c9803f11a552

SHA1
c3042ee9b2e1b114bd4f75b14f237ff7277d0091

SHA256
9d73093208c2ab65842b5d9d02a8c7f12f630ce8efb2131b8143cf06aa31b53c

SHA512
dfc2777638a198f965257cf42a1dd438eb3e7ec7f156c5f6688a398239b22db6a5df0efac766cea81b641204900739e4921995ca5b476c27817164d90baaf8c4

Download Submit
C:\Windows\system32\da-DT\Isass.exe

Filesize
3.1MB

MD5
77d34210e82e24fb0b5adbb1094f272f

SHA1
bc20888016a83b6628e7ab460e68b0a467bf3bf3

SHA256
d8f7896edc45702da8a6c984d10fa00d2ea3c73c0fa8b08b689cf89ff1e5cd0e

SHA512
766f0f97752fd0e63d08474f1d4c32a7ca88854f58d2e59903f2218134136bed45e9fbb6d375fcc3677bca4b95a1aec3e0830e27f510bbf4f88e04e6814f4a04

Download Submit
memory/2480-18-0x00007FFC18A30000-0x00007FFC194F1000-memory.dmp

Filesize
10.8MB

Download
memory/2480-13-0x000000001BEE0000-0x000000001BF92000-memory.dmp

Filesize
712KB

Download
memory/2480-12-0x000000001BDD0000-0x000000001BE20000-memory.dmp

Filesize
320KB

Download
memory/2480-11-0x00007FFC18A30000-0x00007FFC194F1000-memory.dmp

Filesize
10.8MB

Download
memory/2480-9-0x00007FFC18A30000-0x00007FFC194F1000-memory.dmp

Filesize
10.8MB

Download
memory/4792-0-0x00007FFC18A33000-0x00007FFC18A35000-memory.dmp

Filesize
8KB

Download
memory/4792-10-0x00007FFC18A30000-0x00007FFC194F1000-memory.dmp

Filesize
10.8MB

Download
memory/4792-2-0x00007FFC18A30000-0x00007FFC194F1000-memory.dmp

Filesize
10.8MB

Download
memory/4792-1-0x00000000002F0000-0x0000000000614000-memory.dmp

Filesize
3.1MB

Download