quasar | d8f7896edc45702da8a6c984d10fa00d2ea3c73c0fa8b08b689cf89ff1e5cd0e

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Summrs.exe
Size

3.1MB
MD5

77d34210e82e24fb0b5adbb1094f272f
SHA1

bc20888016a83b6628e7ab460e68b0a467bf3bf3
SHA256

d8f7896edc45702da8a6c984d10fa00d2ea3c73c0fa8b08b689cf89ff1e5cd0e
SHA512

766f0f97752fd0e63d08474f1d4c32a7ca88854f58d2e59903f2218134136bed45e9fbb6d375fcc3677bca4b95a1aec3e0830e27f510bbf4f88e04e6814f4a04
SSDEEP

49152:CvgG42pda6D+/PjlLOlg6yQipVSyRJ6hbR3LoGd4jTHHB72eh2NT:Cvj42pda6D+/PjlLOlZyQipVSyRJ6DI

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

89.187.179.:4782

185.236.200.245:4782

Mutex

af4f2a23-513c-4ee2-8078-c3d27d9ee2fb

Attributes

encryption_key
1FFE2594933531CEBE3AD34C62F3DC58273CA88E
install_name
Isass.exe
log_directory
Fxs-Temp
reconnect_delay
1000
startup_key
Quasar Client Startup
subdirectory
da-DT

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/3472-1-0x0000000000C00000-0x0000000000F24000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b88-7.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Isass.exe

Executes dropped EXE 15 IoCs

pid	Process
3600	Isass.exe
620	Isass.exe
4488	Isass.exe
3440	Isass.exe
2208	Isass.exe
4704	Isass.exe
1728	Isass.exe
2800	Isass.exe
4164	Isass.exe
2580	Isass.exe
3536	Isass.exe
2040	Isass.exe
1436	Isass.exe
428	Isass.exe
3860	Isass.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Summrs.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File created	C:\Windows\system32\da-DT\Isass.exe	Summrs.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Summrs.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1780	PING.EXE
1780	PING.EXE
4300	PING.EXE
2776	PING.EXE
4992	PING.EXE
1156	PING.EXE
2264	PING.EXE
3248	PING.EXE
4636	PING.EXE
2860	PING.EXE
3304	PING.EXE
2848	PING.EXE
1536	PING.EXE
456	PING.EXE
4200	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
3304	PING.EXE
2848	PING.EXE
456	PING.EXE
3248	PING.EXE
1780	PING.EXE
4200	PING.EXE
1780	PING.EXE
2860	PING.EXE
2264	PING.EXE
4636	PING.EXE
4992	PING.EXE
1536	PING.EXE
4300	PING.EXE
2776	PING.EXE
1156	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3472	Summrs.exe
Token: SeDebugPrivilege	3600	Isass.exe
Token: SeDebugPrivilege	620	Isass.exe
Token: SeDebugPrivilege	4488	Isass.exe
Token: SeDebugPrivilege	3440	Isass.exe
Token: SeDebugPrivilege	2208	Isass.exe
Token: SeDebugPrivilege	4704	Isass.exe
Token: SeDebugPrivilege	1728	Isass.exe
Token: SeDebugPrivilege	2800	Isass.exe
Token: SeDebugPrivilege	4164	Isass.exe
Token: SeDebugPrivilege	2580	Isass.exe
Token: SeDebugPrivilege	3536	Isass.exe
Token: SeDebugPrivilege	2040	Isass.exe
Token: SeDebugPrivilege	1436	Isass.exe
Token: SeDebugPrivilege	428	Isass.exe
Token: SeDebugPrivilege	3860	Isass.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
3600	Isass.exe
620	Isass.exe
4488	Isass.exe
3440	Isass.exe
2208	Isass.exe
4704	Isass.exe
1728	Isass.exe
2800	Isass.exe
4164	Isass.exe
2580	Isass.exe
3536	Isass.exe
2040	Isass.exe
1436	Isass.exe
428	Isass.exe
3860	Isass.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
3600	Isass.exe
620	Isass.exe
4488	Isass.exe
3440	Isass.exe
2208	Isass.exe
4704	Isass.exe
1728	Isass.exe
2800	Isass.exe
4164	Isass.exe
2580	Isass.exe
3536	Isass.exe
2040	Isass.exe
1436	Isass.exe
428	Isass.exe
3860	Isass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 3600	3472	Summrs.exe	83
PID 3472 wrote to memory of 3600	3472	Summrs.exe	83
PID 3600 wrote to memory of 3116	3600	Isass.exe	84
PID 3600 wrote to memory of 3116	3600	Isass.exe	84
PID 3116 wrote to memory of 4860	3116	cmd.exe	86
PID 3116 wrote to memory of 4860	3116	cmd.exe	86
PID 3116 wrote to memory of 456	3116	cmd.exe	87
PID 3116 wrote to memory of 456	3116	cmd.exe	87
PID 3116 wrote to memory of 620	3116	cmd.exe	94
PID 3116 wrote to memory of 620	3116	cmd.exe	94
PID 620 wrote to memory of 1744	620	Isass.exe	96
PID 620 wrote to memory of 1744	620	Isass.exe	96
PID 1744 wrote to memory of 3212	1744	cmd.exe	98
PID 1744 wrote to memory of 3212	1744	cmd.exe	98
PID 1744 wrote to memory of 3248	1744	cmd.exe	99
PID 1744 wrote to memory of 3248	1744	cmd.exe	99
PID 1744 wrote to memory of 4488	1744	cmd.exe	106
PID 1744 wrote to memory of 4488	1744	cmd.exe	106
PID 4488 wrote to memory of 740	4488	Isass.exe	108
PID 4488 wrote to memory of 740	4488	Isass.exe	108
PID 740 wrote to memory of 1672	740	cmd.exe	110
PID 740 wrote to memory of 1672	740	cmd.exe	110
PID 740 wrote to memory of 4636	740	cmd.exe	111
PID 740 wrote to memory of 4636	740	cmd.exe	111
PID 740 wrote to memory of 3440	740	cmd.exe	115
PID 740 wrote to memory of 3440	740	cmd.exe	115
PID 3440 wrote to memory of 4828	3440	Isass.exe	118
PID 3440 wrote to memory of 4828	3440	Isass.exe	118
PID 4828 wrote to memory of 2936	4828	cmd.exe	120
PID 4828 wrote to memory of 2936	4828	cmd.exe	120
PID 4828 wrote to memory of 1780	4828	cmd.exe	121
PID 4828 wrote to memory of 1780	4828	cmd.exe	121
PID 4828 wrote to memory of 2208	4828	cmd.exe	122
PID 4828 wrote to memory of 2208	4828	cmd.exe	122
PID 2208 wrote to memory of 4760	2208	Isass.exe	124
PID 2208 wrote to memory of 4760	2208	Isass.exe	124
PID 4760 wrote to memory of 3256	4760	cmd.exe	126
PID 4760 wrote to memory of 3256	4760	cmd.exe	126
PID 4760 wrote to memory of 4300	4760	cmd.exe	127
PID 4760 wrote to memory of 4300	4760	cmd.exe	127
PID 4760 wrote to memory of 4704	4760	cmd.exe	129
PID 4760 wrote to memory of 4704	4760	cmd.exe	129
PID 4704 wrote to memory of 3468	4704	Isass.exe	131
PID 4704 wrote to memory of 3468	4704	Isass.exe	131
PID 3468 wrote to memory of 3244	3468	cmd.exe	133
PID 3468 wrote to memory of 3244	3468	cmd.exe	133
PID 3468 wrote to memory of 2776	3468	cmd.exe	134
PID 3468 wrote to memory of 2776	3468	cmd.exe	134
PID 3468 wrote to memory of 1728	3468	cmd.exe	137
PID 3468 wrote to memory of 1728	3468	cmd.exe	137
PID 1728 wrote to memory of 3168	1728	Isass.exe	139
PID 1728 wrote to memory of 3168	1728	Isass.exe	139
PID 3168 wrote to memory of 2840	3168	cmd.exe	141
PID 3168 wrote to memory of 2840	3168	cmd.exe	141
PID 3168 wrote to memory of 4992	3168	cmd.exe	142
PID 3168 wrote to memory of 4992	3168	cmd.exe	142
PID 3168 wrote to memory of 2800	3168	cmd.exe	144
PID 3168 wrote to memory of 2800	3168	cmd.exe	144
PID 2800 wrote to memory of 1804	2800	Isass.exe	146
PID 2800 wrote to memory of 1804	2800	Isass.exe	146
PID 1804 wrote to memory of 320	1804	cmd.exe	148
PID 1804 wrote to memory of 320	1804	cmd.exe	148
PID 1804 wrote to memory of 2860	1804	cmd.exe	149
PID 1804 wrote to memory of 2860	1804	cmd.exe	149

C:\Users\Admin\AppData\Local\Temp\Summrs.exe
"C:\Users\Admin\AppData\Local\Temp\Summrs.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Windows\system32\da-DT\Isass.exe
  "C:\Windows\system32\da-DT\Isass.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E9QKIaCWDY7x.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3116
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4860
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:456
  - - C:\Windows\system32\da-DT\Isass.exe
      "C:\Windows\system32\da-DT\Isass.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:620
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JcqTr753UcWl.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1744
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3212
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3248
      - C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ufssEsEMPPae.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1672
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4636
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9tHgVtceMlY7.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2936
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1780
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\L38FYNhnA0d5.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3256
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4300
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NUfWptw6OLck.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3244
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2776
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VcLLeNpMFOGY.bat" "
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4992
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Oz90VmyqCxNv.bat" "
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:320
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2860
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4164
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SJR0r6kJoXAf.bat" "
        19⤵
        
        PID:4832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1908
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1780
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WyMUCywyq1HB.bat" "
        21⤵
        
        PID:4056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1156
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jPJbcguZNOCO.bat" "
        23⤵
        
        PID:4604
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4292
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4200
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F5qO2t6sRWLx.bat" "
        25⤵
        
        PID:1284
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3304
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\reFG22ncqWgo.bat" "
        27⤵
        
        PID:1268
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3168
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2848
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1EjVcNIIeuvX.bat" "
        29⤵
        
        PID:4088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:3036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1536
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qg1hdDJIpxCu.bat" "
        31⤵
        
        PID:4904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Isass.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1EjVcNIIeuvX.bat

Filesize
194B

MD5
8d794845fe280222606fd0210e6de736

SHA1
f36768075cab71640374123ffd228e6d154cb63c

SHA256
c51b7c10439befa30020baff38c96ee7ff70f2f4a12f867cc175039e98e87076

SHA512
7a4df2f64f346c5df5c2a6f8dc24078c8e63f62036822a05712ef57a7312c5ed32c3fe4a30b6ef78d5b9ad42f1ec2eef63c822612c704d64cc98d203959e5431

Download Submit
C:\Users\Admin\AppData\Local\Temp\9tHgVtceMlY7.bat

Filesize
194B

MD5
e1e0e588c807e406fb91f198a0153998

SHA1
c1b99d975a864c5ae8c872f38fd892e06da42ec1

SHA256
35d1c9b475ec554bdcb192e80bf9e25fd1d68306193ad9aa98e9595dacd82db7

SHA512
18b42f1103c75c53753f340509b98b34aba02201d3585ba06ec203b4af297e36461d0db996d509b4e9a89af8b30c494f6efc37dd84d1a4ad60e6b7bba1b94e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9QKIaCWDY7x.bat

Filesize
194B

MD5
c9aadecd4af586d14c354601b24ab277

SHA1
b342b0ac4839e81e4980e60a5903d07c53590562

SHA256
e2a098c3bcf6bbe949c2db69c32606c97637b2ae6405b44f618c38f592dfa16e

SHA512
18d03faf70f3a7f0186506a19ee22b4effd25bf975539658e0660816269c903620613424bfee619f52b1878e7722c8006e09bd589e023caa87cb2908ffd9b780

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5qO2t6sRWLx.bat

Filesize
194B

MD5
53964738ed69bb4af2158bcf4c65647f

SHA1
65ad2914202d20215f490741c8a4790dfcae59f9

SHA256
f89ff81e1c720b9902df8e0bdd838aa1948d6ac9d3c2ab7332a16ae90c0b5f24

SHA512
8bae6c2a90a10c6cf41c6c37c17c5e72a196f3ec9eb4462c23771bca5e35490e49d368adbc8419de892fe633cea206b710cf0115ac7610700707241fa0dea868

Download Submit
C:\Users\Admin\AppData\Local\Temp\JcqTr753UcWl.bat

Filesize
194B

MD5
dfa98923d722dbe1b05766de0f3abab8

SHA1
3d6b9e5182de2f3ee424b410f9a1ae36dc700433

SHA256
fa5dc25478da369ee54470e613dd1c8b72e742e3900adc24b611e7c67ecf0311

SHA512
226a377ac12862dd4e888fb189cef5620840d425362f69df77496ebcd3ff2ca401c551da1ae40495d72fb65ef5d48e431871947f417c5c077a720b58a4ac53b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\L38FYNhnA0d5.bat

Filesize
194B

MD5
f69daede641caf79e8260ab33ec11e19

SHA1
ffbc56359e6fd6b0687f84c718c7f65aef29c178

SHA256
18c75f89374d5930ab8349b5eff09b9fae91caae8a08713193becce86348d732

SHA512
4c3b494baedfbb62bb227131f93927f39cecd1750c91b4fc5492dd7eadd4a5e990a0d601dd95339a660140c88036bf43a5d02255edd9bc414e97a3eef8802671

Download Submit
C:\Users\Admin\AppData\Local\Temp\NUfWptw6OLck.bat

Filesize
194B

MD5
b52fa593d6ecc5bc6bb91653362f8a1d

SHA1
85942d13b3a78b8cb510ac9fb99658d453b6a9c7

SHA256
3795a80fd41f01c8dff4ff184b4cebaadcd973b2b41f0049759ded69213f1663

SHA512
8478d7d501945a4dead64a2c8cdbd32afc2721d04b520301b5f7d990cf829b72dbcc9656b4de7a9f32031b34b7776569f5ee17af6831ec0cee4129480c32fa1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oz90VmyqCxNv.bat

Filesize
194B

MD5
a88b6a7b0e085cced85ab7a3b133468a

SHA1
b7dea5970b1c65198cb0de155f71de7b5012762c

SHA256
7609776e87bb95e7d7b793f160b1187a9a89803c91cf5f6a5a06516bff0fc3f3

SHA512
b7be859fab05bd702d85e1feda087917b1ee458b1ec6dcc2b8e0d21c3e98258f15d39377679d4936f36ac958ab69d005320f711b259d6b5c906b849bfc2b9c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SJR0r6kJoXAf.bat

Filesize
194B

MD5
d1bd89b7d6525fecdfd6d6fd62eddee9

SHA1
51ddd052faab84265a7ac9efc4a710af72c9df54

SHA256
ab11911dab79915f8754ff87f75344f6d8c65c35bfa0343c0a6596e00668aa13

SHA512
82b22dd9fe93036b7a7d277b2ca65f96083137570af3246a4c036b72865f9bbf4248c03f564cb66293e315d63419f5411b800faf89f12fe193dd762e398518a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\VcLLeNpMFOGY.bat

Filesize
194B

MD5
3b55d77f75a80f966e0a8fcd08584a34

SHA1
f002e51cb90589af4e01250a3a1fde4178ec0f06

SHA256
4a388c6735d0a8d0844236bef6feb21346a4d2b18250e89487f35fb149869748

SHA512
763abf157e42a061df958ad2c81e202263427d92cbc14d73d8c5b6425c20e6b896706bdf52de8189d3b34fcf158be146af67eba7092ba2bcd1f367f99f080857

Download Submit
C:\Users\Admin\AppData\Local\Temp\WyMUCywyq1HB.bat

Filesize
194B

MD5
3b6da37f225c7352a28c22da92f763f6

SHA1
51034f325e3d15f5d7f5ecd2d5c668358fa4fc40

SHA256
f9206f51b1f5c9d1154263d43158d92650da40ce1a6dc3ed8750dcde5665626f

SHA512
fc82b17f1dd5dac58a6ac60be77120de5650bf252de52f65807734be0d082c7fc03f4cb4c9da85be5119ea717ce7d4cd5db8967721038327057b6f5a791c07a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jPJbcguZNOCO.bat

Filesize
194B

MD5
3f056a05407b4519fc30b0cec264e606

SHA1
b590d18e71a99b1356f8b03709ba045a5a880fae

SHA256
4162366d09178041f1f03c2cb4dd16ba7edb5d009405f42f127b647c84b6d2f8

SHA512
280e97e568770962a35d2950110846edff98d8a07487493b80ec90133d9e654765e0b7b99294a8ac93e401bcaa9dabf8b2ddae9cbc4a02478324715a9cae81b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qg1hdDJIpxCu.bat

Filesize
194B

MD5
8c480e7b844e592f6e0a4d83d6af7a32

SHA1
dfaa766b874dc5b43a44dffe0bca8b4563fb892a

SHA256
fb89203b53fde7449874aa751c3bd09ef5c280033811a64db08db04c637896ed

SHA512
9fb5cb1f224a00b4f5db2e76a61688b9fb693bf402740090f2527ffa3ba80661897f2da49c55a75c8b69634b592e3412009cc30ab8a9019040b9674a32017bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\reFG22ncqWgo.bat

Filesize
194B

MD5
cd9a8a33b3af90e0276a09c9006d38c3

SHA1
45725e3c498fea72cf44172b993b95b71bfe5946

SHA256
4327228b9479af1501369937e8afc84d7234596302dc5655c3aa777dfca93100

SHA512
998f77776b98b425c0aab3bdcb4401d0bf5f0a43e4a282e6522af44dcd7d6f7c242770745aca006954b605baaca9fa40f6d85c56419a87c31f90ed43185cdf7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufssEsEMPPae.bat

Filesize
194B

MD5
6cd1550b9ec654edfeb1a89a6254e030

SHA1
460a2f02decfcd48f4a3554150cacce19c9bdada

SHA256
43f2908780420d1e638d4c5ecee891c91d25bfda2f0c5754af57dbde461eeff8

SHA512
6929ae7cee866eb2aa22dc890dd10a1603e2c3e6babc3b206b7c1e50533b788e9660ff69f221502bb4df986a3595be8585dc484d1700d0e141957f2b5cabb30b

Download Submit
C:\Windows\system32\da-DT\Isass.exe

Filesize
3.1MB

MD5
77d34210e82e24fb0b5adbb1094f272f

SHA1
bc20888016a83b6628e7ab460e68b0a467bf3bf3

SHA256
d8f7896edc45702da8a6c984d10fa00d2ea3c73c0fa8b08b689cf89ff1e5cd0e

SHA512
766f0f97752fd0e63d08474f1d4c32a7ca88854f58d2e59903f2218134136bed45e9fbb6d375fcc3677bca4b95a1aec3e0830e27f510bbf4f88e04e6814f4a04

Download Submit
memory/3472-2-0x00007FFA20940000-0x00007FFA21401000-memory.dmp

Filesize
10.8MB

Download
memory/3472-0-0x00007FFA20943000-0x00007FFA20945000-memory.dmp

Filesize
8KB

Download
memory/3472-1-0x0000000000C00000-0x0000000000F24000-memory.dmp

Filesize
3.1MB

Download
memory/3472-10-0x00007FFA20940000-0x00007FFA21401000-memory.dmp

Filesize
10.8MB

Download
memory/3600-12-0x000000001BF80000-0x000000001BFD0000-memory.dmp

Filesize
320KB

Download
memory/3600-19-0x00007FFA20940000-0x00007FFA21401000-memory.dmp

Filesize
10.8MB

Download
memory/3600-13-0x000000001C090000-0x000000001C142000-memory.dmp

Filesize
712KB

Download
memory/3600-11-0x00007FFA20940000-0x00007FFA21401000-memory.dmp

Filesize
10.8MB

Download
memory/3600-9-0x00007FFA20940000-0x00007FFA21401000-memory.dmp

Filesize
10.8MB

Download