quasar | bb5398474b2aa16ce6c29b681fcb98f4b19bb152413076b7b1748e41efa6dc6d

Analysis

max time kernel
145s
max time network
147s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
22-01-2025 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

im not verysmart.exe
Size

3.1MB
MD5

45e2aa5fff9ef27dbe69e171d2827ee1
SHA1

75344a650dc891b86060124c855ec26e5c4dfbbe
SHA256

bb5398474b2aa16ce6c29b681fcb98f4b19bb152413076b7b1748e41efa6dc6d
SHA512

c0d9824e1a8fa72ac29cd151f4331268df9839ba7a071888f08f2bbd73ab45b3f0dd61d4789839f30ebfce208d8409162abe17d316d2ac06470fee5648fbac39
SSDEEP

49152:xv+lL26AaNeWgPhlmVqvMQ7XSKtCL1JHLoGdbtTHHB72eh2NT:xvuL26AaNeWgPhlmVqkQ7XSKtC/

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

meming-28826.portmap.host:28826

Mutex

0d852c3a-6700-4e42-85af-0da8a2a2fd2a

Attributes

encryption_key
B323B6B4414256836290414EF6F85AFA580A2B68
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System Notification Tray
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/3352-1-0x0000000000970000-0x0000000000C96000-memory.dmp	family_quasar
behavioral1/files/0x0028000000046178-3.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
788	Client.exe
4004	Client.exe
1372	Client.exe
4316	Client.exe
5016	Client.exe
2516	Client.exe
2416	Client.exe
4076	Client.exe
4040	Client.exe
1192	Client.exe
2804	Client.exe
3116	Client.exe
3592	Client.exe
4012	Client.exe
2044	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1460	PING.EXE
4336	PING.EXE
1860	PING.EXE
2184	PING.EXE
4828	PING.EXE
1676	PING.EXE
3868	PING.EXE
4116	PING.EXE
1600	PING.EXE
4168	PING.EXE
1676	PING.EXE
1948	PING.EXE
4932	PING.EXE
3708	PING.EXE
3264	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
3708	PING.EXE
4932	PING.EXE
2184	PING.EXE
4828	PING.EXE
1676	PING.EXE
4116	PING.EXE
1460	PING.EXE
1600	PING.EXE
1948	PING.EXE
4168	PING.EXE
4336	PING.EXE
1860	PING.EXE
3868	PING.EXE
3264	PING.EXE
1676	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
736	schtasks.exe
2780	schtasks.exe
2012	schtasks.exe
4236	schtasks.exe
2008	schtasks.exe
4348	schtasks.exe
3704	schtasks.exe
3928	schtasks.exe
1860	schtasks.exe
2348	schtasks.exe
3612	schtasks.exe
3080	schtasks.exe
4364	schtasks.exe
2536	schtasks.exe
4956	schtasks.exe
2952	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3352	im not verysmart.exe
Token: SeDebugPrivilege	788	Client.exe
Token: SeDebugPrivilege	4004	Client.exe
Token: SeDebugPrivilege	1372	Client.exe
Token: SeDebugPrivilege	4316	Client.exe
Token: SeDebugPrivilege	5016	Client.exe
Token: SeDebugPrivilege	2516	Client.exe
Token: SeDebugPrivilege	2416	Client.exe
Token: SeDebugPrivilege	4076	Client.exe
Token: SeDebugPrivilege	4040	Client.exe
Token: SeDebugPrivilege	1192	Client.exe
Token: SeDebugPrivilege	2804	Client.exe
Token: SeDebugPrivilege	3116	Client.exe
Token: SeDebugPrivilege	3592	Client.exe
Token: SeDebugPrivilege	4012	Client.exe
Token: SeDebugPrivilege	2044	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 2348	3352	im not verysmart.exe	83
PID 3352 wrote to memory of 2348	3352	im not verysmart.exe	83
PID 3352 wrote to memory of 788	3352	im not verysmart.exe	85
PID 3352 wrote to memory of 788	3352	im not verysmart.exe	85
PID 788 wrote to memory of 3612	788	Client.exe	86
PID 788 wrote to memory of 3612	788	Client.exe	86
PID 788 wrote to memory of 960	788	Client.exe	88
PID 788 wrote to memory of 960	788	Client.exe	88
PID 960 wrote to memory of 2184	960	cmd.exe	90
PID 960 wrote to memory of 2184	960	cmd.exe	90
PID 960 wrote to memory of 1600	960	cmd.exe	91
PID 960 wrote to memory of 1600	960	cmd.exe	91
PID 960 wrote to memory of 4004	960	cmd.exe	98
PID 960 wrote to memory of 4004	960	cmd.exe	98
PID 4004 wrote to memory of 3080	4004	Client.exe	99
PID 4004 wrote to memory of 3080	4004	Client.exe	99
PID 4004 wrote to memory of 764	4004	Client.exe	101
PID 4004 wrote to memory of 764	4004	Client.exe	101
PID 764 wrote to memory of 4136	764	cmd.exe	103
PID 764 wrote to memory of 4136	764	cmd.exe	103
PID 764 wrote to memory of 4932	764	cmd.exe	104
PID 764 wrote to memory of 4932	764	cmd.exe	104
PID 764 wrote to memory of 1372	764	cmd.exe	106
PID 764 wrote to memory of 1372	764	cmd.exe	106
PID 1372 wrote to memory of 2780	1372	Client.exe	107
PID 1372 wrote to memory of 2780	1372	Client.exe	107
PID 1372 wrote to memory of 1192	1372	Client.exe	109
PID 1372 wrote to memory of 1192	1372	Client.exe	109
PID 1192 wrote to memory of 3176	1192	cmd.exe	111
PID 1192 wrote to memory of 3176	1192	cmd.exe	111
PID 1192 wrote to memory of 1676	1192	cmd.exe	112
PID 1192 wrote to memory of 1676	1192	cmd.exe	112
PID 1192 wrote to memory of 4316	1192	cmd.exe	114
PID 1192 wrote to memory of 4316	1192	cmd.exe	114
PID 4316 wrote to memory of 2008	4316	Client.exe	115
PID 4316 wrote to memory of 2008	4316	Client.exe	115
PID 4316 wrote to memory of 4748	4316	Client.exe	117
PID 4316 wrote to memory of 4748	4316	Client.exe	117
PID 4748 wrote to memory of 1240	4748	cmd.exe	119
PID 4748 wrote to memory of 1240	4748	cmd.exe	119
PID 4748 wrote to memory of 1860	4748	cmd.exe	120
PID 4748 wrote to memory of 1860	4748	cmd.exe	120
PID 4748 wrote to memory of 5016	4748	cmd.exe	121
PID 4748 wrote to memory of 5016	4748	cmd.exe	121
PID 5016 wrote to memory of 2536	5016	Client.exe	122
PID 5016 wrote to memory of 2536	5016	Client.exe	122
PID 5016 wrote to memory of 3612	5016	Client.exe	124
PID 5016 wrote to memory of 3612	5016	Client.exe	124
PID 3612 wrote to memory of 3116	3612	cmd.exe	126
PID 3612 wrote to memory of 3116	3612	cmd.exe	126
PID 3612 wrote to memory of 2184	3612	cmd.exe	127
PID 3612 wrote to memory of 2184	3612	cmd.exe	127
PID 3612 wrote to memory of 2516	3612	cmd.exe	128
PID 3612 wrote to memory of 2516	3612	cmd.exe	128
PID 2516 wrote to memory of 4348	2516	Client.exe	129
PID 2516 wrote to memory of 4348	2516	Client.exe	129
PID 2516 wrote to memory of 2956	2516	Client.exe	131
PID 2516 wrote to memory of 2956	2516	Client.exe	131
PID 2956 wrote to memory of 1816	2956	cmd.exe	133
PID 2956 wrote to memory of 1816	2956	cmd.exe	133
PID 2956 wrote to memory of 3708	2956	cmd.exe	134
PID 2956 wrote to memory of 3708	2956	cmd.exe	134
PID 2956 wrote to memory of 2416	2956	cmd.exe	135
PID 2956 wrote to memory of 2416	2956	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\im not verysmart.exe
"C:\Users\Admin\AppData\Local\Temp\im not verysmart.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2348
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:788
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b0b36BRTURxf.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:960
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2184
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1600
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4004
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3080
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mjgpHwgCyMUt.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:764
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4136
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4932
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FC3as8HjFF68.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3176
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1676
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMN84CnKMWBl.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1240
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1860
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bS7znA7OASlz.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3116
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1eJlRqsxQhbW.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1816
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3708
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9COoyfXpzXY0.bat" "
        15⤵
        
        PID:4616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1948
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4076
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qB181hqZL7u3.bat" "
        17⤵
        
        PID:436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4596
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4828
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4040
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DTSlssqHP0mv.bat" "
        19⤵
        
        PID:2384
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:5048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1676
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\55x0WGzMcX8Y.bat" "
        21⤵
        
        PID:4256
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2960
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4168
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tyugCHsYY4v0.bat" "
        23⤵
        
        PID:1952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4216
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3868
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3116
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A6oEeSMJgjZW.bat" "
        25⤵
        
        PID:464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1392
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4116
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3592
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgdwrRke2GzU.bat" "
        27⤵
        
        PID:3708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2592
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1460
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4012
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lK83ctaOftrV.bat" "
        29⤵
        
        PID:2272
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:392
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4336
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zXrtKx8392Cq.bat" "
        31⤵
        
        PID:232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:3276
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
7787ce173dfface746f5a9cf5477883d

SHA1
4587d870e914785b3a8fb017fec0c0f1c7ec0004

SHA256
c339149818fa8f9e5af4627715c3afe4f42bc1267df17d77a278d4c811ed8df1

SHA512
3a630053ae99114292f8cf8d45600f8fe72125795252bf76677663476bd2275be084a1af2fcb4ce30409ba1b5829b2b3ffb6795de46d2a703c3314017a86f1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\1eJlRqsxQhbW.bat

Filesize
207B

MD5
e1fd13f08c055a4787bad9607c7be939

SHA1
a55c79a34f504ea2496f1cc4b76d202959af9c93

SHA256
3f8985483de5660796a57915e591f46ae91166f1ec2107f7f6c54b6c5a6298b8

SHA512
06421e569d3dfadf973eef5ef8fe19eafbd7f814f7480d7d7e7449698d80536432aca65d783c5a36a1f047f5a6961c1e46ac9557a7cfb3cef1f1311456c57ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\55x0WGzMcX8Y.bat

Filesize
207B

MD5
260c81def46feb7dbed738cd43c801f6

SHA1
4838f26077b3b2ccca22a6dd33447ad951b1374b

SHA256
b97dc10cdc5fee929275496095bf4b138c51eb05837e6d9d6ccf87d25b3cc2a2

SHA512
a4697208debd4e9d750c4ad3fae005960306d0091eb5fc44e6779c7db1645e90e208df51068d6e73679469fb55acf3866806348d3c890ae843bb4f53636596bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\9COoyfXpzXY0.bat

Filesize
207B

MD5
f20dc8cd8715f8db5ddd00f77da4e6cc

SHA1
21d8aa5da43f38b469b6488c3874e720a8220904

SHA256
cb8a2e514f290bf077f9123e63734f2ba858bf93739f6a6fcf86106252c772c1

SHA512
40a2e55aa5e6af749105215582c0c9ec9b1ce574e9a4f85dc9757a55bd94596929bb7c2bd4ce9a1e06959ac67906424a8c2a2c6d6cad28479fa9992914fa7950

Download Submit
C:\Users\Admin\AppData\Local\Temp\A6oEeSMJgjZW.bat

Filesize
207B

MD5
191573a7fa03ecff52694be42295bcab

SHA1
8786c30e5d575dca03ffe1f66361ca334fd5cdb5

SHA256
7e345fbf8e1e084947b114234b900fd43ba20028ef7c9cf7f0a76dda6d170892

SHA512
b3f821cc521538ba1106ed428475c30bae0ae71e062a0c561f17c0e8ce477d912da77ca7537d3fafee2aed5f4f02d9870a73cb53b8361c63f85b16079e3e84ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\DTSlssqHP0mv.bat

Filesize
207B

MD5
021adfc55d02bd508c6e929468ce86dd

SHA1
503925080ceeed076a88873035a7fc63453b3093

SHA256
77bcbcfb507cd1656a296497417a75b8b5db00783c7ba71fd4b65d4a57e49a31

SHA512
2f20a88d67d704277c37474aeb275803e7d60e506a4f27af303904c0384b67562b43050b485705b0e0a0632420f7f3647a3f32df3e72b5482691d1a6f646a77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FC3as8HjFF68.bat

Filesize
207B

MD5
77af659023bc1901dd11793e7aef25fa

SHA1
c78b96404365ba6a2f1f32ef703d27ec6ed39a6a

SHA256
d5a14784038b06164245558a6380ccc7d50cb7364e7e070d8611f4e80405a962

SHA512
7bbc4fc307778cf77fa40579410926948b6a3d6fd19548476431bc4e11c449493e80ea4f3412ce54bbffbd11bb229981a0c61c6a2c9322f4ffc86fd7712d7e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PMN84CnKMWBl.bat

Filesize
207B

MD5
fc16c47469012462effec0ec13b4f4f8

SHA1
049fe2d10646895df29de5e077260f506037c49f

SHA256
bd88fee6139b8313d324aa6333f51e40a195c057c5bc0a1a67984b2659af44ec

SHA512
0f37dd2bcb5775d6b7f3d778a33981a6a528f6ff89350f177546f618cb8fcdf8a77a3a92de4f7eff30d688a71013f080223ba5c9f2c8f0bcef8a2180ca3ff285

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgdwrRke2GzU.bat

Filesize
207B

MD5
b0d944eb1be5714e312438cbd1325e60

SHA1
565c3ad3ef2de3a794fa3909c66f577a557e0548

SHA256
66a0cd011b488b509acb9db854f1190e4aff81032203b736d71c56feeb3a7327

SHA512
4c756e471589f9ebd1bb0a15b9213676d11772b150381afc459f929ba012d6d372e2779a42aee51dfe53d5b876d05d1fe51e4c2729dbf7cb0c069ad63b606423

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0b36BRTURxf.bat

Filesize
207B

MD5
e551b688f24d4ca096ab202bb55020e3

SHA1
ac616f416707adb5c057b927b2de90dc426c0fa8

SHA256
156f13f5f6506014b2115941e82521361478f1313472e9aa2d923dfbf3a01057

SHA512
5482ce04e40bb8748e934c97d63fdf45a89f718273f142d1f86e5f5748daa808351e6ca48fa245706084290dab2413dba7246530d4e7ab5c9d618964e31c9ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bS7znA7OASlz.bat

Filesize
207B

MD5
d606e46dd528f4a7dea390f16ce5af9d

SHA1
b3a69d4679cd24981ae88bb7c6ee04ae78cf6484

SHA256
bbee8e4f95aca8f24f168ede567ed767d7c47131d3d68ffd3d4bb46ab7eaa96c

SHA512
584421df880d6eff2b44d93f1130180dcce498bced61c2bd4af2c165dd148e01f70611ef377de10fb938a6865f6f5f98d3c5e93fe1ac74bcdec565b76cdb0c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lK83ctaOftrV.bat

Filesize
207B

MD5
9d3ca286480bf6bc8970d6244a1d5de1

SHA1
2cb88bee98b32c2e90f24cb680bc3bb1ec22e173

SHA256
c417ce497498f1c4e9d9138783d9c0a3037b3e3854e3d106d66e205acca0701c

SHA512
bbcab1761376248e2b65187ffe1e26ef36619af97f5822b86f3dfb54b048367d38df34489a16cc56a9906d477353f441219b8605d9304f780593e3349ac8eeda

Download Submit
C:\Users\Admin\AppData\Local\Temp\mjgpHwgCyMUt.bat

Filesize
207B

MD5
e3afdced19681ca2485a6f2c2b0576db

SHA1
99a53f3916e461c64022e6c58f02e525b254e9db

SHA256
aa1a017d74d30f43a3246f81395680e5767d692ff4deea0d4b526e113fb5076f

SHA512
f17b7ca364757f487766232498ebfea1632950cc8d322a0ec130f2a8000cba613cc9c1561587a3e34cee7bdfd44dafb50acba18ed8664635763b600546b37041

Download Submit
C:\Users\Admin\AppData\Local\Temp\qB181hqZL7u3.bat

Filesize
207B

MD5
b687d11ff762e8b01bf6d4af9b51560c

SHA1
50a47de3a16cc04e066cc02c7b78a9fd88fa55f6

SHA256
76835cf75249b5e563f83a01cc4e2d48ebe7fe3d6303bb0dac5f6f823ae1ed78

SHA512
efe039f92ecbf98060f2f941722f1ce5f65d97b3aa0690be2d42168d021a3b005738c7d427dcbb978a6485150292ac97d5dfd91123a7eff84c9c92c3ff0d4bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tyugCHsYY4v0.bat

Filesize
207B

MD5
c5dada4054c5a071f0a97a7407db1e1a

SHA1
430cb7e08b17d9cf910143da16c3156a252c47c5

SHA256
8cf5fdd517db8feacc288040a34fda77937424c9462b4993639145e4dd28457c

SHA512
bceea52df05e78a8471487dcc255497f07701edaea60dba67c0f765916e0968f387102548670d4edff0f16aecd56aabe333a9818456a5fca384b0cd99b5b395b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXrtKx8392Cq.bat

Filesize
207B

MD5
9c12b32da0bcdd76859fb293ce527de9

SHA1
db00e743955ca602c5ddfb601e22a58faef9fb7a

SHA256
cb8d2bcb796d97fe2df06a47b32ea12145f9488dae659cdf7ef71724be8baa40

SHA512
8e42e8ca9e9e8ae02a7172a6178a49ce4487017a2e1744803dba49a0d05c91a9a74a56badb344cdbecb65165a9363a9961bf6471a2da5620efca1a6989603263

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
45e2aa5fff9ef27dbe69e171d2827ee1

SHA1
75344a650dc891b86060124c855ec26e5c4dfbbe

SHA256
bb5398474b2aa16ce6c29b681fcb98f4b19bb152413076b7b1748e41efa6dc6d

SHA512
c0d9824e1a8fa72ac29cd151f4331268df9839ba7a071888f08f2bbd73ab45b3f0dd61d4789839f30ebfce208d8409162abe17d316d2ac06470fee5648fbac39

Download Submit
memory/788-18-0x00007FFCB0140000-0x00007FFCB0C02000-memory.dmp

Filesize
10.8MB

Download
memory/788-9-0x000000001E7C0000-0x000000001E872000-memory.dmp

Filesize
712KB

Download
memory/788-8-0x0000000003540000-0x0000000003590000-memory.dmp

Filesize
320KB

Download
memory/788-7-0x00007FFCB0140000-0x00007FFCB0C02000-memory.dmp

Filesize
10.8MB

Download
memory/788-6-0x00007FFCB0140000-0x00007FFCB0C02000-memory.dmp

Filesize
10.8MB

Download
memory/3352-0-0x00007FFCB0143000-0x00007FFCB0145000-memory.dmp

Filesize
8KB

Download
memory/3352-5-0x00007FFCB0140000-0x00007FFCB0C02000-memory.dmp

Filesize
10.8MB

Download
memory/3352-2-0x00007FFCB0140000-0x00007FFCB0C02000-memory.dmp

Filesize
10.8MB

Download
memory/3352-1-0x0000000000970000-0x0000000000C96000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads