quasar | 4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2024 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exe
Size

3.1MB
MD5

35dea5908c411c55232760a766992b4d
SHA1

803e87e294445707b2480e0f6eeb21990be7522e
SHA256

4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c
SHA512

37f37e706d7ba27a00d06f5d30ba881b3cf606a74b0472a404e76acad17e446cf22bdcddbe5b79fa73f457302c028aca46e971a97543d3d1784c2393bff91631
SSDEEP

49152:DvrI22SsaNYfdPBldt698dBcjHCdHLoGdgTHHB72eh2NT:DvU22SsaNYfdPBldt6+dBcjHCdr

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

hvhkcutuoujbobu672-22209.portmap.host:22209

Mutex

979a24d1-1ef3-4416-baf8-bf96d2280aed

Attributes

encryption_key
E634ECEC5FEC379E441CB9B04C771BAC550131B0
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
service 32
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

behavioral2/memory/3664-1-0x00000000008E0000-0x0000000000C04000-memory.dmp family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe family_quasar

resource	yara_rule
behavioral2/memory/3664-1-0x00000000008E0000-0x0000000000C04000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Detects Windows executables referencing non-Windows User-Agents 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3664-1-0x00000000008E0000-0x0000000000C04000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3664-1-0x00000000008E0000-0x0000000000C04000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing common artifacts observed in infostealers 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3664-1-0x00000000008E0000-0x0000000000C04000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	INDICATOR_SUSPICIOUS_GENInfoStealer

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 10 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid process

2300 Client.exe
4456 Client.exe
860 Client.exe
3916 Client.exe
2188 Client.exe
4540 Client.exe
5032 Client.exe
1812 Client.exe
2652 Client.exe
2596 Client.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1984 schtasks.exe
4552 schtasks.exe
3988 schtasks.exe
2800 schtasks.exe
1240 schtasks.exe
1596 schtasks.exe
2368 schtasks.exe
3316 schtasks.exe
4928 schtasks.exe
3884 schtasks.exe
4480 schtasks.exe
Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

4652 PING.EXE
2068 PING.EXE
2052 PING.EXE
4840 PING.EXE
1528 PING.EXE
1120 PING.EXE
4924 PING.EXE
4932 PING.EXE
4936 PING.EXE

pid	process
2300	Client.exe
4456	Client.exe
860	Client.exe
3916	Client.exe
2188	Client.exe
4540	Client.exe
5032	Client.exe
1812	Client.exe
2652	Client.exe
2596	Client.exe

pid	process
1984	schtasks.exe
4552	schtasks.exe
3988	schtasks.exe
2800	schtasks.exe
1240	schtasks.exe
1596	schtasks.exe
2368	schtasks.exe
3316	schtasks.exe
4928	schtasks.exe
3884	schtasks.exe
4480	schtasks.exe

pid	process
4652	PING.EXE
2068	PING.EXE
2052	PING.EXE
4840	PING.EXE
1528	PING.EXE
1120	PING.EXE
4924	PING.EXE
4932	PING.EXE
4936	PING.EXE

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	3664	4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exe
Token: SeDebugPrivilege	2300	Client.exe
Token: SeDebugPrivilege	4456	Client.exe
Token: SeDebugPrivilege	860	Client.exe
Token: SeDebugPrivilege	3916	Client.exe
Token: SeDebugPrivilege	2188	Client.exe
Token: SeDebugPrivilege	4540	Client.exe
Token: SeDebugPrivilege	5032	Client.exe
Token: SeDebugPrivilege	1812	Client.exe
Token: SeDebugPrivilege	2652	Client.exe
Token: SeDebugPrivilege	2596	Client.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid process

2300 Client.exe
4540 Client.exe
5032 Client.exe
1812 Client.exe
2652 Client.exe
2596 Client.exe

pid	process
2300	Client.exe
4540	Client.exe
5032	Client.exe
1812	Client.exe
2652	Client.exe
2596	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 3664 wrote to memory of 1240	3664	4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exe	schtasks.exe
PID 3664 wrote to memory of 1240	3664	4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exe	schtasks.exe
PID 3664 wrote to memory of 2300	3664	4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exe	Client.exe
PID 3664 wrote to memory of 2300	3664	4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exe	Client.exe
PID 2300 wrote to memory of 4928	2300	Client.exe	schtasks.exe
PID 2300 wrote to memory of 4928	2300	Client.exe	schtasks.exe
PID 2300 wrote to memory of 3192	2300	Client.exe	cmd.exe
PID 2300 wrote to memory of 3192	2300	Client.exe	cmd.exe
PID 3192 wrote to memory of 3460	3192	cmd.exe	chcp.com
PID 3192 wrote to memory of 3460	3192	cmd.exe	chcp.com
PID 3192 wrote to memory of 2052	3192	cmd.exe	PING.EXE
PID 3192 wrote to memory of 2052	3192	cmd.exe	PING.EXE
PID 3192 wrote to memory of 4456	3192	cmd.exe	Client.exe
PID 3192 wrote to memory of 4456	3192	cmd.exe	Client.exe
PID 4456 wrote to memory of 3884	4456	Client.exe	schtasks.exe
PID 4456 wrote to memory of 3884	4456	Client.exe	schtasks.exe
PID 4456 wrote to memory of 1120	4456	Client.exe	cmd.exe
PID 4456 wrote to memory of 1120	4456	Client.exe	cmd.exe
PID 1120 wrote to memory of 3896	1120	cmd.exe	chcp.com
PID 1120 wrote to memory of 3896	1120	cmd.exe	chcp.com
PID 1120 wrote to memory of 4924	1120	cmd.exe	PING.EXE
PID 1120 wrote to memory of 4924	1120	cmd.exe	PING.EXE
PID 1120 wrote to memory of 860	1120	cmd.exe	Client.exe
PID 1120 wrote to memory of 860	1120	cmd.exe	Client.exe
PID 860 wrote to memory of 1596	860	Client.exe	schtasks.exe
PID 860 wrote to memory of 1596	860	Client.exe	schtasks.exe
PID 860 wrote to memory of 4516	860	Client.exe	cmd.exe
PID 860 wrote to memory of 4516	860	Client.exe	cmd.exe
PID 4516 wrote to memory of 3328	4516	cmd.exe	chcp.com
PID 4516 wrote to memory of 3328	4516	cmd.exe	chcp.com
PID 4516 wrote to memory of 4840	4516	cmd.exe	PING.EXE
PID 4516 wrote to memory of 4840	4516	cmd.exe	PING.EXE
PID 4516 wrote to memory of 3916	4516	cmd.exe	Client.exe
PID 4516 wrote to memory of 3916	4516	cmd.exe	Client.exe
PID 3916 wrote to memory of 4480	3916	Client.exe	schtasks.exe
PID 3916 wrote to memory of 4480	3916	Client.exe	schtasks.exe
PID 3916 wrote to memory of 3664	3916	Client.exe	cmd.exe
PID 3916 wrote to memory of 3664	3916	Client.exe	cmd.exe
PID 3664 wrote to memory of 2196	3664	cmd.exe	chcp.com
PID 3664 wrote to memory of 2196	3664	cmd.exe	chcp.com
PID 3664 wrote to memory of 1528	3664	cmd.exe	PING.EXE
PID 3664 wrote to memory of 1528	3664	cmd.exe	PING.EXE
PID 3664 wrote to memory of 2188	3664	cmd.exe	Client.exe
PID 3664 wrote to memory of 2188	3664	cmd.exe	Client.exe
PID 2188 wrote to memory of 2368	2188	Client.exe	schtasks.exe
PID 2188 wrote to memory of 2368	2188	Client.exe	schtasks.exe
PID 2188 wrote to memory of 4660	2188	Client.exe	cmd.exe
PID 2188 wrote to memory of 4660	2188	Client.exe	cmd.exe
PID 4660 wrote to memory of 3996	4660	cmd.exe	chcp.com
PID 4660 wrote to memory of 3996	4660	cmd.exe	chcp.com
PID 4660 wrote to memory of 4932	4660	cmd.exe	PING.EXE
PID 4660 wrote to memory of 4932	4660	cmd.exe	PING.EXE
PID 4660 wrote to memory of 4540	4660	cmd.exe	Client.exe
PID 4660 wrote to memory of 4540	4660	cmd.exe	Client.exe
PID 4540 wrote to memory of 3316	4540	Client.exe	schtasks.exe
PID 4540 wrote to memory of 3316	4540	Client.exe	schtasks.exe
PID 4540 wrote to memory of 4600	4540	Client.exe	cmd.exe
PID 4540 wrote to memory of 4600	4540	Client.exe	cmd.exe
PID 4600 wrote to memory of 4428	4600	cmd.exe	chcp.com
PID 4600 wrote to memory of 4428	4600	cmd.exe	chcp.com
PID 4600 wrote to memory of 4936	4600	cmd.exe	PING.EXE
PID 4600 wrote to memory of 4936	4600	cmd.exe	PING.EXE
PID 4600 wrote to memory of 5032	4600	cmd.exe	Client.exe
PID 4600 wrote to memory of 5032	4600	cmd.exe	Client.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exe
"C:\Users\Admin\AppData\Local\Temp\4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1240

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SNn5SMkdlH9w.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:3460

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2052

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:3884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zdfGshAn9P1s.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:3896

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:4924

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iHUm4ydEC7JY.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:3328

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:4840

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1uHM7LjJG9lT.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:2196

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:1528

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\czrVSkdJatM7.bat" "
11⤵
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:3996

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:4932

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W5KZWBQcSivq.bat" "
13⤵
- Suspicious use of WriteProcessMemory
PID:4600

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:4428

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:4936

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5032

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VroQJwjUYpDj.bat" "
15⤵
PID:1532

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:1944

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:1120

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1812

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qZOxykDmOd1c.bat" "
17⤵
PID:1248

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:5036

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:4652

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2652

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KgEQoVWHMZUo.bat" "
19⤵
PID:4432

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:764

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:2068

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2596

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:2800

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1uHM7LjJG9lT.bat
Filesize
207B

MD5
1e834663919a44405191e877067ab47f

SHA1
46fb114862034e135ed062d9fd74de000be93bb0

SHA256
985b9b9cb205bc84e2826f0b9db54382498d3f7ddbf3ff3191ff42947395c86b

SHA512
a5b4a5204f5590a3f5590266b34eba3da2f0be74ffaf673e92a1a560fdaf0c57fb7bed97ec9c6b169c4f97678bd30c1b6d2f27060bb90794e4d39a0349012381

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgEQoVWHMZUo.bat
Filesize
207B

MD5
e9379c5658dc712172454d95811999b2

SHA1
22473220de7fe4b4e75d0d364271f428852f0914

SHA256
d78eee438be3dc6ac0c060ea8fd2ec07a14b056fa4f7637a777e7a61ac48339e

SHA512
e09f8a17702886680aa318019407aa7918804edbccb10d68ad3d280013eeac8b2811ebe166919efcb9d6fdc7fbf1bfdf0f2c2cc6c3c87980dc5fdff8d2487367

Download Submit
C:\Users\Admin\AppData\Local\Temp\SNn5SMkdlH9w.bat
Filesize
207B

MD5
f0f004f2a08229d9a845ecfbc9b1e3de

SHA1
daa7458740732cdf7d0743784d36fb82fa474007

SHA256
dfda889cf7f89242554d2cf69fea552093388334a5e136e9c8d20265f4be897f

SHA512
4a94778b1fc4ad441364249b8fd1f672d700c6450c9acb2c5d1f6fb3c8be151f375df119b98e58e17b85d7754cf2762b7e0776e80da0a4bcefe02f2e2720800b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VroQJwjUYpDj.bat
Filesize
207B

MD5
4353698d630a24a71e8f6201bdf79ff7

SHA1
d542646ef97886c19ae075832a375c603d339dfa

SHA256
108c0bd3387448fb176b2a8442575f029dd8675bd1a1e2629fc71639ae478c86

SHA512
01219fe0f32ce087f0a2d047e6f453367ecf4c27cd2172c63c13a254a7d73a7b1262d67b9cec68718b62c7eb036e54aa127958919ccc464abd12d2005eabf5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\W5KZWBQcSivq.bat
Filesize
207B

MD5
f67d84f93cf806e79359f048d0a291a0

SHA1
f85ba9afa7da795f6bea269cdedc6f892360034f

SHA256
89a0300ddc88938bb82205d6f3f75044d0ac73d153fcb6ef1e7aea7fec3e752c

SHA512
33d04566e14e0b0fe00ec33ef53a8280697679913590f54f59bda7f58e9ad224d8a10036cf69e5674d3d1a7feedee1bd57b6baf45054f7d6b4d1b3e801fb3024

Download Submit
C:\Users\Admin\AppData\Local\Temp\czrVSkdJatM7.bat
Filesize
207B

MD5
3307f9b13ad30dececc96706f0820e8c

SHA1
bec5590e2c018b5457082e5a71e435bb7c8fb29a

SHA256
d563b5cb5b26adf77b8a69626e0fa62d91aab5e5e84ada2832f867c5908c0607

SHA512
75206085957c3195a69e22c5e127a33924c48e178c8e70f6b161f665d351cff0fde65944684d174c1251f31b92aac73028611bbce7e6525e5a0042ec9ae30025

Download Submit
C:\Users\Admin\AppData\Local\Temp\iHUm4ydEC7JY.bat
Filesize
207B

MD5
cdea09458a18f69a335c91c710e74228

SHA1
e0ea52800fae83c5a736e379549d9bf05a41d6e9

SHA256
409838a301def0d842f4031c872fceef97060acac48b4938e74a46a0b35e5dd1

SHA512
d0135ed7436ea25ea0ad0791ecc40145518a9f1e016e39d7ae31f05cfd7bdb4fd6cc57afe9564e837e7bac1b97aee90af66757be6daf281d95735f4597a90441

Download Submit
C:\Users\Admin\AppData\Local\Temp\qZOxykDmOd1c.bat
Filesize
207B

MD5
59f6c7e3da0106990fa08e5de0b87adc

SHA1
fdbf6bc2eff9ef51db4e138d9177e616c12fd583

SHA256
cd766dd02b05aa0876fabca0fc6146d8fa40f268c6a57882ee9a7b0293b14f57

SHA512
62e41893e1a8dff66e6fadbf9de971a476fe705ed603dd4986a23e3c613a777c8aedd8c576fab21dec68ac9e446360a220b5a6bf36960073ce3fb7e9d5d82381

Download Submit
C:\Users\Admin\AppData\Local\Temp\zdfGshAn9P1s.bat
Filesize
207B

MD5
a50cc365b3f74d19008c7cd438ed4fd3

SHA1
0e928a919ef96a2cd4025bba38396c297d1248b3

SHA256
6b9aef0f329352a53aa52239eecf52d533bd35874a4179ad67b6aee8f5efb710

SHA512
14fed63ac43491467f7d28a9838e409975938b69aff261717e47783ed02a38d963dcc2dd5acd872ad437539da5d6176aac780e006a59cf4c8c29a92ea4cc8a4b

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
3.1MB

MD5
35dea5908c411c55232760a766992b4d

SHA1
803e87e294445707b2480e0f6eeb21990be7522e

SHA256
4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c

SHA512
37f37e706d7ba27a00d06f5d30ba881b3cf606a74b0472a404e76acad17e446cf22bdcddbe5b79fa73f457302c028aca46e971a97543d3d1784c2393bff91631

Download Submit
memory/2300-11-0x00007FF841560000-0x00007FF842021000-memory.dmp

Filesize
10.8MB

Download
memory/2300-18-0x00007FF841560000-0x00007FF842021000-memory.dmp

Filesize
10.8MB

Download
memory/2300-9-0x00007FF841560000-0x00007FF842021000-memory.dmp

Filesize
10.8MB

Download
memory/2300-12-0x0000000002880000-0x00000000028D0000-memory.dmp

Filesize
320KB

Download
memory/2300-13-0x000000001BC60000-0x000000001BD12000-memory.dmp

Filesize
712KB

Download
memory/3664-10-0x00007FF841560000-0x00007FF842021000-memory.dmp

Filesize
10.8MB

Download
memory/3664-0-0x00007FF841563000-0x00007FF841565000-memory.dmp

Filesize
8KB

Download
memory/3664-2-0x00007FF841560000-0x00007FF842021000-memory.dmp

Filesize
10.8MB

Download
memory/3664-1-0x00000000008E0000-0x0000000000C04000-memory.dmp

Filesize
3.1MB

Download