quasar | 37393231ee6c2f1e4e81bb820867302f509abe5108d7e6eac891fe1ab4b66ca5

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6cd4cbecbd20d06768408f952a13721fb22fdbeca097913deeebe41a41b3ae2.exe
Size

3.1MB
MD5

7bb322724d054ab41dbd6cdd7c1cee0d
SHA1

0ecc58c184035f0edb3e0a931b0d58b45b33efa7
SHA256

b6cd4cbecbd20d06768408f952a13721fb22fdbeca097913deeebe41a41b3ae2
SHA512

ac49627d1f0334b0abc1187b3dd5e0eb55617d13b3f82aff9fb9dac22f1b90a80458831d444de5415653faae762488d8b9f5cb797ad4434eaf2e23e3ac65e8d0
SSDEEP

49152:PvHI22SsaNYfdPBldt698dBcjHqxPEak0k/LCqoGdqpTHHB72eh2NT:Pvo22SsaNYfdPBldt6+dBcjHqxsHa

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

1.523.6342.54:4782

Mutex

4ea1f729-8980-4f1b-adc9-9454a6c89510

Attributes

encryption_key
6F5616F7DE99189DA1F7FA4AB4982DF3EAD0C9AC
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 10 IoCs

resource	yara_rule
behavioral31/memory/2704-1-0x00000000003A0000-0x00000000006C4000-memory.dmp	family_quasar
behavioral31/files/0x0034000000018683-6.dat	family_quasar
behavioral31/memory/2100-10-0x0000000001290000-0x00000000015B4000-memory.dmp	family_quasar
behavioral31/memory/1768-43-0x00000000000A0000-0x00000000003C4000-memory.dmp	family_quasar
behavioral31/memory/668-54-0x0000000001200000-0x0000000001524000-memory.dmp	family_quasar
behavioral31/memory/1520-75-0x00000000012A0000-0x00000000015C4000-memory.dmp	family_quasar
behavioral31/memory/2648-107-0x0000000000240000-0x0000000000564000-memory.dmp	family_quasar
behavioral31/memory/1736-118-0x0000000000CE0000-0x0000000001004000-memory.dmp	family_quasar
behavioral31/memory/1828-129-0x0000000000320000-0x0000000000644000-memory.dmp	family_quasar
behavioral31/memory/1128-140-0x0000000000150000-0x0000000000474000-memory.dmp	family_quasar

Executes dropped EXE 13 IoCs

pid	Process
2100	Client.exe
2864	Client.exe
1900	Client.exe
1768	Client.exe
668	Client.exe
2296	Client.exe
1520	Client.exe
2912	Client.exe
2868	Client.exe
2648	Client.exe
1736	Client.exe
1828	Client.exe
1128	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1596	PING.EXE
3028	PING.EXE
2956	PING.EXE
1584	PING.EXE
1184	PING.EXE
1836	PING.EXE
2224	PING.EXE
1928	PING.EXE
1692	PING.EXE
2068	PING.EXE
2432	PING.EXE
2252	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
3028	PING.EXE
2432	PING.EXE
2224	PING.EXE
1928	PING.EXE
1596	PING.EXE
2068	PING.EXE
2956	PING.EXE
1584	PING.EXE
1184	PING.EXE
1836	PING.EXE
2252	PING.EXE
1692	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
300	schtasks.exe
2644	schtasks.exe
2512	schtasks.exe
684	schtasks.exe
2572	schtasks.exe
2896	schtasks.exe
1408	schtasks.exe
2492	schtasks.exe
1708	schtasks.exe
2556	schtasks.exe
2944	schtasks.exe
1732	schtasks.exe
2936	schtasks.exe
2140	schtasks.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	b6cd4cbecbd20d06768408f952a13721fb22fdbeca097913deeebe41a41b3ae2.exe
Token: SeDebugPrivilege	2100	Client.exe
Token: SeDebugPrivilege	2864	Client.exe
Token: SeDebugPrivilege	1900	Client.exe
Token: SeDebugPrivilege	1768	Client.exe
Token: SeDebugPrivilege	668	Client.exe
Token: SeDebugPrivilege	2296	Client.exe
Token: SeDebugPrivilege	1520	Client.exe
Token: SeDebugPrivilege	2912	Client.exe
Token: SeDebugPrivilege	2868	Client.exe
Token: SeDebugPrivilege	2648	Client.exe
Token: SeDebugPrivilege	1736	Client.exe
Token: SeDebugPrivilege	1828	Client.exe
Token: SeDebugPrivilege	1128	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2936	2704	b6cd4cbecbd20d06768408f952a13721fb22fdbeca097913deeebe41a41b3ae2.exe	30
PID 2704 wrote to memory of 2936	2704	b6cd4cbecbd20d06768408f952a13721fb22fdbeca097913deeebe41a41b3ae2.exe	30
PID 2704 wrote to memory of 2936	2704	b6cd4cbecbd20d06768408f952a13721fb22fdbeca097913deeebe41a41b3ae2.exe	30
PID 2704 wrote to memory of 2100	2704	b6cd4cbecbd20d06768408f952a13721fb22fdbeca097913deeebe41a41b3ae2.exe	32
PID 2704 wrote to memory of 2100	2704	b6cd4cbecbd20d06768408f952a13721fb22fdbeca097913deeebe41a41b3ae2.exe	32
PID 2704 wrote to memory of 2100	2704	b6cd4cbecbd20d06768408f952a13721fb22fdbeca097913deeebe41a41b3ae2.exe	32
PID 2100 wrote to memory of 2572	2100	Client.exe	33
PID 2100 wrote to memory of 2572	2100	Client.exe	33
PID 2100 wrote to memory of 2572	2100	Client.exe	33
PID 2100 wrote to memory of 1952	2100	Client.exe	35
PID 2100 wrote to memory of 1952	2100	Client.exe	35
PID 2100 wrote to memory of 1952	2100	Client.exe	35
PID 1952 wrote to memory of 2336	1952	cmd.exe	37
PID 1952 wrote to memory of 2336	1952	cmd.exe	37
PID 1952 wrote to memory of 2336	1952	cmd.exe	37
PID 1952 wrote to memory of 3028	1952	cmd.exe	38
PID 1952 wrote to memory of 3028	1952	cmd.exe	38
PID 1952 wrote to memory of 3028	1952	cmd.exe	38
PID 1952 wrote to memory of 2864	1952	cmd.exe	39
PID 1952 wrote to memory of 2864	1952	cmd.exe	39
PID 1952 wrote to memory of 2864	1952	cmd.exe	39
PID 2864 wrote to memory of 2896	2864	Client.exe	40
PID 2864 wrote to memory of 2896	2864	Client.exe	40
PID 2864 wrote to memory of 2896	2864	Client.exe	40
PID 2864 wrote to memory of 2384	2864	Client.exe	42
PID 2864 wrote to memory of 2384	2864	Client.exe	42
PID 2864 wrote to memory of 2384	2864	Client.exe	42
PID 2384 wrote to memory of 1416	2384	cmd.exe	44
PID 2384 wrote to memory of 1416	2384	cmd.exe	44
PID 2384 wrote to memory of 1416	2384	cmd.exe	44
PID 2384 wrote to memory of 2068	2384	cmd.exe	45
PID 2384 wrote to memory of 2068	2384	cmd.exe	45
PID 2384 wrote to memory of 2068	2384	cmd.exe	45
PID 2384 wrote to memory of 1900	2384	cmd.exe	46
PID 2384 wrote to memory of 1900	2384	cmd.exe	46
PID 2384 wrote to memory of 1900	2384	cmd.exe	46
PID 1900 wrote to memory of 1408	1900	Client.exe	47
PID 1900 wrote to memory of 1408	1900	Client.exe	47
PID 1900 wrote to memory of 1408	1900	Client.exe	47
PID 1900 wrote to memory of 1924	1900	Client.exe	49
PID 1900 wrote to memory of 1924	1900	Client.exe	49
PID 1900 wrote to memory of 1924	1900	Client.exe	49
PID 1924 wrote to memory of 1680	1924	cmd.exe	51
PID 1924 wrote to memory of 1680	1924	cmd.exe	51
PID 1924 wrote to memory of 1680	1924	cmd.exe	51
PID 1924 wrote to memory of 2956	1924	cmd.exe	52
PID 1924 wrote to memory of 2956	1924	cmd.exe	52
PID 1924 wrote to memory of 2956	1924	cmd.exe	52
PID 1924 wrote to memory of 1768	1924	cmd.exe	53
PID 1924 wrote to memory of 1768	1924	cmd.exe	53
PID 1924 wrote to memory of 1768	1924	cmd.exe	53
PID 1768 wrote to memory of 2140	1768	Client.exe	54
PID 1768 wrote to memory of 2140	1768	Client.exe	54
PID 1768 wrote to memory of 2140	1768	Client.exe	54
PID 1768 wrote to memory of 448	1768	Client.exe	56
PID 1768 wrote to memory of 448	1768	Client.exe	56
PID 1768 wrote to memory of 448	1768	Client.exe	56
PID 448 wrote to memory of 2036	448	cmd.exe	58
PID 448 wrote to memory of 2036	448	cmd.exe	58
PID 448 wrote to memory of 2036	448	cmd.exe	58
PID 448 wrote to memory of 1584	448	cmd.exe	59
PID 448 wrote to memory of 1584	448	cmd.exe	59
PID 448 wrote to memory of 1584	448	cmd.exe	59
PID 448 wrote to memory of 668	448	cmd.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b6cd4cbecbd20d06768408f952a13721fb22fdbeca097913deeebe41a41b3ae2.exe
"C:\Users\Admin\AppData\Local\Temp\b6cd4cbecbd20d06768408f952a13721fb22fdbeca097913deeebe41a41b3ae2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2936
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2572
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\QleAbJZ2Q4lG.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2336
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3028
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2896
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lPAw8DDRbR1s.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2384
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1416
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2068
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1408
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WcY0C1S4aEKF.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2956
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2140
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\z4LXqE0RpGm2.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1584
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2492
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SJix1TDEyi4C.bat" "
        11⤵
        
        PID:1272
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1184
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1708
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bGSV8jffYDHG.bat" "
        13⤵
        
        PID:1892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2428
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1836
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2556
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EbEgIB3ghKfZ.bat" "
        15⤵
        
        PID:2572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2432
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:300
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ln89Ix3zsLlE.bat" "
        17⤵
        
        PID:3040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2636
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2224
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2644
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9WRDLVKdU7AY.bat" "
        19⤵
        
        PID:2848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2856
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1928
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2944
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PR1rOPAnI1eo.bat" "
        21⤵
        
        PID:2256
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2140
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2252
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1732
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xTw50kcXTEmV.bat" "
        23⤵
        
        PID:1780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2492
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1692
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2512
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kR1PQDhr1exS.bat" "
        25⤵
        
        PID:1512
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1596
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9WRDLVKdU7AY.bat

Filesize
207B

MD5
b97c4ed738548dd0791a095cacf30118

SHA1
6a1f72a02c444a87e358c695eb6b34cb659010ed

SHA256
9c26317f8b6b0b2d6579c9a000273345ed713d96969815394e008e0b6fc1ccad

SHA512
85bf912db48a2b9be6af97c8ab5581698676698e69e9aba3f903b88eca775e80b2f0b9921b0a1cda70e98f6d993225b8dac49dda2556c7e38ddfdd3b29cbe5dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\EbEgIB3ghKfZ.bat

Filesize
207B

MD5
63e0e5ca4da165cb73ef0f8e05064c39

SHA1
59469060f746cf880eb44f9083d181a89b27f9c3

SHA256
af2dc866af9499b2821c04723a10edf3b0bb931750d667ba84cad7491eaa56ea

SHA512
4d2cf2312acf88bedf9e204f90f7c672aa74e5a50cc7decec7b1ef5e7030c96567e3b4fac874550b90df173812a45b27141f1ddeef273d375d4fbad9ee62ce6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PR1rOPAnI1eo.bat

Filesize
207B

MD5
1c73b8790f1dff176d1f3ae42ef48a4e

SHA1
acd1d2502505020beac17e5d946b50fa8434ed3c

SHA256
28bbee64403577dc746e3362def2361957c1e5d20e225789618e41f6a0736a24

SHA512
d2d80b3ea4e82a01978337fe58d748f9bf8ac6c0c89e19a96cbe4f1df62eea5e2f76f34a8a7e69792728ae81284cda4eac005828539b8c07b5a3bde2c5567873

Download Submit
C:\Users\Admin\AppData\Local\Temp\QleAbJZ2Q4lG.bat

Filesize
207B

MD5
7be9afc7b76db7167b6bf96a1bdc4f69

SHA1
52cd34141ae1a0ab21da5e158a673005116544ae

SHA256
cef129cdb16e078c15b4c2d2b921f7f5d59386d48dbea1c5bd76173b1dfb2cba

SHA512
6b1370677d20026bbe2a5a9822ea58386b0234a45a447eafd571f7fd2c7dd217a2bbb4e36342918bfe1c1572c8bcdf53bb3bd73aff9222baaffe6a8cc19e4c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SJix1TDEyi4C.bat

Filesize
207B

MD5
29eaff8418b1b5ab2d1d0f47ae4f86e1

SHA1
00c82df9ea0973d203bb9c612a93cb64a4627b6a

SHA256
bf836aca1011f48b81728ddca7edd0aa16e25c38e2b390098fb9267ba9170959

SHA512
87d1f2346ccb09fa4d011c817c7fa935b51f0dba5aaf70f50cb93f9c06b6e3aef38b294208f655d506c63c041f96687fbee5cff645df3e626cca98c7859d09c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcY0C1S4aEKF.bat

Filesize
207B

MD5
98850bb8dc96c961de27e5bd86daf506

SHA1
c45c2801b9902d4612f4f7de7d91e6d5b91b8e0b

SHA256
8639d530a6a85b01b13e4c659c490f6aa8ceae2ed214a119be450aaa799ccdc3

SHA512
cd62134631282946468fb4f01855d6aa7b4b47ee73e39ee1b978d4d1c768571d9cd16d0c79fe834af5fb68b3a40b2422725c7f1abd039be7603fa72d707bbf51

Download Submit
C:\Users\Admin\AppData\Local\Temp\bGSV8jffYDHG.bat

Filesize
207B

MD5
1d8e63e461406317f34ba124de294a47

SHA1
649875511ec88188457d8183b2109594debc7559

SHA256
bdd6997759c40d7c308a67b8ecebb1a8ae30c33a27d603fe66eac2e6f00ab00f

SHA512
002cb045a3827c44abc8b9e7e1f005bc07fe2440c86a88d6fb76e00225ac1b97dfde7a6fb9771d4bcd92d518d20326b66dbd595b5c305b088f2e1905192a1339

Download Submit
C:\Users\Admin\AppData\Local\Temp\kR1PQDhr1exS.bat

Filesize
207B

MD5
715ea56bd4f1c92d0d45336399dff121

SHA1
d883357443f5e92be339f5b4c86c3886e2ac1f94

SHA256
4f83a81e7a0319cc3a15b6779b6f1005851f11aaa81e14465baf17c69c2e5ee9

SHA512
897fe5ea9f2752ace3926c9ece2eea49f0682afc7cf9b3daeaec5c7a2f188be418caedc1054a830ac4fc0236e75872709def6c6311848a3087c2202d76c59ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\lPAw8DDRbR1s.bat

Filesize
207B

MD5
df84e15b210913c113ce56f2b652783c

SHA1
76c12e85217c3a020bc0dc1c7175363b4d03df96

SHA256
3fa66022bd50b013538be51fedf4aea66bc34e61bc20aaa270d0e622069349e8

SHA512
9f5ed2065e0a28f7d5e9e86e49148b729f1a8fd11a84a6e8a1bcf41e7474ce707e979aef248eb18303e90e35398a00fce626126335b2a271e6a1a2d62b3e5e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\ln89Ix3zsLlE.bat

Filesize
207B

MD5
e9f01bfde210ebf06d3a5c7ab098baf6

SHA1
e05610e0540cfb8df156c67ac291b33ac8b88145

SHA256
fb1ef9dd82423811510da35ec7410e85524697698a4518cc7e4ff92556784b3d

SHA512
2d1f2e7cc5e15b469be8353e26b82e6d30b6f12293c80a8278d7106de89d42bf6d9ca583f8a2a0c2766c49f8489df61c4ce7aabf714aad271be5090bedff3043

Download Submit
C:\Users\Admin\AppData\Local\Temp\xTw50kcXTEmV.bat

Filesize
207B

MD5
8d92d9661f30d24d6059d4d7a7c106e2

SHA1
c4683a0e4cbb54db58c51a97d080f2305648087d

SHA256
2c4b6991330b7183d740b6f75bdc1c1c00210b5cdc5e2b8a6fac302e4817e5d3

SHA512
db9ed5637da3eff8dae4c33bf991127eed8795d5020b2043eada0d6ad33871b717637c26de904e3fc94bd8fc9d233ff1cf241eb991dcf8f16797116e242eab7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\z4LXqE0RpGm2.bat

Filesize
207B

MD5
b947a9f1da5bddcc90385503a065da5b

SHA1
5dfcd1d8af240aa56ac087ed0df55a34f5c770bf

SHA256
438a708bd64029dad4ec22df7f958836dc29fa09271c7860def61415500d96bf

SHA512
163b1a9b4bf27b521d7e36abba03da101b4fe9790e8eac9cc16ffebf67cab8ce6f2117b920b52c326ef834f6a7c15ef74ee1c8c53ee854a51b64f8f49dd7e437

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
7bb322724d054ab41dbd6cdd7c1cee0d

SHA1
0ecc58c184035f0edb3e0a931b0d58b45b33efa7

SHA256
b6cd4cbecbd20d06768408f952a13721fb22fdbeca097913deeebe41a41b3ae2

SHA512
ac49627d1f0334b0abc1187b3dd5e0eb55617d13b3f82aff9fb9dac22f1b90a80458831d444de5415653faae762488d8b9f5cb797ad4434eaf2e23e3ac65e8d0

Download Submit
memory/668-54-0x0000000001200000-0x0000000001524000-memory.dmp

Filesize
3.1MB

Download
memory/1128-140-0x0000000000150000-0x0000000000474000-memory.dmp

Filesize
3.1MB

Download
memory/1520-75-0x00000000012A0000-0x00000000015C4000-memory.dmp

Filesize
3.1MB

Download
memory/1736-118-0x0000000000CE0000-0x0000000001004000-memory.dmp

Filesize
3.1MB

Download
memory/1768-43-0x00000000000A0000-0x00000000003C4000-memory.dmp

Filesize
3.1MB

Download
memory/1828-129-0x0000000000320000-0x0000000000644000-memory.dmp

Filesize
3.1MB

Download
memory/2100-20-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/2100-9-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/2100-10-0x0000000001290000-0x00000000015B4000-memory.dmp

Filesize
3.1MB

Download
memory/2100-11-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/2648-107-0x0000000000240000-0x0000000000564000-memory.dmp

Filesize
3.1MB

Download
memory/2704-8-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/2704-2-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/2704-1-0x00000000003A0000-0x00000000006C4000-memory.dmp

Filesize
3.1MB

Download
memory/2704-0-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads