quasar | 37393231ee6c2f1e4e81bb820867302f509abe5108d7e6eac891fe1ab4b66ca5

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6cd4cbecbd20d06768408f952a13721fb22fdbeca097913deeebe41a41b3ae2.exe
Size

3.1MB
MD5

7bb322724d054ab41dbd6cdd7c1cee0d
SHA1

0ecc58c184035f0edb3e0a931b0d58b45b33efa7
SHA256

b6cd4cbecbd20d06768408f952a13721fb22fdbeca097913deeebe41a41b3ae2
SHA512

ac49627d1f0334b0abc1187b3dd5e0eb55617d13b3f82aff9fb9dac22f1b90a80458831d444de5415653faae762488d8b9f5cb797ad4434eaf2e23e3ac65e8d0
SSDEEP

49152:PvHI22SsaNYfdPBldt698dBcjHqxPEak0k/LCqoGdqpTHHB72eh2NT:Pvo22SsaNYfdPBldt6+dBcjHqxsHa

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

1.523.6342.54:4782

Mutex

4ea1f729-8980-4f1b-adc9-9454a6c89510

Attributes

encryption_key
6F5616F7DE99189DA1F7FA4AB4982DF3EAD0C9AC
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral32/memory/4368-1-0x0000000000CD0000-0x0000000000FF4000-memory.dmp	family_quasar
behavioral32/files/0x000400000001dab1-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
3204	Client.exe
4652	Client.exe
1228	Client.exe
4296	Client.exe
4280	Client.exe
4524	Client.exe
64	Client.exe
3880	Client.exe
4496	Client.exe
2128	Client.exe
2832	Client.exe
1932	Client.exe
3264	Client.exe
3508	Client.exe
2532	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
452	PING.EXE
2588	PING.EXE
5020	PING.EXE
4532	PING.EXE
3580	PING.EXE
3164	PING.EXE
3980	PING.EXE
3360	PING.EXE
3136	PING.EXE
2536	PING.EXE
3720	PING.EXE
3964	PING.EXE
4548	PING.EXE
4548	PING.EXE
1328	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2536	PING.EXE
5020	PING.EXE
452	PING.EXE
4548	PING.EXE
3136	PING.EXE
3164	PING.EXE
2588	PING.EXE
3964	PING.EXE
3980	PING.EXE
3360	PING.EXE
4532	PING.EXE
3580	PING.EXE
3720	PING.EXE
1328	PING.EXE
4548	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3096	schtasks.exe
2700	schtasks.exe
3408	schtasks.exe
1932	schtasks.exe
4388	schtasks.exe
2448	schtasks.exe
628	schtasks.exe
384	schtasks.exe
2436	schtasks.exe
4724	schtasks.exe
2656	schtasks.exe
3980	schtasks.exe
3096	schtasks.exe
3764	schtasks.exe
3720	schtasks.exe
5052	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	4368	b6cd4cbecbd20d06768408f952a13721fb22fdbeca097913deeebe41a41b3ae2.exe
Token: SeDebugPrivilege	3204	Client.exe
Token: SeDebugPrivilege	4652	Client.exe
Token: SeDebugPrivilege	1228	Client.exe
Token: SeDebugPrivilege	4296	Client.exe
Token: SeDebugPrivilege	4280	Client.exe
Token: SeDebugPrivilege	4524	Client.exe
Token: SeDebugPrivilege	64	Client.exe
Token: SeDebugPrivilege	3880	Client.exe
Token: SeDebugPrivilege	4496	Client.exe
Token: SeDebugPrivilege	2128	Client.exe
Token: SeDebugPrivilege	2832	Client.exe
Token: SeDebugPrivilege	1932	Client.exe
Token: SeDebugPrivilege	3264	Client.exe
Token: SeDebugPrivilege	3508	Client.exe
Token: SeDebugPrivilege	2532	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 4724	4368	b6cd4cbecbd20d06768408f952a13721fb22fdbeca097913deeebe41a41b3ae2.exe	88
PID 4368 wrote to memory of 4724	4368	b6cd4cbecbd20d06768408f952a13721fb22fdbeca097913deeebe41a41b3ae2.exe	88
PID 4368 wrote to memory of 3204	4368	b6cd4cbecbd20d06768408f952a13721fb22fdbeca097913deeebe41a41b3ae2.exe	90
PID 4368 wrote to memory of 3204	4368	b6cd4cbecbd20d06768408f952a13721fb22fdbeca097913deeebe41a41b3ae2.exe	90
PID 3204 wrote to memory of 1932	3204	Client.exe	91
PID 3204 wrote to memory of 1932	3204	Client.exe	91
PID 3204 wrote to memory of 3968	3204	Client.exe	95
PID 3204 wrote to memory of 3968	3204	Client.exe	95
PID 3968 wrote to memory of 2032	3968	cmd.exe	97
PID 3968 wrote to memory of 2032	3968	cmd.exe	97
PID 3968 wrote to memory of 4532	3968	cmd.exe	98
PID 3968 wrote to memory of 4532	3968	cmd.exe	98
PID 3968 wrote to memory of 4652	3968	cmd.exe	103
PID 3968 wrote to memory of 4652	3968	cmd.exe	103
PID 4652 wrote to memory of 3980	4652	Client.exe	104
PID 4652 wrote to memory of 3980	4652	Client.exe	104
PID 4652 wrote to memory of 5040	4652	Client.exe	107
PID 4652 wrote to memory of 5040	4652	Client.exe	107
PID 5040 wrote to memory of 5048	5040	cmd.exe	109
PID 5040 wrote to memory of 5048	5040	cmd.exe	109
PID 5040 wrote to memory of 452	5040	cmd.exe	110
PID 5040 wrote to memory of 452	5040	cmd.exe	110
PID 5040 wrote to memory of 1228	5040	cmd.exe	111
PID 5040 wrote to memory of 1228	5040	cmd.exe	111
PID 1228 wrote to memory of 3096	1228	Client.exe	112
PID 1228 wrote to memory of 3096	1228	Client.exe	112
PID 1228 wrote to memory of 3952	1228	Client.exe	114
PID 1228 wrote to memory of 3952	1228	Client.exe	114
PID 3952 wrote to memory of 2456	3952	cmd.exe	116
PID 3952 wrote to memory of 2456	3952	cmd.exe	116
PID 3952 wrote to memory of 4548	3952	cmd.exe	117
PID 3952 wrote to memory of 4548	3952	cmd.exe	117
PID 3952 wrote to memory of 4296	3952	cmd.exe	146
PID 3952 wrote to memory of 4296	3952	cmd.exe	146
PID 4296 wrote to memory of 4388	4296	Client.exe	121
PID 4296 wrote to memory of 4388	4296	Client.exe	121
PID 4296 wrote to memory of 2168	4296	Client.exe	123
PID 4296 wrote to memory of 2168	4296	Client.exe	123
PID 2168 wrote to memory of 3136	2168	cmd.exe	147
PID 2168 wrote to memory of 3136	2168	cmd.exe	147
PID 2168 wrote to memory of 3580	2168	cmd.exe	126
PID 2168 wrote to memory of 3580	2168	cmd.exe	126
PID 2168 wrote to memory of 4280	2168	cmd.exe	168
PID 2168 wrote to memory of 4280	2168	cmd.exe	168
PID 4280 wrote to memory of 5052	4280	Client.exe	135
PID 4280 wrote to memory of 5052	4280	Client.exe	135
PID 4280 wrote to memory of 3260	4280	Client.exe	137
PID 4280 wrote to memory of 3260	4280	Client.exe	137
PID 3260 wrote to memory of 3720	3260	cmd.exe	169
PID 3260 wrote to memory of 3720	3260	cmd.exe	169
PID 3260 wrote to memory of 2588	3260	cmd.exe	140
PID 3260 wrote to memory of 2588	3260	cmd.exe	140
PID 3260 wrote to memory of 4524	3260	cmd.exe	141
PID 3260 wrote to memory of 4524	3260	cmd.exe	141
PID 4524 wrote to memory of 3764	4524	Client.exe	142
PID 4524 wrote to memory of 3764	4524	Client.exe	142
PID 4524 wrote to memory of 3804	4524	Client.exe	144
PID 4524 wrote to memory of 3804	4524	Client.exe	144
PID 3804 wrote to memory of 4296	3804	cmd.exe	146
PID 3804 wrote to memory of 4296	3804	cmd.exe	146
PID 3804 wrote to memory of 3136	3804	cmd.exe	147
PID 3804 wrote to memory of 3136	3804	cmd.exe	147
PID 3804 wrote to memory of 64	3804	cmd.exe	148
PID 3804 wrote to memory of 64	3804	cmd.exe	148

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b6cd4cbecbd20d06768408f952a13721fb22fdbeca097913deeebe41a41b3ae2.exe
"C:\Users\Admin\AppData\Local\Temp\b6cd4cbecbd20d06768408f952a13721fb22fdbeca097913deeebe41a41b3ae2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4724
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gGarOErSMonp.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3968
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2032
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4532
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4652
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3980
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xF57sBTE1Mm7.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5040
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5048
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:452
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cZOgsLhQCRKN.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2456
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4548
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmvKvgZAYL68.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3136
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3580
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jYpnh94AbLbx.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3720
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2588
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kQqUXZTPiMJu.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4296
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3136
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:64
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H6DcJrTmJ8ZG.bat" "
        15⤵
        
        PID:2956
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2276
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3164
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3880
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WDVcqPfF54Eg.bat" "
        17⤵
        
        PID:2436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4284
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2536
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4496
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z3UdIn9NpVuO.bat" "
        19⤵
        
        PID:4412
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4280
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3720
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Yencvh2wxtuu.bat" "
        21⤵
        
        PID:1052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3964
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\btpy3sftqjnW.bat" "
        23⤵
        
        PID:832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1352
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1328
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NsLV17g5we94.bat" "
        25⤵
        
        PID:4324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:5112
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3980
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3264
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UfE9lHxUYp7e.bat" "
        27⤵
        
        PID:4252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5020
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3508
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s697ktjgJRaY.bat" "
        29⤵
        
        PID:4700
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:788
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3360
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YtqpMbmWKDD3.bat" "
        31⤵
        
        PID:628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4812
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\H6DcJrTmJ8ZG.bat

Filesize
207B

MD5
be086ea597bfbbebead5115ec7b5bf60

SHA1
fba746385cb9816d4d29a98814dd0be455669d5e

SHA256
d2d033e2c7e6fd6047e4d1bfa408532d6e67aea970082ed01923fdd0a2493220

SHA512
7e1bef5fb1b4153a029dd80a0c6af4a2e4ad70e62328496c5d6ece7105093c6978f8df3efafbe5e81cb7601f6ab23c6d1b64db91467ca1bbde60419086562c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KmvKvgZAYL68.bat

Filesize
207B

MD5
cb8292cdaf0e1a0ca5d232f2e18ed053

SHA1
26419e8ff852a7cfafcf0a5f25e0cd14b9358572

SHA256
993defd4845a2e3d87425b1d433554ee32446c5fd4d45d99eaa80375bcf66e7b

SHA512
48c937dea0f548d71737d5fe5c625cfe44880b116b2cd18d25171ff994ae4c07c4c75b3f90cc13fe6e4a5b3e17d65e5f8a212e8f021388dccc6c1673a2fad0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\NsLV17g5we94.bat

Filesize
207B

MD5
0286ef02550bfe3cdc55a2230d7c800e

SHA1
6183f05e14c042729bf4ab1f30751c4ecf1a2212

SHA256
b37e92968a404dc294489532def5a45bf98aa7399031425cf79ac35fe431fb62

SHA512
820e540060ba40dbfaa2252d33b2ea5cd532da136df6651364b7e042b364a6c407f9ee156bf2c65d498f9df1f512aac6012def3a6783db816a78a55f7bec0372

Download Submit
C:\Users\Admin\AppData\Local\Temp\UfE9lHxUYp7e.bat

Filesize
207B

MD5
7e0ac10096a06acccb78b63888e72d91

SHA1
7f448a36468746a6d9920dc094803e23d5d6ca78

SHA256
016f5a2e96774564e5d40fd6b30e13aad04d311306ace6ef3acd5baaa7f6deb8

SHA512
98d18221f439fc4ead4639cf5fc74901845c7226849f8f59eae94486bb951fecef6b69def989d643150cb818810882cfbfb0d127231ccb4f29b861d2505142d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WDVcqPfF54Eg.bat

Filesize
207B

MD5
c7e92f8d2014e5f50a7009641fecc8a0

SHA1
7136850668cd37e355e04b65f85739b733737641

SHA256
b57445809a0552cec96b32dadb88eefdfbd49fa759a55a9ab834a3f6ca5af1c7

SHA512
679fc678a8939356010ece54dc389a90ab9a36ba11411cbe9af754e9f617712b6e61cfa147663714e0146442c8aff965311cb4e20f500c30a703688aa65ec834

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yencvh2wxtuu.bat

Filesize
207B

MD5
2d4aaba32a068191495eab270fc92b95

SHA1
aab9b16798353744edf14cef4b60bb4d7280d6c1

SHA256
b0005aacdf78f392f7ed64008c563eddfc1eaf1094f6396b775efd94b0790c4a

SHA512
0e0b26858cf04e7f31a2448abe143c92b8c9d73fbc097b7770317df8a74f106638a4a144745b7c8ed9a23c145c86251074b08420070d7f0c6dbe1ceb038068b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\YtqpMbmWKDD3.bat

Filesize
207B

MD5
710a9e649ed5ebecf4c65ad0915ad963

SHA1
102ae4f989c0039cc72888d9bc8cdce4e276bfd0

SHA256
7a72004d9a4878972d1c01447a996aa58fe8fdf64047879ba8170d12a9798dbb

SHA512
f4f43e1d5d1c7ab19631c59fac8b2ba7eb1da36b435357134584d5c321a0cb1fb71ee1f203ddeaede30ebfd40086e9ee6f0c45deb205262f15f39199fcc28684

Download Submit
C:\Users\Admin\AppData\Local\Temp\btpy3sftqjnW.bat

Filesize
207B

MD5
1e6f2d6f0f3f7178ff3f6011f90239ac

SHA1
dafc4a3be35231abf3e24893dfc00b094d8790d2

SHA256
6b88069a023a4fe31480a899baf35867f2fb861c4a625fe13f3dc7f52204b974

SHA512
1e57ebd0744b578b8f414175dc185506fa4d32ac79781d3eeb893557596b508de6fef83845f42f0b9219fc83c72769e5378bb2ff3c0129ca20fde331137b2557

Download Submit
C:\Users\Admin\AppData\Local\Temp\cZOgsLhQCRKN.bat

Filesize
207B

MD5
3707f8887377ed77f281d62d2b6c26d4

SHA1
fce09070350d25bc569c1a561ae66dfe0866101c

SHA256
6e713438df852946523caba6a92e09c9bdd160ab699504abb369fda72891d2fd

SHA512
633e9cf04436dd93b54b181595bc6276f4b3d2324b3ba4eff12303d93d27a8c18a49f09c419367e6b59b564f4f93a94b12776a136f5f46b517b9afb1963825ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\gGarOErSMonp.bat

Filesize
207B

MD5
c0f46829866bd1c9a95cd9c537f172a3

SHA1
67326c8da92e4f4ad1a972f8b6806f42555b0376

SHA256
e43c8b35fbed82c531be10b7a7e5edae61303df2e869a9448e305a486f0a0120

SHA512
4a71b4a84c0cc33f8374b9d2cc0c5eff142091a4d50d07353d35894ee2db3188065fa7cad413a167476722a049907a00d04ddac6d340264619ceec8844c9321a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYpnh94AbLbx.bat

Filesize
207B

MD5
d8fe9aaa14ab75b53c67e9f45d1a8b06

SHA1
84b81f5464b9b05d60d1c0bfe15683452d533b0a

SHA256
cdd2593eda6a6b0bdee22a3f35dbb7cff0d6e5e7d379ed44f8dbbb265365a78a

SHA512
b38d213bacc8038e4c0a8ffcb9138fe9e63ad271323ee1bdf4da171056909c1a2b393007cf30d93873609945acf21353b78e4dd779711749c7d689eb338450b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQqUXZTPiMJu.bat

Filesize
207B

MD5
6fede5ab05a52775064b1c142b7510b1

SHA1
83dbbb7fd6675aeedc32091639bfb5b3c821118e

SHA256
ee6bad57364113d38c181620c8fe126216d160d77f399831577e566a61c9c810

SHA512
df0cfb55bfa1508d1709da689b960ef4076012474624d683936e29f3ee07e762dc070789e806bb9ad0e9b2bf8565f281ffe602a7075e003d4929a0202827f282

Download Submit
C:\Users\Admin\AppData\Local\Temp\s697ktjgJRaY.bat

Filesize
207B

MD5
01f3019447db549212aa464822e5419e

SHA1
304a1693e56de40b291b516de51b2c9a6a660ad6

SHA256
e823e22afcb51775a55ed07206e87f526c8157bb75f622b75fe5670883dc91cd

SHA512
90cbc0d42aa44a3667290dbaefdb345b7d71a7ccd756d7489e4b564e14856e5fc1c7cf13100d25ae4655407b75a31b082ac10dc180244adfceefaac9377968e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xF57sBTE1Mm7.bat

Filesize
207B

MD5
c0f121e91530cc98c29d54371b82eb4c

SHA1
9ba7f625e3585f6e94ed1ca21332daa649a711ec

SHA256
9c04a716798c4467a25f82d5952d46f7c2b2dd9dfd3d03ff46602173476e42d5

SHA512
3bff85690f597492d0743dc98dace220bd570064d9e5e5d5ffa8999f81fff57bdc3c117b6e0e9c3a7c1b27283cbd780a05b406ffa7a461ceda7612ff1ec09e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\z3UdIn9NpVuO.bat

Filesize
207B

MD5
c0ef28a3b664e41c1c69a5957d98e64b

SHA1
6639a6607bee72c2e5641d88d06bd82548ed54be

SHA256
35c3b990e1ce0d5c6463dff4f5e90af7bf3c8bb085113b890d37a59857b44636

SHA512
f1d1669be399eb416199037052babb45ed7bcd8575af7faa8d5f668af88af1fb2e0545c85113c98e20ebbd6edea8e3d2c163a15128369b35fb6c77ff89f621a8

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
7bb322724d054ab41dbd6cdd7c1cee0d

SHA1
0ecc58c184035f0edb3e0a931b0d58b45b33efa7

SHA256
b6cd4cbecbd20d06768408f952a13721fb22fdbeca097913deeebe41a41b3ae2

SHA512
ac49627d1f0334b0abc1187b3dd5e0eb55617d13b3f82aff9fb9dac22f1b90a80458831d444de5415653faae762488d8b9f5cb797ad4434eaf2e23e3ac65e8d0

Download Submit
memory/3204-18-0x00007FFBB5370000-0x00007FFBB5E31000-memory.dmp

Filesize
10.8MB

Download
memory/3204-13-0x000000001BEF0000-0x000000001BFA2000-memory.dmp

Filesize
712KB

Download
memory/3204-12-0x000000001BDE0000-0x000000001BE30000-memory.dmp

Filesize
320KB

Download
memory/3204-11-0x00007FFBB5370000-0x00007FFBB5E31000-memory.dmp

Filesize
10.8MB

Download
memory/3204-9-0x00007FFBB5370000-0x00007FFBB5E31000-memory.dmp

Filesize
10.8MB

Download
memory/4368-1-0x0000000000CD0000-0x0000000000FF4000-memory.dmp

Filesize
3.1MB

Download
memory/4368-10-0x00007FFBB5370000-0x00007FFBB5E31000-memory.dmp

Filesize
10.8MB

Download
memory/4368-2-0x00007FFBB5370000-0x00007FFBB5E31000-memory.dmp

Filesize
10.8MB

Download
memory/4368-0-0x00007FFBB5373000-0x00007FFBB5375000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads