quasar | cd63a66b508d6653ee22e5fdc44dbcb6e9c7fe64e0eac9ed781ee82fe187005e

Analysis

max time kernel
150s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/02/2025, 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Image Logger 3.5.exe
Size

3.4MB
MD5

55fed3c2f548f0a0beed666f20a01d97
SHA1

e2908aeb63e17405b95c05a06a886813e1d4d594
SHA256

cd63a66b508d6653ee22e5fdc44dbcb6e9c7fe64e0eac9ed781ee82fe187005e
SHA512

2ca21479151e585416d63430f57faaf3f070af2cdc9f22ece10e439fdb1eb71a455fa75f1b925550ce74838e7cb69c0d110c6881c167c403b4c594834c72860e
SSDEEP

49152:zvnI22SsaNYfdPBldt698dBcjHAKk1QmypoGd7aPTHHB72eh2NT:zvI22SsaNYfdPBldt6+dBcjHAKke

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

26.45.181.53:4782

Mutex

91fc011d-5bd3-41d0-82ab-84cdbb628ab4

Attributes

encryption_key
5E2CFB52ADC9AC8BBA82A6E18BBD8FE00311B8A0
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 13 IoCs

resource	yara_rule
behavioral1/memory/3052-1-0x0000000000130000-0x0000000000496000-memory.dmp	family_quasar
behavioral1/files/0x000800000001747b-6.dat	family_quasar
behavioral1/memory/2220-10-0x00000000008A0000-0x0000000000C06000-memory.dmp	family_quasar
behavioral1/memory/2924-23-0x0000000001040000-0x00000000013A6000-memory.dmp	family_quasar
behavioral1/memory/1140-34-0x0000000000230000-0x0000000000596000-memory.dmp	family_quasar
behavioral1/memory/1768-45-0x0000000000820000-0x0000000000B86000-memory.dmp	family_quasar
behavioral1/memory/1392-56-0x0000000000E10000-0x0000000001176000-memory.dmp	family_quasar
behavioral1/memory/1804-67-0x0000000001210000-0x0000000001576000-memory.dmp	family_quasar
behavioral1/memory/1616-89-0x00000000003A0000-0x0000000000706000-memory.dmp	family_quasar
behavioral1/memory/3012-100-0x0000000000180000-0x00000000004E6000-memory.dmp	family_quasar
behavioral1/memory/2912-111-0x0000000001220000-0x0000000001586000-memory.dmp	family_quasar
behavioral1/memory/2808-122-0x0000000000250000-0x00000000005B6000-memory.dmp	family_quasar
behavioral1/memory/2488-133-0x00000000003B0000-0x0000000000716000-memory.dmp	family_quasar

Executes dropped EXE 13 IoCs

pid	Process
2220	Client.exe
2924	Client.exe
1140	Client.exe
1768	Client.exe
1392	Client.exe
1804	Client.exe
2248	Client.exe
1616	Client.exe
3012	Client.exe
2912	Client.exe
2808	Client.exe
2488	Client.exe
1152	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1872	PING.EXE
2360	PING.EXE
1304	PING.EXE
2408	PING.EXE
2900	PING.EXE
800	PING.EXE
1832	PING.EXE
2092	PING.EXE
3016	PING.EXE
1760	PING.EXE
2024	PING.EXE
2228	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
2360	PING.EXE
2024	PING.EXE
1304	PING.EXE
2408	PING.EXE
2092	PING.EXE
800	PING.EXE
1832	PING.EXE
3016	PING.EXE
1760	PING.EXE
2228	PING.EXE
2900	PING.EXE
1872	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2888	schtasks.exe
2676	schtasks.exe
2436	schtasks.exe
2216	schtasks.exe
316	schtasks.exe
996	schtasks.exe
792	schtasks.exe
780	schtasks.exe
2944	schtasks.exe
1048	schtasks.exe
1296	schtasks.exe
2644	schtasks.exe
1832	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	Image Logger 3.5.exe
Token: SeDebugPrivilege	2220	Client.exe
Token: SeDebugPrivilege	2924	Client.exe
Token: SeDebugPrivilege	1140	Client.exe
Token: SeDebugPrivilege	1768	Client.exe
Token: SeDebugPrivilege	1392	Client.exe
Token: SeDebugPrivilege	1804	Client.exe
Token: SeDebugPrivilege	2248	Client.exe
Token: SeDebugPrivilege	1616	Client.exe
Token: SeDebugPrivilege	3012	Client.exe
Token: SeDebugPrivilege	2912	Client.exe
Token: SeDebugPrivilege	2808	Client.exe
Token: SeDebugPrivilege	2488	Client.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
2220	Client.exe
2924	Client.exe
1140	Client.exe
1768	Client.exe
1392	Client.exe
1804	Client.exe
2248	Client.exe
1616	Client.exe
3012	Client.exe
2912	Client.exe
2808	Client.exe
2488	Client.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2220	Client.exe
2924	Client.exe
1140	Client.exe
1768	Client.exe
1392	Client.exe
1804	Client.exe
2248	Client.exe
1616	Client.exe
3012	Client.exe
2912	Client.exe
2808	Client.exe
2488	Client.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2220	Client.exe
2924	Client.exe
1140	Client.exe
1768	Client.exe
1392	Client.exe
1804	Client.exe
2248	Client.exe
1616	Client.exe
3012	Client.exe
2912	Client.exe
2808	Client.exe
2488	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2436	3052	Image Logger 3.5.exe	30
PID 3052 wrote to memory of 2436	3052	Image Logger 3.5.exe	30
PID 3052 wrote to memory of 2436	3052	Image Logger 3.5.exe	30
PID 3052 wrote to memory of 2220	3052	Image Logger 3.5.exe	32
PID 3052 wrote to memory of 2220	3052	Image Logger 3.5.exe	32
PID 3052 wrote to memory of 2220	3052	Image Logger 3.5.exe	32
PID 2220 wrote to memory of 1296	2220	Client.exe	33
PID 2220 wrote to memory of 1296	2220	Client.exe	33
PID 2220 wrote to memory of 1296	2220	Client.exe	33
PID 2220 wrote to memory of 2064	2220	Client.exe	35
PID 2220 wrote to memory of 2064	2220	Client.exe	35
PID 2220 wrote to memory of 2064	2220	Client.exe	35
PID 2064 wrote to memory of 2292	2064	cmd.exe	37
PID 2064 wrote to memory of 2292	2064	cmd.exe	37
PID 2064 wrote to memory of 2292	2064	cmd.exe	37
PID 2064 wrote to memory of 3016	2064	cmd.exe	38
PID 2064 wrote to memory of 3016	2064	cmd.exe	38
PID 2064 wrote to memory of 3016	2064	cmd.exe	38
PID 2064 wrote to memory of 2924	2064	cmd.exe	40
PID 2064 wrote to memory of 2924	2064	cmd.exe	40
PID 2064 wrote to memory of 2924	2064	cmd.exe	40
PID 2924 wrote to memory of 2644	2924	Client.exe	41
PID 2924 wrote to memory of 2644	2924	Client.exe	41
PID 2924 wrote to memory of 2644	2924	Client.exe	41
PID 2924 wrote to memory of 2060	2924	Client.exe	43
PID 2924 wrote to memory of 2060	2924	Client.exe	43
PID 2924 wrote to memory of 2060	2924	Client.exe	43
PID 2060 wrote to memory of 676	2060	cmd.exe	45
PID 2060 wrote to memory of 676	2060	cmd.exe	45
PID 2060 wrote to memory of 676	2060	cmd.exe	45
PID 2060 wrote to memory of 1760	2060	cmd.exe	46
PID 2060 wrote to memory of 1760	2060	cmd.exe	46
PID 2060 wrote to memory of 1760	2060	cmd.exe	46
PID 2060 wrote to memory of 1140	2060	cmd.exe	47
PID 2060 wrote to memory of 1140	2060	cmd.exe	47
PID 2060 wrote to memory of 1140	2060	cmd.exe	47
PID 1140 wrote to memory of 2216	1140	Client.exe	48
PID 1140 wrote to memory of 2216	1140	Client.exe	48
PID 1140 wrote to memory of 2216	1140	Client.exe	48
PID 1140 wrote to memory of 2864	1140	Client.exe	50
PID 1140 wrote to memory of 2864	1140	Client.exe	50
PID 1140 wrote to memory of 2864	1140	Client.exe	50
PID 2864 wrote to memory of 2180	2864	cmd.exe	52
PID 2864 wrote to memory of 2180	2864	cmd.exe	52
PID 2864 wrote to memory of 2180	2864	cmd.exe	52
PID 2864 wrote to memory of 2360	2864	cmd.exe	53
PID 2864 wrote to memory of 2360	2864	cmd.exe	53
PID 2864 wrote to memory of 2360	2864	cmd.exe	53
PID 2864 wrote to memory of 1768	2864	cmd.exe	54
PID 2864 wrote to memory of 1768	2864	cmd.exe	54
PID 2864 wrote to memory of 1768	2864	cmd.exe	54
PID 1768 wrote to memory of 1832	1768	Client.exe	55
PID 1768 wrote to memory of 1832	1768	Client.exe	55
PID 1768 wrote to memory of 1832	1768	Client.exe	55
PID 1768 wrote to memory of 2268	1768	Client.exe	57
PID 1768 wrote to memory of 2268	1768	Client.exe	57
PID 1768 wrote to memory of 2268	1768	Client.exe	57
PID 2268 wrote to memory of 572	2268	cmd.exe	59
PID 2268 wrote to memory of 572	2268	cmd.exe	59
PID 2268 wrote to memory of 572	2268	cmd.exe	59
PID 2268 wrote to memory of 2024	2268	cmd.exe	60
PID 2268 wrote to memory of 2024	2268	cmd.exe	60
PID 2268 wrote to memory of 2024	2268	cmd.exe	60
PID 2268 wrote to memory of 1392	2268	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Image Logger 3.5.exe
"C:\Users\Admin\AppData\Local\Temp\Image Logger 3.5.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2436
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1296
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\VjwZT96JoY41.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2292
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3016
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2924
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2644
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\p59Jbk7AQEh6.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2060
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:676
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1760
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2216
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\961IQNT8qAAD.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2180
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2360
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1832
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BpRWyyrGN3hU.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:572
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2024
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1392
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:996
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rMPWZAnwSJnw.bat" "
        11⤵
        
        PID:2528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1972
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1304
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1804
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:792
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LAWWziFT0CYA.bat" "
        13⤵
        
        PID:912
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2460
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2228
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2248
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:780
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rShobBIP22Nv.bat" "
        15⤵
        
        PID:768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2256
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2408
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:316
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\d1BVr3l7DRw1.bat" "
        17⤵
        
        PID:2148
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1296
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:3012
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2888
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bC9wKqfBBEwr.bat" "
        19⤵
        
        PID:2664
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1436
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1872
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2676
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9eIdcxdOOxpy.bat" "
        21⤵
        
        PID:1760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1732
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:800
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2808
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2944
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\X3DoEtk7aiMl.bat" "
        23⤵
        
        PID:2864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2020
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1832
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2488
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1048
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\X5cpD2F6e7gM.bat" "
        25⤵
        
        PID:1728
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1132
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2092
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        
        PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\961IQNT8qAAD.bat

Filesize
207B

MD5
689a10b5da8519aa463d3d5211c01111

SHA1
c40bdc69641dfd88e618ac5ca9fa6a00f42986c2

SHA256
d0bd95aa3008ef3d41dcd2234017ff0c01927abf24f96d92d55ebc487fa1ae6d

SHA512
6bfa1eb97abb76e6e292c1090e7a285f225047ab7ac6769fb64253034d20b2fc7fc8130a22cb0405418e5c58be6450d36e63bb9e31afe8572267ee741a16f1d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9eIdcxdOOxpy.bat

Filesize
207B

MD5
0dce8f6fc061ea0c84298fb1d971a4e1

SHA1
dc7aac363bf6b81e72b70e27375655b0947a8e54

SHA256
8b3db84b7e45b729d1e611bcd17c8af2093afc54847a3f63e88ea0c114276c5a

SHA512
0e9c5960f858aebfa0fe86b0067164319028cd24d18a2f7d53243507747b3cf3a5427b325cc0fc8cfcb2ec6965fe44128f47f194c65cd2b92544bb62cc597e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BpRWyyrGN3hU.bat

Filesize
207B

MD5
30fdf5f6a3cf045f92e832345294503a

SHA1
5d0694fdb5a3f55e0424671aae8b46912a841ff5

SHA256
3bd5367b846f7ff4def33ae49fe1798c7ad1829b65b515e5cdc11442e8ca45f4

SHA512
d77064f44dadbb640ac897f735e968d595919c75e7718122e72fa04c2ded3f4cebb4e399b4648118bc1bd9cadedc3d35a1bd37a0098bdc57c54647d94d4370bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\LAWWziFT0CYA.bat

Filesize
207B

MD5
b06d9b22c7fd2ebefa7e491f66915af6

SHA1
9e7802f0475711dfb45d99a6acd5354586fed14c

SHA256
c459eeb3290aa5a61b7d4a9b9b112fb8bca82e803770956922f05f4900d1a58e

SHA512
923b46ea68bbe66cbff8edf7d762e922dac933ec9e4bb9beb78793a2dc4e368a623dd9f3052db738cec2a2f8dd9b042a9e9a4fa00a616e1fad0947702f9e15b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\VjwZT96JoY41.bat

Filesize
207B

MD5
a2ffcf2c8619e59c603600e881ec3257

SHA1
bb68a16208a42956e7a10eb49dac2eedebb0b303

SHA256
7f1757b15d9c7cc27989995b048cb5fe32d539eb722e10c2565568c6011783d3

SHA512
40f2987cebc9eccd2cdbc46e7ef165691f489eff9312522cb2561ebf167e38df6440c5bfb87e5d3c286f4611f3f7c226f1ad0d9509905b76fc523392d66879aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\X3DoEtk7aiMl.bat

Filesize
207B

MD5
91352b98189be1336e756c7d2e64d5b8

SHA1
01b0df35190387eca7baa23177cbe8e7f2580ef2

SHA256
229f9e1c2fe1504daec8bdf80495b58c09791fcfdec4408d0790c8c6de830182

SHA512
5558bbd45f72dde0b9a02af5ea74851edc01067f897231506eb0d856090ed7b5a85722c91271eb7a0d773453c953b9a92aacf93b5bebc1e33df8c48aa940d3e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5cpD2F6e7gM.bat

Filesize
207B

MD5
bfbf7440bb48f2566d61780f48d2a21f

SHA1
408e1618b1448bc10230a0ad8dec9dca70f91aa1

SHA256
cc60f762a9d75ebd78237c09d0fedd30803b550aabbe5270b3fb75b21d98f431

SHA512
df652a43fefa7a6ebcfb8d3bc519f20478ceff49b6587643d2cf11170c7e3b038cef6a95baf372402b5978716c4d51b4c59beb77a14ee0ab009cc30860666ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\bC9wKqfBBEwr.bat

Filesize
207B

MD5
39f9c1f23f88f2dd0a62cf9fa9aba1cb

SHA1
559b6e0f6414c46b32ef337975394ab74d3eaeec

SHA256
26ab50083e49024543efad624c3ad6f0fcbe99c811228ee1a4c54cfebc6817d7

SHA512
8699a6abf3ae51263499f0a7d73d708b98322241921ec33bb6a18585c3a2d7372f249c8be416581c0d0496cab4c07240be9f5a4f98201f8e1459bc4c66a169f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1BVr3l7DRw1.bat

Filesize
207B

MD5
a13393e2927c3d90f39e74129ddb84c2

SHA1
a2d7a536d54590b6d1c683921946a9873c5375a1

SHA256
85a15f2928013b7335c2faf182ae469b37be5e2b1725a34052022585014c01dc

SHA512
155a8ef8b682ebebe9434778db757cdba57b0fb9179dcd992e4bd74347d0c0202c7367700012e8cff954d634c9f34b032e58dd5a45b6e9b9f081397b6883b271

Download Submit
C:\Users\Admin\AppData\Local\Temp\p59Jbk7AQEh6.bat

Filesize
207B

MD5
d0cfa511fdb415f6749157bd10458206

SHA1
2669e8d127a2558985dad81812b44fb6293f7251

SHA256
26e70b6fcd541c5809c19f82810a46eadd4b69c765eed1ad02ca975755ee190a

SHA512
76a0b82ce40e5e310d16bf799b5edbbcb1adc5103852b41b53cc1611e38ffa3ffe99a949a4bd64344e679c2cf7d368c92a4f1edb8ee26a298fec047b485d76a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rMPWZAnwSJnw.bat

Filesize
207B

MD5
a72338d04c808b8d739437b17eecbadf

SHA1
c5cc407c7ccb4c63a291fdeb4e7db4fa41ea1d0d

SHA256
9c85be6308bea825bd53cd4f892d7478a5dab87211ad60b59be9233d1cafa59c

SHA512
83e247d12b1688849951c81e62af309bd70a5dc8777faa881dd9a9de151e7a46c9d5964c67037ff7fc31e631cdd6b3cb3ccfe14eaedcdb49be7d16f45b33494d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rShobBIP22Nv.bat

Filesize
207B

MD5
061026fa1fc6caa80ae55dfd69f76819

SHA1
7fbda0e5766d9123173b82cf3bdde3df6923b59e

SHA256
f3f4a9e68c42bc58c751837e1e36566adee70d46ca5575a9d7440ce10dc5e076

SHA512
6096ef74c21df5b7228345c1dc417f5f9129a4dac9c3f4558bd6565292ccb3d23a3732e5e080d8b7ee9923ddfdcd2d99feb3a48fe74a976dd25799f52ab61316

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
303KB

MD5
3998831b9ca802627ec5e6262d56b116

SHA1
7d3f1eb6cc2c7b6c0f337681573e7c385eb8b89e

SHA256
d1f5ef409e35c25c9f0d3f7ce358ea78f2329b160597b37a332f60a7b36d6fda

SHA512
5c16048a1d2bca825e83b1ecac5f5eb635cf92cea5377c1731aa4d58087b914de2c7eaba2b6f88bee552356282948a18c8917a4b6b1f866e9778e87f99df5673

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.4MB

MD5
55fed3c2f548f0a0beed666f20a01d97

SHA1
e2908aeb63e17405b95c05a06a886813e1d4d594

SHA256
cd63a66b508d6653ee22e5fdc44dbcb6e9c7fe64e0eac9ed781ee82fe187005e

SHA512
2ca21479151e585416d63430f57faaf3f070af2cdc9f22ece10e439fdb1eb71a455fa75f1b925550ce74838e7cb69c0d110c6881c167c403b4c594834c72860e

Download Submit
memory/1140-34-0x0000000000230000-0x0000000000596000-memory.dmp

Filesize
3.4MB

Download
memory/1392-56-0x0000000000E10000-0x0000000001176000-memory.dmp

Filesize
3.4MB

Download
memory/1616-89-0x00000000003A0000-0x0000000000706000-memory.dmp

Filesize
3.4MB

Download
memory/1768-45-0x0000000000820000-0x0000000000B86000-memory.dmp

Filesize
3.4MB

Download
memory/1804-67-0x0000000001210000-0x0000000001576000-memory.dmp

Filesize
3.4MB

Download
memory/2220-10-0x00000000008A0000-0x0000000000C06000-memory.dmp

Filesize
3.4MB

Download
memory/2220-20-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2220-11-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2220-9-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2488-133-0x00000000003B0000-0x0000000000716000-memory.dmp

Filesize
3.4MB

Download
memory/2808-122-0x0000000000250000-0x00000000005B6000-memory.dmp

Filesize
3.4MB

Download
memory/2912-111-0x0000000001220000-0x0000000001586000-memory.dmp

Filesize
3.4MB

Download
memory/2924-23-0x0000000001040000-0x00000000013A6000-memory.dmp

Filesize
3.4MB

Download
memory/3012-100-0x0000000000180000-0x00000000004E6000-memory.dmp

Filesize
3.4MB

Download
memory/3052-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/3052-8-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/3052-2-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/3052-1-0x0000000000130000-0x0000000000496000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads