quasar | b8a2e41418a9b8a882cd0c4a43bc25835a07b273be2e3851aa57737bef0929b3

Analysis

max time kernel
141s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-01-2025 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Image Logger 3.5.exe
Size

3.4MB
MD5

55fed3c2f548f0a0beed666f20a01d97
SHA1

e2908aeb63e17405b95c05a06a886813e1d4d594
SHA256

cd63a66b508d6653ee22e5fdc44dbcb6e9c7fe64e0eac9ed781ee82fe187005e
SHA512

2ca21479151e585416d63430f57faaf3f070af2cdc9f22ece10e439fdb1eb71a455fa75f1b925550ce74838e7cb69c0d110c6881c167c403b4c594834c72860e
SSDEEP

49152:zvnI22SsaNYfdPBldt698dBcjHAKk1QmypoGd7aPTHHB72eh2NT:zvI22SsaNYfdPBldt6+dBcjHAKke

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

26.45.181.53:4782

Mutex

91fc011d-5bd3-41d0-82ab-84cdbb628ab4

Attributes

encryption_key
5E2CFB52ADC9AC8BBA82A6E18BBD8FE00311B8A0
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 11 IoCs

resource	yara_rule
behavioral1/memory/2424-1-0x0000000001390000-0x00000000016F6000-memory.dmp	family_quasar
behavioral1/files/0x0008000000016689-6.dat	family_quasar
behavioral1/memory/1908-9-0x0000000001070000-0x00000000013D6000-memory.dmp	family_quasar
behavioral1/memory/2616-23-0x0000000001200000-0x0000000001566000-memory.dmp	family_quasar
behavioral1/memory/872-34-0x0000000000170000-0x00000000004D6000-memory.dmp	family_quasar
behavioral1/memory/1036-46-0x0000000001310000-0x0000000001676000-memory.dmp	family_quasar
behavioral1/memory/1772-67-0x0000000000330000-0x0000000000696000-memory.dmp	family_quasar
behavioral1/memory/2176-79-0x0000000001220000-0x0000000001586000-memory.dmp	family_quasar
behavioral1/memory/1896-110-0x00000000013B0000-0x0000000001716000-memory.dmp	family_quasar
behavioral1/memory/2856-121-0x00000000002B0000-0x0000000000616000-memory.dmp	family_quasar
behavioral1/memory/296-133-0x00000000012B0000-0x0000000001616000-memory.dmp	family_quasar

Executes dropped EXE 12 IoCs

pid	Process
1908	Client.exe
2616	Client.exe
872	Client.exe
1036	Client.exe
404	Client.exe
1772	Client.exe
2176	Client.exe
2660	Client.exe
1548	Client.exe
1896	Client.exe
2856	Client.exe
296	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2140	PING.EXE
2036	PING.EXE
2868	PING.EXE
2100	PING.EXE
2424	PING.EXE
2512	PING.EXE
2364	PING.EXE
2548	PING.EXE
3024	PING.EXE
1500	PING.EXE
2888	PING.EXE
924	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
2424	PING.EXE
2888	PING.EXE
2036	PING.EXE
2548	PING.EXE
3024	PING.EXE
2868	PING.EXE
2100	PING.EXE
2140	PING.EXE
1500	PING.EXE
2512	PING.EXE
2364	PING.EXE
924	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2544	schtasks.exe
748	schtasks.exe
1528	schtasks.exe
2708	schtasks.exe
1472	schtasks.exe
2956	schtasks.exe
2240	schtasks.exe
2756	schtasks.exe
2972	schtasks.exe
2524	schtasks.exe
2752	schtasks.exe
1900	schtasks.exe
2676	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2424	Image Logger 3.5.exe
Token: SeDebugPrivilege	1908	Client.exe
Token: SeDebugPrivilege	2616	Client.exe
Token: SeDebugPrivilege	872	Client.exe
Token: SeDebugPrivilege	1036	Client.exe
Token: SeDebugPrivilege	404	Client.exe
Token: SeDebugPrivilege	1772	Client.exe
Token: SeDebugPrivilege	2176	Client.exe
Token: SeDebugPrivilege	2660	Client.exe
Token: SeDebugPrivilege	1548	Client.exe
Token: SeDebugPrivilege	1896	Client.exe
Token: SeDebugPrivilege	2856	Client.exe
Token: SeDebugPrivilege	296	Client.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
1908	Client.exe
2616	Client.exe
872	Client.exe
1036	Client.exe
404	Client.exe
1772	Client.exe
2176	Client.exe
2660	Client.exe
1548	Client.exe
1896	Client.exe
2856	Client.exe
296	Client.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1908	Client.exe
2616	Client.exe
872	Client.exe
1036	Client.exe
404	Client.exe
1772	Client.exe
2176	Client.exe
2660	Client.exe
1548	Client.exe
1896	Client.exe
2856	Client.exe
296	Client.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1908	Client.exe
2616	Client.exe
872	Client.exe
1036	Client.exe
404	Client.exe
1772	Client.exe
2176	Client.exe
2660	Client.exe
1548	Client.exe
1896	Client.exe
2856	Client.exe
296	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 1528	2424	Image Logger 3.5.exe	28
PID 2424 wrote to memory of 1528	2424	Image Logger 3.5.exe	28
PID 2424 wrote to memory of 1528	2424	Image Logger 3.5.exe	28
PID 2424 wrote to memory of 1908	2424	Image Logger 3.5.exe	30
PID 2424 wrote to memory of 1908	2424	Image Logger 3.5.exe	30
PID 2424 wrote to memory of 1908	2424	Image Logger 3.5.exe	30
PID 1908 wrote to memory of 2972	1908	Client.exe	31
PID 1908 wrote to memory of 2972	1908	Client.exe	31
PID 1908 wrote to memory of 2972	1908	Client.exe	31
PID 1908 wrote to memory of 2392	1908	Client.exe	33
PID 1908 wrote to memory of 2392	1908	Client.exe	33
PID 1908 wrote to memory of 2392	1908	Client.exe	33
PID 2392 wrote to memory of 2104	2392	cmd.exe	35
PID 2392 wrote to memory of 2104	2392	cmd.exe	35
PID 2392 wrote to memory of 2104	2392	cmd.exe	35
PID 2392 wrote to memory of 2548	2392	cmd.exe	36
PID 2392 wrote to memory of 2548	2392	cmd.exe	36
PID 2392 wrote to memory of 2548	2392	cmd.exe	36
PID 2392 wrote to memory of 2616	2392	cmd.exe	39
PID 2392 wrote to memory of 2616	2392	cmd.exe	39
PID 2392 wrote to memory of 2616	2392	cmd.exe	39
PID 2616 wrote to memory of 2708	2616	Client.exe	40
PID 2616 wrote to memory of 2708	2616	Client.exe	40
PID 2616 wrote to memory of 2708	2616	Client.exe	40
PID 2616 wrote to memory of 1928	2616	Client.exe	42
PID 2616 wrote to memory of 1928	2616	Client.exe	42
PID 2616 wrote to memory of 1928	2616	Client.exe	42
PID 1928 wrote to memory of 1976	1928	cmd.exe	44
PID 1928 wrote to memory of 1976	1928	cmd.exe	44
PID 1928 wrote to memory of 1976	1928	cmd.exe	44
PID 1928 wrote to memory of 3024	1928	cmd.exe	45
PID 1928 wrote to memory of 3024	1928	cmd.exe	45
PID 1928 wrote to memory of 3024	1928	cmd.exe	45
PID 1928 wrote to memory of 872	1928	cmd.exe	46
PID 1928 wrote to memory of 872	1928	cmd.exe	46
PID 1928 wrote to memory of 872	1928	cmd.exe	46
PID 872 wrote to memory of 2524	872	Client.exe	47
PID 872 wrote to memory of 2524	872	Client.exe	47
PID 872 wrote to memory of 2524	872	Client.exe	47
PID 872 wrote to memory of 1644	872	Client.exe	49
PID 872 wrote to memory of 1644	872	Client.exe	49
PID 872 wrote to memory of 1644	872	Client.exe	49
PID 1644 wrote to memory of 2748	1644	cmd.exe	51
PID 1644 wrote to memory of 2748	1644	cmd.exe	51
PID 1644 wrote to memory of 2748	1644	cmd.exe	51
PID 1644 wrote to memory of 1500	1644	cmd.exe	52
PID 1644 wrote to memory of 1500	1644	cmd.exe	52
PID 1644 wrote to memory of 1500	1644	cmd.exe	52
PID 1644 wrote to memory of 1036	1644	cmd.exe	53
PID 1644 wrote to memory of 1036	1644	cmd.exe	53
PID 1644 wrote to memory of 1036	1644	cmd.exe	53
PID 1036 wrote to memory of 2752	1036	Client.exe	54
PID 1036 wrote to memory of 2752	1036	Client.exe	54
PID 1036 wrote to memory of 2752	1036	Client.exe	54
PID 1036 wrote to memory of 2080	1036	Client.exe	56
PID 1036 wrote to memory of 2080	1036	Client.exe	56
PID 1036 wrote to memory of 2080	1036	Client.exe	56
PID 2080 wrote to memory of 2880	2080	cmd.exe	58
PID 2080 wrote to memory of 2880	2080	cmd.exe	58
PID 2080 wrote to memory of 2880	2080	cmd.exe	58
PID 2080 wrote to memory of 2868	2080	cmd.exe	59
PID 2080 wrote to memory of 2868	2080	cmd.exe	59
PID 2080 wrote to memory of 2868	2080	cmd.exe	59
PID 2080 wrote to memory of 404	2080	cmd.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Image Logger 3.5.exe
"C:\Users\Admin\AppData\Local\Temp\Image Logger 3.5.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1528
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2972
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\BQD8JsGk51N3.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2104
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2548
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2708
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vIaL6OIccmCz.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1928
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1976
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3024
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2524
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PvBDmcpfwJG3.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2748
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1500
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2752
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UnYz0VeN34eH.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2880
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2868
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:404
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1472
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0e9Sid0MURWY.bat" "
        11⤵
        
        PID:2776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1300
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2100
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1772
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2956
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BW98EE8UeRQe.bat" "
        13⤵
        
        PID:2200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1172
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2140
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2176
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1900
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EnuHK79VNHvz.bat" "
        15⤵
        
        PID:2920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2424
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2660
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2676
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LrcpBG63giqU.bat" "
        17⤵
        
        PID:2568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2520
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2512
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1548
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2240
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5ozzJeoHV0XF.bat" "
        19⤵
        
        PID:2768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1940
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2364
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1896
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2756
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dExnYNAV3kSa.bat" "
        21⤵
        
        PID:2632
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2876
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2888
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2856
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2544
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\M6cfdGGrxFJq.bat" "
        23⤵
        
        PID:1396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:924
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:296
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:748
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BPoZSfun8qTC.bat" "
        25⤵
        
        PID:2744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2308
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0e9Sid0MURWY.bat

Filesize
207B

MD5
c2f077244f2f5cf59b92af8754300cf8

SHA1
f111d3b578d57e5b66f3aca73d23b058d3747131

SHA256
a36f3bbda104d2b56b1a8bb467b9be7e33ff9ecfe7a72660f57c813a28f877cc

SHA512
4d1c36cec5fa15b0e590a7dc61e431ee9dc1a0d4c3c18a79b13b3893d5c7acbdd74d0db6a4423574c16b6e028d047d555bd781edd40ca4597547d56074569051

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ozzJeoHV0XF.bat

Filesize
207B

MD5
d5f718e0caea1d1ac1fbe1794bc858da

SHA1
3d7b3764f773d2259445ad81db4f3151bdee6a5a

SHA256
6011c23738ac0d9edc10d9ee6aebc1900682166f3ab6ac8c586691273e90f284

SHA512
8f9503fa5b7adc1b8ed85c2a24783a29fd146863bd438c083166b413f14e65be7801b5dfd4def525beeab70d46a0a7b1dc4d86f726f1c6ed235f457970ca1e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\BPoZSfun8qTC.bat

Filesize
207B

MD5
303fa012f28fc655e3451bebb4195867

SHA1
4cc2e245cc65c8840969a86799685d0282cf0d75

SHA256
68ff04383601ce5fc708ebf8ddca43bbe05bb4afcc67454c33c95df31f0163a6

SHA512
ed97d94207a076028f85bdf7afed66736ba0e9c77fca200c4222d85cba924d921d1048c945dfe0abc7846e3ebe77e1260e4d464a2811180fb6a56b2e7bf4d728

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQD8JsGk51N3.bat

Filesize
207B

MD5
2a86fde64a1dc22cd058848ea72b5d85

SHA1
fdd84e845212ea9012bdbd6e085d6e90deea519c

SHA256
9cd3341bb81d69fd43e7d4f276abc8b86b1e072940e504706573dc5e81cd718d

SHA512
4b34ce9758f72c85a6b6cf2a840bb8731fe05f181bfb762115c1b91b93d874dd791036a22dbe39395c3e37a0549338bc0b4bfe7275744d335120cf1bd5852e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\BW98EE8UeRQe.bat

Filesize
207B

MD5
ab632f2268cea3c78eb1f46de77ef35e

SHA1
5c5068c0c3804b76f82331031f3491a5790d3e05

SHA256
eb2e37a51a33201e472304ff21eee1793d6e6549fd19ec78afd9ff8ee25852bc

SHA512
7008369428fa479bfc0f856d1c7354349e5452e1d1fc9acce206fdeb7b3817215a89e64fbc96ef5bc70098aaff7b20dc4aa36979655c050dd1a65927f8226275

Download Submit
C:\Users\Admin\AppData\Local\Temp\EnuHK79VNHvz.bat

Filesize
207B

MD5
70877e2b4eff5cf1a7bec6f107ef7f27

SHA1
569c72e30a5cbb435ba39f40d02c57419e77959d

SHA256
cd608837a54458f1f0e76c66e4d6f88686b1127473fc5207d3fdf33122760673

SHA512
9a72d56bb41bc62b32032646143ebbdc892581049f921088011cfae5c548386efe7af239bdb9b1571ee8f62f9211a8b75740a32e12b1a6aeaee9857856b1c548

Download Submit
C:\Users\Admin\AppData\Local\Temp\LrcpBG63giqU.bat

Filesize
207B

MD5
d6fd910bf3c22385ae9d1ee4a154235d

SHA1
56005b4767d940b2726b0fa060d4398b5d50fbe4

SHA256
7f43e1dd45eeab63feed1f9cb7a42f963d9ead04ccf2975a850940a7d7cd902a

SHA512
e9451f95f2cf674085f6909067c4fca065dce4bbaa05584030f6b41203b439da68d06319d650112a67bbabefb831892ad9713a7e71c0c28b1f0e270a10a9bb5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\M6cfdGGrxFJq.bat

Filesize
207B

MD5
4a3d8451beeee454ba519034ae7bf38b

SHA1
ef8efcf85abf67f128b8f0b9d1690a3549b13097

SHA256
50b06e2615c8dcd020d8faef5b2a96c7347191f229d8b1389e54d461d434f78d

SHA512
949f2a75eb3cc03c416984fd24b1be09a346033da1d8f6da26fb036ef8bc05b8a63252bdace13a1ad1d525355c8e7fb80fa1434e8fb6e733bbdceba2f09426e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\PvBDmcpfwJG3.bat

Filesize
207B

MD5
a9994f7c8207c70c5b201ffdd2eebd07

SHA1
bef512af58f313bf3549e26341570128da43928e

SHA256
7c520823bc19bc3ee708fc8b81c32f57622e86db6a5e4c875c39726d8092e340

SHA512
8421c6b89aa06f4135c2198bf20b16cf52c37389196dc469b35ee2f3642b9b2a62f5557f2409bcb56c9f9bd77a218a3a34d603522a55f58502866865efee1bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnYz0VeN34eH.bat

Filesize
207B

MD5
699958a6a02622e667aa8b6d2ded01ce

SHA1
82578b0d2cc4047fc7e58c7c29769d31412b974e

SHA256
d31e271df3d6ed89490a5d1c68fd1e757bef486dc3b34838d931394547d14b2f

SHA512
fe30cd1d6589c14e9aa08d3b24773aa0f1fb5a6b63c68483329b2b3e7d3d4bfec9102c3d03abc512fd9113a1ceee76c740e8e7d7a4ab6df43a0f8e9e70f0d7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dExnYNAV3kSa.bat

Filesize
207B

MD5
bb9002f05fbc3ccf551c7edcc511e97a

SHA1
d25ca5dd8a636e70bdec3a4e4de67d6208afee4b

SHA256
b1f6efa7ea4f8e0721c723588ab04a1b344e70d109dfe101162262b499cd9c23

SHA512
f8d25aa26adb012fb5ad624b9f88d9eaf5c138438f0379405f98455e92ed5005082a269adabf833f990c07d3a0fa8519175de54f5681d787968503badd4fb069

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIaL6OIccmCz.bat

Filesize
207B

MD5
593e09a34d500814626fadff4f5dc946

SHA1
2241352d94f8ce27eca085ebeee1db5c34d8c2f4

SHA256
1112184ba156e93241b247e646b889648406ce9abe982b9c481aa86a380cf1fe

SHA512
7a1a7d1e27432a37b4a354224adf67939d96288505d7a53c57eee9f58e33086aec58097c6c8dd5ea2c9aa95ec7024b49f23ac322fd5b244caa3a95ac594688ae

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.4MB

MD5
55fed3c2f548f0a0beed666f20a01d97

SHA1
e2908aeb63e17405b95c05a06a886813e1d4d594

SHA256
cd63a66b508d6653ee22e5fdc44dbcb6e9c7fe64e0eac9ed781ee82fe187005e

SHA512
2ca21479151e585416d63430f57faaf3f070af2cdc9f22ece10e439fdb1eb71a455fa75f1b925550ce74838e7cb69c0d110c6881c167c403b4c594834c72860e

Download Submit
memory/296-133-0x00000000012B0000-0x0000000001616000-memory.dmp

Filesize
3.4MB

Download
memory/872-34-0x0000000000170000-0x00000000004D6000-memory.dmp

Filesize
3.4MB

Download
memory/1036-46-0x0000000001310000-0x0000000001676000-memory.dmp

Filesize
3.4MB

Download
memory/1772-67-0x0000000000330000-0x0000000000696000-memory.dmp

Filesize
3.4MB

Download
memory/1896-110-0x00000000013B0000-0x0000000001716000-memory.dmp

Filesize
3.4MB

Download
memory/1908-9-0x0000000001070000-0x00000000013D6000-memory.dmp

Filesize
3.4MB

Download
memory/1908-10-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/1908-11-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/1908-20-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/2176-79-0x0000000001220000-0x0000000001586000-memory.dmp

Filesize
3.4MB

Download
memory/2424-8-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/2424-0-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

Filesize
4KB

Download
memory/2424-2-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/2424-1-0x0000000001390000-0x00000000016F6000-memory.dmp

Filesize
3.4MB

Download
memory/2616-23-0x0000000001200000-0x0000000001566000-memory.dmp

Filesize
3.4MB

Download
memory/2856-121-0x00000000002B0000-0x0000000000616000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads