quasar | df3a935152015d9e0936d40f78012b2ecdd14c1fb1d58305f7e815f4ed1fefce

Analysis

max time kernel
143s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/01/2025, 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

8b4c57a61e6c5676459af46e842c6515
SHA1

4fdd72e3c52357b8d73bfd6e41ed23900c53b864
SHA256

df3a935152015d9e0936d40f78012b2ecdd14c1fb1d58305f7e815f4ed1fefce
SHA512

0168318edff24ad03e6105e9dd9e6f430526f9b39b9d324fd43d690877a9b0e3bb08fdb8f572f6223186c9bd7ef1da1e59dd75caecbac0c0c2d979bacb8b08fe
SSDEEP

49152:6vAt62XlaSFNWPjljiFa2RoUYI48RJ6bbR3LoGd8QGTHHB72eh2NT:6vs62XlaSFNWPjljiFXRoUYI48RJ6t

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

sigma:4782

Mutex

dcd58018-6881-4bdc-ada3-43241c4a02d7

Attributes

encryption_key
2F0E0A6E0184EFAA28DCBF2BCF17796A6A6FA235
install_name
Flaretest.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 12 IoCs

resource	yara_rule
behavioral1/memory/1644-1-0x0000000000FF0000-0x0000000001314000-memory.dmp	family_quasar
behavioral1/files/0x0008000000015cf1-5.dat	family_quasar
behavioral1/memory/2920-8-0x0000000000C50000-0x0000000000F74000-memory.dmp	family_quasar
behavioral1/memory/1048-22-0x0000000000FC0000-0x00000000012E4000-memory.dmp	family_quasar
behavioral1/memory/2932-33-0x0000000000330000-0x0000000000654000-memory.dmp	family_quasar
behavioral1/memory/1040-44-0x0000000000090000-0x00000000003B4000-memory.dmp	family_quasar
behavioral1/memory/928-55-0x0000000000990000-0x0000000000CB4000-memory.dmp	family_quasar
behavioral1/memory/2152-67-0x0000000000DB0000-0x00000000010D4000-memory.dmp	family_quasar
behavioral1/memory/2476-78-0x00000000010A0000-0x00000000013C4000-memory.dmp	family_quasar
behavioral1/memory/2652-90-0x0000000001160000-0x0000000001484000-memory.dmp	family_quasar
behavioral1/memory/1188-122-0x0000000000160000-0x0000000000484000-memory.dmp	family_quasar
behavioral1/memory/1340-133-0x00000000008D0000-0x0000000000BF4000-memory.dmp	family_quasar

Executes dropped EXE 12 IoCs

pid	Process
2920	Flaretest.exe
1048	Flaretest.exe
2932	Flaretest.exe
1040	Flaretest.exe
928	Flaretest.exe
2152	Flaretest.exe
2476	Flaretest.exe
2652	Flaretest.exe
2680	Flaretest.exe
388	Flaretest.exe
1188	Flaretest.exe
1340	Flaretest.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2928	PING.EXE
1984	PING.EXE
804	PING.EXE
1640	PING.EXE
2548	PING.EXE
2820	PING.EXE
2252	PING.EXE
2828	PING.EXE
2112	PING.EXE
2264	PING.EXE
2544	PING.EXE
1736	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
1640	PING.EXE
2548	PING.EXE
2264	PING.EXE
2544	PING.EXE
804	PING.EXE
1736	PING.EXE
2820	PING.EXE
1984	PING.EXE
2252	PING.EXE
2928	PING.EXE
2828	PING.EXE
2112	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2280	schtasks.exe
2616	schtasks.exe
2876	schtasks.exe
1888	schtasks.exe
2512	schtasks.exe
1344	schtasks.exe
2288	schtasks.exe
2656	schtasks.exe
2320	schtasks.exe
1652	schtasks.exe
2104	schtasks.exe
2476	schtasks.exe
2740	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1644	Client-built.exe
Token: SeDebugPrivilege	2920	Flaretest.exe
Token: SeDebugPrivilege	1048	Flaretest.exe
Token: SeDebugPrivilege	2932	Flaretest.exe
Token: SeDebugPrivilege	1040	Flaretest.exe
Token: SeDebugPrivilege	928	Flaretest.exe
Token: SeDebugPrivilege	2152	Flaretest.exe
Token: SeDebugPrivilege	2476	Flaretest.exe
Token: SeDebugPrivilege	2652	Flaretest.exe
Token: SeDebugPrivilege	2680	Flaretest.exe
Token: SeDebugPrivilege	388	Flaretest.exe
Token: SeDebugPrivilege	1188	Flaretest.exe
Token: SeDebugPrivilege	1340	Flaretest.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
2920	Flaretest.exe
1048	Flaretest.exe
2932	Flaretest.exe
1040	Flaretest.exe
928	Flaretest.exe
2152	Flaretest.exe
2476	Flaretest.exe
2652	Flaretest.exe
2680	Flaretest.exe
388	Flaretest.exe
1188	Flaretest.exe
1340	Flaretest.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2920	Flaretest.exe
1048	Flaretest.exe
2932	Flaretest.exe
1040	Flaretest.exe
928	Flaretest.exe
2152	Flaretest.exe
2476	Flaretest.exe
2652	Flaretest.exe
2680	Flaretest.exe
388	Flaretest.exe
1188	Flaretest.exe
1340	Flaretest.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2920	Flaretest.exe
1048	Flaretest.exe
2932	Flaretest.exe
1040	Flaretest.exe
928	Flaretest.exe
2152	Flaretest.exe
2476	Flaretest.exe
2652	Flaretest.exe
2680	Flaretest.exe
388	Flaretest.exe
1188	Flaretest.exe
1340	Flaretest.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2476	1644	Client-built.exe	30
PID 1644 wrote to memory of 2476	1644	Client-built.exe	30
PID 1644 wrote to memory of 2476	1644	Client-built.exe	30
PID 1644 wrote to memory of 2920	1644	Client-built.exe	32
PID 1644 wrote to memory of 2920	1644	Client-built.exe	32
PID 1644 wrote to memory of 2920	1644	Client-built.exe	32
PID 2920 wrote to memory of 2740	2920	Flaretest.exe	33
PID 2920 wrote to memory of 2740	2920	Flaretest.exe	33
PID 2920 wrote to memory of 2740	2920	Flaretest.exe	33
PID 2920 wrote to memory of 2796	2920	Flaretest.exe	35
PID 2920 wrote to memory of 2796	2920	Flaretest.exe	35
PID 2920 wrote to memory of 2796	2920	Flaretest.exe	35
PID 2796 wrote to memory of 2840	2796	cmd.exe	37
PID 2796 wrote to memory of 2840	2796	cmd.exe	37
PID 2796 wrote to memory of 2840	2796	cmd.exe	37
PID 2796 wrote to memory of 2928	2796	cmd.exe	38
PID 2796 wrote to memory of 2928	2796	cmd.exe	38
PID 2796 wrote to memory of 2928	2796	cmd.exe	38
PID 2796 wrote to memory of 1048	2796	cmd.exe	39
PID 2796 wrote to memory of 1048	2796	cmd.exe	39
PID 2796 wrote to memory of 1048	2796	cmd.exe	39
PID 1048 wrote to memory of 2656	1048	Flaretest.exe	40
PID 1048 wrote to memory of 2656	1048	Flaretest.exe	40
PID 1048 wrote to memory of 2656	1048	Flaretest.exe	40
PID 1048 wrote to memory of 2184	1048	Flaretest.exe	43
PID 1048 wrote to memory of 2184	1048	Flaretest.exe	43
PID 1048 wrote to memory of 2184	1048	Flaretest.exe	43
PID 2184 wrote to memory of 1008	2184	cmd.exe	45
PID 2184 wrote to memory of 1008	2184	cmd.exe	45
PID 2184 wrote to memory of 1008	2184	cmd.exe	45
PID 2184 wrote to memory of 2828	2184	cmd.exe	46
PID 2184 wrote to memory of 2828	2184	cmd.exe	46
PID 2184 wrote to memory of 2828	2184	cmd.exe	46
PID 2184 wrote to memory of 2932	2184	cmd.exe	47
PID 2184 wrote to memory of 2932	2184	cmd.exe	47
PID 2184 wrote to memory of 2932	2184	cmd.exe	47
PID 2932 wrote to memory of 2320	2932	Flaretest.exe	48
PID 2932 wrote to memory of 2320	2932	Flaretest.exe	48
PID 2932 wrote to memory of 2320	2932	Flaretest.exe	48
PID 2932 wrote to memory of 1424	2932	Flaretest.exe	50
PID 2932 wrote to memory of 1424	2932	Flaretest.exe	50
PID 2932 wrote to memory of 1424	2932	Flaretest.exe	50
PID 1424 wrote to memory of 2076	1424	cmd.exe	52
PID 1424 wrote to memory of 2076	1424	cmd.exe	52
PID 1424 wrote to memory of 2076	1424	cmd.exe	52
PID 1424 wrote to memory of 2112	1424	cmd.exe	53
PID 1424 wrote to memory of 2112	1424	cmd.exe	53
PID 1424 wrote to memory of 2112	1424	cmd.exe	53
PID 1424 wrote to memory of 1040	1424	cmd.exe	54
PID 1424 wrote to memory of 1040	1424	cmd.exe	54
PID 1424 wrote to memory of 1040	1424	cmd.exe	54
PID 1040 wrote to memory of 1652	1040	Flaretest.exe	55
PID 1040 wrote to memory of 1652	1040	Flaretest.exe	55
PID 1040 wrote to memory of 1652	1040	Flaretest.exe	55
PID 1040 wrote to memory of 448	1040	Flaretest.exe	57
PID 1040 wrote to memory of 448	1040	Flaretest.exe	57
PID 1040 wrote to memory of 448	1040	Flaretest.exe	57
PID 448 wrote to memory of 2252	448	cmd.exe	59
PID 448 wrote to memory of 2252	448	cmd.exe	59
PID 448 wrote to memory of 2252	448	cmd.exe	59
PID 448 wrote to memory of 2264	448	cmd.exe	60
PID 448 wrote to memory of 2264	448	cmd.exe	60
PID 448 wrote to memory of 2264	448	cmd.exe	60
PID 448 wrote to memory of 928	448	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2476
- C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2740
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\CIZgi4uYAoiC.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2840
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2928
  - - C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1048
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2656
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\B55nQC2rJcBr.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2184
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1008
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2828
      - C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2320
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JhJg32SENOVi.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2076
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2112
        
        C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1652
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7M5igSCqjmSV.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2252
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2264
        
        C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:928
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1344
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\W3YyS1SmYg6p.bat" "
        11⤵
        
        PID:1340
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2544
        
        C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2152
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2288
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pxUM6Ib8BToy.bat" "
        13⤵
        
        PID:884
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1736
        
        C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2476
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2280
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SVKOWDpW6en3.bat" "
        15⤵
        
        PID:2836
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2892
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2652
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2616
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Oi3r3JnuSDHX.bat" "
        17⤵
        
        PID:2628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1984
        
        C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2680
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2876
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wJp7zXevpAFF.bat" "
        19⤵
        
        PID:536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1960
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:804
        
        C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:388
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2104
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3inyZutgt4NK.bat" "
        21⤵
        
        PID:2596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1548
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2252
        
        C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1188
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1888
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\m7nHoRQzIthJ.bat" "
        23⤵
        
        PID:1356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1640
        
        C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1340
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2512
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PY5idKesm2Nt.bat" "
        25⤵
        
        PID:2440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2376
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3inyZutgt4NK.bat

Filesize
210B

MD5
3916e8b8b91064b4a3db93b801f1959c

SHA1
34faef94bd6ab036f509ce1f05fc82db49d79470

SHA256
56e95b0aff2bf473dd1d804336f4390c2e5a78ad782c8124cfa9a49952e30e1f

SHA512
c96f825ef798e20f368115640fc379a07642d614731a66b4a4987ba6b9e5affa4cea831d198e2440fcc33ba7f656d85bfbc3caede37302a3a25379fc36fa36ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7M5igSCqjmSV.bat

Filesize
210B

MD5
7a27b3be99d56692966bcf6003fba4fa

SHA1
e2523325a3671458a159419eed421940de699ed2

SHA256
2f25e643e21431ef5e99b1b3071da52869dd0278658be0a242b63f11f9d98c07

SHA512
f8257ade7bd67ad8747508b90ec79649e46d575a83dbe09d510e1ac7d9b1028fbc5947176b6d67367da58ff17be0297630b0ea011b3a6acff5498e6e09a0ac80

Download Submit
C:\Users\Admin\AppData\Local\Temp\B55nQC2rJcBr.bat

Filesize
210B

MD5
5e2213c89258e66ab473ef6fdb2a3b9d

SHA1
010e531a5a7ced603e3ffb363ec5e349d4a334ae

SHA256
326cd3e50599ba28a6f0008f23dac2cf68dca16b12c730dfefbc05c745010ae4

SHA512
5272f57e63cc31da21b15b51171710f8b86e3613b5cfc8337a8428fa026fa776b1550f867a95012b2aedebe0903d3126c82161da6628e08d7f91a1253e279e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIZgi4uYAoiC.bat

Filesize
210B

MD5
8f4927742f02f90d58c291cb61408883

SHA1
37ed5cf0a558d5dcaea67d95753bcde037890195

SHA256
043355de7678002af5f8a520c043cbf7c9c24fc67c0215847499fd791ae2f572

SHA512
153842d776a83396fbb85a8617bb0469a32fee8897cafda1b5654ab34fc0739bc7edcde2a73d65917891a71f778174ef59458588f35efca75a90b0a4a582a40a

Download Submit
C:\Users\Admin\AppData\Local\Temp\JhJg32SENOVi.bat

Filesize
210B

MD5
1668ad9250c2c1ddb6341ab1ebdf49c1

SHA1
3a1f7cef743855594c9c2fffad48df4dfdb0aaf6

SHA256
26418f49acce94660c59420eaa3f6d13dee5ee47b059ec042a5970411241edce

SHA512
f38deb367b4735d9f9b037075620633f728878b30260af3d7c83eeceeb39e3c7263088ee34ff9aebccefd766c92b17ea5e5c79c6ca9edd1eeb16a0f9c3ee2239

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oi3r3JnuSDHX.bat

Filesize
210B

MD5
4c9d384f86e753774025bc7741875334

SHA1
5e4745e93995c16eabed11073df4a94ca76f51cf

SHA256
42337ff65aff88c16dc5e5edc4a70d529cdf9701a7d904f6e8adeee4b4afd8b4

SHA512
e3f82a74bc55104c27c309057f3f388885d232db53b440cb1b1fbbf30c818330e5905ce14777f9f63ea6a3fcdf013a048bd0500adc6f0a89616d8eb91e71f1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\PY5idKesm2Nt.bat

Filesize
210B

MD5
479f2c6f3e5999cabdd075167ff01130

SHA1
47cb4d94ce1c2f14c95c8339923b38ff76d26507

SHA256
356df629efe510daabc1c48767410826b9faccb224ac235ffffa0d6efb519394

SHA512
845d970fee97f254443ec15fb6517bb251132aeea67c2e172a0225b341e5d39ad81e3f45f582f5263bde13b94f9e47a62abfdce2f4de105bb83c8acb8501208a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVKOWDpW6en3.bat

Filesize
210B

MD5
dcb616a9afded8274d29420b716cde4e

SHA1
5a7c43d59cf87e09974cc79b5ae1dcd1a115a658

SHA256
0ec50eb1b92d367f78fcb97b7546e0b2e68d279700c5b69e2c1b9bd75c0fca2c

SHA512
4534c71347835654a4abd62bc6c71e48c0c09c732d9639ca490c603017a84103a58b7a65e9bb3ef5b0e7670838204bb01c5ee80126c2cedadd6fba0fe908ae79

Download Submit
C:\Users\Admin\AppData\Local\Temp\W3YyS1SmYg6p.bat

Filesize
210B

MD5
55a206f5255a5698c23d7d5f6561fc39

SHA1
c5dc3c0cb5858ed27493e42390019d4077a75c4b

SHA256
14b8728585337beacf820602aa6e3891ba1c5649eb0161c406aa0239b2ad0136

SHA512
66273691f8299d9da35b46e9323b586b0aaf7ef5e220adad0249585146e6a27f36c076ef9106e00e55ccc70f41b55393fe84fe65e31e287cd7f3e4f36f9aeff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\m7nHoRQzIthJ.bat

Filesize
210B

MD5
924230cbdbaa013784f9e0b078e8e937

SHA1
237cf9c4431ba2c70b7bb30a7d13996e32722b0b

SHA256
bc207afc138f78b53962d8efc98b2a9b2cd71a31278a940db615c3e84dad30f0

SHA512
2cdc5bed87917dfbc4e891b8275d3db005c6a305df4c434302e462b0c66c987c466a1e8d80fb6f67db733b7b8e753d996560ed58fb10f0710cfd57b168cd7b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxUM6Ib8BToy.bat

Filesize
210B

MD5
ab70d77fa7440c11cfc7b9d84af4948d

SHA1
5f6433628beed62412de21ead846e19331307218

SHA256
9d14cc87a24c00eb152cfb39c0ae3917102b7199d323bf216d7c55f0684d11ac

SHA512
864f5128d77f2c93fc8c418948552bd823474f7d516bce7945b58a4344e0cdda7fbfc79300142d56f05f279bf500ec5054b764793861685cd2549a9cab2e1a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wJp7zXevpAFF.bat

Filesize
210B

MD5
505563347992e4c9c6827d635093f5e5

SHA1
aa1bee2ca8d9300f878c188cf6bb4c9790060b07

SHA256
e5d9c6ba71003db2055680f9350f4d468baf0541878c39fe4889d36ba74ba2c4

SHA512
72bbc6c0667648262536c238b6120e80f7756e8a1fe3964744e529fc47d1bd9605f49809f94b2f4fe28af36cb6cd49d725a81e429bb762c288372b23ddf3f91d

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe

Filesize
3.1MB

MD5
8b4c57a61e6c5676459af46e842c6515

SHA1
4fdd72e3c52357b8d73bfd6e41ed23900c53b864

SHA256
df3a935152015d9e0936d40f78012b2ecdd14c1fb1d58305f7e815f4ed1fefce

SHA512
0168318edff24ad03e6105e9dd9e6f430526f9b39b9d324fd43d690877a9b0e3bb08fdb8f572f6223186c9bd7ef1da1e59dd75caecbac0c0c2d979bacb8b08fe

Download Submit
memory/928-55-0x0000000000990000-0x0000000000CB4000-memory.dmp

Filesize
3.1MB

Download
memory/1040-44-0x0000000000090000-0x00000000003B4000-memory.dmp

Filesize
3.1MB

Download
memory/1048-22-0x0000000000FC0000-0x00000000012E4000-memory.dmp

Filesize
3.1MB

Download
memory/1188-122-0x0000000000160000-0x0000000000484000-memory.dmp

Filesize
3.1MB

Download
memory/1340-133-0x00000000008D0000-0x0000000000BF4000-memory.dmp

Filesize
3.1MB

Download
memory/1644-7-0x000007FEF5DE0000-0x000007FEF67CC000-memory.dmp

Filesize
9.9MB

Download
memory/1644-0-0x000007FEF5DE3000-0x000007FEF5DE4000-memory.dmp

Filesize
4KB

Download
memory/1644-1-0x0000000000FF0000-0x0000000001314000-memory.dmp

Filesize
3.1MB

Download
memory/1644-2-0x000007FEF5DE0000-0x000007FEF67CC000-memory.dmp

Filesize
9.9MB

Download
memory/2152-67-0x0000000000DB0000-0x00000000010D4000-memory.dmp

Filesize
3.1MB

Download
memory/2476-78-0x00000000010A0000-0x00000000013C4000-memory.dmp

Filesize
3.1MB

Download
memory/2652-90-0x0000000001160000-0x0000000001484000-memory.dmp

Filesize
3.1MB

Download
memory/2920-19-0x000007FEF5DE0000-0x000007FEF67CC000-memory.dmp

Filesize
9.9MB

Download
memory/2920-10-0x000007FEF5DE0000-0x000007FEF67CC000-memory.dmp

Filesize
9.9MB

Download
memory/2920-8-0x0000000000C50000-0x0000000000F74000-memory.dmp

Filesize
3.1MB

Download
memory/2920-9-0x000007FEF5DE0000-0x000007FEF67CC000-memory.dmp

Filesize
9.9MB

Download
memory/2932-33-0x0000000000330000-0x0000000000654000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads