quasar | bfd658e5b67652b3574a7414ca89d4a4b5b15c25cd789226a6cb897351a44a53

Analysis

max time kernel
147s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/01/2025, 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

c9861630ff205557654616ce62525119
SHA1

5c60d40d59b7795186022c630b232a5dcead5ef3
SHA256

bfd658e5b67652b3574a7414ca89d4a4b5b15c25cd789226a6cb897351a44a53
SHA512

18b660b4a927534febca8e2a4a71a872ff1762c197a304be8bdd45337d30d193ea0da3900cb36ff8fd0fb3e40bfe999d9cdd8290814edca1a4a1ea57d3dfe4d8
SSDEEP

49152:tv+lL26AaNeWgPhlmVqvMQ7XSKeQRJ6CbR3LoGdYTHHB72eh2NT:tvuL26AaNeWgPhlmVqkQ7XSKeQRJ68

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

/meming-28826.portmap.host:28826

Mutex

0d852c3a-6700-4e42-85af-0da8a2a2fd2a

Attributes

encryption_key
B323B6B4414256836290414EF6F85AFA580A2B68
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System Notification Tray
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2764-1-0x0000000000BB0000-0x0000000000ED6000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023cbf-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
4216	Client.exe
3700	Client.exe
3732	Client.exe
1928	Client.exe
2216	Client.exe
3652	Client.exe
1772	Client.exe
5084	Client.exe
2772	Client.exe
2464	Client.exe
2792	Client.exe
448	Client.exe
5052	Client.exe
1640	Client.exe
5012	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3204	PING.EXE
3272	PING.EXE
3676	PING.EXE
3960	PING.EXE
1800	PING.EXE
4056	PING.EXE
5088	PING.EXE
4260	PING.EXE
3636	PING.EXE
4220	PING.EXE
2176	PING.EXE
4880	PING.EXE
3016	PING.EXE
1680	PING.EXE
448	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
5088	PING.EXE
3960	PING.EXE
1680	PING.EXE
4260	PING.EXE
1800	PING.EXE
4056	PING.EXE
3016	PING.EXE
3204	PING.EXE
448	PING.EXE
3636	PING.EXE
3272	PING.EXE
4220	PING.EXE
4880	PING.EXE
3676	PING.EXE
2176	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4324	schtasks.exe
2320	schtasks.exe
1632	schtasks.exe
1940	schtasks.exe
1780	schtasks.exe
1956	schtasks.exe
4500	schtasks.exe
4436	schtasks.exe
4848	schtasks.exe
4900	schtasks.exe
2436	schtasks.exe
3564	schtasks.exe
4780	schtasks.exe
2176	schtasks.exe
568	schtasks.exe
1452	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	Client-built.exe
Token: SeDebugPrivilege	4216	Client.exe
Token: SeDebugPrivilege	3700	Client.exe
Token: SeDebugPrivilege	3732	Client.exe
Token: SeDebugPrivilege	1928	Client.exe
Token: SeDebugPrivilege	2216	Client.exe
Token: SeDebugPrivilege	3652	Client.exe
Token: SeDebugPrivilege	1772	Client.exe
Token: SeDebugPrivilege	5084	Client.exe
Token: SeDebugPrivilege	2772	Client.exe
Token: SeDebugPrivilege	2464	Client.exe
Token: SeDebugPrivilege	2792	Client.exe
Token: SeDebugPrivilege	448	Client.exe
Token: SeDebugPrivilege	5052	Client.exe
Token: SeDebugPrivilege	1640	Client.exe
Token: SeDebugPrivilege	5012	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 4900	2764	Client-built.exe	83
PID 2764 wrote to memory of 4900	2764	Client-built.exe	83
PID 2764 wrote to memory of 4216	2764	Client-built.exe	85
PID 2764 wrote to memory of 4216	2764	Client-built.exe	85
PID 4216 wrote to memory of 1940	4216	Client.exe	86
PID 4216 wrote to memory of 1940	4216	Client.exe	86
PID 4216 wrote to memory of 2212	4216	Client.exe	88
PID 4216 wrote to memory of 2212	4216	Client.exe	88
PID 2212 wrote to memory of 4704	2212	cmd.exe	90
PID 2212 wrote to memory of 4704	2212	cmd.exe	90
PID 2212 wrote to memory of 3676	2212	cmd.exe	91
PID 2212 wrote to memory of 3676	2212	cmd.exe	91
PID 2212 wrote to memory of 3700	2212	cmd.exe	102
PID 2212 wrote to memory of 3700	2212	cmd.exe	102
PID 3700 wrote to memory of 2176	3700	Client.exe	103
PID 3700 wrote to memory of 2176	3700	Client.exe	103
PID 3700 wrote to memory of 1956	3700	Client.exe	105
PID 3700 wrote to memory of 1956	3700	Client.exe	105
PID 1956 wrote to memory of 1780	1956	cmd.exe	108
PID 1956 wrote to memory of 1780	1956	cmd.exe	108
PID 1956 wrote to memory of 5088	1956	cmd.exe	109
PID 1956 wrote to memory of 5088	1956	cmd.exe	109
PID 1956 wrote to memory of 3732	1956	cmd.exe	113
PID 1956 wrote to memory of 3732	1956	cmd.exe	113
PID 3732 wrote to memory of 2436	3732	Client.exe	114
PID 3732 wrote to memory of 2436	3732	Client.exe	114
PID 3732 wrote to memory of 3908	3732	Client.exe	116
PID 3732 wrote to memory of 3908	3732	Client.exe	116
PID 3908 wrote to memory of 640	3908	cmd.exe	119
PID 3908 wrote to memory of 640	3908	cmd.exe	119
PID 3908 wrote to memory of 3960	3908	cmd.exe	120
PID 3908 wrote to memory of 3960	3908	cmd.exe	120
PID 3908 wrote to memory of 1928	3908	cmd.exe	125
PID 3908 wrote to memory of 1928	3908	cmd.exe	125
PID 1928 wrote to memory of 568	1928	Client.exe	127
PID 1928 wrote to memory of 568	1928	Client.exe	127
PID 1928 wrote to memory of 780	1928	Client.exe	130
PID 1928 wrote to memory of 780	1928	Client.exe	130
PID 780 wrote to memory of 4276	780	cmd.exe	132
PID 780 wrote to memory of 4276	780	cmd.exe	132
PID 780 wrote to memory of 1680	780	cmd.exe	133
PID 780 wrote to memory of 1680	780	cmd.exe	133
PID 780 wrote to memory of 2216	780	cmd.exe	135
PID 780 wrote to memory of 2216	780	cmd.exe	135
PID 2216 wrote to memory of 3564	2216	Client.exe	136
PID 2216 wrote to memory of 3564	2216	Client.exe	136
PID 2216 wrote to memory of 212	2216	Client.exe	138
PID 2216 wrote to memory of 212	2216	Client.exe	138
PID 212 wrote to memory of 2980	212	cmd.exe	141
PID 212 wrote to memory of 2980	212	cmd.exe	141
PID 212 wrote to memory of 4260	212	cmd.exe	142
PID 212 wrote to memory of 4260	212	cmd.exe	142
PID 212 wrote to memory of 3652	212	cmd.exe	144
PID 212 wrote to memory of 3652	212	cmd.exe	144
PID 3652 wrote to memory of 1780	3652	Client.exe	145
PID 3652 wrote to memory of 1780	3652	Client.exe	145
PID 3652 wrote to memory of 5080	3652	Client.exe	148
PID 3652 wrote to memory of 5080	3652	Client.exe	148
PID 5080 wrote to memory of 2360	5080	cmd.exe	150
PID 5080 wrote to memory of 2360	5080	cmd.exe	150
PID 5080 wrote to memory of 448	5080	cmd.exe	151
PID 5080 wrote to memory of 448	5080	cmd.exe	151
PID 5080 wrote to memory of 1772	5080	cmd.exe	153
PID 5080 wrote to memory of 1772	5080	cmd.exe	153

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4900
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4216
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMgpeCRNZZyv.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4704
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3676
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3700
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2176
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A0cwBpEgYoq4.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1956
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1780
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5088
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cnDOkMq25Lkj.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:640
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3960
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqxE5f9p8ZO0.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4276
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1680
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3OtjCzWVIEk1.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2980
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4260
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAT4NexGHbjp.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2360
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:448
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mz4KqdacAPvp.bat" "
        15⤵
        
        PID:3324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3636
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKFGpS3TUPpI.bat" "
        17⤵
        
        PID:3960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3272
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mm47WjSHMIm1.bat" "
        19⤵
        
        PID:4580
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3752
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4220
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T9PGq9pIPliQ.bat" "
        21⤵
        
        PID:3952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4812
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2176
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\I8Cn6qxbrApz.bat" "
        23⤵
        
        PID:2552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1252
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1800
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QbIYecMbAPF1.bat" "
        25⤵
        
        PID:5004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1400
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4880
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5052
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LO3CmMvH0yKo.bat" "
        27⤵
        
        PID:4364
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4056
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kY3MRxoyPxXj.bat" "
        29⤵
        
        PID:4252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1496
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3016
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5012
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OD0MMgvK9wyd.bat" "
        31⤵
        
        PID:4180
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:3564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3OtjCzWVIEk1.bat

Filesize
207B

MD5
89a516964f2a072775d9e868a32d3bff

SHA1
2f65a216115bc70a5333d399320abf9145433bd7

SHA256
376a27b69fbea9ee0daea43c1d3604cdd0750a32959bf4811ac8bc6ed93a12b4

SHA512
cc811bf38081fe41239f2809a4f18858b0aa3c77b82339dbba1145649b48db9cd8eea0abad480e4fefb482091d15642293ac1ea5296c6d5761f34691069cdfe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\A0cwBpEgYoq4.bat

Filesize
207B

MD5
c229e5004f1b20ef8dfd4e26b1097d50

SHA1
d8fed8f1ce836fcea089b81b1481292ccef78ad9

SHA256
a81cf287d906da08335b6eff599ab45b1767a618f41208a375c3d4feed3c6d1a

SHA512
90c818ebc460532feb11fa0d04d13ab9c06d3cf0cd7f4091164f0c384b3cf372d018599693bd9f1fb820972e06f8724f4a2fefaec82e14cf72a04f0d86b9bae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAT4NexGHbjp.bat

Filesize
207B

MD5
82235f209bd4a9eba79c3014b755daa8

SHA1
3fe369cfb899aaf7e06bc1967e2baddd37c4e921

SHA256
d914784e873e190a1add0ff0ecdb5aaa06777144594be4ef9cf3df3cbeadf4ac

SHA512
d3e5458ba9e8073d680a61b71cd4f7dad4dbd5cbb43a4f2b3f6677a8fa9fea16934b68962e946d96816d7252e550a25f0ca9fce9666bbf8d9f5343e39b7941d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\HqxE5f9p8ZO0.bat

Filesize
207B

MD5
472d4bc2f62786a80c949bdf7f22253f

SHA1
dcf6962f710f76cb71b4bcc51bc4582884f69be2

SHA256
3e37195cb1a5d39ea0f9875b3c66d072a5b960caeb467414b83e4ac46c644543

SHA512
239ab20422b7b061ea134ac27b6751da5745958fcbe97668f5f18ca63dd7059a1a7a83cc983921d31e1ac2efb999b754152bde0ff51284b922ca9cbc51f8006f

Download Submit
C:\Users\Admin\AppData\Local\Temp\I8Cn6qxbrApz.bat

Filesize
207B

MD5
155dc43ba38c27f521e7b561b41692a7

SHA1
5b962b94617cc8336bc6649b894fbfeeed209ff5

SHA256
7381de7304654b89dd25a896661eac3fb49d479660bf4f67f5268a0b1187d199

SHA512
a13582118ee7db0a7753efec3ac24c2e1f1ab301b7f9304e98fb7f132f929a990d32f2f6689422b52d0aee7a1d042361e3b571d2795cb6d5f5d513422c02a085

Download Submit
C:\Users\Admin\AppData\Local\Temp\LO3CmMvH0yKo.bat

Filesize
207B

MD5
6c75c1b886ac073624ee6ec0f27fb203

SHA1
f0442db4aeaf2ffba6259b1f06bdb8c6f507ff5e

SHA256
6cb0b53026f77bf0ace444f98b1762b11b3dd234817e527bc65f3b7e583ceecd

SHA512
37eec57fb4eb24b3aec6ef6ee978e58790f8c65f9f296f33a25eb72cf536c2a117f9a713c3235a60c46ffc70f35a801d8dd293eaf00215a75212133ea3c2be49

Download Submit
C:\Users\Admin\AppData\Local\Temp\MKFGpS3TUPpI.bat

Filesize
207B

MD5
035f800895a942378aa5c19e06f7a4a2

SHA1
3ffcb882cecefcbaf7488422b408201d15f8c808

SHA256
afa3380e1813938e076f24b91923f9ab128c24dd60a677d357f1763d80194d7a

SHA512
b8c47711f7dbdce807d5b0e9435286ba000e520d12213d3464d75f548702265513701734fd83676205d066f2fd52f32de44982d30115d83227955f219120d5bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMgpeCRNZZyv.bat

Filesize
207B

MD5
7bda4d1ef8006a6c0b1ed6b28c718471

SHA1
648a6f046417b4f775bc0fe569db0d238765cf6c

SHA256
a91b7572b36e955ba490ad29aff3599dbb8bf84f280d4c22036b59b398074187

SHA512
e4aa91c9eb05e91d056cd9dc39282d127dbf225c2e29ecb309eeaaff85a2862fc1cc85b18e902b566e08eecbf9caff1ab6f8950b56f73c7c1b2f6e7f8fec05c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OD0MMgvK9wyd.bat

Filesize
207B

MD5
ac78da84bc5cd24dc7f0bc833fb759ed

SHA1
d280ee7e884f3057b774992777d7b899e798969d

SHA256
55242eaee0432e150451370b29e33b6937ff9bbb7d09a46e522facfcb2512112

SHA512
aaa34cd95016e010f9da6bc0499f11ca7823126eb83fd20719fe5938870619526ed18fb5eb5cae2955dd31059d0499a79c41cddc8a228a8895b82899f35b2d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\QbIYecMbAPF1.bat

Filesize
207B

MD5
cdc0665a055d94d5821009ebfa617278

SHA1
22c118ee2eb990e600f94ac5e177825d6ff95176

SHA256
df27617c8e69b65d75a5d3ca17b4a117189c2fdd1874faab9455d96a8dbfef10

SHA512
c7493fa474a8d716501acd78c037f460dd052c975b833bb552e572ab0635038c0ed6a40dd9fe56db74b9cab9c0b047f2100107357b029c739b891025b0197b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\T9PGq9pIPliQ.bat

Filesize
207B

MD5
0257fd206768ea865e85a50f97fd81d7

SHA1
3649711046019515e1c87d1a1dc48e2b85b3e48e

SHA256
2fc5617a19db2e7e0e647d3472147ffe649eec8804e7da0b575dbcedd5e464c3

SHA512
3fc2cf312c1f01a80343d1769a9cd0046ee672f788374ddbf68ed04fc7ad77bb2c6c8a98daac3fb89c3dd7dad941d617156c1f70e9ef174156f8f393f1730bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cnDOkMq25Lkj.bat

Filesize
207B

MD5
131d23b5df40fda5967ebacc2e8559ef

SHA1
e0c0c6e7cb765fbd0e2bcecc8c6f6bdfc9693553

SHA256
2247a2bf10af7788775ec413d64adcaca4b4cd984f5a1c7d31d2e6fd0baccb32

SHA512
95ef0951d47b09192870a867f79adf4debf4e5b69ec4eedb4a883684a058d871fd1482f8981ff86a36aeb3d45c803a6b233db0566bca10dbf83f128f939dd044

Download Submit
C:\Users\Admin\AppData\Local\Temp\kY3MRxoyPxXj.bat

Filesize
207B

MD5
a990bef917cd40be9794506d2ce95b17

SHA1
360cfee114c837fd050f830827a386397483760a

SHA256
343858d11b6e175d590681893d65dd2467194b0867c3a06948260d2fb34b8f61

SHA512
fa0b3d2113658fa0730ebcd1610f02937db5c6d952e6e1f098667812833010fb18552e067ae527adf2131e30fbc8b8f4fcea3a9611667e570ffc6b5ba8ce8bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\mm47WjSHMIm1.bat

Filesize
207B

MD5
b9dd9f5cb2d3c8d24d5b719ff14f5d18

SHA1
dfe613d34fc1b26c8f12aa86ddcc08cd001ecb53

SHA256
6b174270d433fb1812d1e889fee7e41e381c6083863869ace4eccd5a1ce38e2f

SHA512
596c438db05fcd84d9c537e0e51bc2b2cc8e7fd65e11f954ca3fee9493488dd838d00cbb8b7feec18a2246076c2894f2acf85de5a455aeb2fe0ec1036e695ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mz4KqdacAPvp.bat

Filesize
207B

MD5
6c7e9c2c0dbb9a9800d0623a45648b5a

SHA1
b730057dfd02426ec9fc36c47a404c83b9e64443

SHA256
2f066a594150c00af400c8a15029b0f1f26359c3173900e8b8622b07ac4c450f

SHA512
8cb415199e10b3729348c25395cca38da2267c72e0c42f9afcb96c03b1fb0b8e963d30cf09123fe81f60104243b966b893ced2cb13a228114481c0dfb428bc80

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
c9861630ff205557654616ce62525119

SHA1
5c60d40d59b7795186022c630b232a5dcead5ef3

SHA256
bfd658e5b67652b3574a7414ca89d4a4b5b15c25cd789226a6cb897351a44a53

SHA512
18b660b4a927534febca8e2a4a71a872ff1762c197a304be8bdd45337d30d193ea0da3900cb36ff8fd0fb3e40bfe999d9cdd8290814edca1a4a1ea57d3dfe4d8

Download Submit
memory/2764-0-0x00007FFE161D3000-0x00007FFE161D5000-memory.dmp

Filesize
8KB

Download
memory/2764-9-0x00007FFE161D0000-0x00007FFE16C91000-memory.dmp

Filesize
10.8MB

Download
memory/2764-2-0x00007FFE161D0000-0x00007FFE16C91000-memory.dmp

Filesize
10.8MB

Download
memory/2764-1-0x0000000000BB0000-0x0000000000ED6000-memory.dmp

Filesize
3.1MB

Download
memory/4216-13-0x000000001C400000-0x000000001C4B2000-memory.dmp

Filesize
712KB

Download
memory/4216-10-0x00007FFE161D0000-0x00007FFE16C91000-memory.dmp

Filesize
10.8MB

Download
memory/4216-11-0x00007FFE161D0000-0x00007FFE16C91000-memory.dmp

Filesize
10.8MB

Download
memory/4216-12-0x000000001C2F0000-0x000000001C340000-memory.dmp

Filesize
320KB

Download
memory/4216-18-0x00007FFE161D0000-0x00007FFE16C91000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads