quasar | ccb74c64a45f838a6e7403d976d9b2d82afe40d96dc08952e6a374d8af3f09dd

Analysis

max time kernel
145s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/01/2025, 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

7dbac71bcc7920b66e8c4fc04fbc30dd
SHA1

c746b4358c2a15765a010c1890979239f152d6f7
SHA256

ccb74c64a45f838a6e7403d976d9b2d82afe40d96dc08952e6a374d8af3f09dd
SHA512

56ffa2c92d97ef6b247db44225f659d8894f0c4c1134a8376346eb8f0a36bbb3331803752b8e24ada28dc554ef14d2098627ae751152b9eba956bb5e4d7c0c24
SSDEEP

49152:bvylL26AaNeWgPhlmVqvMQ7XSKB4RJ6kbR3LoGdXdTHHB72eh2NT:bvqL26AaNeWgPhlmVqkQ7XSKB4RJ6uH

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

hojex31104-23437.portmap.host:23437

Mutex

de505f8f-b6d9-44cb-b9ce-7e2f491eb29e

Attributes

encryption_key
D9C52C486698B9297B9AC8B87A65EA67135BE386
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 13 IoCs

resource	yara_rule
behavioral1/memory/2956-1-0x0000000000A40000-0x0000000000D64000-memory.dmp	family_quasar
behavioral1/files/0x0008000000016eca-5.dat	family_quasar
behavioral1/memory/2204-8-0x0000000000D00000-0x0000000001024000-memory.dmp	family_quasar
behavioral1/memory/2704-22-0x00000000003C0000-0x00000000006E4000-memory.dmp	family_quasar
behavioral1/memory/792-34-0x0000000000020000-0x0000000000344000-memory.dmp	family_quasar
behavioral1/memory/2876-46-0x0000000001070000-0x0000000001394000-memory.dmp	family_quasar
behavioral1/memory/2224-57-0x00000000002E0000-0x0000000000604000-memory.dmp	family_quasar
behavioral1/memory/1324-69-0x00000000003B0000-0x00000000006D4000-memory.dmp	family_quasar
behavioral1/memory/1552-80-0x0000000000EF0000-0x0000000001214000-memory.dmp	family_quasar
behavioral1/memory/2356-103-0x0000000000240000-0x0000000000564000-memory.dmp	family_quasar
behavioral1/memory/2088-116-0x0000000000E00000-0x0000000001124000-memory.dmp	family_quasar
behavioral1/memory/396-139-0x00000000000A0000-0x00000000003C4000-memory.dmp	family_quasar
behavioral1/memory/2228-150-0x0000000001240000-0x0000000001564000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2204	Client.exe
2704	Client.exe
792	Client.exe
2876	Client.exe
2224	Client.exe
1324	Client.exe
1552	Client.exe
2956	Client.exe
2356	Client.exe
2088	Client.exe
2404	Client.exe
396	Client.exe
2228	Client.exe
3008	Client.exe
1028	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2364	PING.EXE
2016	PING.EXE
2256	PING.EXE
2424	PING.EXE
2416	PING.EXE
2248	PING.EXE
2812	PING.EXE
2652	PING.EXE
868	PING.EXE
1484	PING.EXE
276	PING.EXE
1684	PING.EXE
936	PING.EXE
2684	PING.EXE
1756	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2812	PING.EXE
2424	PING.EXE
1484	PING.EXE
936	PING.EXE
1684	PING.EXE
2684	PING.EXE
2652	PING.EXE
2016	PING.EXE
276	PING.EXE
2416	PING.EXE
1756	PING.EXE
2248	PING.EXE
2364	PING.EXE
2256	PING.EXE
868	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2544	schtasks.exe
2068	schtasks.exe
2740	schtasks.exe
2500	schtasks.exe
2112	schtasks.exe
992	schtasks.exe
2248	schtasks.exe
276	schtasks.exe
2752	schtasks.exe
2264	schtasks.exe
2468	schtasks.exe
2208	schtasks.exe
1056	schtasks.exe
496	schtasks.exe
2820	schtasks.exe
2360	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	Client-built.exe
Token: SeDebugPrivilege	2204	Client.exe
Token: SeDebugPrivilege	2704	Client.exe
Token: SeDebugPrivilege	792	Client.exe
Token: SeDebugPrivilege	2876	Client.exe
Token: SeDebugPrivilege	2224	Client.exe
Token: SeDebugPrivilege	1324	Client.exe
Token: SeDebugPrivilege	1552	Client.exe
Token: SeDebugPrivilege	2956	Client.exe
Token: SeDebugPrivilege	2356	Client.exe
Token: SeDebugPrivilege	2088	Client.exe
Token: SeDebugPrivilege	2404	Client.exe
Token: SeDebugPrivilege	396	Client.exe
Token: SeDebugPrivilege	2228	Client.exe
Token: SeDebugPrivilege	3008	Client.exe
Token: SeDebugPrivilege	1028	Client.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2204	Client.exe
2704	Client.exe
792	Client.exe
2876	Client.exe
2224	Client.exe
1324	Client.exe
1552	Client.exe
2956	Client.exe
2356	Client.exe
2088	Client.exe
2404	Client.exe
396	Client.exe
2228	Client.exe
3008	Client.exe
1028	Client.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2204	Client.exe
2704	Client.exe
792	Client.exe
2876	Client.exe
2224	Client.exe
1324	Client.exe
1552	Client.exe
2956	Client.exe
2356	Client.exe
2088	Client.exe
2404	Client.exe
396	Client.exe
2228	Client.exe
3008	Client.exe
1028	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2204	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2248	2956	Client-built.exe	31
PID 2956 wrote to memory of 2248	2956	Client-built.exe	31
PID 2956 wrote to memory of 2248	2956	Client-built.exe	31
PID 2956 wrote to memory of 2204	2956	Client-built.exe	33
PID 2956 wrote to memory of 2204	2956	Client-built.exe	33
PID 2956 wrote to memory of 2204	2956	Client-built.exe	33
PID 2204 wrote to memory of 2208	2204	Client.exe	34
PID 2204 wrote to memory of 2208	2204	Client.exe	34
PID 2204 wrote to memory of 2208	2204	Client.exe	34
PID 2204 wrote to memory of 2660	2204	Client.exe	36
PID 2204 wrote to memory of 2660	2204	Client.exe	36
PID 2204 wrote to memory of 2660	2204	Client.exe	36
PID 2660 wrote to memory of 2900	2660	cmd.exe	38
PID 2660 wrote to memory of 2900	2660	cmd.exe	38
PID 2660 wrote to memory of 2900	2660	cmd.exe	38
PID 2660 wrote to memory of 2652	2660	cmd.exe	39
PID 2660 wrote to memory of 2652	2660	cmd.exe	39
PID 2660 wrote to memory of 2652	2660	cmd.exe	39
PID 2660 wrote to memory of 2704	2660	cmd.exe	40
PID 2660 wrote to memory of 2704	2660	cmd.exe	40
PID 2660 wrote to memory of 2704	2660	cmd.exe	40
PID 2704 wrote to memory of 2544	2704	Client.exe	41
PID 2704 wrote to memory of 2544	2704	Client.exe	41
PID 2704 wrote to memory of 2544	2704	Client.exe	41
PID 2704 wrote to memory of 2508	2704	Client.exe	43
PID 2704 wrote to memory of 2508	2704	Client.exe	43
PID 2704 wrote to memory of 2508	2704	Client.exe	43
PID 2508 wrote to memory of 320	2508	cmd.exe	45
PID 2508 wrote to memory of 320	2508	cmd.exe	45
PID 2508 wrote to memory of 320	2508	cmd.exe	45
PID 2508 wrote to memory of 2364	2508	cmd.exe	46
PID 2508 wrote to memory of 2364	2508	cmd.exe	46
PID 2508 wrote to memory of 2364	2508	cmd.exe	46
PID 2508 wrote to memory of 792	2508	cmd.exe	47
PID 2508 wrote to memory of 792	2508	cmd.exe	47
PID 2508 wrote to memory of 792	2508	cmd.exe	47
PID 792 wrote to memory of 2068	792	Client.exe	48
PID 792 wrote to memory of 2068	792	Client.exe	48
PID 792 wrote to memory of 2068	792	Client.exe	48
PID 792 wrote to memory of 1944	792	Client.exe	50
PID 792 wrote to memory of 1944	792	Client.exe	50
PID 792 wrote to memory of 1944	792	Client.exe	50
PID 1944 wrote to memory of 1440	1944	cmd.exe	52
PID 1944 wrote to memory of 1440	1944	cmd.exe	52
PID 1944 wrote to memory of 1440	1944	cmd.exe	52
PID 1944 wrote to memory of 2016	1944	cmd.exe	53
PID 1944 wrote to memory of 2016	1944	cmd.exe	53
PID 1944 wrote to memory of 2016	1944	cmd.exe	53
PID 1944 wrote to memory of 2876	1944	cmd.exe	54
PID 1944 wrote to memory of 2876	1944	cmd.exe	54
PID 1944 wrote to memory of 2876	1944	cmd.exe	54
PID 2876 wrote to memory of 2740	2876	Client.exe	55
PID 2876 wrote to memory of 2740	2876	Client.exe	55
PID 2876 wrote to memory of 2740	2876	Client.exe	55
PID 2876 wrote to memory of 1668	2876	Client.exe	57
PID 2876 wrote to memory of 1668	2876	Client.exe	57
PID 2876 wrote to memory of 1668	2876	Client.exe	57
PID 1668 wrote to memory of 1328	1668	cmd.exe	59
PID 1668 wrote to memory of 1328	1668	cmd.exe	59
PID 1668 wrote to memory of 1328	1668	cmd.exe	59
PID 1668 wrote to memory of 2256	1668	cmd.exe	60
PID 1668 wrote to memory of 2256	1668	cmd.exe	60
PID 1668 wrote to memory of 2256	1668	cmd.exe	60
PID 1668 wrote to memory of 2224	1668	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2248
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2208
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\fyNOMULB4cls.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2900
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2652
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2544
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\L9zXF19ZOnOf.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2508
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:320
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2364
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2068
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lVHDMU8T2mDY.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1440
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2016
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2740
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zcXCt0QT3Lmy.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1328
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2256
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2224
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:276
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\o0R4N92AxMaP.bat" "
        11⤵
        
        PID:1572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1520
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2424
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1324
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1056
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\4DgNOA8COcc5.bat" "
        13⤵
        
        PID:2296
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1728
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1684
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1552
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2500
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gjsJQkzrfY6H.bat" "
        15⤵
        
        PID:2856
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2684
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2956
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2820
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bNfXFmAhPYlT.bat" "
        17⤵
        
        PID:1276
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2376
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:868
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2356
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2752
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JrvC18H6Rwtn.bat" "
        19⤵
        
        PID:2068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:484
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1484
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2088
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2360
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BtBKODOSzJA5.bat" "
        21⤵
        
        PID:2572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2428
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2416
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2404
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2112
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CrEbev4LIig6.bat" "
        23⤵
        
        PID:1668
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:276
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:396
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:992
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XeFFqBorwtBl.bat" "
        25⤵
        
        PID:2288
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2232
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1756
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2228
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2264
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OzUTh62K8vkV.bat" "
        27⤵
        
        PID:1508
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:936
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3008
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:496
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7m24ZvginIrB.bat" "
        29⤵
        
        PID:3056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1256
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2248
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1028
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2468
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wfuAAz1GP88v.bat" "
        31⤵
        
        PID:2684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4DgNOA8COcc5.bat

Filesize
207B

MD5
126498ddc162b72417e43aec125df530

SHA1
e73d80e956b8d12559f4badd9955f943bf9e16bc

SHA256
61ba972de895637a7c2e774c0bf04d7523e89c18ac3dd3930ece0a3c32f595fd

SHA512
8684155ff38f4856605b33446b4a509a2f81031bdcfe5ab97fe37bc7382dc52e2a93c7e518fc9fdead9d2d751123600c7a7d6d3807651f608262cb1470618f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\7m24ZvginIrB.bat

Filesize
207B

MD5
7d0ac6809355c9fc6a6248e659bec89a

SHA1
662bfce830e8c2bc057a65d96a94be1b2ab66653

SHA256
6996a99d59d745fc78f54725f6e41fea4138ebd288eb736461d0dba8282e4d10

SHA512
f644d3a1b908bb69153677255d24716205874cb51e82db097ec52c9ebc4dc50769196873ec67e5271ca39119ad62e50a28ab17698ff1cef43b56ae38b7b5180d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BtBKODOSzJA5.bat

Filesize
207B

MD5
a806453026d7da0305230a9317f3fbb6

SHA1
047bfa08c581d8cc5c02262584b3431129a0492a

SHA256
fcf5669ca851e7dfe315dd659f67f6e812c58932d3747dd66862f786935ef03c

SHA512
713605382285b5534b5b9ea8c32660607b2355503501fa36972cb6be3793e8afbaa7cc6fd065b8411bf927e01a8d37a3665505759711bb2c9e90618de08da57f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrEbev4LIig6.bat

Filesize
207B

MD5
447151e7774eece8d16403270a517458

SHA1
ae5765775e7deef8adb59001a7baa523df3abe29

SHA256
a8df1c317e84531cf0184ec91f15cbb1f2fac964788f6070398154fa82bb398b

SHA512
315df272c933bd4466db6a1bc5559fdea6aba2d81724f13c8760a99713f4ff17a1453ac9690e0414594dd682e61cdd63427a1799b6f2583b9280a7b43484a95d

Download Submit
C:\Users\Admin\AppData\Local\Temp\JrvC18H6Rwtn.bat

Filesize
207B

MD5
ad445c8a6765c543d1556f86094d164f

SHA1
0d18817474c9a05c6a7596bb72043b310d57ee2b

SHA256
088ce6944c6b91503f8c6ba76329b30a4b94ed67706c03b20771c419785ee282

SHA512
51398e250ab6da70724eb5d5a1b8041c7e128d66b6228ad9eedec20e26c879b01f0575dceffbbac7de4c0f37f42bfa5630478f6c3222c0d56ca9711925cd28b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\L9zXF19ZOnOf.bat

Filesize
207B

MD5
986d9fd8805cd52bf88fa7c9bf78da87

SHA1
e7e92753d0e4eb721be8df1ab3f8a941572d5fe0

SHA256
f29905ed2b71e16c296de1796a8684970a53bdf9e3accce62374f4645ebc9db8

SHA512
6b4dfe1f5affef710ac19021ac5e605b703239c793e7d0514777c223cc1c99d584955833c873ba146c4baa067e4cebc3e149d2de877df297b46f78cddac69146

Download Submit
C:\Users\Admin\AppData\Local\Temp\OzUTh62K8vkV.bat

Filesize
207B

MD5
2191cd48a03533bddb782702d981488c

SHA1
a097edbbe557c9f0108f1b6205677d7437e244c1

SHA256
bbc5c52f2b32ece6dd774a0296dda5917a99b7fce38695775ad6c1a9a8b12363

SHA512
be614b3c225f8a5f6dd6f8a35b3e7808d001a150d798f8b6aeaf05f6d99530fb191a09ed33eecdb1710c14d2253ec9863a47e8d145aff27fccc509cd81b5625f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XeFFqBorwtBl.bat

Filesize
207B

MD5
88913c5c0a0f045ba3eaf9400df305ca

SHA1
db6f6e3fd1cc3846a23b6c31299190be331ed785

SHA256
5ee45b6e35e76f4adaec1e82c048fb36d8729cfe1db06ddf70a80ed9c932c530

SHA512
95fa15e5f5d673fbd467bb24afcb031223f6d845e9d8c4ecf0b04b7b7b9394ac71510a4e84e5aab571970bc64f62cc4b5b7a8d9f0817847a617bf22507721ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\bNfXFmAhPYlT.bat

Filesize
207B

MD5
3ed6c30ca21f9d71d27254b48093f0fc

SHA1
2d8b05dc2bcceaed38fe629b4a1896de2c826b8d

SHA256
b7bb75e662a07be114e7b01ae30c6832b0691e2b7f96cff73c4b24ccdbd9eb5d

SHA512
012246621903ef7268bc998b3f58c8ab165a19a7bd83d5215ec11ebef3770d80ebb674590e16fd7869ace7e248e11ae10effd10ed49c9f178ed90d5b30098ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fyNOMULB4cls.bat

Filesize
207B

MD5
69280cbb34551b584b6e9aa3164e1b88

SHA1
a974862a2cbb10d843ee59fa8d19e9bbfffc3be6

SHA256
56eed181a6fb63a557330f740a4f08380bc1eb564f2d0f44c0d5466e13aef44f

SHA512
2ff924f2093b4de73be1388fd9fd9712be2d11f71a2f0f8efc6110f4f620b48301016f1e675e4505ef9b48df83d155a2947356b9f10228e71dfb596fcf130634

Download Submit
C:\Users\Admin\AppData\Local\Temp\gjsJQkzrfY6H.bat

Filesize
207B

MD5
38eb74a331de03c1ee36f6a21ce62837

SHA1
c5968541ba8658c0c52ca5ac96c5e13321847f82

SHA256
429c383b58de8d481a47d758cf50b6efe84535e4c21c955e10186a0926d809ef

SHA512
4684db58bea213f4bec3e2efedbe0091a8ac5022071cfeb3be2395aec0611aae8a3d29ff5589efb2a31f0163c601bdfeabee6b6174b957d0c6b87e6ca37761f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\lVHDMU8T2mDY.bat

Filesize
207B

MD5
538fca467389de2324bc937dff9a91af

SHA1
623064370b0d9434ab8acb7da1b2e515674d2e0c

SHA256
5f8ede5875957d8e4727098c7dfbacd69cdb334c8f382f41e2457eec746ad794

SHA512
e4fd96bc339c71de3ac0768a9bc264a74a5b6e9bfac1f8dcc87cf1c17a8730461379e4ac53ded44703293a8c2440a77582f72b822ce51f8e4f5d7c89380eeaec

Download Submit
C:\Users\Admin\AppData\Local\Temp\o0R4N92AxMaP.bat

Filesize
207B

MD5
682dae9f489db0da2e8263aabe4da7d7

SHA1
f482e34c2b67e9145dee7287a790600497eceec9

SHA256
f215fb32f6e34e9bf13532003cd4b36de7bf039a783aeea8537c4397255ae7af

SHA512
a7aa887f9ec3eda82bedff7fcc5a237fd1845cf9a49fcbfb28d7862c15ed32f65c003ea0a255b8b656078bb8045337bb2b098f206aafd4d6778bddedf565470d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wfuAAz1GP88v.bat

Filesize
207B

MD5
b89bd0220827bf046d280ade8a9f354d

SHA1
d9b9cd7b4845fa70a2dabf02cabdb4b938924260

SHA256
b82b98eab4645a256db026acebc11163bcd3dbb550d5782a8ebd35b9498a0998

SHA512
950440d3388ab33651107c31b30b19d80ce6accc69327ac9a65f97570d091e592dbccb090500efc13ebe08c1abad279c2060d15c5283601d9f17204e0de90b71

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcXCt0QT3Lmy.bat

Filesize
207B

MD5
1802036401542a782ff0fb8a309c55f0

SHA1
85d6b2c189983b43205c6e39120d0b8f178da545

SHA256
4005816791a08380effc7f275533e90e2d890671923e8b5ecdbd57b0d3349ba6

SHA512
091c85a492b7bf6d38534bb684253a9d448049055ac3b254013c7be16416a6392116f7373f73e1172a878eea2d20b969ba82de5afe72f6b5a18960b3a9ffe883

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
7dbac71bcc7920b66e8c4fc04fbc30dd

SHA1
c746b4358c2a15765a010c1890979239f152d6f7

SHA256
ccb74c64a45f838a6e7403d976d9b2d82afe40d96dc08952e6a374d8af3f09dd

SHA512
56ffa2c92d97ef6b247db44225f659d8894f0c4c1134a8376346eb8f0a36bbb3331803752b8e24ada28dc554ef14d2098627ae751152b9eba956bb5e4d7c0c24

Download Submit
memory/396-139-0x00000000000A0000-0x00000000003C4000-memory.dmp

Filesize
3.1MB

Download
memory/792-34-0x0000000000020000-0x0000000000344000-memory.dmp

Filesize
3.1MB

Download
memory/1324-69-0x00000000003B0000-0x00000000006D4000-memory.dmp

Filesize
3.1MB

Download
memory/1552-80-0x0000000000EF0000-0x0000000001214000-memory.dmp

Filesize
3.1MB

Download
memory/2088-116-0x0000000000E00000-0x0000000001124000-memory.dmp

Filesize
3.1MB

Download
memory/2204-10-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2204-19-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2204-8-0x0000000000D00000-0x0000000001024000-memory.dmp

Filesize
3.1MB

Download
memory/2204-7-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2224-57-0x00000000002E0000-0x0000000000604000-memory.dmp

Filesize
3.1MB

Download
memory/2228-150-0x0000000001240000-0x0000000001564000-memory.dmp

Filesize
3.1MB

Download
memory/2356-103-0x0000000000240000-0x0000000000564000-memory.dmp

Filesize
3.1MB

Download
memory/2704-22-0x00000000003C0000-0x00000000006E4000-memory.dmp

Filesize
3.1MB

Download
memory/2876-46-0x0000000001070000-0x0000000001394000-memory.dmp

Filesize
3.1MB

Download
memory/2956-9-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2956-0-0x000007FEF5E33000-0x000007FEF5E34000-memory.dmp

Filesize
4KB

Download
memory/2956-2-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2956-1-0x0000000000A40000-0x0000000000D64000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads