quasar | ccb74c64a45f838a6e7403d976d9b2d82afe40d96dc08952e6a374d8af3f09dd

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/01/2025, 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

7dbac71bcc7920b66e8c4fc04fbc30dd
SHA1

c746b4358c2a15765a010c1890979239f152d6f7
SHA256

ccb74c64a45f838a6e7403d976d9b2d82afe40d96dc08952e6a374d8af3f09dd
SHA512

56ffa2c92d97ef6b247db44225f659d8894f0c4c1134a8376346eb8f0a36bbb3331803752b8e24ada28dc554ef14d2098627ae751152b9eba956bb5e4d7c0c24
SSDEEP

49152:bvylL26AaNeWgPhlmVqvMQ7XSKB4RJ6kbR3LoGdXdTHHB72eh2NT:bvqL26AaNeWgPhlmVqkQ7XSKB4RJ6uH

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

hojex31104-23437.portmap.host:23437

Mutex

de505f8f-b6d9-44cb-b9ce-7e2f491eb29e

Attributes

encryption_key
D9C52C486698B9297B9AC8B87A65EA67135BE386
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 14 IoCs

resource	yara_rule
behavioral1/memory/2384-1-0x0000000000ED0000-0x00000000011F4000-memory.dmp	family_quasar
behavioral1/files/0x000a000000015d79-5.dat	family_quasar
behavioral1/memory/2328-8-0x00000000002A0000-0x00000000005C4000-memory.dmp	family_quasar
behavioral1/memory/2716-22-0x0000000001010000-0x0000000001334000-memory.dmp	family_quasar
behavioral1/memory/2916-45-0x0000000000190000-0x00000000004B4000-memory.dmp	family_quasar
behavioral1/memory/3040-56-0x0000000001300000-0x0000000001624000-memory.dmp	family_quasar
behavioral1/memory/2564-79-0x00000000000D0000-0x00000000003F4000-memory.dmp	family_quasar
behavioral1/memory/2764-91-0x00000000000B0000-0x00000000003D4000-memory.dmp	family_quasar
behavioral1/memory/2892-103-0x00000000012F0000-0x0000000001614000-memory.dmp	family_quasar
behavioral1/memory/584-114-0x0000000000270000-0x0000000000594000-memory.dmp	family_quasar
behavioral1/memory/1912-135-0x0000000000020000-0x0000000000344000-memory.dmp	family_quasar
behavioral1/memory/1512-147-0x0000000001360000-0x0000000001684000-memory.dmp	family_quasar
behavioral1/memory/1632-158-0x0000000001380000-0x00000000016A4000-memory.dmp	family_quasar
behavioral1/memory/2632-170-0x00000000000E0000-0x0000000000404000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2328	Client.exe
2716	Client.exe
1744	Client.exe
2916	Client.exe
3040	Client.exe
2208	Client.exe
2564	Client.exe
2764	Client.exe
2892	Client.exe
584	Client.exe
2288	Client.exe
1912	Client.exe
1512	Client.exe
1632	Client.exe
2632	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1784	PING.EXE
2812	PING.EXE
1648	PING.EXE
2064	PING.EXE
1900	PING.EXE
1892	PING.EXE
2440	PING.EXE
2640	PING.EXE
896	PING.EXE
2656	PING.EXE
2072	PING.EXE
2628	PING.EXE
1288	PING.EXE
2920	PING.EXE
1600	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2640	PING.EXE
1900	PING.EXE
2072	PING.EXE
2440	PING.EXE
2812	PING.EXE
1648	PING.EXE
1784	PING.EXE
896	PING.EXE
2656	PING.EXE
2064	PING.EXE
2920	PING.EXE
1892	PING.EXE
1600	PING.EXE
2628	PING.EXE
1288	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1604	schtasks.exe
2816	schtasks.exe
2952	schtasks.exe
3068	schtasks.exe
2656	schtasks.exe
2948	schtasks.exe
1528	schtasks.exe
1304	schtasks.exe
1884	schtasks.exe
2512	schtasks.exe
948	schtasks.exe
2688	schtasks.exe
2576	schtasks.exe
1548	schtasks.exe
2704	schtasks.exe
620	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	Client-built.exe
Token: SeDebugPrivilege	2328	Client.exe
Token: SeDebugPrivilege	2716	Client.exe
Token: SeDebugPrivilege	1744	Client.exe
Token: SeDebugPrivilege	2916	Client.exe
Token: SeDebugPrivilege	3040	Client.exe
Token: SeDebugPrivilege	2208	Client.exe
Token: SeDebugPrivilege	2564	Client.exe
Token: SeDebugPrivilege	2764	Client.exe
Token: SeDebugPrivilege	2892	Client.exe
Token: SeDebugPrivilege	584	Client.exe
Token: SeDebugPrivilege	2288	Client.exe
Token: SeDebugPrivilege	1912	Client.exe
Token: SeDebugPrivilege	1512	Client.exe
Token: SeDebugPrivilege	1632	Client.exe
Token: SeDebugPrivilege	2632	Client.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2328	Client.exe
2716	Client.exe
1744	Client.exe
2916	Client.exe
3040	Client.exe
2208	Client.exe
2564	Client.exe
2764	Client.exe
2892	Client.exe
584	Client.exe
2288	Client.exe
1912	Client.exe
1512	Client.exe
1632	Client.exe
2632	Client.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2328	Client.exe
2716	Client.exe
1744	Client.exe
2916	Client.exe
3040	Client.exe
2208	Client.exe
2564	Client.exe
2764	Client.exe
2892	Client.exe
584	Client.exe
2288	Client.exe
1912	Client.exe
1512	Client.exe
1632	Client.exe
2632	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2328	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 3068	2384	Client-built.exe	30
PID 2384 wrote to memory of 3068	2384	Client-built.exe	30
PID 2384 wrote to memory of 3068	2384	Client-built.exe	30
PID 2384 wrote to memory of 2328	2384	Client-built.exe	32
PID 2384 wrote to memory of 2328	2384	Client-built.exe	32
PID 2384 wrote to memory of 2328	2384	Client-built.exe	32
PID 2328 wrote to memory of 1304	2328	Client.exe	33
PID 2328 wrote to memory of 1304	2328	Client.exe	33
PID 2328 wrote to memory of 1304	2328	Client.exe	33
PID 2328 wrote to memory of 2736	2328	Client.exe	35
PID 2328 wrote to memory of 2736	2328	Client.exe	35
PID 2328 wrote to memory of 2736	2328	Client.exe	35
PID 2736 wrote to memory of 2884	2736	cmd.exe	37
PID 2736 wrote to memory of 2884	2736	cmd.exe	37
PID 2736 wrote to memory of 2884	2736	cmd.exe	37
PID 2736 wrote to memory of 2640	2736	cmd.exe	38
PID 2736 wrote to memory of 2640	2736	cmd.exe	38
PID 2736 wrote to memory of 2640	2736	cmd.exe	38
PID 2736 wrote to memory of 2716	2736	cmd.exe	40
PID 2736 wrote to memory of 2716	2736	cmd.exe	40
PID 2736 wrote to memory of 2716	2736	cmd.exe	40
PID 2716 wrote to memory of 2656	2716	Client.exe	41
PID 2716 wrote to memory of 2656	2716	Client.exe	41
PID 2716 wrote to memory of 2656	2716	Client.exe	41
PID 2716 wrote to memory of 1288	2716	Client.exe	43
PID 2716 wrote to memory of 1288	2716	Client.exe	43
PID 2716 wrote to memory of 1288	2716	Client.exe	43
PID 1288 wrote to memory of 992	1288	cmd.exe	45
PID 1288 wrote to memory of 992	1288	cmd.exe	45
PID 1288 wrote to memory of 992	1288	cmd.exe	45
PID 1288 wrote to memory of 1900	1288	cmd.exe	46
PID 1288 wrote to memory of 1900	1288	cmd.exe	46
PID 1288 wrote to memory of 1900	1288	cmd.exe	46
PID 1288 wrote to memory of 1744	1288	cmd.exe	47
PID 1288 wrote to memory of 1744	1288	cmd.exe	47
PID 1288 wrote to memory of 1744	1288	cmd.exe	47
PID 1744 wrote to memory of 2576	1744	Client.exe	48
PID 1744 wrote to memory of 2576	1744	Client.exe	48
PID 1744 wrote to memory of 2576	1744	Client.exe	48
PID 1744 wrote to memory of 2840	1744	Client.exe	50
PID 1744 wrote to memory of 2840	1744	Client.exe	50
PID 1744 wrote to memory of 2840	1744	Client.exe	50
PID 2840 wrote to memory of 640	2840	cmd.exe	52
PID 2840 wrote to memory of 640	2840	cmd.exe	52
PID 2840 wrote to memory of 640	2840	cmd.exe	52
PID 2840 wrote to memory of 2920	2840	cmd.exe	53
PID 2840 wrote to memory of 2920	2840	cmd.exe	53
PID 2840 wrote to memory of 2920	2840	cmd.exe	53
PID 2840 wrote to memory of 2916	2840	cmd.exe	54
PID 2840 wrote to memory of 2916	2840	cmd.exe	54
PID 2840 wrote to memory of 2916	2840	cmd.exe	54
PID 2916 wrote to memory of 2948	2916	Client.exe	55
PID 2916 wrote to memory of 2948	2916	Client.exe	55
PID 2916 wrote to memory of 2948	2916	Client.exe	55
PID 2916 wrote to memory of 2052	2916	Client.exe	57
PID 2916 wrote to memory of 2052	2916	Client.exe	57
PID 2916 wrote to memory of 2052	2916	Client.exe	57
PID 2052 wrote to memory of 2984	2052	cmd.exe	59
PID 2052 wrote to memory of 2984	2052	cmd.exe	59
PID 2052 wrote to memory of 2984	2052	cmd.exe	59
PID 2052 wrote to memory of 1784	2052	cmd.exe	60
PID 2052 wrote to memory of 1784	2052	cmd.exe	60
PID 2052 wrote to memory of 1784	2052	cmd.exe	60
PID 2052 wrote to memory of 3040	2052	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3068
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1304
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\yQNjTWnkpJaS.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2884
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2640
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2656
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bH0KLHErsuHF.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1288
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:992
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1900
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2576
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yHxhw0a8FlWh.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:640
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2920
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2948
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\C4km4suULeEI.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2984
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1784
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3040
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1548
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9zYId8aoWQuI.bat" "
        11⤵
        
        PID:988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2296
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1892
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2208
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1528
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AgMeITocxg90.bat" "
        13⤵
        
        PID:1152
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1988
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:896
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2564
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1604
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MAsfDnFB6G3W.bat" "
        15⤵
        
        PID:1904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2804
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2812
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2764
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2816
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NXoFPI2HY2Gs.bat" "
        17⤵
        
        PID:2912
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2192
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2656
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2892
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1884
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xFAxFKMIun0V.bat" "
        19⤵
        
        PID:1900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1316
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:584
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2704
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hRwsXV0gqIbz.bat" "
        21⤵
        
        PID:2056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2144
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2064
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2288
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:620
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\w7YLHXJNKhAP.bat" "
        23⤵
        
        PID:376
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2072
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1912
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2952
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FQqj2ePxKssb.bat" "
        25⤵
        
        PID:1268
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2440
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1512
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2688
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\a2eEV37UjMoH.bat" "
        27⤵
        
        PID:3068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:708
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1600
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1632
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2512
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hAY48madBkpe.bat" "
        29⤵
        
        PID:2712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2860
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2628
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2632
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:948
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HbeSVSq5GKsy.bat" "
        31⤵
        
        PID:2720
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2664
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9zYId8aoWQuI.bat

Filesize
207B

MD5
f1238fd08789700e12521de7810c6b01

SHA1
edc5966d8da5da7cae7eeb122e1aa29cf57284f5

SHA256
c9dd6d00333a204fa7dbaa53aa925cd4f5942c8695d51ffb2fb37b5a1fab8704

SHA512
2d781f62aacef996dcdc192a724a176387bebf8d001fe0a12be4ccb04ecb27b31a6056adccff366856d61b99ebe88289da4eb94f40e716f2508a0ed49fcac97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgMeITocxg90.bat

Filesize
207B

MD5
4bb0fa98dce786678a415bbced99ef79

SHA1
f34f821c6fa45d3d6c246398e3038fa250616416

SHA256
386b399872717d7dec01990cceb1a3eb18a213b1e23413701e59fcb42f0cf396

SHA512
8451226cfb1719dea62ad44f8112a96b877bfae0646c44b444a47dc0d4086ee5efe528626f5b728431fe977103acae2ea06d5f75abbbe59efbf61d09d47316f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4km4suULeEI.bat

Filesize
207B

MD5
528693b6394afc87d70c80c1c79a5e43

SHA1
78e9914f4554d3dc7173410d3aeeb2f446cccac5

SHA256
543d0ab01b91ad634aafaaf13c523e93e7433122877b3296c486a47d456c87d7

SHA512
d69871f2921db04b516002d1b0bc1b304caa52c4c4015f6d8aad5413e8245b4f8a4de1599241384da08dd664f99e511b696cbf50f2577cddebb53ca99d0d692f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FQqj2ePxKssb.bat

Filesize
207B

MD5
b91e917a4d0c243c121b25eb9986f885

SHA1
b336ebdeb2b906519193ed97865f7a5e32c7bf4b

SHA256
1d4aba2d82487605c40936b896a6dd03730b54129764d00c99ecd92e8c42481e

SHA512
9b054575bf0b49acb40a504a403774b241bbefdfe83598cd3582bb1f174d7f4aed85130095bf3f1e3a9a2499b91706e9dade57e039ef1a3bb17d4d2f31f09f70

Download Submit
C:\Users\Admin\AppData\Local\Temp\HbeSVSq5GKsy.bat

Filesize
207B

MD5
d112aec804ffd46fb2d616501ae87d1f

SHA1
d3441ca051f3c49621ca781046966b805a4261eb

SHA256
3b58da91faaf904ea6f99269f034c8c6200043a577dc041e720221272dd4c437

SHA512
bedfe1489c96c55b523ae949351120ab185b72d4bf50b5bd23a9185f41a42737572c3308faf5ab023439887c2be987c3f88dd89250eb9383606c16d8891cb48d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAsfDnFB6G3W.bat

Filesize
207B

MD5
b38fb362958d0bada75113624cbec7fe

SHA1
ee774bfde5494991b9c5d02aaaed7239441a33df

SHA256
6ecae11212f6c5c4da51b8ab00705153f8527de4f7728942ce7e367c2cf1ce8d

SHA512
283de5475b12774a5265760aa83f6df878ed822e41b9841b3f48dcff7d2381552d1a295ba19b0b8765e4f6748b58d7bd8fe0742c9d4ad8d0d42e7fa663595b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\NXoFPI2HY2Gs.bat

Filesize
207B

MD5
5e94d8e68704fe9fd9618eaeae146731

SHA1
c69637fab2c89d1beda1944bece55af56a3e32e4

SHA256
323f04b6dd64087a02fd6e8d7f9c6988067760408d79d1622b484074456e4a1a

SHA512
9f8112c236fcc6e383a6f6d2ea390645afbb6739abbedd03dfabe039dc5471347392ec18b00bf888e747508348428965e054020cdd3589036e4db1cfaf7bdd0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2eEV37UjMoH.bat

Filesize
207B

MD5
c3a5315de399eacd3159610fc77c1572

SHA1
ec9f99dc9dc4c7f90547697926f765951bbb803e

SHA256
5cebca389a1c1784b23453623a9a2e63ce96d8e363ce37f8705fa6d915a745e0

SHA512
93113d64fe74bf09f2b52b2f59c77aa916fd44ad73767ef9c8e343689f0fbd9d648f2b3bd5f9ba6a058293b3acb2a62a30358412ea87307ce321355ba07f87b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bH0KLHErsuHF.bat

Filesize
207B

MD5
71d120c4767435d903adc87c05b76b4c

SHA1
5b88d95a3c7c2437f2abd4516aca838e2662f390

SHA256
594d7c6baf9f6ac4d9fe8f86a9a5f6eca5dee2b3d156360153616bec8086ab5c

SHA512
863176b773a9cf85d592858feb76cfda2abaa7971caee7634dd5a7cca39c7750e724d758f5fdcdad55f2ba9c1ecb225cc1a96d329f8a0d9e89d1f5754beba731

Download Submit
C:\Users\Admin\AppData\Local\Temp\hAY48madBkpe.bat

Filesize
207B

MD5
69444d9462ac5071d796b3f858522a36

SHA1
0a489c1ce38954368123997844d8634800616c42

SHA256
5a2a3f587696d9a30bf5ecead77719f74a479075d586a7c7c8d6188a5a035ae9

SHA512
32ec96ff5442068534245e23ccc2ace7d1b27b13fab0d07a8c36b3ba766f99f864c98e57246117825bf9f859a921e7735b9ec68be00b085e1951d46477e19067

Download Submit
C:\Users\Admin\AppData\Local\Temp\hRwsXV0gqIbz.bat

Filesize
207B

MD5
c2936c4b3f069c1b5a00ebf65c61a7be

SHA1
84fcf541f701262582fe466041caf298617f0841

SHA256
aa037bb7707ec822815b02d96850b384fd32882724b02f104966853946ba48be

SHA512
a86913b73b42068bc2964a26fd230e9f15f5e1fec15ad6d7c9f8c99c73fe199f452cb1332aa688c0b9221a588d7808bc45a503b4a8d523d4270e26106a658036

Download Submit
C:\Users\Admin\AppData\Local\Temp\w7YLHXJNKhAP.bat

Filesize
207B

MD5
fd5670d0fde3ec184eae52ebd0ec7274

SHA1
3f5e9be5809e953664b4801dca8ae8acb82b1e3a

SHA256
6123c62a9a35c18aee589348521b32004466169de0060246e7410e6c1d325cbf

SHA512
5def396ee104520ee2cbbf0577db40d7f084a2aa75e2a2d57060d8567490f9ae2c149f1e8f1a9da0143b883e9e2772d5676d65f0e936cb3439977fc55668acf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xFAxFKMIun0V.bat

Filesize
207B

MD5
93deab843294138d7b285019988a8e2b

SHA1
8b6c22cc6ddea18c6eefdfea427a07ef09639375

SHA256
cdf8b61615ba12c7d4de0655919510a37390462859b033e36ded1767f64fbd1e

SHA512
b016bd9ef9be5cb59ad773f39ffa01be1e215d754fc2186ff474eca7f3bd9a30630af41b9f637965c5fcc7283f57556e7b5ed8c086e7a4ffd83706a6f4793116

Download Submit
C:\Users\Admin\AppData\Local\Temp\yHxhw0a8FlWh.bat

Filesize
207B

MD5
c3795b3e9edf22a19332c46e0a34e337

SHA1
4ad53ad86d3b19cb752380aefce524addeb67d42

SHA256
3a18b4d78588633bbafe0ab93a6d4073d3eb89ebd3e392f9e0742da44f2c8912

SHA512
47fa3828d6038a822adc6122542239269770fe3b63f5656d89068b4d6bb2eca0528447debb254988b73df2f6790bbd653ab4fe078726ea822d947e20e64e8890

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQNjTWnkpJaS.bat

Filesize
207B

MD5
4b8ede4f636848b06f1dd4d983cd36f8

SHA1
e7eeaee5045adc6203e3b6e0a65dc308f64ca2e9

SHA256
3e30da67db840bea43dd3d6a0649ae1283e5abb049cf5bd7eccad4350188bdb4

SHA512
704a7f08898966a7bb1290084b02f8801749e41f7c66274a6da55751f29e512e4f54bf1a1c8694ef69bed4be1e644bcabfccebd559e240754430a09f99ce0683

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
7dbac71bcc7920b66e8c4fc04fbc30dd

SHA1
c746b4358c2a15765a010c1890979239f152d6f7

SHA256
ccb74c64a45f838a6e7403d976d9b2d82afe40d96dc08952e6a374d8af3f09dd

SHA512
56ffa2c92d97ef6b247db44225f659d8894f0c4c1134a8376346eb8f0a36bbb3331803752b8e24ada28dc554ef14d2098627ae751152b9eba956bb5e4d7c0c24

Download Submit
memory/584-114-0x0000000000270000-0x0000000000594000-memory.dmp

Filesize
3.1MB

Download
memory/1512-147-0x0000000001360000-0x0000000001684000-memory.dmp

Filesize
3.1MB

Download
memory/1632-158-0x0000000001380000-0x00000000016A4000-memory.dmp

Filesize
3.1MB

Download
memory/1912-135-0x0000000000020000-0x0000000000344000-memory.dmp

Filesize
3.1MB

Download
memory/2328-19-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2328-10-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2328-9-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2328-8-0x00000000002A0000-0x00000000005C4000-memory.dmp

Filesize
3.1MB

Download
memory/2384-0-0x000007FEF5313000-0x000007FEF5314000-memory.dmp

Filesize
4KB

Download
memory/2384-7-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2384-2-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2384-1-0x0000000000ED0000-0x00000000011F4000-memory.dmp

Filesize
3.1MB

Download
memory/2564-79-0x00000000000D0000-0x00000000003F4000-memory.dmp

Filesize
3.1MB

Download
memory/2632-170-0x00000000000E0000-0x0000000000404000-memory.dmp

Filesize
3.1MB

Download
memory/2716-22-0x0000000001010000-0x0000000001334000-memory.dmp

Filesize
3.1MB

Download
memory/2764-91-0x00000000000B0000-0x00000000003D4000-memory.dmp

Filesize
3.1MB

Download
memory/2892-103-0x00000000012F0000-0x0000000001614000-memory.dmp

Filesize
3.1MB

Download
memory/2916-45-0x0000000000190000-0x00000000004B4000-memory.dmp

Filesize
3.1MB

Download
memory/3040-56-0x0000000001300000-0x0000000001624000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads