quasar | a75d7cddda0bf75b82bbd0f86361924b37e8d4e30b4d78233647c72f607a9417

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250211-en
resource tags

arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2025 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

retracbubblewrap.exe
Size

3.1MB
MD5

3158a87cc232a73f4df5b657536bd32b
SHA1

e531e74b2d67701058dc0d865d6a42fdba327cfd
SHA256

a75d7cddda0bf75b82bbd0f86361924b37e8d4e30b4d78233647c72f607a9417
SHA512

13ccd864f4005200e3d0e43c84bfb4d2d970f96e4e596626b4ceb706e24e4d577accb81b569e83436c1f634131de521bcb06c724bf5a054df543af1895618c94
SSDEEP

49152:rv2I22SsaNYfdPBldt698dBcjHFbRJ6XbR3LoGdRTHHB72eh2NT:rvb22SsaNYfdPBldt6+dBcjHFbRJ6p

Score

10^/10

quasar watafak.org discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

watafak.org

SlotMode-60377.portmap.host::60377

Mutex

4b033274-74df-4a33-9b1c-b511ea8adfd0

Attributes

encryption_key
15F7B7E72381E729EFE3F3EC04B9B82B2C52ECB9
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
watafak.com
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/844-1-0x0000000000C40000-0x0000000000F64000-memory.dmp	family_quasar
behavioral2/files/0x000b000000023cb8-5.dat	family_quasar

Downloads MZ/PE file 1 IoCs

flow	pid	Process
51	516	Process not Found

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
2780	Client.exe
3336	Client.exe
2584	Client.exe
2424	Client.exe
1132	Client.exe
3748	Client.exe
4172	Client.exe
1252	Client.exe
4912	Client.exe
2560	Client.exe
736	Client.exe
2304	Client.exe
3768	Client.exe
1448	Client.exe
4356	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 16 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2888	PING.EXE
1880	PING.EXE
1728	PING.EXE
2460	PING.EXE
1704	PING.EXE
3028	PING.EXE
4616	PING.EXE
4800	PING.EXE
4720	PING.EXE
2884	PING.EXE
3408	MicrosoftEdgeUpdate.exe
5008	PING.EXE
3908	PING.EXE
556	PING.EXE
5048	PING.EXE
1084	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2888	PING.EXE
2884	PING.EXE
1880	PING.EXE
5008	PING.EXE
4720	PING.EXE
3028	PING.EXE
1728	PING.EXE
5048	PING.EXE
3908	PING.EXE
556	PING.EXE
4616	PING.EXE
4800	PING.EXE
2460	PING.EXE
1704	PING.EXE
1084	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
436	schtasks.exe
4820	schtasks.exe
3532	schtasks.exe
1736	schtasks.exe
2760	schtasks.exe
1368	schtasks.exe
2304	schtasks.exe
4472	schtasks.exe
2636	schtasks.exe
4812	schtasks.exe
4820	schtasks.exe
2056	schtasks.exe
4732	schtasks.exe
3932	schtasks.exe
2120	schtasks.exe
4460	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	844	retracbubblewrap.exe
Token: SeDebugPrivilege	2780	Client.exe
Token: SeDebugPrivilege	3336	Client.exe
Token: SeDebugPrivilege	2584	Client.exe
Token: SeDebugPrivilege	2424	Client.exe
Token: SeDebugPrivilege	1132	Client.exe
Token: SeDebugPrivilege	3748	Client.exe
Token: SeDebugPrivilege	4172	Client.exe
Token: SeDebugPrivilege	1252	Client.exe
Token: SeDebugPrivilege	4912	Client.exe
Token: SeDebugPrivilege	2560	Client.exe
Token: SeDebugPrivilege	736	Client.exe
Token: SeDebugPrivilege	2304	Client.exe
Token: SeDebugPrivilege	3768	Client.exe
Token: SeDebugPrivilege	1448	Client.exe
Token: SeDebugPrivilege	4356	Client.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2780	Client.exe
3336	Client.exe
2584	Client.exe
2424	Client.exe
1132	Client.exe
3748	Client.exe
4172	Client.exe
1252	Client.exe
4912	Client.exe
2560	Client.exe
736	Client.exe
2304	Client.exe
3768	Client.exe
1448	Client.exe
4356	Client.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2780	Client.exe
3336	Client.exe
2584	Client.exe
2424	Client.exe
1132	Client.exe
3748	Client.exe
4172	Client.exe
1252	Client.exe
4912	Client.exe
2560	Client.exe
736	Client.exe
2304	Client.exe
3768	Client.exe
1448	Client.exe
4356	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 4820	844	retracbubblewrap.exe	91
PID 844 wrote to memory of 4820	844	retracbubblewrap.exe	91
PID 844 wrote to memory of 2780	844	retracbubblewrap.exe	93
PID 844 wrote to memory of 2780	844	retracbubblewrap.exe	93
PID 2780 wrote to memory of 436	2780	Client.exe	94
PID 2780 wrote to memory of 436	2780	Client.exe	94
PID 2780 wrote to memory of 5080	2780	Client.exe	96
PID 2780 wrote to memory of 5080	2780	Client.exe	96
PID 5080 wrote to memory of 2024	5080	cmd.exe	98
PID 5080 wrote to memory of 2024	5080	cmd.exe	98
PID 5080 wrote to memory of 3028	5080	cmd.exe	99
PID 5080 wrote to memory of 3028	5080	cmd.exe	99
PID 5080 wrote to memory of 3336	5080	cmd.exe	100
PID 5080 wrote to memory of 3336	5080	cmd.exe	100
PID 3336 wrote to memory of 4460	3336	Client.exe	101
PID 3336 wrote to memory of 4460	3336	Client.exe	101
PID 3336 wrote to memory of 4920	3336	Client.exe	103
PID 3336 wrote to memory of 4920	3336	Client.exe	103
PID 4920 wrote to memory of 2756	4920	cmd.exe	105
PID 4920 wrote to memory of 2756	4920	cmd.exe	105
PID 4920 wrote to memory of 556	4920	cmd.exe	106
PID 4920 wrote to memory of 556	4920	cmd.exe	106
PID 4920 wrote to memory of 2584	4920	cmd.exe	107
PID 4920 wrote to memory of 2584	4920	cmd.exe	107
PID 2584 wrote to memory of 2760	2584	Client.exe	108
PID 2584 wrote to memory of 2760	2584	Client.exe	108
PID 2584 wrote to memory of 984	2584	Client.exe	110
PID 2584 wrote to memory of 984	2584	Client.exe	110
PID 984 wrote to memory of 4448	984	cmd.exe	112
PID 984 wrote to memory of 4448	984	cmd.exe	112
PID 984 wrote to memory of 2888	984	cmd.exe	113
PID 984 wrote to memory of 2888	984	cmd.exe	113
PID 984 wrote to memory of 2424	984	cmd.exe	118
PID 984 wrote to memory of 2424	984	cmd.exe	118
PID 2424 wrote to memory of 1368	2424	Client.exe	119
PID 2424 wrote to memory of 1368	2424	Client.exe	119
PID 2424 wrote to memory of 4052	2424	Client.exe	121
PID 2424 wrote to memory of 4052	2424	Client.exe	121
PID 4052 wrote to memory of 456	4052	cmd.exe	123
PID 4052 wrote to memory of 456	4052	cmd.exe	123
PID 4052 wrote to memory of 4616	4052	cmd.exe	124
PID 4052 wrote to memory of 4616	4052	cmd.exe	124
PID 4052 wrote to memory of 1132	4052	cmd.exe	125
PID 4052 wrote to memory of 1132	4052	cmd.exe	125
PID 1132 wrote to memory of 4820	1132	Client.exe	126
PID 1132 wrote to memory of 4820	1132	Client.exe	126
PID 1132 wrote to memory of 5048	1132	Client.exe	128
PID 1132 wrote to memory of 5048	1132	Client.exe	128
PID 5048 wrote to memory of 2556	5048	cmd.exe	130
PID 5048 wrote to memory of 2556	5048	cmd.exe	130
PID 5048 wrote to memory of 2884	5048	cmd.exe	131
PID 5048 wrote to memory of 2884	5048	cmd.exe	131
PID 5048 wrote to memory of 3748	5048	cmd.exe	132
PID 5048 wrote to memory of 3748	5048	cmd.exe	132
PID 3748 wrote to memory of 2304	3748	Client.exe	133
PID 3748 wrote to memory of 2304	3748	Client.exe	133
PID 3748 wrote to memory of 544	3748	Client.exe	135
PID 3748 wrote to memory of 544	3748	Client.exe	135
PID 544 wrote to memory of 724	544	cmd.exe	137
PID 544 wrote to memory of 724	544	cmd.exe	137
PID 544 wrote to memory of 4800	544	cmd.exe	138
PID 544 wrote to memory of 4800	544	cmd.exe	138
PID 544 wrote to memory of 4172	544	cmd.exe	141
PID 544 wrote to memory of 4172	544	cmd.exe	141

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\retracbubblewrap.exe
"C:\Users\Admin\AppData\Local\Temp\retracbubblewrap.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "watafak.com" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4820
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "watafak.com" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZfBhvgzOU9p3.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2024
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3028
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3336
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "watafak.com" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4460
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGLQFboT04Ml.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4920
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2756
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:556
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "watafak.com" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PaTmb9bJk69v.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4448
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2888
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "watafak.com" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Tzddpjgb6U5U.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:456
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4616
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "watafak.com" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ws4EGq0G5PmI.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2884
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "watafak.com" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zR8WqlGdJTPV.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:724
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4800
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4172
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "watafak.com" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DbN0IpDiSu6a.bat" "
        15⤵
        
        PID:1704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4160
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1880
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1252
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "watafak.com" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nokDZh69BHVw.bat" "
        17⤵
        
        PID:4792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3980
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5008
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4912
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "watafak.com" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGDWPk3HFr2h.bat" "
        19⤵
        
        PID:2188
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1984
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2460
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2560
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "watafak.com" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ue17U6YUbWwR.bat" "
        21⤵
        
        PID:4300
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3468
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1728
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:736
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "watafak.com" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3yldWGBGdsgr.bat" "
        23⤵
        
        PID:2784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1348
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5048
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2304
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "watafak.com" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R72UG8agVtaO.bat" "
        25⤵
        
        PID:3744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2664
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4720
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3768
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "watafak.com" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UsgdN2ZyR7sm.bat" "
        27⤵
        
        PID:1284
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1704
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1448
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "watafak.com" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOc7ujwaoLPC.bat" "
        29⤵
        
        PID:3892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2448
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1084
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4356
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "watafak.com" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CRvsgjrV4t1N.bat" "
        31⤵
        
        PID:2616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:228
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3908

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjhERjdBNEItNzA4NS00NTUxLUEzNzktNkRBOTE3Nzc0NTVGfSIgdXNlcmlkPSJ7NUYxMUExQ0QtMzJEMS00RTlFLTlBQjYtMkY2MzlEQ0E5NTcyfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NjZGNDA3RDgtNTE3Ri00OEM1LUEwRkQtRjRGMjRENTA0RUVGfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODIxNjkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1MzE4NTEwMTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDA4MDMwOTI5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3yldWGBGdsgr.bat

Filesize
207B

MD5
8a4495990bc46d11971964cb41ef7b6d

SHA1
265624c2a349896714ecd8b6c54b2be4ff8397ea

SHA256
063fdb868be1edbfb595e53386bb18aa5da9eb54a434281e7a0de55467fc68ef

SHA512
9f6326c5f9faf2602628272ddabf3c7d292a316ba94f0f61b0cb3b3ad5d87d042b4831972135afa6b28da2303b1a0438bccf2d4275ad02bdada180cf9d7921a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CRvsgjrV4t1N.bat

Filesize
207B

MD5
766f12fa117ce385484b8f0be3477258

SHA1
0236f7a26ca9f144e6b575f8570ab42dbbe88f2e

SHA256
c98ef614c1f602bd2797536d51dde9b6cd2ac0894374224302c66cc119ec695b

SHA512
9919614a5ec4677086948a4f51bac5e149b8fce43e1ed1b3ccd2304ae0c1fcd1cdd03dbf376667c714f4878bbbd285cdb3d1a21fc0e8586a30765663289bb327

Download Submit
C:\Users\Admin\AppData\Local\Temp\DbN0IpDiSu6a.bat

Filesize
207B

MD5
7da22f4ffc7a7597a609d3c7ea52b46d

SHA1
5c7fb59449498c0f14720719629b02c5d0b758ff

SHA256
acbd6e77adde52d8fd42e132c433c748607b62ceb6eafcd683e729fef7ec5deb

SHA512
befdbce840273ed9e0275a9cfc1c6cda6eaf3cda6e4805e9717538e35f8f3210d0a2ddbd4b7937b6ad4d92a1319d893b2a3b6dd89412ed1c082fb5245361bbe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOc7ujwaoLPC.bat

Filesize
207B

MD5
e7d9146bd57cf00d55c074d89950a933

SHA1
7806be8a6ebaa5a34532ec4bfc08fde0dc76a815

SHA256
67f50ca7d70063567ddd5d5d3c45e9b3419b808a79def8e781bd71365fda8c0c

SHA512
a4632bb3976bc648e15632700a30a69e49ebb682272919da68e0c1800dd4856b6bcd9f9c0303eb2aadfc51a28336bd85dd1c895b7b4843272b6add073b29439d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PaTmb9bJk69v.bat

Filesize
207B

MD5
4628fc69ed88c18dfa69da247a054f32

SHA1
e41cf1c147bd0c1157bfffb8ba98a78347e51021

SHA256
782713dce3a8a0073af64e669a404a52aa8e1ef81123c56a550d7801038ad1b0

SHA512
77a55895c3e91b78e8dc76abee2b219dd1ee9102135e4ff56c7ea586cfc56d982f19eaf6a684d9ae9e015cc4251330e071f15465027261aea1583c4e5c6b6661

Download Submit
C:\Users\Admin\AppData\Local\Temp\R72UG8agVtaO.bat

Filesize
207B

MD5
0fd80052fa626e44c3ff65185feca134

SHA1
69cfc0b5c7aa5ca2494b82ba667370dca1546944

SHA256
dbad08dd9a3446b7515567e40b8de4112788bb633b4dd3dd780d3b13c6fbac7b

SHA512
a2118be463823a8ccf5db5556ad27df424b393c01d8dc1811f269e73039b4d7cc4d956e2ab0d6f8ad159b7f633198711cd3058e6ed98f65eb1653acbbacdf03e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tzddpjgb6U5U.bat

Filesize
207B

MD5
ea4bf758c77767f029ada765db3f9f57

SHA1
9e3bd167ed5f5e3b51c99280e7c59df2aac1e4dc

SHA256
a6cb7c06919fd611870d1a75a113ed2245ea4e22172a3ed0ceffa08f359a4b38

SHA512
b6d83c296618dca5390b671d7e512c7485286e78b6c78ed4d6b8b6d6e49e3b9e1f0afef9fa695c59264b518d98d4d657181ae2a2ed1454de6b6c1927e8f58802

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ue17U6YUbWwR.bat

Filesize
207B

MD5
0768f92b9c0a8b01a1aa1b33a0f93d74

SHA1
462e228a319ec52e55328f01385a35fa4927418c

SHA256
ce67bac7db2df5f0f954300a577c04c5a36272610da405c8d48576d18afcf092

SHA512
62b799fa998d43af4c4d1837994966cf721b5ef46ccc14636f56d32006015555fcf334b79d53c99e281c679edca5c8c48c287ce0ee17f18f9c2770be1995a0eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsgdN2ZyR7sm.bat

Filesize
207B

MD5
8186f7fc16f6535b940bd69df5c81abf

SHA1
d60482d0a4099ee491e2571a7ab9c769e6a58df2

SHA256
d09d138fbeb8d73d28d3527636f56d76f38c73ba128faf30d434a030f06e1cee

SHA512
7c055d82421748e6ff833d42d81e7752db94e9e6bbe3e709a9cef7401ccf29784055dd3713634acad88ccd50b1d7f812722deca55403bd9f216aea9157297503

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ws4EGq0G5PmI.bat

Filesize
207B

MD5
147d98a248d74696d89a91e3a1dd4360

SHA1
4e0044d15e640a0d93de42dfdffacf1c90f9e511

SHA256
4fcaed2ca5568eb5c0dea2c5803dd34eec7766e2b247fe9609b045414bd93593

SHA512
ff51fd571e92325a947116f3070809046ba7077e6ab12be31099ec4d92c5eeabde81da68f0abd7dd9ff9baf1218807b3c29301927f2f5f3d99a5c8495edb7521

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZfBhvgzOU9p3.bat

Filesize
207B

MD5
715b5542392b354d7380784687851126

SHA1
a39ce0a1cec0f5dbcfaed229641f8fa2083bb7ae

SHA256
a7f7cf4747cbcb1889c3739d39a6f330c7d870e7a15e168868cfb5fd9d47e8dd

SHA512
40caebd18463ed574326c3fd21e7f0e5e2b8c47b79a4889fe1e35b5c9949c89eb7789e3dd6e4cb09038ced7030d271a371fb3ea76bf95cda63ef49f3fd5a22a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nokDZh69BHVw.bat

Filesize
207B

MD5
8c26b84218ec5a71400f51552854f752

SHA1
a4e93151bf3a76b88aee1bb89c8cc38234835a36

SHA256
fbdd57f792a92336f2b24b65c19a49d20de1aa29486e2865669fc78815081256

SHA512
c20f0a05d928d2739fc97ce442bbbc5c2c68f468b19e683f5eeeb1a6c251efe8f3e942a2c02862a0e5081c8f5f1cdd06a132a2b18a816b1a2d8cd831d25ef166

Download Submit
C:\Users\Admin\AppData\Local\Temp\pGDWPk3HFr2h.bat

Filesize
207B

MD5
9db9bdebad799ad6d000158873ab6800

SHA1
a6f18738d9538c3b13acfaefe797894770e90ad0

SHA256
8196571548ee25f7be3ebc04bb8cf70b8f5422d20ae06706b302f58f36362dbb

SHA512
9821e4d6a546b7622357ee21f996db1769bbea160b1121517238927a00abb097c0ca70e62d38de6476d7729bb9b884b64314b84c56037a9b4ccde7b276c1f6b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vGLQFboT04Ml.bat

Filesize
207B

MD5
aba6a8dc757ce9016609a590411fc5c2

SHA1
13eae7f39edd81b8e20c76856e1cdd467e62bc72

SHA256
422281d9c92de125d7eae205512522c282c46126a27d123a66a8ed27c8d053ed

SHA512
4f18458b414c5f5055cae185c333cb918d75dc31dadf505b3b5d78fefc8f60760e9b36667328da7d362cae3451da6dcf5353537f236bb93403a53c6f7361646c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zR8WqlGdJTPV.bat

Filesize
207B

MD5
5c7be39e69680845000884fc493d9184

SHA1
5514b01d7536b5a6802cc181481b5a4813a5653d

SHA256
51dc20637babeebe399340820f91cf3f91ae38522ae7cbd9ff63c315c4ef9c06

SHA512
ac17171311eaffdd65dec019d52646c9cef067c724eb97bf7a4e245b3fc58af844b9911b4639849643aa917c1fe39b7764298198bc1e19f89e9aee65acfa8fd3

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
3158a87cc232a73f4df5b657536bd32b

SHA1
e531e74b2d67701058dc0d865d6a42fdba327cfd

SHA256
a75d7cddda0bf75b82bbd0f86361924b37e8d4e30b4d78233647c72f607a9417

SHA512
13ccd864f4005200e3d0e43c84bfb4d2d970f96e4e596626b4ceb706e24e4d577accb81b569e83436c1f634131de521bcb06c724bf5a054df543af1895618c94

Download Submit
memory/844-0-0x00007FF8FEB53000-0x00007FF8FEB55000-memory.dmp

Filesize
8KB

Download
memory/844-8-0x00007FF8FEB50000-0x00007FF8FF611000-memory.dmp

Filesize
10.8MB

Download
memory/844-2-0x00007FF8FEB50000-0x00007FF8FF611000-memory.dmp

Filesize
10.8MB

Download
memory/844-1-0x0000000000C40000-0x0000000000F64000-memory.dmp

Filesize
3.1MB

Download
memory/2780-18-0x00007FF8FEB50000-0x00007FF8FF611000-memory.dmp

Filesize
10.8MB

Download
memory/2780-12-0x000000001BE80000-0x000000001BF32000-memory.dmp

Filesize
712KB

Download
memory/2780-11-0x000000001BD70000-0x000000001BDC0000-memory.dmp

Filesize
320KB

Download
memory/2780-10-0x00007FF8FEB50000-0x00007FF8FF611000-memory.dmp

Filesize
10.8MB

Download
memory/2780-9-0x00007FF8FEB50000-0x00007FF8FF611000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads