quasar | f1bcf4d98fef3665492ca5fbf5296fa06a4adb2b3b9681b110a148f56ed1aaf6

Resubmissions

22-01-2025 16:51

250122-vc161awjht 10

22-01-2025 16:48

250122-va3xtawqfp 10

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wawenoKey.exe
Size

348KB
MD5

19cde915d18709c0de2e5acd6acc41ce
SHA1

5478e37f33533ccb57b73c94e613f39f95db3e06
SHA256

f1bcf4d98fef3665492ca5fbf5296fa06a4adb2b3b9681b110a148f56ed1aaf6
SHA512

a1bba884336a8e7a370b218ae70427d791587c25e2e9f52ee59459df1cf60bf7ef8a488e1d159c9b501329d7049349637a23d5b2e5fbe32e4a6fd1884c0b068d
SSDEEP

6144:pX6bPXhLApfpuCmvXtjghbSS4JmtD15FJYa8O:JmhApePt0J4JmlbFJY3O

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

Client2:4782

Mutex

QSR_MUTEX_RH6ctD844WCagY5nuM

Attributes

encryption_key
nyassPD33yuypk3HMAZZ
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
	85	ip-api.com	Process not Found
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wawenoKey.exe
	11	ip-api.com	Process not Found
	57	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/4592-1-0x0000000000E20000-0x0000000000E7E000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023cb4-10.dat	family_quasar

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 12 IoCs

pid	Process
772	Client.exe
4172	Client.exe
4792	Client.exe
5024	Client.exe
4956	Client.exe
1452	Client.exe
2300	Client.exe
4484	Client.exe
800	Client.exe
2392	Client.exe
2008	Client.exe
2436	Client.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
85	ip-api.com
11	ip-api.com
57	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wawenoKey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 11 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3232	PING.EXE
4300	PING.EXE
620	PING.EXE
5020	PING.EXE
1660	PING.EXE
5036	PING.EXE
4408	PING.EXE
4952	PING.EXE
4712	PING.EXE
2548	PING.EXE
3428	PING.EXE

Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery

T1018

pid	Process
5036	PING.EXE
4300	PING.EXE
4712	PING.EXE
3428	PING.EXE
5020	PING.EXE
1660	PING.EXE
3232	PING.EXE
2548	PING.EXE
620	PING.EXE
4408	PING.EXE
4952	PING.EXE

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	4592	wawenoKey.exe
Token: SeDebugPrivilege	772	Client.exe
Token: SeDebugPrivilege	4172	Client.exe
Token: SeDebugPrivilege	4792	Client.exe
Token: SeDebugPrivilege	5024	Client.exe
Token: SeDebugPrivilege	4956	Client.exe
Token: SeDebugPrivilege	1452	Client.exe
Token: SeDebugPrivilege	2300	Client.exe
Token: SeDebugPrivilege	4484	Client.exe
Token: SeDebugPrivilege	800	Client.exe
Token: SeDebugPrivilege	2392	Client.exe
Token: SeDebugPrivilege	2008	Client.exe
Token: SeDebugPrivilege	2436	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 772	4592	wawenoKey.exe	84
PID 4592 wrote to memory of 772	4592	wawenoKey.exe	84
PID 4592 wrote to memory of 772	4592	wawenoKey.exe	84
PID 772 wrote to memory of 2392	772	Client.exe	85
PID 772 wrote to memory of 2392	772	Client.exe	85
PID 772 wrote to memory of 2392	772	Client.exe	85
PID 2392 wrote to memory of 2080	2392	cmd.exe	87
PID 2392 wrote to memory of 2080	2392	cmd.exe	87
PID 2392 wrote to memory of 2080	2392	cmd.exe	87
PID 2392 wrote to memory of 1660	2392	cmd.exe	88
PID 2392 wrote to memory of 1660	2392	cmd.exe	88
PID 2392 wrote to memory of 1660	2392	cmd.exe	88
PID 2392 wrote to memory of 4172	2392	cmd.exe	101
PID 2392 wrote to memory of 4172	2392	cmd.exe	101
PID 2392 wrote to memory of 4172	2392	cmd.exe	101
PID 4172 wrote to memory of 4820	4172	Client.exe	103
PID 4172 wrote to memory of 4820	4172	Client.exe	103
PID 4172 wrote to memory of 4820	4172	Client.exe	103
PID 4820 wrote to memory of 1776	4820	cmd.exe	105
PID 4820 wrote to memory of 1776	4820	cmd.exe	105
PID 4820 wrote to memory of 1776	4820	cmd.exe	105
PID 4820 wrote to memory of 3232	4820	cmd.exe	106
PID 4820 wrote to memory of 3232	4820	cmd.exe	106
PID 4820 wrote to memory of 3232	4820	cmd.exe	106
PID 4820 wrote to memory of 4792	4820	cmd.exe	108
PID 4820 wrote to memory of 4792	4820	cmd.exe	108
PID 4820 wrote to memory of 4792	4820	cmd.exe	108
PID 4792 wrote to memory of 444	4792	Client.exe	113
PID 4792 wrote to memory of 444	4792	Client.exe	113
PID 4792 wrote to memory of 444	4792	Client.exe	113
PID 444 wrote to memory of 3892	444	cmd.exe	115
PID 444 wrote to memory of 3892	444	cmd.exe	115
PID 444 wrote to memory of 3892	444	cmd.exe	115
PID 444 wrote to memory of 5036	444	cmd.exe	116
PID 444 wrote to memory of 5036	444	cmd.exe	116
PID 444 wrote to memory of 5036	444	cmd.exe	116
PID 444 wrote to memory of 5024	444	cmd.exe	118
PID 444 wrote to memory of 5024	444	cmd.exe	118
PID 444 wrote to memory of 5024	444	cmd.exe	118
PID 5024 wrote to memory of 392	5024	Client.exe	120
PID 5024 wrote to memory of 392	5024	Client.exe	120
PID 5024 wrote to memory of 392	5024	Client.exe	120
PID 392 wrote to memory of 2984	392	cmd.exe	122
PID 392 wrote to memory of 2984	392	cmd.exe	122
PID 392 wrote to memory of 2984	392	cmd.exe	122
PID 392 wrote to memory of 4408	392	cmd.exe	123
PID 392 wrote to memory of 4408	392	cmd.exe	123
PID 392 wrote to memory of 4408	392	cmd.exe	123
PID 392 wrote to memory of 4956	392	cmd.exe	125
PID 392 wrote to memory of 4956	392	cmd.exe	125
PID 392 wrote to memory of 4956	392	cmd.exe	125
PID 4956 wrote to memory of 4804	4956	Client.exe	127
PID 4956 wrote to memory of 4804	4956	Client.exe	127
PID 4956 wrote to memory of 4804	4956	Client.exe	127
PID 4804 wrote to memory of 3956	4804	cmd.exe	129
PID 4804 wrote to memory of 3956	4804	cmd.exe	129
PID 4804 wrote to memory of 3956	4804	cmd.exe	129
PID 4804 wrote to memory of 4300	4804	cmd.exe	130
PID 4804 wrote to memory of 4300	4804	cmd.exe	130
PID 4804 wrote to memory of 4300	4804	cmd.exe	130
PID 4804 wrote to memory of 1452	4804	cmd.exe	132
PID 4804 wrote to memory of 1452	4804	cmd.exe	132
PID 4804 wrote to memory of 1452	4804	cmd.exe	132
PID 1452 wrote to memory of 2312	1452	Client.exe	134

C:\Users\Admin\AppData\Local\Temp\wawenoKey.exe
"C:\Users\Admin\AppData\Local\Temp\wawenoKey.exe"
1⤵
- Quasar RAT
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fsiQLqF1FsFA.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2080
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1660
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4172
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YYpBj9wT9bOX.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4820
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1776
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3232
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1zsDG4W3wYCu.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5036
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aUSTSwbigDMm.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4408
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3uUVzsAIUA9A.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4300
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RpYyxryU5MNj.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4952
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwmPili6sDxb.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4712
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hou6aILpYJCV.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1320
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2548
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5AtyhcLUYSYV.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3428
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CMfz8uxWmTio.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:620
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QfDfszUEEBy5.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:3148
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5020
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Client.exe.log

Filesize
1KB

MD5
10eab9c2684febb5327b6976f2047587

SHA1
a12ed54146a7f5c4c580416aecb899549712449e

SHA256
f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

SHA512
7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\1zsDG4W3wYCu.bat

Filesize
207B

MD5
39ee90c687e65e294d363544c77df40d

SHA1
e66ba6b4d7f26fe6e6cd35db7c9fed702a41b3d3

SHA256
ad1d3a4a57bf6505fc246e5d72ff0a37ee1a8a426a767b230e78d6e69bb6b62a

SHA512
75db5b1993806a2f1f9367966ca7a280421e5de0984cafbf6c94b855d7a63076315212697e0b9f4643427b96d015523aefc434f640357575711925e1da029c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\3uUVzsAIUA9A.bat

Filesize
207B

MD5
aad85acbd791b0beb25d872b438ce34a

SHA1
b05c2bd8eb57ce485c57527d93cb19ddbf3bade5

SHA256
07eac18f18caaf2b1a1a07f14f4a52994ce261a8c3331c81dc068ec93ef9e923

SHA512
88c6d713a6b0c5dd18629526c68f444df6f9938e5d79e6a56271b87ea1b032c9f0245498acfdb720f5163c03344c664d05e78ddcd7ddc0aa3343a9a3ac472a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\5AtyhcLUYSYV.bat

Filesize
207B

MD5
dc8847e6a864c4d67a68c47d4c093a72

SHA1
de85882294445d1e829dda604c271b833b411b92

SHA256
2abbf0f2491123498a07773c39826bcee91fabf04b7a37c876045c58ab220ecc

SHA512
354a4367c3ec3ea95a28a749e96bfd0f56121ba345ca87276ab5fcfa6cdd92cbe3a8e669536816067795765c8d4a047aea98e339f4b98e0668efe9b029c7e4aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMfz8uxWmTio.bat

Filesize
207B

MD5
9945bc68c22cf240cc79b3bf538e5b05

SHA1
5c27a0e5bf022fb30627f4ef9bdf5248bb734f5f

SHA256
9202579abea0790057d17ed7eed04b32e724a96b581d9a33f07b3388ea8b7c31

SHA512
bf956cfa9d8d8e909184891c617452d89ee0daafc2d3c18a312e77062defadff467c55e806a1f571ce9943e47083d43f9597084876b2fde901a584cf69e7d8ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwmPili6sDxb.bat

Filesize
207B

MD5
65a92f4d37a03b4b8dfe858b0d458c72

SHA1
452c6bf59fbbf56332aeaa87dbe169e8c11698ce

SHA256
f1a576f548b151933b82111c5432f1558f3103f087c0f7b89e57de03f158d4f0

SHA512
91c80cd73522f68d625431c89352229958a6b57580e2097ccd8f3cfcfda3f3d40d7d303238f5d549760b5548a1b650cd6b32b3a649695620fcc3451de67a4196

Download Submit
C:\Users\Admin\AppData\Local\Temp\QfDfszUEEBy5.bat

Filesize
207B

MD5
3c5ee841fb936aba189f78bb7e060b89

SHA1
ab693632a08525dff05f223c04581e34546a1f26

SHA256
d8aa3433983b0dff4afcdf85b833973e573ff17ebeaccd5cd172b4ce68e32e4a

SHA512
023a635b982c8fccc84e8860ef63056e7b986140490c9b61d1faecd521b8e8c968973ad2ebd2943ad05630cd25e30713bc1a47a1a49fe7de1c1b588e0251a40c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RpYyxryU5MNj.bat

Filesize
207B

MD5
85e0dfe8450d4409d8b36b07140ee0b9

SHA1
2137600f46d8641bec12e69736f51b5708de3658

SHA256
0f278244494141c0dcf13a57a258c863033d3ca249a2c6a55734c1ef2651f785

SHA512
be4f7469f6ad80d735f27ae6b616365a3a7352675a87bb985b13daa3907f3cf3e4ef41ff168d7878777fee2fbbece142f9d4ce74c0080ceef0640aa2a78c16e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYpBj9wT9bOX.bat

Filesize
207B

MD5
22ca9b7bcdfe286e14e0938e3384158b

SHA1
b0f2870cd65b7d6b2c55a528e8786a77baa5b780

SHA256
123f3144eb3dcd5c0cd32e3f5c1bc59b8656cdc9847a0c43b96c220bc50b57e6

SHA512
af88ed2d9af8060a189cdae8ec2a0d113b3beacd2bcfb18b2dc92b83e54d3619a2f7c7a65a0027fdf901cc632be6739fe0e5578c177fffb96075983c37c886ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUSTSwbigDMm.bat

Filesize
207B

MD5
ea4f9daa6ad8de7fc2e92339d91de2c1

SHA1
646e1c3f292d7b70905c41b9f61d894e184fc20b

SHA256
4251bcc03f06ef93bf972e1bea68bebb237fa75001a7e015959a2dfcf27f24e2

SHA512
4f19e27ed328869288661c7b73fb5ad536e5b96e2e5ad14a4aa3aecb9980a539443c551d37236582a7724715e8d7e565fd11b0b7ac0c555a268d57d17c176c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\fsiQLqF1FsFA.bat

Filesize
207B

MD5
9d8e367be07ceb644327dfb6000f6b29

SHA1
7a10a80e0c957b11858857c9048be4df908b9b25

SHA256
3e692c9cfcb226e8e57ba9f26c0720e167cf3a7878bd73ec21ae3c00d44e15de

SHA512
dcc1801002d03f9fb4569e240dfbf1bc9b81aefe6206bd280b9302fb26b11a3b51235302f4b3d2e0135c95bfc428483fce8ee04a4b0197619b8a1fc21db3fb29

Download Submit
C:\Users\Admin\AppData\Local\Temp\hou6aILpYJCV.bat

Filesize
207B

MD5
25616e647a0f34ec4b97121ee4736143

SHA1
5b27991a93430d7a9d7c33deb60bac9faceb1313

SHA256
9b63817b84a574693f3f7e89197f189de7b79210965d2ed6a11fb9aa7d544a9b

SHA512
4fb2ac19fa2207964dc6255b5906bde17f14a705179d13659a39af716ad51fc4046188094f25846f22c0b3753028636083adf4045256294dd367b2796cb073ab

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
348KB

MD5
19cde915d18709c0de2e5acd6acc41ce

SHA1
5478e37f33533ccb57b73c94e613f39f95db3e06

SHA256
f1bcf4d98fef3665492ca5fbf5296fa06a4adb2b3b9681b110a148f56ed1aaf6

SHA512
a1bba884336a8e7a370b218ae70427d791587c25e2e9f52ee59459df1cf60bf7ef8a488e1d159c9b501329d7049349637a23d5b2e5fbe32e4a6fd1884c0b068d

Download Submit
memory/772-21-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/772-15-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/772-13-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/4592-0-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download
memory/4592-14-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/4592-7-0x0000000006BD0000-0x0000000006C0C000-memory.dmp

Filesize
240KB

Download
memory/4592-6-0x0000000006690000-0x00000000066A2000-memory.dmp

Filesize
72KB

Download
memory/4592-5-0x00000000059D0000-0x0000000005A36000-memory.dmp

Filesize
408KB

Download
memory/4592-4-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/4592-3-0x0000000005930000-0x00000000059C2000-memory.dmp

Filesize
584KB

Download
memory/4592-2-0x0000000005E40000-0x00000000063E4000-memory.dmp

Filesize
5.6MB

Download
memory/4592-1-0x0000000000E20000-0x0000000000E7E000-memory.dmp

Filesize
376KB

Download