quasar | 0492d6d567045871e1ee3c888f02e38848020a07a261615a931782419bd3cbe3

Analysis

max time kernel
144s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-01-2025 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

iamsupersmart.exe
Size

3.1MB
MD5

dda3d825becc420ec452daaff079f6b4
SHA1

903ab84afdb605cb965f087d10c2ec84f6facbc3
SHA256

0492d6d567045871e1ee3c888f02e38848020a07a261615a931782419bd3cbe3
SHA512

4ab3cc498ae01aa2ecf1b351746a7bb35cbae4975a1f24805a070c6421415972c0b443fb92f5f6e61d7362921c86e37e2983fd77f62d61ec229c941cd3d4209e
SSDEEP

49152:Nv+lL26AaNeWgPhlmVqvMQ7XSK5qOH9oGdRjvTHHB72eh2NT:NvuL26AaNeWgPhlmVqkQ7XSKkOd

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

meming-28826.portmap.host:28826

Mutex

6396d47d-b301-4dbd-a1c2-f92271440b4b

Attributes

encryption_key
B323B6B4414256836290414EF6F85AFA580A2B68
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System Notification Tray
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 8 IoCs

resource	yara_rule
behavioral1/memory/2104-1-0x0000000001370000-0x0000000001696000-memory.dmp	family_quasar
behavioral1/files/0x000800000001960c-6.dat	family_quasar
behavioral1/memory/2380-8-0x0000000000250000-0x0000000000576000-memory.dmp	family_quasar
behavioral1/memory/2888-23-0x0000000000EC0000-0x00000000011E6000-memory.dmp	family_quasar
behavioral1/memory/1740-34-0x0000000000080000-0x00000000003A6000-memory.dmp	family_quasar
behavioral1/memory/2540-45-0x0000000000B40000-0x0000000000E66000-memory.dmp	family_quasar
behavioral1/memory/2496-56-0x0000000001140000-0x0000000001466000-memory.dmp	family_quasar
behavioral1/memory/668-99-0x00000000012F0000-0x0000000001616000-memory.dmp	family_quasar

Executes dropped EXE 13 IoCs

pid	Process
2380	Client.exe
2888	Client.exe
1740	Client.exe
2540	Client.exe
2496	Client.exe
456	Client.exe
1312	Client.exe
1072	Client.exe
668	Client.exe
3052	Client.exe
2352	Client.exe
3016	Client.exe
1612	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 13 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3020	PING.EXE
1732	PING.EXE
744	PING.EXE
1784	PING.EXE
3016	PING.EXE
1908	PING.EXE
1440	PING.EXE
940	PING.EXE
2560	PING.EXE
2748	PING.EXE
2888	PING.EXE
1672	PING.EXE
836	PING.EXE

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

pid	Process
744	PING.EXE
1784	PING.EXE
3016	PING.EXE
1440	PING.EXE
940	PING.EXE
1732	PING.EXE
2748	PING.EXE
1672	PING.EXE
3020	PING.EXE
1908	PING.EXE
2560	PING.EXE
2888	PING.EXE
836	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1884	schtasks.exe
1676	schtasks.exe
2372	schtasks.exe
2272	schtasks.exe
2112	schtasks.exe
2416	schtasks.exe
1640	schtasks.exe
2896	schtasks.exe
2296	schtasks.exe
1460	schtasks.exe
2872	schtasks.exe
2992	schtasks.exe
2852	schtasks.exe
2596	schtasks.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2104	iamsupersmart.exe
Token: SeDebugPrivilege	2380	Client.exe
Token: SeDebugPrivilege	2888	Client.exe
Token: SeDebugPrivilege	1740	Client.exe
Token: SeDebugPrivilege	2540	Client.exe
Token: SeDebugPrivilege	2496	Client.exe
Token: SeDebugPrivilege	456	Client.exe
Token: SeDebugPrivilege	1312	Client.exe
Token: SeDebugPrivilege	1072	Client.exe
Token: SeDebugPrivilege	668	Client.exe
Token: SeDebugPrivilege	3052	Client.exe
Token: SeDebugPrivilege	2352	Client.exe
Token: SeDebugPrivilege	3016	Client.exe
Token: SeDebugPrivilege	1612	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 1640	2104	iamsupersmart.exe	30
PID 2104 wrote to memory of 1640	2104	iamsupersmart.exe	30
PID 2104 wrote to memory of 1640	2104	iamsupersmart.exe	30
PID 2104 wrote to memory of 2380	2104	iamsupersmart.exe	32
PID 2104 wrote to memory of 2380	2104	iamsupersmart.exe	32
PID 2104 wrote to memory of 2380	2104	iamsupersmart.exe	32
PID 2380 wrote to memory of 2852	2380	Client.exe	33
PID 2380 wrote to memory of 2852	2380	Client.exe	33
PID 2380 wrote to memory of 2852	2380	Client.exe	33
PID 2380 wrote to memory of 584	2380	Client.exe	35
PID 2380 wrote to memory of 584	2380	Client.exe	35
PID 2380 wrote to memory of 584	2380	Client.exe	35
PID 584 wrote to memory of 2988	584	cmd.exe	37
PID 584 wrote to memory of 2988	584	cmd.exe	37
PID 584 wrote to memory of 2988	584	cmd.exe	37
PID 584 wrote to memory of 3020	584	cmd.exe	38
PID 584 wrote to memory of 3020	584	cmd.exe	38
PID 584 wrote to memory of 3020	584	cmd.exe	38
PID 584 wrote to memory of 2888	584	cmd.exe	39
PID 584 wrote to memory of 2888	584	cmd.exe	39
PID 584 wrote to memory of 2888	584	cmd.exe	39
PID 2888 wrote to memory of 2896	2888	Client.exe	40
PID 2888 wrote to memory of 2896	2888	Client.exe	40
PID 2888 wrote to memory of 2896	2888	Client.exe	40
PID 2888 wrote to memory of 2768	2888	Client.exe	42
PID 2888 wrote to memory of 2768	2888	Client.exe	42
PID 2888 wrote to memory of 2768	2888	Client.exe	42
PID 2768 wrote to memory of 2708	2768	cmd.exe	44
PID 2768 wrote to memory of 2708	2768	cmd.exe	44
PID 2768 wrote to memory of 2708	2768	cmd.exe	44
PID 2768 wrote to memory of 1784	2768	cmd.exe	45
PID 2768 wrote to memory of 1784	2768	cmd.exe	45
PID 2768 wrote to memory of 1784	2768	cmd.exe	45
PID 2768 wrote to memory of 1740	2768	cmd.exe	46
PID 2768 wrote to memory of 1740	2768	cmd.exe	46
PID 2768 wrote to memory of 1740	2768	cmd.exe	46
PID 1740 wrote to memory of 2272	1740	Client.exe	47
PID 1740 wrote to memory of 2272	1740	Client.exe	47
PID 1740 wrote to memory of 2272	1740	Client.exe	47
PID 1740 wrote to memory of 1348	1740	Client.exe	49
PID 1740 wrote to memory of 1348	1740	Client.exe	49
PID 1740 wrote to memory of 1348	1740	Client.exe	49
PID 1348 wrote to memory of 296	1348	cmd.exe	51
PID 1348 wrote to memory of 296	1348	cmd.exe	51
PID 1348 wrote to memory of 296	1348	cmd.exe	51
PID 1348 wrote to memory of 3016	1348	cmd.exe	52
PID 1348 wrote to memory of 3016	1348	cmd.exe	52
PID 1348 wrote to memory of 3016	1348	cmd.exe	52
PID 1348 wrote to memory of 2540	1348	cmd.exe	53
PID 1348 wrote to memory of 2540	1348	cmd.exe	53
PID 1348 wrote to memory of 2540	1348	cmd.exe	53
PID 2540 wrote to memory of 2112	2540	Client.exe	54
PID 2540 wrote to memory of 2112	2540	Client.exe	54
PID 2540 wrote to memory of 2112	2540	Client.exe	54
PID 2540 wrote to memory of 760	2540	Client.exe	56
PID 2540 wrote to memory of 760	2540	Client.exe	56
PID 2540 wrote to memory of 760	2540	Client.exe	56
PID 760 wrote to memory of 2148	760	cmd.exe	58
PID 760 wrote to memory of 2148	760	cmd.exe	58
PID 760 wrote to memory of 2148	760	cmd.exe	58
PID 760 wrote to memory of 1908	760	cmd.exe	59
PID 760 wrote to memory of 1908	760	cmd.exe	59
PID 760 wrote to memory of 1908	760	cmd.exe	59
PID 760 wrote to memory of 2496	760	cmd.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\iamsupersmart.exe
"C:\Users\Admin\AppData\Local\Temp\iamsupersmart.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1640
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2852
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\gnLF6RPiNJWr.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:584
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2988
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3020
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2896
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Hbid2JmXadQY.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2768
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2708
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1784
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2272
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zrVdhytPnVww.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:296
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3016
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2112
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SHusTx50v0GA.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1908
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2296
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NIMtnI7JbimM.bat" "
        11⤵
        
        PID:1044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1440
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:456
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2596
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mfpcOVu19Qt4.bat" "
        13⤵
        
        PID:1004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1724
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:940
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2416
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OJKft78KeNfE.bat" "
        15⤵
        
        PID:1028
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:896
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1732
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1460
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9VufxQrWMrQJ.bat" "
        17⤵
        
        PID:1476
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2560
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2872
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nhp1zfyBiU9O.bat" "
        19⤵
        
        PID:1236
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2380
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2748
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2992
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XKDRqI0Dgeer.bat" "
        21⤵
        
        PID:2468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2736
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2888
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1884
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ByqpxcET4gq.bat" "
        23⤵
        
        PID:3056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1672
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1676
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bPSz8GtZM07E.bat" "
        25⤵
        
        PID:2340
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2540
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:836
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2372
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QuIN4WgxwQVj.bat" "
        27⤵
        
        PID:2128
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:600
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ByqpxcET4gq.bat

Filesize
207B

MD5
d02bcfeee4e48ffabafaf51cd5cde52d

SHA1
e148e040ada85d5523a769cadbf8c2884707b6a5

SHA256
2ce91c1fc5e33ca6a9b2dc0e43e69a09a898b4dcc9027b55d605380c969d2222

SHA512
ab0731e87e68ca239eb1c55315fb06195f9ca38867216b5e6e42e8987a410803a49186798e284ddaa93a75be66939170821ca4fc3f17885379079d53660ff1f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9VufxQrWMrQJ.bat

Filesize
207B

MD5
3fffdcf19c17a3059d641477d754bc21

SHA1
c81467f6c2d5e9c8e6524b649bac8fd67147a8f0

SHA256
3f695a783df2ff2bf0629945773aceb4fcb59ae22018bb299411fc6429b8224b

SHA512
f0de50f7d54528b982cd18cb3dd65cd24636b07574e6e3ff709ae16ffa5154bfed608f82981489af8636b13573922fc43b423e8392567fe15f7a32ccd13bbdea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hbid2JmXadQY.bat

Filesize
207B

MD5
8705dd36327a5816df15f3b55b1fd4f0

SHA1
137918e142cacb644da0b4074b492f665d61485d

SHA256
956abc20bdcbdb1d12d61d86e033d77bcab7c8b2de186ae094e603b553288a5b

SHA512
1a9efb735cf9830d0e4d8165aad210c230bc1ee8bb949eddeadc8d9e075d419fb4fc5301b93614ad69b1af9c9f94a5992f76d0c2588b473cdafb6c073febfedb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NIMtnI7JbimM.bat

Filesize
207B

MD5
cc71aaca09033124b84cef8587dabb7f

SHA1
d5f45e89aae9f8f5a6f84a75357d7dadc3407df5

SHA256
87a1024d4b2ef57fda6babb7b9ac33f7cf07d6d4783737f0e9b14b95d0663c1a

SHA512
ee09eb877caca8115666c60eeb71087b74cef57070783b68e0f019731e5f7d64d9c414756b0ed01e5c30832521452a5fc3a41043ee60f9d6471775e44f624942

Download Submit
C:\Users\Admin\AppData\Local\Temp\OJKft78KeNfE.bat

Filesize
207B

MD5
56a2d9b4e5c7acdf348d3ca48ef4510a

SHA1
077336275b2b97575741fcb6353e76e12f1200b7

SHA256
bfdb7ed201af602df61dfac9ec732c21638fd75cd67cc955826d57fd300544c5

SHA512
3c371bba5dfc71464bb492cb9af8194aad0bbaa52a5b60ce00b8c4f607aa7ecc06aa76e7ce6ca3e50ae100e82593c650793fd691ece14fe41edec190cba5f171

Download Submit
C:\Users\Admin\AppData\Local\Temp\QuIN4WgxwQVj.bat

Filesize
207B

MD5
fa8997089da2db83fa8fae5aedcbf940

SHA1
00edd31b7cdef57f9ba4adaf81adf61761500795

SHA256
4a4bae92fcccf5ccf79d12629dca2d509c649b52f8ef08e2c13bf862737e9594

SHA512
2dc70cb70bbba4215c4808687c3119f8603af86d143eb33deda30445ef25feba95b23a1e372e5d08e4b2e4b49282387740c05b734351f23832281dad98916078

Download Submit
C:\Users\Admin\AppData\Local\Temp\SHusTx50v0GA.bat

Filesize
207B

MD5
076cf505e52925f3445e476a62b80868

SHA1
15d45f0e0c5a7ef1d9beca898dcdd3304578cd1f

SHA256
90954a0be18385b838072328679ca45566df648a82e27394af23d914b2a9dd06

SHA512
4e1e9739381a7fe6192fc3e76e18d64fd7c484684fad8a8c2ec7093e543a014793e30e12f1d7ed4e2b5a79303cbaa334749334915641d34024cad0884084ee58

Download Submit
C:\Users\Admin\AppData\Local\Temp\XKDRqI0Dgeer.bat

Filesize
207B

MD5
83a7740c6cc00c44ba3600abb77a6e65

SHA1
e9e6210b8e4aa58c0289fdfc61263ff1dd31f29d

SHA256
4a6932ba3ce3ed8ae1465ff0857f995c7db4fae0b9d159d178b2d5fecf068b7e

SHA512
4057d2b387fe699c0988975d1c9f9823f169fae823ca86d9eff780e8eaff1233e6bb2fb8269a05802548a054562a77ee518db8c892b0f40b8205cda2d3787355

Download Submit
C:\Users\Admin\AppData\Local\Temp\bPSz8GtZM07E.bat

Filesize
207B

MD5
31f6b1c2a12ebdf37af84be747d84795

SHA1
6c64fb4900042faadbf8ea42098afdc5e6f429b6

SHA256
a46722be6d5527e2f711a7a392e48ddc69da453953def915ac28420370f66f19

SHA512
b38bcc1a98b3ffb0e822305c2e8f77e7159069063b6fe5df4b8e0c22aa736126fe67eb67b8acee467d461aac91a298910ff71a3917d7ec0c03091eb9e02c9f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\gnLF6RPiNJWr.bat

Filesize
207B

MD5
4f4da258aaa3de61ebc71ea00b9070c6

SHA1
015b303b0d2bf10e29ae2aa3fd2bfb7a3781e853

SHA256
361c0d4fbe4af3a2fc99a3ce6a9ddd22560a42c415b7dcc385c03b77ed8f8ec7

SHA512
0725c53b9b45305433c127c317c2998c8a58491e4dba065e1ba3fa1a5baa2cb6dadf5e03c7394cf30835a83295ded07e2f36b8c91c4adbf6f5dc893198f6ba82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mfpcOVu19Qt4.bat

Filesize
207B

MD5
4271905019bb2c2a2f763fddeca513ad

SHA1
26b9326839e3243d129fc90aebe6099efe3f91a3

SHA256
6b8608e16d5bd4ea8875da9822635e38c18a50d45e13ccc3f96d5f59651906c3

SHA512
a216c387cfbc85de8b9848d358dd8c0b8c5ed9a1659647944436af2776e17ebce9a44082a551febadc521395d6723471b28dde4c9fcc39f454f3b715d0344f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\nhp1zfyBiU9O.bat

Filesize
207B

MD5
5c97f250af78c1ec6cbd4dc8ab1ca214

SHA1
518b04e7709fcf8dca6bd42bfb40c755fc5bd30d

SHA256
ed9676ff78c2c3b4415df70149383751a57297873ad1bd71fb194ed44222d48c

SHA512
314cc41beed440c9d6d8efb0066b9ca298426502f272c05f6733796029ef2547a83245f3b530dca3034c62cc5458fdfb1c078772b782fe671c60ffff9ebb0945

Download Submit
C:\Users\Admin\AppData\Local\Temp\zrVdhytPnVww.bat

Filesize
207B

MD5
fc3ce03e4191e695c6539eb6fcd70116

SHA1
1663f743ebed275db5f47b326bb0d27b351605b1

SHA256
16dab58d2cfab75ef447b02bb6ebc16b7a7e497737edd2cd98a9448473d4bf3c

SHA512
382be061388b4e9dbe8eb93ae6c1b2e13bcd713bb9853b898d92d4efd9922f03fcb0014345ad3d08018be72289714339e3f448b10c789d052443e98f81988003

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
dda3d825becc420ec452daaff079f6b4

SHA1
903ab84afdb605cb965f087d10c2ec84f6facbc3

SHA256
0492d6d567045871e1ee3c888f02e38848020a07a261615a931782419bd3cbe3

SHA512
4ab3cc498ae01aa2ecf1b351746a7bb35cbae4975a1f24805a070c6421415972c0b443fb92f5f6e61d7362921c86e37e2983fd77f62d61ec229c941cd3d4209e

Download Submit
memory/668-99-0x00000000012F0000-0x0000000001616000-memory.dmp

Filesize
3.1MB

Download
memory/1740-34-0x0000000000080000-0x00000000003A6000-memory.dmp

Filesize
3.1MB

Download
memory/2104-11-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

Filesize
9.9MB

Download
memory/2104-0-0x000007FEF6183000-0x000007FEF6184000-memory.dmp

Filesize
4KB

Download
memory/2104-2-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

Filesize
9.9MB

Download
memory/2104-1-0x0000000001370000-0x0000000001696000-memory.dmp

Filesize
3.1MB

Download
memory/2380-21-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-10-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-8-0x0000000000250000-0x0000000000576000-memory.dmp

Filesize
3.1MB

Download
memory/2380-9-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

Filesize
9.9MB

Download
memory/2496-56-0x0000000001140000-0x0000000001466000-memory.dmp

Filesize
3.1MB

Download
memory/2540-45-0x0000000000B40000-0x0000000000E66000-memory.dmp

Filesize
3.1MB

Download
memory/2888-23-0x0000000000EC0000-0x00000000011E6000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads