quasar | cd63a66b508d6653ee22e5fdc44dbcb6e9c7fe64e0eac9ed781ee82fe187005e

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-02-2025 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ImageLogger3.5.exe
Size

3.4MB
MD5

55fed3c2f548f0a0beed666f20a01d97
SHA1

e2908aeb63e17405b95c05a06a886813e1d4d594
SHA256

cd63a66b508d6653ee22e5fdc44dbcb6e9c7fe64e0eac9ed781ee82fe187005e
SHA512

2ca21479151e585416d63430f57faaf3f070af2cdc9f22ece10e439fdb1eb71a455fa75f1b925550ce74838e7cb69c0d110c6881c167c403b4c594834c72860e
SSDEEP

49152:zvnI22SsaNYfdPBldt698dBcjHAKk1QmypoGd7aPTHHB72eh2NT:zvI22SsaNYfdPBldt6+dBcjHAKke

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

26.45.181.53:4782

Mutex

91fc011d-5bd3-41d0-82ab-84cdbb628ab4

Attributes

encryption_key
5E2CFB52ADC9AC8BBA82A6E18BBD8FE00311B8A0
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 12 IoCs

resource	yara_rule
behavioral1/memory/2736-1-0x0000000000390000-0x00000000006F6000-memory.dmp	family_quasar
behavioral1/files/0x0008000000015d07-6.dat	family_quasar
behavioral1/memory/2840-9-0x0000000000100000-0x0000000000466000-memory.dmp	family_quasar
behavioral1/memory/1416-23-0x00000000011A0000-0x0000000001506000-memory.dmp	family_quasar
behavioral1/memory/1636-35-0x0000000001260000-0x00000000015C6000-memory.dmp	family_quasar
behavioral1/memory/2452-66-0x0000000001360000-0x00000000016C6000-memory.dmp	family_quasar
behavioral1/memory/1872-88-0x00000000003B0000-0x0000000000716000-memory.dmp	family_quasar
behavioral1/memory/2520-99-0x0000000000E40000-0x00000000011A6000-memory.dmp	family_quasar
behavioral1/memory/2172-110-0x00000000003F0000-0x0000000000756000-memory.dmp	family_quasar
behavioral1/memory/688-121-0x0000000000C20000-0x0000000000F86000-memory.dmp	family_quasar
behavioral1/memory/284-132-0x0000000001190000-0x00000000014F6000-memory.dmp	family_quasar
behavioral1/memory/792-143-0x00000000013A0000-0x0000000001706000-memory.dmp	family_quasar

Executes dropped EXE 13 IoCs

pid	Process
2840	Client.exe
1416	Client.exe
1636	Client.exe
1892	Client.exe
1840	Client.exe
2452	Client.exe
1524	Client.exe
1872	Client.exe
2520	Client.exe
2172	Client.exe
688	Client.exe
284	Client.exe
792	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2636	PING.EXE
328	PING.EXE
2924	PING.EXE
1064	PING.EXE
956	PING.EXE
1376	PING.EXE
2264	PING.EXE
408	PING.EXE
1008	PING.EXE
640	PING.EXE
628	PING.EXE
1664	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
956	PING.EXE
2264	PING.EXE
1008	PING.EXE
1064	PING.EXE
628	PING.EXE
1664	PING.EXE
1376	PING.EXE
2636	PING.EXE
328	PING.EXE
408	PING.EXE
2924	PING.EXE
640	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2660	schtasks.exe
2764	schtasks.exe
780	schtasks.exe
1184	schtasks.exe
272	schtasks.exe
268	schtasks.exe
2912	schtasks.exe
2668	schtasks.exe
1716	schtasks.exe
864	schtasks.exe
2580	schtasks.exe
3004	schtasks.exe
2396	schtasks.exe
2428	schtasks.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	ImageLogger3.5.exe
Token: SeDebugPrivilege	2840	Client.exe
Token: SeDebugPrivilege	1416	Client.exe
Token: SeDebugPrivilege	1636	Client.exe
Token: SeDebugPrivilege	1892	Client.exe
Token: SeDebugPrivilege	1840	Client.exe
Token: SeDebugPrivilege	2452	Client.exe
Token: SeDebugPrivilege	1524	Client.exe
Token: SeDebugPrivilege	1872	Client.exe
Token: SeDebugPrivilege	2520	Client.exe
Token: SeDebugPrivilege	2172	Client.exe
Token: SeDebugPrivilege	688	Client.exe
Token: SeDebugPrivilege	284	Client.exe
Token: SeDebugPrivilege	792	Client.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
2840	Client.exe
1416	Client.exe
1636	Client.exe
1892	Client.exe
1840	Client.exe
2452	Client.exe
1524	Client.exe
1872	Client.exe
2520	Client.exe
2172	Client.exe
688	Client.exe
284	Client.exe
792	Client.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
2840	Client.exe
1416	Client.exe
1636	Client.exe
1892	Client.exe
1840	Client.exe
2452	Client.exe
1524	Client.exe
1872	Client.exe
2520	Client.exe
2172	Client.exe
688	Client.exe
284	Client.exe
792	Client.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2840	Client.exe
1416	Client.exe
1636	Client.exe
1892	Client.exe
1840	Client.exe
2452	Client.exe
1524	Client.exe
1872	Client.exe
2520	Client.exe
2172	Client.exe
688	Client.exe
284	Client.exe
792	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2660	2736	ImageLogger3.5.exe	31
PID 2736 wrote to memory of 2660	2736	ImageLogger3.5.exe	31
PID 2736 wrote to memory of 2660	2736	ImageLogger3.5.exe	31
PID 2736 wrote to memory of 2840	2736	ImageLogger3.5.exe	33
PID 2736 wrote to memory of 2840	2736	ImageLogger3.5.exe	33
PID 2736 wrote to memory of 2840	2736	ImageLogger3.5.exe	33
PID 2840 wrote to memory of 2580	2840	Client.exe	34
PID 2840 wrote to memory of 2580	2840	Client.exe	34
PID 2840 wrote to memory of 2580	2840	Client.exe	34
PID 2840 wrote to memory of 3012	2840	Client.exe	36
PID 2840 wrote to memory of 3012	2840	Client.exe	36
PID 2840 wrote to memory of 3012	2840	Client.exe	36
PID 3012 wrote to memory of 3028	3012	cmd.exe	38
PID 3012 wrote to memory of 3028	3012	cmd.exe	38
PID 3012 wrote to memory of 3028	3012	cmd.exe	38
PID 3012 wrote to memory of 640	3012	cmd.exe	39
PID 3012 wrote to memory of 640	3012	cmd.exe	39
PID 3012 wrote to memory of 640	3012	cmd.exe	39
PID 3012 wrote to memory of 1416	3012	cmd.exe	40
PID 3012 wrote to memory of 1416	3012	cmd.exe	40
PID 3012 wrote to memory of 1416	3012	cmd.exe	40
PID 1416 wrote to memory of 3004	1416	Client.exe	41
PID 1416 wrote to memory of 3004	1416	Client.exe	41
PID 1416 wrote to memory of 3004	1416	Client.exe	41
PID 1416 wrote to memory of 1792	1416	Client.exe	43
PID 1416 wrote to memory of 1792	1416	Client.exe	43
PID 1416 wrote to memory of 1792	1416	Client.exe	43
PID 1792 wrote to memory of 1000	1792	cmd.exe	45
PID 1792 wrote to memory of 1000	1792	cmd.exe	45
PID 1792 wrote to memory of 1000	1792	cmd.exe	45
PID 1792 wrote to memory of 1064	1792	cmd.exe	46
PID 1792 wrote to memory of 1064	1792	cmd.exe	46
PID 1792 wrote to memory of 1064	1792	cmd.exe	46
PID 1792 wrote to memory of 1636	1792	cmd.exe	47
PID 1792 wrote to memory of 1636	1792	cmd.exe	47
PID 1792 wrote to memory of 1636	1792	cmd.exe	47
PID 1636 wrote to memory of 2764	1636	Client.exe	48
PID 1636 wrote to memory of 2764	1636	Client.exe	48
PID 1636 wrote to memory of 2764	1636	Client.exe	48
PID 1636 wrote to memory of 320	1636	Client.exe	50
PID 1636 wrote to memory of 320	1636	Client.exe	50
PID 1636 wrote to memory of 320	1636	Client.exe	50
PID 320 wrote to memory of 2160	320	cmd.exe	52
PID 320 wrote to memory of 2160	320	cmd.exe	52
PID 320 wrote to memory of 2160	320	cmd.exe	52
PID 320 wrote to memory of 628	320	cmd.exe	53
PID 320 wrote to memory of 628	320	cmd.exe	53
PID 320 wrote to memory of 628	320	cmd.exe	53
PID 320 wrote to memory of 1892	320	cmd.exe	54
PID 320 wrote to memory of 1892	320	cmd.exe	54
PID 320 wrote to memory of 1892	320	cmd.exe	54
PID 1892 wrote to memory of 2396	1892	Client.exe	55
PID 1892 wrote to memory of 2396	1892	Client.exe	55
PID 1892 wrote to memory of 2396	1892	Client.exe	55
PID 1892 wrote to memory of 2628	1892	Client.exe	57
PID 1892 wrote to memory of 2628	1892	Client.exe	57
PID 1892 wrote to memory of 2628	1892	Client.exe	57
PID 2628 wrote to memory of 1952	2628	cmd.exe	59
PID 2628 wrote to memory of 1952	2628	cmd.exe	59
PID 2628 wrote to memory of 1952	2628	cmd.exe	59
PID 2628 wrote to memory of 956	2628	cmd.exe	60
PID 2628 wrote to memory of 956	2628	cmd.exe	60
PID 2628 wrote to memory of 956	2628	cmd.exe	60
PID 2628 wrote to memory of 1840	2628	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ImageLogger3.5.exe
"C:\Users\Admin\AppData\Local\Temp\ImageLogger3.5.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2660
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2580
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\YQcgZR7JHK2P.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3028
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:640
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1416
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3004
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HBu0UgV8XveF.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1792
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1000
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1064
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2764
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wqouzzcqtgfL.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2160
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:628
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2396
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3VcSm2d5T4jE.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:956
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1840
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:268
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PgKdds1vxpBF.bat" "
        11⤵
        
        PID:2016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2176
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1664
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2452
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2912
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UPqYz5L2WdqH.bat" "
        13⤵
        
        PID:1992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1436
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1376
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1524
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2668
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mzNmxeI0ym79.bat" "
        15⤵
        
        PID:2268
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2272
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2264
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1872
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1716
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jJ4Y4zBJKv9R.bat" "
        17⤵
        
        PID:2776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2880
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2636
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2520
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:780
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2KWljf1n5N04.bat" "
        19⤵
        
        PID:1644
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1656
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:328
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2172
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:272
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\25fKt5QewUmg.bat" "
        21⤵
        
        PID:2464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:408
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:688
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:864
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Cm83VbRT8Tfl.bat" "
        23⤵
        
        PID:1476
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1008
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:284
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2428
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9AsdlqR3tMxW.bat" "
        25⤵
        
        PID:1856
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1428
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2924
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:792
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\25fKt5QewUmg.bat

Filesize
207B

MD5
e7f4115ae3cea5ce399c0547960fc66e

SHA1
b52c988cef104c7c2da4ffd671b11ea360bd0072

SHA256
6e7a579c1645832c08c792588809d64832c919ffac7c7476a3919019c1b7869a

SHA512
f4889294adc1f2fcc60ae233628fdee830027844ec8c17cc9506420510928abbc59be3e2644e3c25dddba5ac1c06e55943b94a96213de69cbbfb8b7d4259e19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2KWljf1n5N04.bat

Filesize
207B

MD5
cd95799f221e5ee63e84515746b2412b

SHA1
828cf34b9c353538b56495bc777d3477b06e4cd6

SHA256
1da3ec0582a0ce69d618340b2b2456643cbc72e37304ff4f8c39c86f415b1c5c

SHA512
773f56ddb19212c2f7c5099790689ec09d417ffd2955b8f9639c24920c4345431bcb95921bdee5596980dcfc0c28f940081889bc24687751b6c980fc92e5c099

Download Submit
C:\Users\Admin\AppData\Local\Temp\3VcSm2d5T4jE.bat

Filesize
207B

MD5
7bea7194967ba65f1a4a81ac433255da

SHA1
17dfb63e51d5698919c6703318fbc6c1d63c561d

SHA256
1068355cafa56604146bf16703b1d5ffe08beaac05bf4dc594119e511fc703ee

SHA512
db4637aac41f2968021ecc83b64358c5cc3626fa66c139dcce39ad0e29f4cd9f8d4b0dc60a43283128df04cbac3233884b54b1af5583f9b9782671675bf8b4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\9AsdlqR3tMxW.bat

Filesize
207B

MD5
3201c6b37ca8daa32ccda63421f18356

SHA1
ffe3cd9369614d35521b2c19ff33fff3514edecb

SHA256
76cbdb2afa8724680349f40472fa71df510273c367b29a734a80a0a6e40042b1

SHA512
c73643836669743d2f408e8a10d209e744657491f349b19a71c16690bfb7e8cdce1ad3aa51a51c8afb2b2c07eebfb07fd3374ca0c2aaba8974c39702fa42ad8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cm83VbRT8Tfl.bat

Filesize
207B

MD5
55c932b87a3ff6255e97ef1ae1aeed87

SHA1
572f6ebfe280c815468f4f3b77840f28098b5add

SHA256
40c7348abf794eb8012fe41d10376259d5c61d8d7813d1e8d929357a64375ff3

SHA512
7f88346398e0065cf9b903480098d90b08fdce630198059f478b0933fb11e8fd37076096b50534c698c0b21836d21a633fb264587eef55237d7e351898480d7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HBu0UgV8XveF.bat

Filesize
207B

MD5
b0555e8d87392de4010e2fa2cdd18ecd

SHA1
df59caa43f7542a20345b4dcdc2d2b98544d236d

SHA256
fcf71e3e9f14e822947029fb55a8d8a56b05e0a960d4d1172533ddebe56efddc

SHA512
10078b7a721342d4a27a3d15874a2130c6249b4bbb9772ddd14b25482d04dbb8556fe491c3b5e12cfa115c761aa4070823207abbaa0c7dd96dc1ef81ddb467da

Download Submit
C:\Users\Admin\AppData\Local\Temp\PgKdds1vxpBF.bat

Filesize
207B

MD5
db0f285011e94d3058ac4715e6201e6b

SHA1
7e976842fed73901a61f72bbe89092bbfbe2c981

SHA256
189a4d406585b9a2cd4e36f02587d9825453dea436f0c12fe4a614cec0756b53

SHA512
6772ff215c232f35eedc1c611cc428be7603fa9872d3f2f36d0dd89c3b9c3c54516616ba0294f65c7541fd6322b17b6d085a442937167e1bda1a53841eaf2cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\UPqYz5L2WdqH.bat

Filesize
207B

MD5
cc52ac5c084d903b778f0d00031b574b

SHA1
f84ae35fdaea43e75c953f5f9bd1c4db22bfa008

SHA256
275db0a44aba651c69321b55756524b1009b953bb7f3614701d892021fb8fee4

SHA512
1df2afcea8c13c241100618d427dedd69767b064a576810334cf6fdf82523d971aafd6ec209429123b53a61d061f7a8cc03008d07d0c3a29cf3694f57ef8f3f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQcgZR7JHK2P.bat

Filesize
207B

MD5
38c79b6ef2403a8c0e66670200e37a67

SHA1
a5ff84a3d3e8e0d2eee60ed13890debc1f2a3aa7

SHA256
0f510d0b7fe5fa4addb2fceedb09d9d84e0ad34b27d8e9bfe495185fad167aaa

SHA512
f560340a678ecfd53947b3773b357e43037f284d1662fcee07e726a47dddbcc9607800e87e75b23349bf28df43e069624374026ed3c1a5d42851c6d31436093b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jJ4Y4zBJKv9R.bat

Filesize
207B

MD5
147c66b1f5d24978f32be4aa4f53d964

SHA1
77952b2a7bbe6335a5e7403f72ce3a354d59480d

SHA256
015484f1a9de38e06094cf0d296b500fc3959a65d9be89af24a21ae1423baf7b

SHA512
609d1b0f86f05e1f898bf4048fc444cf818d8dc43bb3c7a5191fcaab99727beb6c857180acacf0c3729d91685bc47654f1bc4e5e10b1530d81137d177e91c518

Download Submit
C:\Users\Admin\AppData\Local\Temp\mzNmxeI0ym79.bat

Filesize
207B

MD5
f28be58d988f71e5a71e862e5d70b559

SHA1
a77f2b3c8a7b2b89a8532eef1aa0cfa98097e35d

SHA256
9f245f99e233c13e6c36da7c2f04593ebf41fac90eb90bccfbfe52a26af0db30

SHA512
f28c6373c576bf4cf96e74db9e95e4d7a33883b13dc43d3f31a99237000a9c3cb28c8705858757e9237654865c3b9913e868115ef44a0a450135abf545a7d89f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wqouzzcqtgfL.bat

Filesize
207B

MD5
526460371964a55e7d2759f2840fa49c

SHA1
02f0afc4af65abaaaba5c0baf9429025cc06102f

SHA256
33cb36b57ff20bf1a56806989987c6a3d3e3f2879d79567105edc28564f1624d

SHA512
c6c2899e46990091ce6e903664501308ecd3b41b144040da07c3fb91e1b9cf959eeac659f9be424baf723584fd0ee95c5208b71418650acc94ad7149a74bc5ff

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.4MB

MD5
55fed3c2f548f0a0beed666f20a01d97

SHA1
e2908aeb63e17405b95c05a06a886813e1d4d594

SHA256
cd63a66b508d6653ee22e5fdc44dbcb6e9c7fe64e0eac9ed781ee82fe187005e

SHA512
2ca21479151e585416d63430f57faaf3f070af2cdc9f22ece10e439fdb1eb71a455fa75f1b925550ce74838e7cb69c0d110c6881c167c403b4c594834c72860e

Download Submit
memory/284-132-0x0000000001190000-0x00000000014F6000-memory.dmp

Filesize
3.4MB

Download
memory/688-121-0x0000000000C20000-0x0000000000F86000-memory.dmp

Filesize
3.4MB

Download
memory/792-143-0x00000000013A0000-0x0000000001706000-memory.dmp

Filesize
3.4MB

Download
memory/1416-23-0x00000000011A0000-0x0000000001506000-memory.dmp

Filesize
3.4MB

Download
memory/1636-35-0x0000000001260000-0x00000000015C6000-memory.dmp

Filesize
3.4MB

Download
memory/1872-88-0x00000000003B0000-0x0000000000716000-memory.dmp

Filesize
3.4MB

Download
memory/2172-110-0x00000000003F0000-0x0000000000756000-memory.dmp

Filesize
3.4MB

Download
memory/2452-66-0x0000000001360000-0x00000000016C6000-memory.dmp

Filesize
3.4MB

Download
memory/2520-99-0x0000000000E40000-0x00000000011A6000-memory.dmp

Filesize
3.4MB

Download
memory/2736-8-0x000007FEF6620000-0x000007FEF700C000-memory.dmp

Filesize
9.9MB

Download
memory/2736-2-0x000007FEF6620000-0x000007FEF700C000-memory.dmp

Filesize
9.9MB

Download
memory/2736-1-0x0000000000390000-0x00000000006F6000-memory.dmp

Filesize
3.4MB

Download
memory/2736-0-0x000007FEF6623000-0x000007FEF6624000-memory.dmp

Filesize
4KB

Download
memory/2840-10-0x000007FEF6620000-0x000007FEF700C000-memory.dmp

Filesize
9.9MB

Download
memory/2840-9-0x0000000000100000-0x0000000000466000-memory.dmp

Filesize
3.4MB

Download
memory/2840-11-0x000007FEF6620000-0x000007FEF700C000-memory.dmp

Filesize
9.9MB

Download
memory/2840-20-0x000007FEF6620000-0x000007FEF700C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads