quasar | 77153049f33480d1b665c68aa0732e531f963f9acb04b9e016baafeca3b54dd8

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-01-2025 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BPLogger.exe
Size

3.1MB
MD5

14b871855a9046ef9aedeec80f9c2d86
SHA1

32c0ad34f524748b76c090fc881b75b928341e7e
SHA256

b14b916cd2f188ea09035489056e0bff9f8cb8e4a30eff50172f86319fabc940
SHA512

7ada8280b9a5a4dcb427da5f7634335c191645614148ed550dbbbacfaed72e1e99202caedddc02f48dc73d96bf0ecd4d35c2ed2d6206e9b25efba4f29dcc8e96
SSDEEP

49152:3v7lL26AaNeWgPhlmVqvMQ7XSKlfyCC4KgoGdulF8THHB72eh2NT:3vhL26AaNeWgPhlmVqkQ7XSKlfyg

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

wefdwef-34180.portmap.host:34180

Mutex

c4be1726-3f86-4f80-bc7c-0779b06ffeeb

Attributes

encryption_key
97BF1FDCF446A7218FA05296FD8D8F0C41A6B1E7
install_name
Bootstrapper.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Spotify
subdirectory
system32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 14 IoCs

resource	yara_rule
behavioral5/memory/1804-1-0x00000000013E0000-0x0000000001704000-memory.dmp	family_quasar
behavioral5/files/0x0007000000016c89-5.dat	family_quasar
behavioral5/memory/2392-9-0x0000000000E80000-0x00000000011A4000-memory.dmp	family_quasar
behavioral5/memory/2288-23-0x0000000000FE0000-0x0000000001304000-memory.dmp	family_quasar
behavioral5/memory/2368-34-0x0000000001060000-0x0000000001384000-memory.dmp	family_quasar
behavioral5/memory/2308-46-0x0000000000050000-0x0000000000374000-memory.dmp	family_quasar
behavioral5/memory/1788-58-0x0000000001190000-0x00000000014B4000-memory.dmp	family_quasar
behavioral5/memory/2528-80-0x0000000000060000-0x0000000000384000-memory.dmp	family_quasar
behavioral5/memory/2632-91-0x00000000003E0000-0x0000000000704000-memory.dmp	family_quasar
behavioral5/memory/1052-104-0x0000000000220000-0x0000000000544000-memory.dmp	family_quasar
behavioral5/memory/2964-115-0x0000000001230000-0x0000000001554000-memory.dmp	family_quasar
behavioral5/memory/1936-126-0x0000000000190000-0x00000000004B4000-memory.dmp	family_quasar
behavioral5/memory/760-138-0x00000000008B0000-0x0000000000BD4000-memory.dmp	family_quasar
behavioral5/memory/2060-161-0x0000000000B90000-0x0000000000EB4000-memory.dmp	family_quasar

Executes dropped EXE 14 IoCs

pid	Process
2392	Bootstrapper.exe
2288	Bootstrapper.exe
2368	Bootstrapper.exe
2308	Bootstrapper.exe
1788	Bootstrapper.exe
2204	Bootstrapper.exe
2528	Bootstrapper.exe
2632	Bootstrapper.exe
1052	Bootstrapper.exe
2964	Bootstrapper.exe
1936	Bootstrapper.exe
760	Bootstrapper.exe
536	Bootstrapper.exe
2060	Bootstrapper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
696	PING.EXE
656	PING.EXE
3016	PING.EXE
1144	PING.EXE
2492	PING.EXE
2636	PING.EXE
2948	PING.EXE
2872	PING.EXE
1628	PING.EXE
1300	PING.EXE
2068	PING.EXE
2744	PING.EXE
2864	PING.EXE
2228	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
2228	PING.EXE
2068	PING.EXE
1144	PING.EXE
2948	PING.EXE
2864	PING.EXE
656	PING.EXE
1628	PING.EXE
2492	PING.EXE
2744	PING.EXE
2872	PING.EXE
3016	PING.EXE
1300	PING.EXE
696	PING.EXE
2636	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2216	schtasks.exe
1548	schtasks.exe
2540	schtasks.exe
1740	schtasks.exe
2716	schtasks.exe
2336	schtasks.exe
2380	schtasks.exe
2620	schtasks.exe
2864	schtasks.exe
2576	schtasks.exe
1940	schtasks.exe
356	schtasks.exe
2552	schtasks.exe
2988	schtasks.exe
2144	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1804	BPLogger.exe
Token: SeDebugPrivilege	2392	Bootstrapper.exe
Token: SeDebugPrivilege	2288	Bootstrapper.exe
Token: SeDebugPrivilege	2368	Bootstrapper.exe
Token: SeDebugPrivilege	2308	Bootstrapper.exe
Token: SeDebugPrivilege	1788	Bootstrapper.exe
Token: SeDebugPrivilege	2204	Bootstrapper.exe
Token: SeDebugPrivilege	2528	Bootstrapper.exe
Token: SeDebugPrivilege	2632	Bootstrapper.exe
Token: SeDebugPrivilege	1052	Bootstrapper.exe
Token: SeDebugPrivilege	2964	Bootstrapper.exe
Token: SeDebugPrivilege	1936	Bootstrapper.exe
Token: SeDebugPrivilege	760	Bootstrapper.exe
Token: SeDebugPrivilege	536	Bootstrapper.exe
Token: SeDebugPrivilege	2060	Bootstrapper.exe

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
2392	Bootstrapper.exe
2288	Bootstrapper.exe
2368	Bootstrapper.exe
2308	Bootstrapper.exe
1788	Bootstrapper.exe
2204	Bootstrapper.exe
2528	Bootstrapper.exe
2632	Bootstrapper.exe
1052	Bootstrapper.exe
2964	Bootstrapper.exe
1936	Bootstrapper.exe
760	Bootstrapper.exe
536	Bootstrapper.exe
2060	Bootstrapper.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
2392	Bootstrapper.exe
2288	Bootstrapper.exe
2368	Bootstrapper.exe
2308	Bootstrapper.exe
1788	Bootstrapper.exe
2204	Bootstrapper.exe
2528	Bootstrapper.exe
2632	Bootstrapper.exe
1052	Bootstrapper.exe
2964	Bootstrapper.exe
1936	Bootstrapper.exe
760	Bootstrapper.exe
536	Bootstrapper.exe
2060	Bootstrapper.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2392	Bootstrapper.exe
2528	Bootstrapper.exe
1936	Bootstrapper.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2336	1804	BPLogger.exe	30
PID 1804 wrote to memory of 2336	1804	BPLogger.exe	30
PID 1804 wrote to memory of 2336	1804	BPLogger.exe	30
PID 1804 wrote to memory of 2392	1804	BPLogger.exe	32
PID 1804 wrote to memory of 2392	1804	BPLogger.exe	32
PID 1804 wrote to memory of 2392	1804	BPLogger.exe	32
PID 2392 wrote to memory of 1940	2392	Bootstrapper.exe	33
PID 2392 wrote to memory of 1940	2392	Bootstrapper.exe	33
PID 2392 wrote to memory of 1940	2392	Bootstrapper.exe	33
PID 2392 wrote to memory of 2808	2392	Bootstrapper.exe	36
PID 2392 wrote to memory of 2808	2392	Bootstrapper.exe	36
PID 2392 wrote to memory of 2808	2392	Bootstrapper.exe	36
PID 2808 wrote to memory of 2332	2808	cmd.exe	38
PID 2808 wrote to memory of 2332	2808	cmd.exe	38
PID 2808 wrote to memory of 2332	2808	cmd.exe	38
PID 2808 wrote to memory of 2744	2808	cmd.exe	39
PID 2808 wrote to memory of 2744	2808	cmd.exe	39
PID 2808 wrote to memory of 2744	2808	cmd.exe	39
PID 2808 wrote to memory of 2288	2808	cmd.exe	40
PID 2808 wrote to memory of 2288	2808	cmd.exe	40
PID 2808 wrote to memory of 2288	2808	cmd.exe	40
PID 2288 wrote to memory of 2144	2288	Bootstrapper.exe	41
PID 2288 wrote to memory of 2144	2288	Bootstrapper.exe	41
PID 2288 wrote to memory of 2144	2288	Bootstrapper.exe	41
PID 2288 wrote to memory of 1868	2288	Bootstrapper.exe	43
PID 2288 wrote to memory of 1868	2288	Bootstrapper.exe	43
PID 2288 wrote to memory of 1868	2288	Bootstrapper.exe	43
PID 1868 wrote to memory of 2956	1868	cmd.exe	45
PID 1868 wrote to memory of 2956	1868	cmd.exe	45
PID 1868 wrote to memory of 2956	1868	cmd.exe	45
PID 1868 wrote to memory of 2948	1868	cmd.exe	46
PID 1868 wrote to memory of 2948	1868	cmd.exe	46
PID 1868 wrote to memory of 2948	1868	cmd.exe	46
PID 1868 wrote to memory of 2368	1868	cmd.exe	47
PID 1868 wrote to memory of 2368	1868	cmd.exe	47
PID 1868 wrote to memory of 2368	1868	cmd.exe	47
PID 2368 wrote to memory of 356	2368	Bootstrapper.exe	48
PID 2368 wrote to memory of 356	2368	Bootstrapper.exe	48
PID 2368 wrote to memory of 356	2368	Bootstrapper.exe	48
PID 2368 wrote to memory of 1960	2368	Bootstrapper.exe	50
PID 2368 wrote to memory of 1960	2368	Bootstrapper.exe	50
PID 2368 wrote to memory of 1960	2368	Bootstrapper.exe	50
PID 1960 wrote to memory of 1044	1960	cmd.exe	52
PID 1960 wrote to memory of 1044	1960	cmd.exe	52
PID 1960 wrote to memory of 1044	1960	cmd.exe	52
PID 1960 wrote to memory of 2872	1960	cmd.exe	53
PID 1960 wrote to memory of 2872	1960	cmd.exe	53
PID 1960 wrote to memory of 2872	1960	cmd.exe	53
PID 1960 wrote to memory of 2308	1960	cmd.exe	54
PID 1960 wrote to memory of 2308	1960	cmd.exe	54
PID 1960 wrote to memory of 2308	1960	cmd.exe	54
PID 2308 wrote to memory of 2380	2308	Bootstrapper.exe	55
PID 2308 wrote to memory of 2380	2308	Bootstrapper.exe	55
PID 2308 wrote to memory of 2380	2308	Bootstrapper.exe	55
PID 2308 wrote to memory of 448	2308	Bootstrapper.exe	57
PID 2308 wrote to memory of 448	2308	Bootstrapper.exe	57
PID 2308 wrote to memory of 448	2308	Bootstrapper.exe	57
PID 448 wrote to memory of 3044	448	cmd.exe	59
PID 448 wrote to memory of 3044	448	cmd.exe	59
PID 448 wrote to memory of 3044	448	cmd.exe	59
PID 448 wrote to memory of 2864	448	cmd.exe	60
PID 448 wrote to memory of 2864	448	cmd.exe	60
PID 448 wrote to memory of 2864	448	cmd.exe	60
PID 448 wrote to memory of 1788	448	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\BPLogger.exe
"C:\Users\Admin\AppData\Local\Temp\BPLogger.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2336
- C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
  "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1940
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tLTa5q1R1g7l.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2332
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2744
  - - C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
      "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2288
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2144
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\r6plJG3zGiCg.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1868
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2956
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2948
      - C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:356
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5Fna8VDGHxSM.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2872
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2380
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\4ISSmPohydeA.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2864
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1788
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1548
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5cqPFHnjwqgi.bat" "
        11⤵
        
        PID:1540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1244
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:696
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2204
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2552
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5sJauybDgD6E.bat" "
        13⤵
        
        PID:872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2492
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:656
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2528
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2540
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7SKrpI1JdCFw.bat" "
        15⤵
        
        PID:2804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3004
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3016
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2632
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2620
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qGxotTbUE42L.bat" "
        17⤵
        
        PID:2112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1272
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1628
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1052
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1740
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hrpkH2L6uid7.bat" "
        19⤵
        
        PID:1624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1660
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1144
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2964
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2988
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xmNYx3AQrjdI.bat" "
        21⤵
        
        PID:1524
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2456
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2228
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1936
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2864
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\O7h0qsp0VMPk.bat" "
        23⤵
        
        PID:1776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2512
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1300
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:760
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2576
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2YPYr58TUX8I.bat" "
        25⤵
        
        PID:2124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:284
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2492
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:536
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2216
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1uEkY4UqE89R.bat" "
        27⤵
        
        PID:3068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2068
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2060
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2716
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XsqQqI6jU72g.bat" "
        29⤵
        
        PID:2768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1uEkY4UqE89R.bat

Filesize
215B

MD5
753f47a3113c835dac3e2acf7692d013

SHA1
5e2f4c881554031192335c3fae12eadce60617c0

SHA256
8a7926963d92f32fa3623470baf96e7a12b2905170e77684b524284c3f200f6b

SHA512
bae82f4414c7b7e0361594ba0035625e6a1bcfbda5e41d60726747891bd49349d4f3e1f995b687383beffde03c6aa6207cf7a0596f98ee491b3e788d952ea486

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YPYr58TUX8I.bat

Filesize
215B

MD5
fafac6a72b5d4d5d0fa01eb56a884575

SHA1
10557c2940e4cd7fe9ff7b74991ed4bcb018c391

SHA256
973e5292cbc2e1bd1db393a0e365c7a783d99a5c9f5be84ec95f8f43ddd3726d

SHA512
12054f8f0e4e8d681a347ee59a2210b27b0451ad0f0981ce2d9d106da56c73356335ce65a6e13bd31dd49d27c24b437de086c4e447298a011f945b2466e3a54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ISSmPohydeA.bat

Filesize
215B

MD5
f1cb6fd340d239af75601da7ece3308b

SHA1
5cfda40faa4a31410fd68ba3c5472bf948621e59

SHA256
fc347fabf153c703d99fc0b9cbd2d4b574adc19b54822a1e72131815a716c62e

SHA512
b1efb907de8253cf891f188fb226cc15c433087c9634abae50155a8401106e2423059f5e79c3fa6630ca1c47daca1bfbadfc726de4a96c7cf82c216cd1ca3677

Download Submit
C:\Users\Admin\AppData\Local\Temp\5Fna8VDGHxSM.bat

Filesize
215B

MD5
5b7a0411e16da39211ae07b856099162

SHA1
cf4cf17145a4d5118ec41d3a57b6eed22354842f

SHA256
97346094d6bc0a0dd11a40d363c70cb79de0b8e10d84a65419856f5b2216650f

SHA512
97b94df3f8c62ceeb7206fc0c0fe62d21b6c2a2ddf4d7901d36193dbe41912eb836351a1d8d8b56c7b7365865f5c02b39935c18bf32e0ae7dffc6ff74a45adfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cqPFHnjwqgi.bat

Filesize
215B

MD5
f5098c2a3405cb0ff7f0a17d2985cbea

SHA1
926ff5a73364e96b49238a9c84f403c2732326df

SHA256
4d24f4a5f11dc0a878207895c4679e57e84d50c2018ae84badffc0d2a759b6be

SHA512
0e5bc4e76b4a77efa3ec660b9218408795b303f9c6161147ecc24bc0bc1c8c1055a6ee8a82683245b3ea3effca13ff25f87b9212557c4a79cbcd5b2fa365830f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5sJauybDgD6E.bat

Filesize
215B

MD5
1fddbd4dec559ed643196d3d9baec24b

SHA1
63a42786aac048729eb6d953a3a4f81ee4256e59

SHA256
9c86fa2c116da5faaf022a0506b66b9c6642f5df76266b3699668c9c557138c8

SHA512
7099de64b4bc6e78557db0876bde966acc99702f2c8d717297a19acdd1389f50fd334eefe9186d5bde2ac742f4e8ce2154d61e32db82e7d920f1629999eaf495

Download Submit
C:\Users\Admin\AppData\Local\Temp\7SKrpI1JdCFw.bat

Filesize
215B

MD5
5e63c3fbd1459cbbfc6d457c03c984d0

SHA1
42521031e9e2f0edf1dfd363fe0cab4426aac072

SHA256
11b2a9aa4d48fdb98f0c66e6b010fa961d04d6cffb3c46f4498087e36c677af9

SHA512
ac8fd11c9c8bb77f57428d169267515f415ffff593d9209130ae0894a633867d2cd9bf7a11bf564b61dd68f042afb0e5b68116ac5570ab6bfc5785a2cf2ee001

Download Submit
C:\Users\Admin\AppData\Local\Temp\O7h0qsp0VMPk.bat

Filesize
215B

MD5
72a195ecd8b7dde6d20e96a390c8fc83

SHA1
460731f04e5e800876f969eed98d2fb9a5ac9423

SHA256
d0b1712f8949d9de5fe92274c3f0fd8c7a17b0f8d8c1d975e60e5d0949f591c5

SHA512
fa1d71a7ac47f344acbecba4ea19f5e9cdc0f2608e0f0f806e13dee1290dac2977f4c971c1cea28955b9fcf9fa8d5e20dfdb39e1a672550bd3693ec9c09b659b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XsqQqI6jU72g.bat

Filesize
215B

MD5
70f2eea4b03edc195e620a57878d4f4c

SHA1
70bbdb40a1a77e1942146b341e014ab44bcee8a8

SHA256
f9cab9f087587d0f6fa3e158816de9b9f8281fee179a7e7ffb74abe6760892cd

SHA512
f51f25511422bc7aef7d116c1cecc018ed2932499d394a4e54696779f8c1b5165192a4fbb9733d35797aa2ca530810af5429626d012c65553876c4871485b1c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrpkH2L6uid7.bat

Filesize
215B

MD5
7a74db6cf12f932e511935383b1c4d53

SHA1
2a4c65bad90a12917a4de6ad3eacc6e55db93abe

SHA256
1f357b3eacb2cc42ae60297897fb653b3549180a0b3b720148ed0717f9cd5d41

SHA512
079fed96798ffd74d3ab4abb1ceefb1d8b66d92185e9c4a663802f38834e9fc100fa0bca1c58083c1a8efefc2f5b7368055f3de03c020e567e7d0e8da6c54025

Download Submit
C:\Users\Admin\AppData\Local\Temp\qGxotTbUE42L.bat

Filesize
215B

MD5
c0e6ceab38a499dc795231f8e2348da2

SHA1
1fb51bfc61210e75c0fd37f08ab624826a2b3481

SHA256
9600305a9f5ab9811123d1a616e3bd363731eda5b95d09dcc9a6e7d110b9cac9

SHA512
36d877baab43a66ee8431885ca52e5432fd13a150436acbf0d77b178b8f2333b53db762c64ab4eeb73218f40094011b2e498f6707e0343bda1f12110e1e4d755

Download Submit
C:\Users\Admin\AppData\Local\Temp\r6plJG3zGiCg.bat

Filesize
215B

MD5
1335a9275087f2730c0ae18f3943d83b

SHA1
43d97ad6ceed5f0ddda2f2e4e34e143ec779c94b

SHA256
df4db0273aa5da0abde3beaffc04cf3b0200081b80f507012992cf4d14fb7215

SHA512
aea83e01e5f7aff8c9e6515de99b0d56bcdb66b1dd68283083dd3cc9d6f5d09d771dd17e560d28e9bcf9b3da2d2c6e644d306cba2837426fc918d8f4b81ba2ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\tLTa5q1R1g7l.bat

Filesize
215B

MD5
cab89bae7a099b5b951cee9597f4be1f

SHA1
f857323209b8742d58f7a0f82761ed66b406323f

SHA256
dc82559c1064768cfdd5a92e8ae98495d290de541bf113f19dfe7b513d4350ec

SHA512
1a3b266a64bce48a496bcbf1d4b2777285e8a9c4f92aa809ad7ceb6679039b134e70b07c82f89be8e6472e0c3ceece4fd410a5abae1362c0c9ffa9e875fbd688

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmNYx3AQrjdI.bat

Filesize
215B

MD5
7167740902e7e58ba49d6ab1fc64e3f2

SHA1
c2d397b8195c3f8440c2684bff20bf78d4bb378e

SHA256
5ebe85098901bb4c501d92d01ef146ac8c9d35cf4808145c4b744e1b19a30d3b

SHA512
5f28bf7fff67a93498ef2e8aae389ecd9b0f47fe8ab0cc8d57767cba3bacff7fa4727f9e9d84b34195b562bb95d0caa7302343c64bd7a7ce6bb2a758125795a9

Download Submit
C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe

Filesize
3.1MB

MD5
14b871855a9046ef9aedeec80f9c2d86

SHA1
32c0ad34f524748b76c090fc881b75b928341e7e

SHA256
b14b916cd2f188ea09035489056e0bff9f8cb8e4a30eff50172f86319fabc940

SHA512
7ada8280b9a5a4dcb427da5f7634335c191645614148ed550dbbbacfaed72e1e99202caedddc02f48dc73d96bf0ecd4d35c2ed2d6206e9b25efba4f29dcc8e96

Download Submit
memory/760-138-0x00000000008B0000-0x0000000000BD4000-memory.dmp

Filesize
3.1MB

Download
memory/1052-104-0x0000000000220000-0x0000000000544000-memory.dmp

Filesize
3.1MB

Download
memory/1788-58-0x0000000001190000-0x00000000014B4000-memory.dmp

Filesize
3.1MB

Download
memory/1804-2-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/1804-0-0x000007FEF5C13000-0x000007FEF5C14000-memory.dmp

Filesize
4KB

Download
memory/1804-7-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/1804-1-0x00000000013E0000-0x0000000001704000-memory.dmp

Filesize
3.1MB

Download
memory/1936-126-0x0000000000190000-0x00000000004B4000-memory.dmp

Filesize
3.1MB

Download
memory/2060-161-0x0000000000B90000-0x0000000000EB4000-memory.dmp

Filesize
3.1MB

Download
memory/2288-23-0x0000000000FE0000-0x0000000001304000-memory.dmp

Filesize
3.1MB

Download
memory/2308-46-0x0000000000050000-0x0000000000374000-memory.dmp

Filesize
3.1MB

Download
memory/2368-34-0x0000000001060000-0x0000000001384000-memory.dmp

Filesize
3.1MB

Download
memory/2392-20-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/2392-10-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/2392-9-0x0000000000E80000-0x00000000011A4000-memory.dmp

Filesize
3.1MB

Download
memory/2392-11-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/2392-8-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/2528-80-0x0000000000060000-0x0000000000384000-memory.dmp

Filesize
3.1MB

Download
memory/2632-91-0x00000000003E0000-0x0000000000704000-memory.dmp

Filesize
3.1MB

Download
memory/2964-115-0x0000000001230000-0x0000000001554000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads