quasar | df3a935152015d9e0936d40f78012b2ecdd14c1fb1d58305f7e815f4ed1fefce

Analysis

max time kernel
128s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2025 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

8b4c57a61e6c5676459af46e842c6515
SHA1

4fdd72e3c52357b8d73bfd6e41ed23900c53b864
SHA256

df3a935152015d9e0936d40f78012b2ecdd14c1fb1d58305f7e815f4ed1fefce
SHA512

0168318edff24ad03e6105e9dd9e6f430526f9b39b9d324fd43d690877a9b0e3bb08fdb8f572f6223186c9bd7ef1da1e59dd75caecbac0c0c2d979bacb8b08fe
SSDEEP

49152:6vAt62XlaSFNWPjljiFa2RoUYI48RJ6bbR3LoGd8QGTHHB72eh2NT:6vs62XlaSFNWPjljiFXRoUYI48RJ6t

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

sigma:4782

Mutex

dcd58018-6881-4bdc-ada3-43241c4a02d7

Attributes

encryption_key
2F0E0A6E0184EFAA28DCBF2BCF17796A6A6FA235
install_name
Flaretest.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2640-1-0x0000000000940000-0x0000000000C64000-memory.dmp	family_quasar
behavioral2/files/0x0008000000023bc3-5.dat	family_quasar

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Flaretest.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Flaretest.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Flaretest.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Flaretest.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Flaretest.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Flaretest.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Flaretest.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Flaretest.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Flaretest.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Flaretest.exe

Executes dropped EXE 11 IoCs

pid	Process
1320	Flaretest.exe
1964	Flaretest.exe
3492	Flaretest.exe
4164	Flaretest.exe
3264	Flaretest.exe
3992	Flaretest.exe
1780	Flaretest.exe
4620	Flaretest.exe
4968	Flaretest.exe
4252	Flaretest.exe
2348	Flaretest.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4960	PING.EXE
4732	PING.EXE
3044	PING.EXE
2468	PING.EXE
2620	PING.EXE
4576	PING.EXE
3208	PING.EXE
208	PING.EXE
3120	PING.EXE
3844	PING.EXE

Runs ping.exe 1 TTPs 10 IoCs

Remote System Discovery

T1018

pid	Process
2468	PING.EXE
4576	PING.EXE
3120	PING.EXE
3844	PING.EXE
3044	PING.EXE
4732	PING.EXE
2620	PING.EXE
3208	PING.EXE
208	PING.EXE
4960	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4836	schtasks.exe
4972	schtasks.exe
1700	schtasks.exe
384	schtasks.exe
4576	schtasks.exe
4376	schtasks.exe
5036	schtasks.exe
4260	schtasks.exe
1352	schtasks.exe
428	schtasks.exe
2620	schtasks.exe
1556	schtasks.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2640	Client-built.exe
Token: SeDebugPrivilege	1320	Flaretest.exe
Token: SeDebugPrivilege	1964	Flaretest.exe
Token: SeDebugPrivilege	3492	Flaretest.exe
Token: SeDebugPrivilege	4164	Flaretest.exe
Token: SeDebugPrivilege	3264	Flaretest.exe
Token: SeDebugPrivilege	3992	Flaretest.exe
Token: SeDebugPrivilege	1780	Flaretest.exe
Token: SeDebugPrivilege	4620	Flaretest.exe
Token: SeDebugPrivilege	4968	Flaretest.exe
Token: SeDebugPrivilege	4252	Flaretest.exe
Token: SeDebugPrivilege	2348	Flaretest.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
1320	Flaretest.exe
1964	Flaretest.exe
3492	Flaretest.exe
4164	Flaretest.exe
3264	Flaretest.exe
3992	Flaretest.exe
1780	Flaretest.exe
4620	Flaretest.exe
4968	Flaretest.exe
4252	Flaretest.exe
2348	Flaretest.exe

Suspicious use of SendNotifyMessage 11 IoCs

pid	Process
1320	Flaretest.exe
1964	Flaretest.exe
3492	Flaretest.exe
4164	Flaretest.exe
3264	Flaretest.exe
3992	Flaretest.exe
1780	Flaretest.exe
4620	Flaretest.exe
4968	Flaretest.exe
4252	Flaretest.exe
2348	Flaretest.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1320	Flaretest.exe
1964	Flaretest.exe
3492	Flaretest.exe
4164	Flaretest.exe
3264	Flaretest.exe
3992	Flaretest.exe
1780	Flaretest.exe
4620	Flaretest.exe
4968	Flaretest.exe
4252	Flaretest.exe
2348	Flaretest.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 1700	2640	Client-built.exe	82
PID 2640 wrote to memory of 1700	2640	Client-built.exe	82
PID 2640 wrote to memory of 1320	2640	Client-built.exe	85
PID 2640 wrote to memory of 1320	2640	Client-built.exe	85
PID 1320 wrote to memory of 384	1320	Flaretest.exe	86
PID 1320 wrote to memory of 384	1320	Flaretest.exe	86
PID 1320 wrote to memory of 3676	1320	Flaretest.exe	88
PID 1320 wrote to memory of 3676	1320	Flaretest.exe	88
PID 3676 wrote to memory of 816	3676	cmd.exe	90
PID 3676 wrote to memory of 816	3676	cmd.exe	90
PID 3676 wrote to memory of 3120	3676	cmd.exe	91
PID 3676 wrote to memory of 3120	3676	cmd.exe	91
PID 3676 wrote to memory of 1964	3676	cmd.exe	92
PID 3676 wrote to memory of 1964	3676	cmd.exe	92
PID 1964 wrote to memory of 1352	1964	Flaretest.exe	93
PID 1964 wrote to memory of 1352	1964	Flaretest.exe	93
PID 1964 wrote to memory of 4360	1964	Flaretest.exe	97
PID 1964 wrote to memory of 4360	1964	Flaretest.exe	97
PID 4360 wrote to memory of 2248	4360	cmd.exe	99
PID 4360 wrote to memory of 2248	4360	cmd.exe	99
PID 4360 wrote to memory of 3208	4360	cmd.exe	100
PID 4360 wrote to memory of 3208	4360	cmd.exe	100
PID 4360 wrote to memory of 3492	4360	cmd.exe	106
PID 4360 wrote to memory of 3492	4360	cmd.exe	106
PID 3492 wrote to memory of 4576	3492	Flaretest.exe	107
PID 3492 wrote to memory of 4576	3492	Flaretest.exe	107
PID 3492 wrote to memory of 1608	3492	Flaretest.exe	109
PID 3492 wrote to memory of 1608	3492	Flaretest.exe	109
PID 1608 wrote to memory of 2012	1608	cmd.exe	112
PID 1608 wrote to memory of 2012	1608	cmd.exe	112
PID 1608 wrote to memory of 208	1608	cmd.exe	113
PID 1608 wrote to memory of 208	1608	cmd.exe	113
PID 1608 wrote to memory of 4164	1608	cmd.exe	120
PID 1608 wrote to memory of 4164	1608	cmd.exe	120
PID 4164 wrote to memory of 428	4164	Flaretest.exe	121
PID 4164 wrote to memory of 428	4164	Flaretest.exe	121
PID 4164 wrote to memory of 4408	4164	Flaretest.exe	123
PID 4164 wrote to memory of 4408	4164	Flaretest.exe	123
PID 4408 wrote to memory of 4224	4408	cmd.exe	125
PID 4408 wrote to memory of 4224	4408	cmd.exe	125
PID 4408 wrote to memory of 4960	4408	cmd.exe	126
PID 4408 wrote to memory of 4960	4408	cmd.exe	126
PID 4408 wrote to memory of 3264	4408	cmd.exe	127
PID 4408 wrote to memory of 3264	4408	cmd.exe	127
PID 3264 wrote to memory of 2620	3264	Flaretest.exe	128
PID 3264 wrote to memory of 2620	3264	Flaretest.exe	128
PID 3264 wrote to memory of 1656	3264	Flaretest.exe	130
PID 3264 wrote to memory of 1656	3264	Flaretest.exe	130
PID 1656 wrote to memory of 4396	1656	cmd.exe	132
PID 1656 wrote to memory of 4396	1656	cmd.exe	132
PID 1656 wrote to memory of 3844	1656	cmd.exe	133
PID 1656 wrote to memory of 3844	1656	cmd.exe	133
PID 1656 wrote to memory of 3992	1656	cmd.exe	134
PID 1656 wrote to memory of 3992	1656	cmd.exe	134
PID 3992 wrote to memory of 4376	3992	Flaretest.exe	135
PID 3992 wrote to memory of 4376	3992	Flaretest.exe	135
PID 3992 wrote to memory of 2820	3992	Flaretest.exe	137
PID 3992 wrote to memory of 2820	3992	Flaretest.exe	137
PID 2820 wrote to memory of 2836	2820	cmd.exe	139
PID 2820 wrote to memory of 2836	2820	cmd.exe	139
PID 2820 wrote to memory of 4732	2820	cmd.exe	140
PID 2820 wrote to memory of 4732	2820	cmd.exe	140
PID 2820 wrote to memory of 1780	2820	cmd.exe	141
PID 2820 wrote to memory of 1780	2820	cmd.exe	141

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1700
- C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYTYb0oxF1jQ.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3676
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:816
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3120
  - - C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1964
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1352
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ir9R3Ab7s8fX.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4360
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2248
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3208
      - C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pZCKi5U2i41Z.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2012
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:208
        
        C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\44InnecQ9Yrj.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4224
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4960
        
        C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iDI6pQImu7n1.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4396
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3844
        
        C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hj6sLpcEaTbH.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4732
        
        C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1780
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\869sMiwKMDVx.bat" "
        15⤵
        
        PID:216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4808
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3044
        
        C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4620
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2wTVIZl0B2vN.bat" "
        17⤵
        
        PID:2708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2468
        
        C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4968
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6DCLjml7gJcL.bat" "
        19⤵
        
        PID:2016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2620
        
        C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4252
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWrL8QzPsvJd.bat" "
        21⤵
        
        PID:1364
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4576
        
        C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2348
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Flaretest.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2wTVIZl0B2vN.bat

Filesize
210B

MD5
8f940fa0d4cf2ca68d2bf5904da2b472

SHA1
c3bc67db78e49bd1892319bba501ed49b17bbc3d

SHA256
c8e910bb76e9ed1867ea61fe33d25acdb2947b2f581603bdd69c0282eb9b4ee9

SHA512
4076dd5ff3ffb24fa951ec5ed233b8058d4a32edccd62a68effbb5ed28230634b1e5f2be6fdefd1cf69ea7e8b2d6600c7823627e54261efb3e3387c9f48f7fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\44InnecQ9Yrj.bat

Filesize
210B

MD5
80a5b93de4fced7f6fe2977a398e98f3

SHA1
987664d72c6f1f5583882e4d24807090c2a77d80

SHA256
4f23310b189f8a722d8bddf98cfdb9a4e409302702adc19f3b3b71bc9609b04e

SHA512
1bd2f73645375d4f3ddc011fba67054ed28d7e3cbce0bb559634fac92d6eb20e6e0bbae2a17673739af332ab2e50a4e7204bb18a9e50ac8176a87f398d52aa03

Download Submit
C:\Users\Admin\AppData\Local\Temp\6DCLjml7gJcL.bat

Filesize
210B

MD5
6b0704757026e26c0cc12e8dd9c2fb14

SHA1
6821d140a2f1de4b9fda2c9716e428b95be2ed92

SHA256
a659070e1cfb3adcb39ce6390684ed2389acfcb523d50a33675e9b3dea0c326a

SHA512
5d52e8a830bcfce2dd998fb6368dc1a38ef402c4451c3b989a9c9b9ae07b1a8a425f143b76da4daec67f9ed04589e5ead254c28b49e6f747c3acaf486436472b

Download Submit
C:\Users\Admin\AppData\Local\Temp\869sMiwKMDVx.bat

Filesize
210B

MD5
1112a0092882e989b8c925b627257ae1

SHA1
d603d664715286faa1660f32b69023a0226a790b

SHA256
ddaa59e29892befa4f3fa44fb898c7316bd87d187df7276d1e5216381cdd1754

SHA512
2cbf7db150edd4d37257a54cb85b666474450e330786eb1368c7475ac2e6791f9b8c97e01ae7026bf5de4b95be53b9109ebf21a1e979e76d13f166c0b8faea8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hj6sLpcEaTbH.bat

Filesize
210B

MD5
0233682e6ccf1685e036669cf7a34ac1

SHA1
68ad535968b050c00dd457ac9f6a856fd3e0df31

SHA256
7848fc0cab7bf61ec546247954277cfbe778f3cdddc043e13417b3ac2513241c

SHA512
aa7761e9cd18c950502cc3b376046ce9308dfeb8e06d47d77daf5ce10d1bb890e761d59ce24c49f43e220685730fd351fa1eb3695db6678e941c3105a91d37d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\PYTYb0oxF1jQ.bat

Filesize
210B

MD5
ac0b7d56deb4cc3e13e83fd4d457b6be

SHA1
3f590c725d9a331920d454aea2f0c7dbb1c19311

SHA256
93dceefe1c502c02f84cacc8c61385c964570c1f6ec3f9bbfde150ce9b70b5b9

SHA512
de07789450e086f00d6bd705d83aec8a5cb479d1489d6828f3d5bc328454a3b1aeb073d393b90e48133f4f76036b6eeced3664a8c6a0b52ef84d51567129b46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WWrL8QzPsvJd.bat

Filesize
210B

MD5
818dfa9342a75f957e965498dcbb2709

SHA1
bc67d0e47a9109e4742dd5f1454082c6e571e92c

SHA256
f49991ce2e602aa5242fa6b5a6fb8355740e68dadc8fe7a4e1212ac2635658d3

SHA512
f6a46496f5535f9a21e336459bad933dcec7f23bb9c5cb51311e346310e997d626291789972f76aee42dce9114ab9e3a1973476998c7eaa900a33cf1a7d30a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iDI6pQImu7n1.bat

Filesize
210B

MD5
c3859307ef39fb4042d643de3ec943dc

SHA1
51f9e819498c8dbd812075e57b864abfd55611e1

SHA256
6e97374f6cf2911d57ff6c2b5bb4aec73f9b1cdb3921d13aeab9bcb56c7cca4c

SHA512
dc23760d65c4baaec7d94ebc3684fd98adaf2e5a6d405c4ff31ceb20c026c9d97d53efb2f0ce6dffedb85171755c6e66cb6ba24fb7380c7f325b2c061c330693

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir9R3Ab7s8fX.bat

Filesize
210B

MD5
648268a1e4c70407ff8cc2b013e8884b

SHA1
89794b9d3944c890a064c63ea5ad13e0c3f7dfea

SHA256
556c1ccae00c4bf0a5400ec261d25d20b890be2c1bde47c1d0547ffabad915d6

SHA512
f2f7d0934f778f5b3df417c95b33218ecdabd229cd8a242e6f92e3023c0ccc9297fcc54fc216104aadca13e7c3d24df39e2caaea4d43b162a61bfceafc1907bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pZCKi5U2i41Z.bat

Filesize
210B

MD5
b1a908e2501546848426c0bd3741ae52

SHA1
ae54ff7434c29cdee1e8992f90d2d2e23246f229

SHA256
bd60cf7f2b4b0ca3d09e0fffbb04ec2afccdaf6e792c4acdbefb53fa536ddd12

SHA512
90354a567bedd265bf99a7ec7cb928b68d7c99768992857412d5026b207b1fa170dd55f03d53cf7246746f32b398911938acf15596cfdc5271409d3b0b6e76a3

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe

Filesize
3.1MB

MD5
8b4c57a61e6c5676459af46e842c6515

SHA1
4fdd72e3c52357b8d73bfd6e41ed23900c53b864

SHA256
df3a935152015d9e0936d40f78012b2ecdd14c1fb1d58305f7e815f4ed1fefce

SHA512
0168318edff24ad03e6105e9dd9e6f430526f9b39b9d324fd43d690877a9b0e3bb08fdb8f572f6223186c9bd7ef1da1e59dd75caecbac0c0c2d979bacb8b08fe

Download Submit
memory/1320-9-0x00007FFCD91D0000-0x00007FFCD9C91000-memory.dmp

Filesize
10.8MB

Download
memory/1320-18-0x00007FFCD91D0000-0x00007FFCD9C91000-memory.dmp

Filesize
10.8MB

Download
memory/1320-12-0x000000001DF40000-0x000000001DFF2000-memory.dmp

Filesize
712KB

Download
memory/1320-11-0x000000001DE30000-0x000000001DE80000-memory.dmp

Filesize
320KB

Download
memory/1320-10-0x00007FFCD91D0000-0x00007FFCD9C91000-memory.dmp

Filesize
10.8MB

Download
memory/2640-0-0x00007FFCD91D3000-0x00007FFCD91D5000-memory.dmp

Filesize
8KB

Download
memory/2640-8-0x00007FFCD91D0000-0x00007FFCD9C91000-memory.dmp

Filesize
10.8MB

Download
memory/2640-2-0x00007FFCD91D0000-0x00007FFCD9C91000-memory.dmp

Filesize
10.8MB

Download
memory/2640-1-0x0000000000940000-0x0000000000C64000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads