quasar | bfd658e5b67652b3574a7414ca89d4a4b5b15c25cd789226a6cb897351a44a53

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/01/2025, 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

c9861630ff205557654616ce62525119
SHA1

5c60d40d59b7795186022c630b232a5dcead5ef3
SHA256

bfd658e5b67652b3574a7414ca89d4a4b5b15c25cd789226a6cb897351a44a53
SHA512

18b660b4a927534febca8e2a4a71a872ff1762c197a304be8bdd45337d30d193ea0da3900cb36ff8fd0fb3e40bfe999d9cdd8290814edca1a4a1ea57d3dfe4d8
SSDEEP

49152:tv+lL26AaNeWgPhlmVqvMQ7XSKeQRJ6CbR3LoGdYTHHB72eh2NT:tvuL26AaNeWgPhlmVqkQ7XSKeQRJ68

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

/meming-28826.portmap.host:28826

Mutex

0d852c3a-6700-4e42-85af-0da8a2a2fd2a

Attributes

encryption_key
B323B6B4414256836290414EF6F85AFA580A2B68
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System Notification Tray
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/1996-1-0x0000000000B60000-0x0000000000E86000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023cc2-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
1764	Client.exe
4816	Client.exe
3308	Client.exe
3628	Client.exe
1008	Client.exe
2472	Client.exe
4932	Client.exe
4488	Client.exe
3676	Client.exe
1276	Client.exe
3060	Client.exe
3976	Client.exe
4384	Client.exe
2572	Client.exe
1804	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2252	PING.EXE
4836	PING.EXE
4804	PING.EXE
720	PING.EXE
468	PING.EXE
264	PING.EXE
1764	PING.EXE
3848	PING.EXE
3536	PING.EXE
2856	PING.EXE
3816	PING.EXE
4472	PING.EXE
4880	PING.EXE
4400	PING.EXE
1512	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1764	PING.EXE
3536	PING.EXE
720	PING.EXE
4880	PING.EXE
1512	PING.EXE
468	PING.EXE
2856	PING.EXE
4472	PING.EXE
4804	PING.EXE
4400	PING.EXE
264	PING.EXE
2252	PING.EXE
3816	PING.EXE
3848	PING.EXE
4836	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3004	schtasks.exe
4876	schtasks.exe
1644	schtasks.exe
1736	schtasks.exe
4420	schtasks.exe
1980	schtasks.exe
4532	schtasks.exe
2244	schtasks.exe
2344	schtasks.exe
3012	schtasks.exe
4692	schtasks.exe
1972	schtasks.exe
2108	schtasks.exe
4216	schtasks.exe
2752	schtasks.exe
4424	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	Client-built.exe
Token: SeDebugPrivilege	1764	Client.exe
Token: SeDebugPrivilege	4816	Client.exe
Token: SeDebugPrivilege	3308	Client.exe
Token: SeDebugPrivilege	3628	Client.exe
Token: SeDebugPrivilege	1008	Client.exe
Token: SeDebugPrivilege	2472	Client.exe
Token: SeDebugPrivilege	4932	Client.exe
Token: SeDebugPrivilege	4488	Client.exe
Token: SeDebugPrivilege	3676	Client.exe
Token: SeDebugPrivilege	1276	Client.exe
Token: SeDebugPrivilege	3060	Client.exe
Token: SeDebugPrivilege	3976	Client.exe
Token: SeDebugPrivilege	4384	Client.exe
Token: SeDebugPrivilege	2572	Client.exe
Token: SeDebugPrivilege	1804	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 3004	1996	Client-built.exe	85
PID 1996 wrote to memory of 3004	1996	Client-built.exe	85
PID 1996 wrote to memory of 1764	1996	Client-built.exe	87
PID 1996 wrote to memory of 1764	1996	Client-built.exe	87
PID 1764 wrote to memory of 1980	1764	Client.exe	88
PID 1764 wrote to memory of 1980	1764	Client.exe	88
PID 1764 wrote to memory of 720	1764	Client.exe	90
PID 1764 wrote to memory of 720	1764	Client.exe	90
PID 720 wrote to memory of 2236	720	cmd.exe	92
PID 720 wrote to memory of 2236	720	cmd.exe	92
PID 720 wrote to memory of 1512	720	cmd.exe	93
PID 720 wrote to memory of 1512	720	cmd.exe	93
PID 720 wrote to memory of 4816	720	cmd.exe	97
PID 720 wrote to memory of 4816	720	cmd.exe	97
PID 4816 wrote to memory of 4216	4816	Client.exe	98
PID 4816 wrote to memory of 4216	4816	Client.exe	98
PID 4816 wrote to memory of 3488	4816	Client.exe	101
PID 4816 wrote to memory of 3488	4816	Client.exe	101
PID 3488 wrote to memory of 4316	3488	cmd.exe	104
PID 3488 wrote to memory of 4316	3488	cmd.exe	104
PID 3488 wrote to memory of 3536	3488	cmd.exe	105
PID 3488 wrote to memory of 3536	3488	cmd.exe	105
PID 3488 wrote to memory of 3308	3488	cmd.exe	114
PID 3488 wrote to memory of 3308	3488	cmd.exe	114
PID 3308 wrote to memory of 4876	3308	Client.exe	115
PID 3308 wrote to memory of 4876	3308	Client.exe	115
PID 3308 wrote to memory of 4740	3308	Client.exe	117
PID 3308 wrote to memory of 4740	3308	Client.exe	117
PID 4740 wrote to memory of 4484	4740	cmd.exe	120
PID 4740 wrote to memory of 4484	4740	cmd.exe	120
PID 4740 wrote to memory of 2856	4740	cmd.exe	121
PID 4740 wrote to memory of 2856	4740	cmd.exe	121
PID 4740 wrote to memory of 3628	4740	cmd.exe	126
PID 4740 wrote to memory of 3628	4740	cmd.exe	126
PID 3628 wrote to memory of 1644	3628	Client.exe	127
PID 3628 wrote to memory of 1644	3628	Client.exe	127
PID 3628 wrote to memory of 3864	3628	Client.exe	129
PID 3628 wrote to memory of 3864	3628	Client.exe	129
PID 3864 wrote to memory of 3888	3864	cmd.exe	132
PID 3864 wrote to memory of 3888	3864	cmd.exe	132
PID 3864 wrote to memory of 3816	3864	cmd.exe	133
PID 3864 wrote to memory of 3816	3864	cmd.exe	133
PID 3864 wrote to memory of 1008	3864	cmd.exe	134
PID 3864 wrote to memory of 1008	3864	cmd.exe	134
PID 1008 wrote to memory of 1736	1008	Client.exe	135
PID 1008 wrote to memory of 1736	1008	Client.exe	135
PID 1008 wrote to memory of 1836	1008	Client.exe	138
PID 1008 wrote to memory of 1836	1008	Client.exe	138
PID 1836 wrote to memory of 640	1836	cmd.exe	140
PID 1836 wrote to memory of 640	1836	cmd.exe	140
PID 1836 wrote to memory of 720	1836	cmd.exe	141
PID 1836 wrote to memory of 720	1836	cmd.exe	141
PID 1836 wrote to memory of 2472	1836	cmd.exe	142
PID 1836 wrote to memory of 2472	1836	cmd.exe	142
PID 2472 wrote to memory of 2344	2472	Client.exe	143
PID 2472 wrote to memory of 2344	2472	Client.exe	143
PID 2472 wrote to memory of 2672	2472	Client.exe	146
PID 2472 wrote to memory of 2672	2472	Client.exe	146
PID 2672 wrote to memory of 4648	2672	cmd.exe	148
PID 2672 wrote to memory of 4648	2672	cmd.exe	148
PID 2672 wrote to memory of 4472	2672	cmd.exe	149
PID 2672 wrote to memory of 4472	2672	cmd.exe	149
PID 2672 wrote to memory of 4932	2672	cmd.exe	152
PID 2672 wrote to memory of 4932	2672	cmd.exe	152

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3004
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\niljpqy95MBk.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:720
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2236
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1512
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4816
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4216
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OzTRSCckChNH.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3488
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4316
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3536
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGgV9q9kx1Rj.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4484
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2856
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y6OPawt9CuJ2.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3888
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3816
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c8JBP5RzFsW3.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:640
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:720
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2UEtfW8ZtW4C.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4648
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4472
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4932
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l6s9H1uxOKQs.bat" "
        15⤵
        
        PID:2700
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:852
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3848
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4488
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QlVpcVJDCeEa.bat" "
        17⤵
        
        PID:3528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4456
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:468
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3676
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKEiwyx8Oees.bat" "
        19⤵
        
        PID:2164
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2260
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4880
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O0KnoJm9C8wf.bat" "
        21⤵
        
        PID:4124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4804
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZnRbOKfrrCkY.bat" "
        23⤵
        
        PID:3836
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4836
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3976
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vD8cVeGmc1Y3.bat" "
        25⤵
        
        PID:3448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2400
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4400
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4384
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a7a1bWv5aD8O.bat" "
        27⤵
        
        PID:3940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4204
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:264
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsGBd4PnkYC4.bat" "
        29⤵
        
        PID:2008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1868
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1764
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6GIpjsle5W55.bat" "
        31⤵
        
        PID:1276
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:3928
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2UEtfW8ZtW4C.bat

Filesize
207B

MD5
81c8785a2d66b4e4780e82d7e0ecd3e4

SHA1
8d25cb5465d5a7950266e59e4f75843f4dccb244

SHA256
a40d55318dfc74929e091cba5c2171aec26464d2d0b5157cacff834c180c591e

SHA512
2b8eab6c24fdc1f9a2b1a7c9edf6dd90f1459ca1072cf60402ceb35ec21f88c065c96e3609ea25051ec69f849ad640f1ccea55af7b82bfa03a68337f99bfb8b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6GIpjsle5W55.bat

Filesize
207B

MD5
75e06c22940817f73578bb3cdaca6f88

SHA1
403d12e765b63b16d2c700d116aa8b1db84a924c

SHA256
fdc70209f80fac7a32f125b7c3cb6ca8eb7e9bdd0d566429c4580eada62e0c1d

SHA512
a0bd517007b101ae963ab352173aa43b0a93f4eb6680ac0ed9dcb65b231e1c2e0f49e51d5168e48dd6ae3118584d2bcde69422710d7396f9bcbb5e5604d54151

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsGBd4PnkYC4.bat

Filesize
207B

MD5
23e19bc7c3955cb3500b61a0c82baa24

SHA1
d46b8532b1a7457c0f84f54c6fcb6a0e504753ed

SHA256
9261b07b3211847156b5e735afb2a33c7cbc5a40c79090437671b8934201d2cd

SHA512
33b852ebd3450697151b7cf357fddc4d192204fa7fc840091ca30887133b4d70e2ce707bda46ed105ceed84bdc8cd990bf2c9deb1244d5b87f41b34b114196d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\O0KnoJm9C8wf.bat

Filesize
207B

MD5
50c61930f5e22a3b772f9ef629c741d0

SHA1
ad0c1c9648de3859d16940bfa71c6a530c30db14

SHA256
9e128352fa363d8696cb3c937e5842b6f7ed12b3a956d605316f042fd423433e

SHA512
80d3fb233a7e3d960d1ee079ebe2e05851361c1c594968f80e3a43aeb66b926af73ae570e8f2d2a2bb73afdb7f5cb9d1bbc4472d03f1a231ba6f77abccb00b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\OzTRSCckChNH.bat

Filesize
207B

MD5
9a0cf6d44258b4b6d309fe9b6ebf1239

SHA1
ca84667ef07076290d952b706fe166ca85f24c05

SHA256
30034932d059423a8a558b44ee3178430851b799f507deaa237559cc0e3e29b8

SHA512
6971c50f95328557f318a15f0b27e63b2e7aa91841ae245de4b5018525b0bbdfd62c8d023872819e29bb3acd01c329bf701b09246712b9a6c4bbaf4607e7fe55

Download Submit
C:\Users\Admin\AppData\Local\Temp\QlVpcVJDCeEa.bat

Filesize
207B

MD5
95249b2ff9a8f3032427810bf11c5922

SHA1
4f7b0f786b4111b8c41c51effb95028aa018b9d5

SHA256
d2cdabe3a735ff7218ba60bd7866916ba8bcee8f920f720d76fb72dd86955957

SHA512
ff638abac9856c9ef1a06ece313139c26c01ef44ff205ae5efcfbf7d6598356ceffd137de57c2610d75da8e3b7db6d01aec0c10194bfdc6695898e0db6cf57a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZnRbOKfrrCkY.bat

Filesize
207B

MD5
619a5ddd96d069a3c77060d0b2d2d6a8

SHA1
c17599e23824c54803cc273b9328df62cd422688

SHA256
ec75987c2cc631deca508776ea18d76bcde5107c344f1c52a6e3917cf5bd591c

SHA512
930d8212dfc1ae3961e435c96e9a8387d55aba52bd5ca27d95e677a18c41f4385c57b292be1b20d087592c4cfa2b8408edd67082172ed8fd4e61a44b0e22ed2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a7a1bWv5aD8O.bat

Filesize
207B

MD5
1fbce7f6445bc09dac776f0e9419eeef

SHA1
f49d0c8ab84a46a3c4123581fe6addad31d0a2df

SHA256
90aa2130679b5fc2e7136f72c64ff6817aa91cb3caa394dbf414c47a81ee9bff

SHA512
5db4ce559bb9980269d5859212e357ff2977303a4b96c8cdd3ae436118f90af8623d2b0dbcbea18b57bfae504e2ac7ee91e88c6e751b7b04d5af197ceea15c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8JBP5RzFsW3.bat

Filesize
207B

MD5
7fb83eaff61bc67d74416b1252e3eb52

SHA1
312f53271593c18a7fe3279c09fc1359ee635c41

SHA256
f88ede8b984db627ddc0bbe6e7307b6eb8539e4b5a371b4568f46bd76c54fc26

SHA512
e2c26bcc1dfb5f4f7e0a48f17acd4a73953984cdee91569629aefdbff29473b8529c2ce5518e0e766541d633c8954a3beb3c7fb97f1c639b39510c44090ebded

Download Submit
C:\Users\Admin\AppData\Local\Temp\hKEiwyx8Oees.bat

Filesize
207B

MD5
11eda56f9ef67457ea9bc753327fecea

SHA1
37512e240de3b20bf9e6a4ff03d0a087f11a103f

SHA256
7d50e42597656ae5f82472166725442e8842e6639bf3afc8560317451d409ab1

SHA512
5baaadbe5a5795b10eaad57944d18874c75ea94901b27c995f6b88d70825fab363cf39b730f4b18392d678b827f0f393285c989f565e1528fe53bf8664e04f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iGgV9q9kx1Rj.bat

Filesize
207B

MD5
958c59717ba88793a5f8d4b11c6f1291

SHA1
b233ed98a96c0f344e278f6bf749fab394119714

SHA256
e5f93c5c19926f4910c9e443cc9521c660bb785a24ecec72c555835ab469f927

SHA512
75d118c7d3bb49f871e675cfd19ce2b20e1333038d1b3984c9aa28fb84ee939b073726eed3c34c8076c2636d45029aa61585581632b0bf4cf60b97254c8220a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\l6s9H1uxOKQs.bat

Filesize
207B

MD5
81397273ecdd3d328b158c8a37d226bb

SHA1
ab3014a5b2c6711957f94c66792e6cf28150736d

SHA256
fde302664dd2af893023f5c99c3c768ed9985364a3416da4fcd47a6feb646208

SHA512
bb582a287ffa2abacb35dab6a1b75d80bf105a179ff58f895ec0ccc34b2ea358c729bfaace9fa58f4b91db6e57fe832e3810c961e828d0a16e8f47891c5461c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\niljpqy95MBk.bat

Filesize
207B

MD5
71285c916b9acf7e75cd1da22950eb33

SHA1
79d9c1b501e08e00069d49b3af455f0f6051bd43

SHA256
334bf1b23e733affa1621c87dbab3fb6275a09f8027fb9fd9e85e49a030f60bd

SHA512
efdb5af1d08915bdf663b37f917dd3ac116f6369abb9030410d9810f5cede32a7d1b5312013a9d6e940446fa085b560e92132d4aa101343ab09bfaabf703d8ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\vD8cVeGmc1Y3.bat

Filesize
207B

MD5
9cb885a62376841fa0dd7deb729aabe4

SHA1
e61f1d490c255e5dabd7f1fb470e73d5114b144c

SHA256
1fa80502929a146f08bd5b26edec8c5dec67a883a73a58b1c4167f15b337b296

SHA512
829094e442187aef096698249bdfb7fc6d817ad34bcc4f8ef420ba93621cada15fa35bb2df59449e47af6f09f9bce60d923a18742e01f4d46729ea4cb8bfc64c

Download Submit
C:\Users\Admin\AppData\Local\Temp\y6OPawt9CuJ2.bat

Filesize
207B

MD5
bff8713361546ca0f2307ee27b5e42e2

SHA1
78a5fc338f5e5aaf3b597030e5bc810d2c9fde64

SHA256
66d524916d5eb720d759d4cdf675b477b0622dc481a434069215cb0c454f5f97

SHA512
340166499ea8675c3f08db7c762308053d11ddf95495cc8d8fed74379fe643e8eac3d2b5026a7f30d683f82c4e08c6c5e859b5d6bc1c289b09df24e1359969ea

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
c9861630ff205557654616ce62525119

SHA1
5c60d40d59b7795186022c630b232a5dcead5ef3

SHA256
bfd658e5b67652b3574a7414ca89d4a4b5b15c25cd789226a6cb897351a44a53

SHA512
18b660b4a927534febca8e2a4a71a872ff1762c197a304be8bdd45337d30d193ea0da3900cb36ff8fd0fb3e40bfe999d9cdd8290814edca1a4a1ea57d3dfe4d8

Download Submit
memory/1764-9-0x00007FFC0F4F0000-0x00007FFC0FFB1000-memory.dmp

Filesize
10.8MB

Download
memory/1764-11-0x00007FFC0F4F0000-0x00007FFC0FFB1000-memory.dmp

Filesize
10.8MB

Download
memory/1764-12-0x0000000003160000-0x00000000031B0000-memory.dmp

Filesize
320KB

Download
memory/1764-18-0x00007FFC0F4F0000-0x00007FFC0FFB1000-memory.dmp

Filesize
10.8MB

Download
memory/1764-13-0x000000001C3A0000-0x000000001C452000-memory.dmp

Filesize
712KB

Download
memory/1996-0-0x00007FFC0F4F3000-0x00007FFC0F4F5000-memory.dmp

Filesize
8KB

Download
memory/1996-10-0x00007FFC0F4F0000-0x00007FFC0FFB1000-memory.dmp

Filesize
10.8MB

Download
memory/1996-2-0x00007FFC0F4F0000-0x00007FFC0FFB1000-memory.dmp

Filesize
10.8MB

Download
memory/1996-1-0x0000000000B60000-0x0000000000E86000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads