quasar | bfd658e5b67652b3574a7414ca89d4a4b5b15c25cd789226a6cb897351a44a53

Analysis

max time kernel
143s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-01-2025 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

c9861630ff205557654616ce62525119
SHA1

5c60d40d59b7795186022c630b232a5dcead5ef3
SHA256

bfd658e5b67652b3574a7414ca89d4a4b5b15c25cd789226a6cb897351a44a53
SHA512

18b660b4a927534febca8e2a4a71a872ff1762c197a304be8bdd45337d30d193ea0da3900cb36ff8fd0fb3e40bfe999d9cdd8290814edca1a4a1ea57d3dfe4d8
SSDEEP

49152:tv+lL26AaNeWgPhlmVqvMQ7XSKeQRJ6CbR3LoGdYTHHB72eh2NT:tvuL26AaNeWgPhlmVqkQ7XSKeQRJ68

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

/meming-28826.portmap.host:28826

Mutex

0d852c3a-6700-4e42-85af-0da8a2a2fd2a

Attributes

encryption_key
B323B6B4414256836290414EF6F85AFA580A2B68
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System Notification Tray
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 13 IoCs

resource	yara_rule
behavioral1/memory/2104-1-0x0000000001010000-0x0000000001336000-memory.dmp	family_quasar
behavioral1/files/0x000700000001950c-5.dat	family_quasar
behavioral1/memory/2340-8-0x00000000001C0000-0x00000000004E6000-memory.dmp	family_quasar
behavioral1/memory/2596-23-0x00000000003C0000-0x00000000006E6000-memory.dmp	family_quasar
behavioral1/memory/1200-34-0x0000000001340000-0x0000000001666000-memory.dmp	family_quasar
behavioral1/memory/924-55-0x00000000002A0000-0x00000000005C6000-memory.dmp	family_quasar
behavioral1/memory/684-66-0x00000000009A0000-0x0000000000CC6000-memory.dmp	family_quasar
behavioral1/memory/2740-78-0x0000000001270000-0x0000000001596000-memory.dmp	family_quasar
behavioral1/memory/880-89-0x0000000000220000-0x0000000000546000-memory.dmp	family_quasar
behavioral1/memory/2164-110-0x0000000000290000-0x00000000005B6000-memory.dmp	family_quasar
behavioral1/memory/2820-121-0x00000000012E0000-0x0000000001606000-memory.dmp	family_quasar
behavioral1/memory/968-143-0x0000000000120000-0x0000000000446000-memory.dmp	family_quasar
behavioral1/memory/1648-154-0x0000000001320000-0x0000000001646000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2340	Client.exe
2596	Client.exe
1200	Client.exe
2812	Client.exe
924	Client.exe
684	Client.exe
2740	Client.exe
880	Client.exe
2720	Client.exe
2164	Client.exe
2820	Client.exe
1612	Client.exe
968	Client.exe
1648	Client.exe
804	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1112	PING.EXE
2144	PING.EXE
2660	PING.EXE
884	PING.EXE
2744	PING.EXE
2848	PING.EXE
2624	PING.EXE
2948	PING.EXE
1956	PING.EXE
2348	PING.EXE
2776	PING.EXE
2916	PING.EXE
1180	PING.EXE
1728	PING.EXE
2192	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2776	PING.EXE
2848	PING.EXE
2624	PING.EXE
2916	PING.EXE
2948	PING.EXE
2144	PING.EXE
884	PING.EXE
1956	PING.EXE
1728	PING.EXE
2660	PING.EXE
1180	PING.EXE
2192	PING.EXE
2744	PING.EXE
2348	PING.EXE
1112	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2652	schtasks.exe
968	schtasks.exe
3044	schtasks.exe
564	schtasks.exe
2584	schtasks.exe
892	schtasks.exe
2052	schtasks.exe
2104	schtasks.exe
2556	schtasks.exe
844	schtasks.exe
1396	schtasks.exe
1892	schtasks.exe
2892	schtasks.exe
296	schtasks.exe
3068	schtasks.exe
1884	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2104	Client-built.exe
Token: SeDebugPrivilege	2340	Client.exe
Token: SeDebugPrivilege	2596	Client.exe
Token: SeDebugPrivilege	1200	Client.exe
Token: SeDebugPrivilege	2812	Client.exe
Token: SeDebugPrivilege	924	Client.exe
Token: SeDebugPrivilege	684	Client.exe
Token: SeDebugPrivilege	2740	Client.exe
Token: SeDebugPrivilege	880	Client.exe
Token: SeDebugPrivilege	2720	Client.exe
Token: SeDebugPrivilege	2164	Client.exe
Token: SeDebugPrivilege	2820	Client.exe
Token: SeDebugPrivilege	1612	Client.exe
Token: SeDebugPrivilege	968	Client.exe
Token: SeDebugPrivilege	1648	Client.exe
Token: SeDebugPrivilege	804	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2052	2104	Client-built.exe	31
PID 2104 wrote to memory of 2052	2104	Client-built.exe	31
PID 2104 wrote to memory of 2052	2104	Client-built.exe	31
PID 2104 wrote to memory of 2340	2104	Client-built.exe	33
PID 2104 wrote to memory of 2340	2104	Client-built.exe	33
PID 2104 wrote to memory of 2340	2104	Client-built.exe	33
PID 2340 wrote to memory of 2652	2340	Client.exe	34
PID 2340 wrote to memory of 2652	2340	Client.exe	34
PID 2340 wrote to memory of 2652	2340	Client.exe	34
PID 2340 wrote to memory of 2848	2340	Client.exe	36
PID 2340 wrote to memory of 2848	2340	Client.exe	36
PID 2340 wrote to memory of 2848	2340	Client.exe	36
PID 2848 wrote to memory of 1924	2848	cmd.exe	38
PID 2848 wrote to memory of 1924	2848	cmd.exe	38
PID 2848 wrote to memory of 1924	2848	cmd.exe	38
PID 2848 wrote to memory of 2776	2848	cmd.exe	39
PID 2848 wrote to memory of 2776	2848	cmd.exe	39
PID 2848 wrote to memory of 2776	2848	cmd.exe	39
PID 2848 wrote to memory of 2596	2848	cmd.exe	40
PID 2848 wrote to memory of 2596	2848	cmd.exe	40
PID 2848 wrote to memory of 2596	2848	cmd.exe	40
PID 2596 wrote to memory of 2584	2596	Client.exe	41
PID 2596 wrote to memory of 2584	2596	Client.exe	41
PID 2596 wrote to memory of 2584	2596	Client.exe	41
PID 2596 wrote to memory of 2604	2596	Client.exe	43
PID 2596 wrote to memory of 2604	2596	Client.exe	43
PID 2596 wrote to memory of 2604	2596	Client.exe	43
PID 2604 wrote to memory of 2112	2604	cmd.exe	45
PID 2604 wrote to memory of 2112	2604	cmd.exe	45
PID 2604 wrote to memory of 2112	2604	cmd.exe	45
PID 2604 wrote to memory of 1728	2604	cmd.exe	46
PID 2604 wrote to memory of 1728	2604	cmd.exe	46
PID 2604 wrote to memory of 1728	2604	cmd.exe	46
PID 2604 wrote to memory of 1200	2604	cmd.exe	47
PID 2604 wrote to memory of 1200	2604	cmd.exe	47
PID 2604 wrote to memory of 1200	2604	cmd.exe	47
PID 1200 wrote to memory of 1892	1200	Client.exe	48
PID 1200 wrote to memory of 1892	1200	Client.exe	48
PID 1200 wrote to memory of 1892	1200	Client.exe	48
PID 1200 wrote to memory of 2304	1200	Client.exe	50
PID 1200 wrote to memory of 2304	1200	Client.exe	50
PID 1200 wrote to memory of 2304	1200	Client.exe	50
PID 2304 wrote to memory of 1944	2304	cmd.exe	52
PID 2304 wrote to memory of 1944	2304	cmd.exe	52
PID 2304 wrote to memory of 1944	2304	cmd.exe	52
PID 2304 wrote to memory of 2660	2304	cmd.exe	53
PID 2304 wrote to memory of 2660	2304	cmd.exe	53
PID 2304 wrote to memory of 2660	2304	cmd.exe	53
PID 2304 wrote to memory of 2812	2304	cmd.exe	54
PID 2304 wrote to memory of 2812	2304	cmd.exe	54
PID 2304 wrote to memory of 2812	2304	cmd.exe	54
PID 2812 wrote to memory of 2892	2812	Client.exe	55
PID 2812 wrote to memory of 2892	2812	Client.exe	55
PID 2812 wrote to memory of 2892	2812	Client.exe	55
PID 2812 wrote to memory of 1844	2812	Client.exe	57
PID 2812 wrote to memory of 1844	2812	Client.exe	57
PID 2812 wrote to memory of 1844	2812	Client.exe	57
PID 1844 wrote to memory of 2928	1844	cmd.exe	59
PID 1844 wrote to memory of 2928	1844	cmd.exe	59
PID 1844 wrote to memory of 2928	1844	cmd.exe	59
PID 1844 wrote to memory of 2916	1844	cmd.exe	60
PID 1844 wrote to memory of 2916	1844	cmd.exe	60
PID 1844 wrote to memory of 2916	1844	cmd.exe	60
PID 1844 wrote to memory of 924	1844	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2052
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2652
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\XaJHGzluVBhE.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1924
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2776
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2584
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JQGvBeA6JLwS.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2604
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2112
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1728
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1892
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KDEdQv41fByS.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2660
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2892
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aKpB7gPmLBkE.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2928
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2916
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:924
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:968
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7NILjIUvTrfu.bat" "
        11⤵
        
        PID:408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1412
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1180
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:296
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Yr9Xj9Z8nKw2.bat" "
        13⤵
        
        PID:632
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1468
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2192
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3044
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\y80m7W35gSUO.bat" "
        15⤵
        
        PID:2252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2144
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:884
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3068
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NzyiBhjYQ9cF.bat" "
        17⤵
        
        PID:2360
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2520
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2744
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2104
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0kHRf1vuirzF.bat" "
        19⤵
        
        PID:1448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2848
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2556
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\puC5U2mMGdId.bat" "
        21⤵
        
        PID:2732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1728
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2624
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:844
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8MP4k1C9ooSX.bat" "
        23⤵
        
        PID:2100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2660
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1956
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1884
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\E25sraqJ3vYz.bat" "
        25⤵
        
        PID:2936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1844
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2948
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:968
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1396
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\b2aYKkh4jRsR.bat" "
        27⤵
        
        PID:832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:892
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SkkdehJDEnJF.bat" "
        29⤵
        
        PID:864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1112
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:804
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:564
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YDNKOw82f6BW.bat" "
        31⤵
        
        PID:2200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1256
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0kHRf1vuirzF.bat

Filesize
207B

MD5
0a7e9e5038b91d6f1ea58dfb87d14047

SHA1
93abde133b5326c006833fa1a9490352247fb435

SHA256
502873c85d5ea9cfadbb3e3358b86178a5c29314175fd5c3796889133be112e1

SHA512
3647cec2f399067f22b8c78d670487062cbc72fdead47327e72d17dfa71532dbe07538a29db3ddc8e5b0b43e2c30a55ce99559ee68a2b60328406206f61ac90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7NILjIUvTrfu.bat

Filesize
207B

MD5
1fe40518e182b1668a84a05cc6e60df1

SHA1
839404582f2c81ef4d37c4763c793c52ab0e8ec8

SHA256
6fb9e9eb1040a86454826994ad075064cc8ec9140524f961203a99ea29874e53

SHA512
6c917ec7933ebc4ae58b3510b7c50d869629135dc2c6082318c5e6b3f7f934dc53d7f4729f24495cc1b8a9ec7a8079fb52d31f65979f2c6813bd42bdf4109fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\8MP4k1C9ooSX.bat

Filesize
207B

MD5
f44e1293f8cc4f0dfcfe0e123cc83652

SHA1
a158d9dab7a139fb1e6a5ad98dcd0faa68a5f3ec

SHA256
fe368083b59c2772a0732c680f326549e2f2916d4830de496658cbafad6d9afa

SHA512
1bbe45726dcc35713f63e3028d7416173cb54dcd38dbed143d706a16413121d39b51a340796fc6f7aacbaee90bfdc79106be219b089790a6d2b8a77775b36ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\E25sraqJ3vYz.bat

Filesize
207B

MD5
ab800eca5ee8254b824085c2e7553b73

SHA1
e7c17a7435f05c103096d8e3814b98bf5f369dc4

SHA256
a0ccb69c01034ef707b148ca5672227d60c274cf32980e93199b0085eeee83aa

SHA512
37ce2199b014cd247e577c1b29a1ddd720ee631ac2b2d0bab16cbe6cb18938814ecb1b96ada691e4231b2e48ff8b60b727267097cc8cadac2ae4254377b7aa93

Download Submit
C:\Users\Admin\AppData\Local\Temp\JQGvBeA6JLwS.bat

Filesize
207B

MD5
a0abab362c6dc60518737eb5085a0fb5

SHA1
0141615e548f5740e1a98f97d4bb6d8e2787110b

SHA256
bd424602746749ee1d18217909fa7dacdafa6ed02cfc4ae87d7f7c4dd53aecbc

SHA512
180a56317f5b8c6ed9d24a16240357ea96b46c41ff4bfb53beebcbcbfbc05748adcea80e4a4ee19c608ec98d4fb7ec78ae2f8ddc6790627031ab02276a924622

Download Submit
C:\Users\Admin\AppData\Local\Temp\KDEdQv41fByS.bat

Filesize
207B

MD5
835ef8fd1fc5d2db57f1a81c6a76dae8

SHA1
7e486c7ffa05ce4eec50e1257069d2b98e7e6916

SHA256
5defbc3372ff37bfe2f216867003ff7cb1c0abff36801719acb28c6ffb05f736

SHA512
5583c08d45f19b39732a55141a733e5e9f44a7476c5a8aeca7f986e99fe964f91240719875c2eaba65830f2c9b3326f88f1291deb7c83fb1eb56397df4000d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\NzyiBhjYQ9cF.bat

Filesize
207B

MD5
4981e3cfd86e0471221d0efda72746a8

SHA1
b0b299ab86ba86e5863acc69ba77595c8dba7531

SHA256
646485b9a8567b9655cdfa12fff94eb85aff9e2f50d16173de0b6c79febff94d

SHA512
953991ac0e3f5237a7e88844d498e1c0b289e72bc59bbafeb2c93eb0c2883c5ba5da042d27108a7c74cf6350e72ca922aeb856d2d0c2f39701b19b08ff59adaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkkdehJDEnJF.bat

Filesize
207B

MD5
91771625328b50ca9061bddedf111ec8

SHA1
a956093a1cbc278bb687ddaa66f11d82ac0e71bb

SHA256
729f715b7c59c4924ad37747dcd96e7de62e246c2567dd06a83ac5a007395e89

SHA512
5d35be40e6e166028d42e6b6b8feecfcfc88c628a3b145f64723716a0e33f33d89ae01451c69a4c67bc4ba94fab3436a4feb903634099ec84a02eb9c8a02dec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XaJHGzluVBhE.bat

Filesize
207B

MD5
81e27dd393bb6fc1379d5e6983408800

SHA1
ae9408a7b559790a399a30ea006435f01befb183

SHA256
8ff8fcdbff18b8318c5149859147395a652c1aabda8d09bfaff0304ab63ff490

SHA512
72a0b6d5b20638c64edb5b536853bed6d1566b68c47bdd6cf36a11cd69a47b3c7ea5e0ee6d7300ee06f9d0481125dc4e7bb125937e63939ecd98749296ae1ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\YDNKOw82f6BW.bat

Filesize
207B

MD5
aeed6b2a77f735695e4b7370712cf8d7

SHA1
30ddaedda910d5292f9ecca6c7bf0ae6db763c04

SHA256
c09663b985566dbc9772e34a68a15ba57b338ef5bec6e469157cfbce4eccab23

SHA512
7bb31ace445f00b9fcc6cb361a28bd50f49b761c55a2041b8c6a0bf05891f56baca85b0f708b1c03215bc9e522ce6ad80917c12539e40524e37f984829b8996d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yr9Xj9Z8nKw2.bat

Filesize
207B

MD5
c412b64877d015324f67a035a59bd3f2

SHA1
e114f89543ad52bf7f5ca90d2f2d36ba5a0111be

SHA256
2b9d5c072bc03cf45dae1625dd0bc406a5d104165137df2e6e50ad57959802f9

SHA512
bea7ea3269057a35e9045a6b7514480dc98fc48325a465ce6014d0d06cfd19f8a991ec7e2ad7c48d7a4180c5882f783a55168835d0b78a7692b051a2817fda34

Download Submit
C:\Users\Admin\AppData\Local\Temp\aKpB7gPmLBkE.bat

Filesize
207B

MD5
5cfa34eb4e1847c7204c5b5a84c75433

SHA1
f404113c409f7698ee1f5c6fb5971628ef53387a

SHA256
6b5acfb763b4846ccf49be2f42f9597331194f9226cfa038e1372b9b2cb1fc79

SHA512
4f228b06b7ce772cd1706de0a249ddc534a096d093e8e0e7e1a1bc862297a8eed089ba0872caadd22a6800b87d8267b08aa44d7f801af07b60660ec3e52c9ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2aYKkh4jRsR.bat

Filesize
207B

MD5
d486213e847bea6b58a626888eebb966

SHA1
7f2bce3121d06cab098a4d913896581342d08ca4

SHA256
459da3f89b13212a35bbc71edd0a7f89fc6a9d4e5dac7ef7d1223ce068bd036a

SHA512
22e9df95fa5b89bc1a26b6a5fc6acced3e5650003fc86d300e8edf9022893533f8c901db4abcbd215210cbb211d28768db5e3aaef8d6423e68b7626b40fc88f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\puC5U2mMGdId.bat

Filesize
207B

MD5
45321f582b54246265d1ea5224fa5a34

SHA1
f0f3762caadbc6fc1272389692b3a701b2603bf4

SHA256
626e66dcd73461d04c721b1ea15b244f2efc306eddb84680db7c6dc2e194c5e5

SHA512
b5a9be045a0c8d41737b935b67ef8ce12fa9064786cb2ac0b037885b27ebad796e0ba11aa2c10a0b01febba35b69303aecf9b096811f98256a5159667b13205d

Download Submit
C:\Users\Admin\AppData\Local\Temp\y80m7W35gSUO.bat

Filesize
207B

MD5
c616f39b0a9c03cee2f8e6a9140d49cf

SHA1
35c39ec06e5d5ab40c6ebdb9875f220df2269e9d

SHA256
1dfca98dc8fafc5cda2eafef5400a9ebff75bfa748e1f65c72c83e45da7a2992

SHA512
10f686a0f99f9cd8104232e838fbcaaac5875e740277b75ecd88746798744672eaae40807837d6a8e0c02ef07b6ca45d736cd264bf1658294e173cf08520413a

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
c9861630ff205557654616ce62525119

SHA1
5c60d40d59b7795186022c630b232a5dcead5ef3

SHA256
bfd658e5b67652b3574a7414ca89d4a4b5b15c25cd789226a6cb897351a44a53

SHA512
18b660b4a927534febca8e2a4a71a872ff1762c197a304be8bdd45337d30d193ea0da3900cb36ff8fd0fb3e40bfe999d9cdd8290814edca1a4a1ea57d3dfe4d8

Download Submit
memory/684-66-0x00000000009A0000-0x0000000000CC6000-memory.dmp

Filesize
3.1MB

Download
memory/880-89-0x0000000000220000-0x0000000000546000-memory.dmp

Filesize
3.1MB

Download
memory/924-55-0x00000000002A0000-0x00000000005C6000-memory.dmp

Filesize
3.1MB

Download
memory/968-143-0x0000000000120000-0x0000000000446000-memory.dmp

Filesize
3.1MB

Download
memory/1200-34-0x0000000001340000-0x0000000001666000-memory.dmp

Filesize
3.1MB

Download
memory/1648-154-0x0000000001320000-0x0000000001646000-memory.dmp

Filesize
3.1MB

Download
memory/2104-2-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2104-9-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2104-1-0x0000000001010000-0x0000000001336000-memory.dmp

Filesize
3.1MB

Download
memory/2104-0-0x000007FEF6573000-0x000007FEF6574000-memory.dmp

Filesize
4KB

Download
memory/2164-110-0x0000000000290000-0x00000000005B6000-memory.dmp

Filesize
3.1MB

Download
memory/2340-10-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2340-11-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2340-8-0x00000000001C0000-0x00000000004E6000-memory.dmp

Filesize
3.1MB

Download
memory/2340-21-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2596-23-0x00000000003C0000-0x00000000006E6000-memory.dmp

Filesize
3.1MB

Download
memory/2740-78-0x0000000001270000-0x0000000001596000-memory.dmp

Filesize
3.1MB

Download
memory/2820-121-0x00000000012E0000-0x0000000001606000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads