quasar | bfd658e5b67652b3574a7414ca89d4a4b5b15c25cd789226a6cb897351a44a53

Analysis

max time kernel
145s
max time network
123s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/01/2025, 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

c9861630ff205557654616ce62525119
SHA1

5c60d40d59b7795186022c630b232a5dcead5ef3
SHA256

bfd658e5b67652b3574a7414ca89d4a4b5b15c25cd789226a6cb897351a44a53
SHA512

18b660b4a927534febca8e2a4a71a872ff1762c197a304be8bdd45337d30d193ea0da3900cb36ff8fd0fb3e40bfe999d9cdd8290814edca1a4a1ea57d3dfe4d8
SSDEEP

49152:tv+lL26AaNeWgPhlmVqvMQ7XSKeQRJ6CbR3LoGdYTHHB72eh2NT:tvuL26AaNeWgPhlmVqkQ7XSKeQRJ68

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

/meming-28826.portmap.host:28826

Mutex

0d852c3a-6700-4e42-85af-0da8a2a2fd2a

Attributes

encryption_key
B323B6B4414256836290414EF6F85AFA580A2B68
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System Notification Tray
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 10 IoCs

resource	yara_rule
behavioral1/memory/3036-1-0x0000000000E40000-0x0000000001166000-memory.dmp	family_quasar
behavioral1/files/0x0009000000015cd1-6.dat	family_quasar
behavioral1/memory/2212-10-0x0000000000180000-0x00000000004A6000-memory.dmp	family_quasar
behavioral1/memory/2860-23-0x0000000000FB0000-0x00000000012D6000-memory.dmp	family_quasar
behavioral1/memory/1532-44-0x0000000000220000-0x0000000000546000-memory.dmp	family_quasar
behavioral1/memory/1656-55-0x0000000001070000-0x0000000001396000-memory.dmp	family_quasar
behavioral1/memory/3000-97-0x0000000000280000-0x00000000005A6000-memory.dmp	family_quasar
behavioral1/memory/2024-109-0x0000000000E50000-0x0000000001176000-memory.dmp	family_quasar
behavioral1/memory/556-130-0x0000000000FE0000-0x0000000001306000-memory.dmp	family_quasar
behavioral1/memory/2632-162-0x0000000001160000-0x0000000001486000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2212	Client.exe
2860	Client.exe
1320	Client.exe
1532	Client.exe
1656	Client.exe
1808	Client.exe
1760	Client.exe
2568	Client.exe
3000	Client.exe
2024	Client.exe
2912	Client.exe
556	Client.exe
2244	Client.exe
2108	Client.exe
2632	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2516	PING.EXE
1048	PING.EXE
2952	PING.EXE
1676	PING.EXE
2160	PING.EXE
632	PING.EXE
2500	PING.EXE
912	PING.EXE
1380	PING.EXE
1860	PING.EXE
596	PING.EXE
2960	PING.EXE
3020	PING.EXE
2624	PING.EXE
2412	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1380	PING.EXE
596	PING.EXE
3020	PING.EXE
2516	PING.EXE
1676	PING.EXE
1048	PING.EXE
2624	PING.EXE
2500	PING.EXE
2952	PING.EXE
2412	PING.EXE
912	PING.EXE
2960	PING.EXE
632	PING.EXE
1860	PING.EXE
2160	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
676	schtasks.exe
2612	schtasks.exe
3012	schtasks.exe
1660	schtasks.exe
2992	schtasks.exe
2664	schtasks.exe
2056	schtasks.exe
2684	schtasks.exe
288	schtasks.exe
2720	schtasks.exe
3012	schtasks.exe
1872	schtasks.exe
3056	schtasks.exe
1820	schtasks.exe
2384	schtasks.exe
688	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3036	Client-built.exe
Token: SeDebugPrivilege	2212	Client.exe
Token: SeDebugPrivilege	2860	Client.exe
Token: SeDebugPrivilege	1320	Client.exe
Token: SeDebugPrivilege	1532	Client.exe
Token: SeDebugPrivilege	1656	Client.exe
Token: SeDebugPrivilege	1808	Client.exe
Token: SeDebugPrivilege	1760	Client.exe
Token: SeDebugPrivilege	2568	Client.exe
Token: SeDebugPrivilege	3000	Client.exe
Token: SeDebugPrivilege	2024	Client.exe
Token: SeDebugPrivilege	2912	Client.exe
Token: SeDebugPrivilege	556	Client.exe
Token: SeDebugPrivilege	2244	Client.exe
Token: SeDebugPrivilege	2108	Client.exe
Token: SeDebugPrivilege	2632	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2612	3036	Client-built.exe	30
PID 3036 wrote to memory of 2612	3036	Client-built.exe	30
PID 3036 wrote to memory of 2612	3036	Client-built.exe	30
PID 3036 wrote to memory of 2212	3036	Client-built.exe	32
PID 3036 wrote to memory of 2212	3036	Client-built.exe	32
PID 3036 wrote to memory of 2212	3036	Client-built.exe	32
PID 2212 wrote to memory of 3056	2212	Client.exe	33
PID 2212 wrote to memory of 3056	2212	Client.exe	33
PID 2212 wrote to memory of 3056	2212	Client.exe	33
PID 2212 wrote to memory of 2988	2212	Client.exe	35
PID 2212 wrote to memory of 2988	2212	Client.exe	35
PID 2212 wrote to memory of 2988	2212	Client.exe	35
PID 2988 wrote to memory of 2296	2988	cmd.exe	37
PID 2988 wrote to memory of 2296	2988	cmd.exe	37
PID 2988 wrote to memory of 2296	2988	cmd.exe	37
PID 2988 wrote to memory of 2960	2988	cmd.exe	38
PID 2988 wrote to memory of 2960	2988	cmd.exe	38
PID 2988 wrote to memory of 2960	2988	cmd.exe	38
PID 2988 wrote to memory of 2860	2988	cmd.exe	40
PID 2988 wrote to memory of 2860	2988	cmd.exe	40
PID 2988 wrote to memory of 2860	2988	cmd.exe	40
PID 2860 wrote to memory of 2684	2860	Client.exe	41
PID 2860 wrote to memory of 2684	2860	Client.exe	41
PID 2860 wrote to memory of 2684	2860	Client.exe	41
PID 2860 wrote to memory of 2868	2860	Client.exe	43
PID 2860 wrote to memory of 2868	2860	Client.exe	43
PID 2860 wrote to memory of 2868	2860	Client.exe	43
PID 2868 wrote to memory of 2140	2868	cmd.exe	45
PID 2868 wrote to memory of 2140	2868	cmd.exe	45
PID 2868 wrote to memory of 2140	2868	cmd.exe	45
PID 2868 wrote to memory of 632	2868	cmd.exe	46
PID 2868 wrote to memory of 632	2868	cmd.exe	46
PID 2868 wrote to memory of 632	2868	cmd.exe	46
PID 2868 wrote to memory of 1320	2868	cmd.exe	47
PID 2868 wrote to memory of 1320	2868	cmd.exe	47
PID 2868 wrote to memory of 1320	2868	cmd.exe	47
PID 1320 wrote to memory of 288	1320	Client.exe	48
PID 1320 wrote to memory of 288	1320	Client.exe	48
PID 1320 wrote to memory of 288	1320	Client.exe	48
PID 1320 wrote to memory of 1260	1320	Client.exe	50
PID 1320 wrote to memory of 1260	1320	Client.exe	50
PID 1320 wrote to memory of 1260	1320	Client.exe	50
PID 1260 wrote to memory of 804	1260	cmd.exe	52
PID 1260 wrote to memory of 804	1260	cmd.exe	52
PID 1260 wrote to memory of 804	1260	cmd.exe	52
PID 1260 wrote to memory of 1048	1260	cmd.exe	53
PID 1260 wrote to memory of 1048	1260	cmd.exe	53
PID 1260 wrote to memory of 1048	1260	cmd.exe	53
PID 1260 wrote to memory of 1532	1260	cmd.exe	54
PID 1260 wrote to memory of 1532	1260	cmd.exe	54
PID 1260 wrote to memory of 1532	1260	cmd.exe	54
PID 1532 wrote to memory of 3012	1532	Client.exe	55
PID 1532 wrote to memory of 3012	1532	Client.exe	55
PID 1532 wrote to memory of 3012	1532	Client.exe	55
PID 1532 wrote to memory of 2128	1532	Client.exe	57
PID 1532 wrote to memory of 2128	1532	Client.exe	57
PID 1532 wrote to memory of 2128	1532	Client.exe	57
PID 2128 wrote to memory of 3028	2128	cmd.exe	59
PID 2128 wrote to memory of 3028	2128	cmd.exe	59
PID 2128 wrote to memory of 3028	2128	cmd.exe	59
PID 2128 wrote to memory of 3020	2128	cmd.exe	60
PID 2128 wrote to memory of 3020	2128	cmd.exe	60
PID 2128 wrote to memory of 3020	2128	cmd.exe	60
PID 2128 wrote to memory of 1656	2128	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2612
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3056
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\4J2EfPEIAZdu.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2296
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2960
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2684
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qjb1TAH2qEwf.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2868
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2140
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:632
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:288
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SeL89pefz6z8.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:804
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1048
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3012
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\4Vl15fDoH8ij.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3020
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:676
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\A3JTzDpMXudf.bat" "
        11⤵
        
        PID:2404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1652
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1380
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1660
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nRhdLWJg34Pv.bat" "
        13⤵
        
        PID:2132
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2224
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2624
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1820
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5U06HHeA1gL3.bat" "
        15⤵
        
        PID:2604
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2500
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2992
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2YhJyBoIYbel.bat" "
        17⤵
        
        PID:2816
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2952
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2720
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3p882ZabOZy7.bat" "
        19⤵
        
        PID:2740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1484
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2412
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2384
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aiGW03aE7yfU.bat" "
        21⤵
        
        PID:1256
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1540
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1860
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3012
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\D6WHbxVac6Cb.bat" "
        23⤵
        
        PID:2916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2888
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:912
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:556
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1872
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DX5xiWIoXv1V.bat" "
        25⤵
        
        PID:1652
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1676
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2664
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UTj450knkqEL.bat" "
        27⤵
        
        PID:2224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:352
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2160
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2056
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uB19VbZsdVME.bat" "
        29⤵
        
        PID:2480
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:596
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:688
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8eKPt9vqamu9.bat" "
        31⤵
        
        PID:2956
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2796
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2YhJyBoIYbel.bat

Filesize
207B

MD5
9cbb9ae7bed3deb7358b4c188dd736ce

SHA1
0ee4c268fa6901ef9aba7d38b4eab962a15e88b4

SHA256
78ae8dab4f3b34454e7851cacde6be8aa36be6f1b69485b355df80a4761370de

SHA512
45e4dede5493ea5995c99145e1856504a906509f27d1d982ae6634ea7d5f8202919ac62d1b777c34859e9e5693d9b5e43b702f4f73040654529ad1e8069822b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3p882ZabOZy7.bat

Filesize
207B

MD5
0610c26651c3f3ee06ef8331ac444077

SHA1
dd009e93502e120af6968cd9dac1879ca0c8a4a9

SHA256
7f1ad087cdd3dbf41eff384bf22bfad3a67115d69d87fe893b45485b3d26b525

SHA512
ae400a561b7550956a339f8240a786dae57653d704c029c2cace79d755bc120b7bd3c442d2aeeb37d669e042975051bc9144fb3db6fca160e6f53292d38be493

Download Submit
C:\Users\Admin\AppData\Local\Temp\4J2EfPEIAZdu.bat

Filesize
207B

MD5
1f009c7cee7e43806454d7abceb0b696

SHA1
e306834a58b757bee2d60cf7b0650bec7b33a280

SHA256
bd442cbd41e1bef4af84722235c8c3389f3211917abaf94733f4e2bc09a7e80d

SHA512
f6d481d1298b93c7c8bcc4325ed142b7e396ff154000410ecccfc59e727b26f4200f4d0fe35b3b8ad5094c6b991a74baba3313ff90f2cead35ed8d7f79515244

Download Submit
C:\Users\Admin\AppData\Local\Temp\4Vl15fDoH8ij.bat

Filesize
207B

MD5
6444c4d415224ef406bf6033f6c769fc

SHA1
9b70d8569b381643a8049d62853047a5e7123936

SHA256
01a4fc50958ccf476b74ec54f332a096fc4811474e34c9492b6ce470d00e261a

SHA512
c6a9bf20c792dc4089615ffdef3e5700203b6503cbab76991a91e48d202cf6f53ac308a6cefeb7fd123e070d8c137ef3757a80b0b518c4f34ca1998734e996b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5U06HHeA1gL3.bat

Filesize
207B

MD5
945599a774e24130e8860b0a87fc6ba4

SHA1
4d43638460ef118752da6d1f71cb53f24bd8d053

SHA256
9d55a71ba6e032d207a489f9481f39ffe865a56197eac900b49758cbc36b4d1d

SHA512
bbda11422152abdff811fd72889cffd80ce8be2f5460de4a7734bbf69ef733f600b597375ae7c5d4cb7b2e695321ded13e0ec43c1282f226c10e25cab1f9a9f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8eKPt9vqamu9.bat

Filesize
207B

MD5
90eaae115f8313c5f28be3a32d1b1451

SHA1
fb79b24796010884890cbff20ef5ca7f2fc407ae

SHA256
373f78b4d730e4ceeeb89dd267946c4b2e9f02924c2e58691835de64c09b56a3

SHA512
4b18b22463b6b00af798af44fda42efef38f67b8438a53566e4740c33cc3f87ca7c4502dbdb7c94ddc863186c869bea2f07209ac07538c19a0d09b4a96da767f

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3JTzDpMXudf.bat

Filesize
207B

MD5
e294b735eb0fb92573b56bc91dfb141a

SHA1
974bbec1ed917a43cca0e0abefb8062bd5b677ff

SHA256
8181309335ef74d34d1b5286a5c7d9ce8d62f0e937ce0d92dd619425d1731ce2

SHA512
3db7f5886f8c62d53e6f0c76c98dd22c0dca9f8416add55c6cf697dbdaa3d373b427ed719ddaeb158bf096f535d536395975006e5b3043e7a002523975d3a1d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6WHbxVac6Cb.bat

Filesize
207B

MD5
5505c4b7452b47b3bb6f095d34ae5798

SHA1
652ddf23b8858c592b9a3a31301d9fae945fc705

SHA256
6262f985569a70182873357b21702a39e2d4397567c792a9b5766196f1e86c3b

SHA512
e0578053729689e286d62c0074e062f5c513e34e669ee66799bd5df2ecf056f6184d6f0f40d8f16e5021294eb2a5476643a245d55b6bd2f6bc6a88a5ace59652

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX5xiWIoXv1V.bat

Filesize
207B

MD5
0a6b726d598f50ee3d37cfae1c442743

SHA1
949bf0f338c2a16fd53cd7537c2ca83ddbd46989

SHA256
b38f5e8611153f87e7472468066599514fce27166a2e7f35390a67b23e1f0226

SHA512
7507213cae3d81776bf69b4a0f32a15468608cc5ebf56837a672b91c10beb9dfd7de5667daf7e5abf0e66a2591dcfb19febe789da71386f94e4cab51b790ac4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SeL89pefz6z8.bat

Filesize
207B

MD5
8d0af8922d29f024b36387d5d27db211

SHA1
4cfab444f83e4689f8a232399d24822eabc1da06

SHA256
f7bd0ec965decfb01235421853f5bfd312127b83c5533ce614cc215aecf3b458

SHA512
ad666654126a9d11f92e5caf211a9921505b194c8ac1eeebec1e27fccdae3e6d03e518c118f284830c25ba650b5ea82345daed9e5b20f1792550454ca91a3806

Download Submit
C:\Users\Admin\AppData\Local\Temp\UTj450knkqEL.bat

Filesize
207B

MD5
9477e38b2841c624bb9a347c3ba3f317

SHA1
2a6b865755b1fe222c0a8b10503cf08aa3f92c7c

SHA256
1ae3e62d4ecf88810809c1544835cb74b32cabf96dbc5f3bdf2ae3d7dd4534ae

SHA512
12f76efa834fe63214e483057decb4f384d4b6e737d675f20a966837281aac7659ec0b2283bb93e05b240f05806f035751d39ad4ade1aee1644d13f966fea495

Download Submit
C:\Users\Admin\AppData\Local\Temp\aiGW03aE7yfU.bat

Filesize
207B

MD5
99220f9c116f188b0c660d9020ffa828

SHA1
49b29ecf510c6e2abe8d1c3488befade9f5d91f9

SHA256
7adffab8ed55176c9772adf47a68e75d30693f682f794fbc9cf8d2f4fed3d21a

SHA512
c9e03445f0433f7eafae13bcfefa5b54917ca537b31d563306b8d6ca703e06b8941438131086c3eae9a0d09fd00e7c5e9d5e52d2efed2a43fe3b328ff11bb7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nRhdLWJg34Pv.bat

Filesize
207B

MD5
03e90028366783a2df30695758143b37

SHA1
c79fdad2dcdac849d054e6e59fdaebdfed34ad57

SHA256
6730dfc13dcce896bff71bcea18ab66690fc38924f2c17d013d1c6c9a9b0eb8b

SHA512
97b6be877297a85f7633ed5785c8259f7fe05397643755c9f5ff4c06cd8009b12823b0f910a85d6f37c0d7de23ed2676dc7ec5d4a1249ca75e95b2bab840c5f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qjb1TAH2qEwf.bat

Filesize
207B

MD5
207b37e31859b6b21e99a34ef88a4b71

SHA1
2986aeff77ee584d9e1fcc656988ace5fdbf8a55

SHA256
147ce48461acd6472e7f476d81724002c32b89077cc53bdadafcbe0339961a68

SHA512
61a771a33366f431d469370419da400670d196da918e6b580869f020ec118024748819175a3b6fb4f76578c8a7c1a130b65188ce4e920f5389838fda8c41c96b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uB19VbZsdVME.bat

Filesize
207B

MD5
0bd00114057719771adef1208f5b996f

SHA1
a1b44d00c9527bdc0111e897499b46d4f12a6a8e

SHA256
3dfddbb57388420d9374b9165371cfc1dc2033023feafd7e859c582b702acadf

SHA512
d0f9f4631ac9164b69f07cdb6a94f6e36fd4576af6966cc2d236ba704057c22808723c37daee68aab6237cd925ee2f72630979090d0ad68e2ed3213395234def

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
c9861630ff205557654616ce62525119

SHA1
5c60d40d59b7795186022c630b232a5dcead5ef3

SHA256
bfd658e5b67652b3574a7414ca89d4a4b5b15c25cd789226a6cb897351a44a53

SHA512
18b660b4a927534febca8e2a4a71a872ff1762c197a304be8bdd45337d30d193ea0da3900cb36ff8fd0fb3e40bfe999d9cdd8290814edca1a4a1ea57d3dfe4d8

Download Submit
memory/556-130-0x0000000000FE0000-0x0000000001306000-memory.dmp

Filesize
3.1MB

Download
memory/1532-44-0x0000000000220000-0x0000000000546000-memory.dmp

Filesize
3.1MB

Download
memory/1656-55-0x0000000001070000-0x0000000001396000-memory.dmp

Filesize
3.1MB

Download
memory/2024-109-0x0000000000E50000-0x0000000001176000-memory.dmp

Filesize
3.1MB

Download
memory/2212-20-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2212-9-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2212-10-0x0000000000180000-0x00000000004A6000-memory.dmp

Filesize
3.1MB

Download
memory/2212-11-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2632-162-0x0000000001160000-0x0000000001486000-memory.dmp

Filesize
3.1MB

Download
memory/2860-23-0x0000000000FB0000-0x00000000012D6000-memory.dmp

Filesize
3.1MB

Download
memory/3000-97-0x0000000000280000-0x00000000005A6000-memory.dmp

Filesize
3.1MB

Download
memory/3036-2-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/3036-8-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/3036-0-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

Filesize
4KB

Download
memory/3036-1-0x0000000000E40000-0x0000000001166000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads