quasar | 4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c

Analysis

max time kernel
141s
max time network
128s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
17-06-2024 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exe
Size

3.1MB
MD5

35dea5908c411c55232760a766992b4d
SHA1

803e87e294445707b2480e0f6eeb21990be7522e
SHA256

4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c
SHA512

37f37e706d7ba27a00d06f5d30ba881b3cf606a74b0472a404e76acad17e446cf22bdcddbe5b79fa73f457302c028aca46e971a97543d3d1784c2393bff91631
SSDEEP

49152:DvrI22SsaNYfdPBldt698dBcjHCdHLoGdgTHHB72eh2NT:DvU22SsaNYfdPBldt6+dBcjHCdr

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

hvhkcutuoujbobu672-22209.portmap.host:22209

Mutex

979a24d1-1ef3-4416-baf8-bf96d2280aed

Attributes

encryption_key
E634ECEC5FEC379E441CB9B04C771BAC550131B0
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
service 32
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2096-1-0x0000000001100000-0x0000000001424000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
behavioral1/memory/2140-9-0x00000000009F0000-0x0000000000D14000-memory.dmp	family_quasar
behavioral1/memory/2392-22-0x0000000001080000-0x00000000013A4000-memory.dmp	family_quasar
behavioral1/memory/1348-64-0x00000000012A0000-0x00000000015C4000-memory.dmp	family_quasar
behavioral1/memory/852-75-0x0000000000390000-0x00000000006B4000-memory.dmp	family_quasar
behavioral1/memory/2620-87-0x00000000011B0000-0x00000000014D4000-memory.dmp	family_quasar
behavioral1/memory/1560-139-0x00000000012F0000-0x0000000001614000-memory.dmp	family_quasar

Executes dropped EXE 13 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid process

2140 Client.exe
2392 Client.exe
2808 Client.exe
1528 Client.exe
2832 Client.exe
1348 Client.exe
852 Client.exe
2620 Client.exe
2592 Client.exe
2372 Client.exe
2856 Client.exe
2840 Client.exe
1560 Client.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2140	Client.exe
2392	Client.exe
2808	Client.exe
1528	Client.exe
2832	Client.exe
1348	Client.exe
852	Client.exe
2620	Client.exe
2592	Client.exe
2372	Client.exe
2856	Client.exe
2840	Client.exe
1560	Client.exe

Creates scheduled task(s) 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2996	schtasks.exe
2348	schtasks.exe
2224	schtasks.exe
3028	schtasks.exe
1552	schtasks.exe
2724	schtasks.exe
2864	schtasks.exe
1788	schtasks.exe
2080	schtasks.exe
1864	schtasks.exe
2572	schtasks.exe
1200	schtasks.exe
2536	schtasks.exe
1924	schtasks.exe

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

2588 PING.EXE
2744 PING.EXE
1440 PING.EXE
1008 PING.EXE
2652 PING.EXE
2508 PING.EXE
2832 PING.EXE
996 PING.EXE
1652 PING.EXE
2596 PING.EXE
2560 PING.EXE
2376 PING.EXE
2192 PING.EXE

pid	process
2588	PING.EXE
2744	PING.EXE
1440	PING.EXE
1008	PING.EXE
2652	PING.EXE
2508	PING.EXE
2832	PING.EXE
996	PING.EXE
1652	PING.EXE
2596	PING.EXE
2560	PING.EXE
2376	PING.EXE
2192	PING.EXE

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	2096	4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exe
Token: SeDebugPrivilege	2140	Client.exe
Token: SeDebugPrivilege	2392	Client.exe
Token: SeDebugPrivilege	2808	Client.exe
Token: SeDebugPrivilege	1528	Client.exe
Token: SeDebugPrivilege	2832	Client.exe
Token: SeDebugPrivilege	1348	Client.exe
Token: SeDebugPrivilege	852	Client.exe
Token: SeDebugPrivilege	2620	Client.exe
Token: SeDebugPrivilege	2592	Client.exe
Token: SeDebugPrivilege	2372	Client.exe
Token: SeDebugPrivilege	2856	Client.exe
Token: SeDebugPrivilege	2840	Client.exe
Token: SeDebugPrivilege	1560	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 2096 wrote to memory of 2864	2096	4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exe	schtasks.exe
PID 2096 wrote to memory of 2864	2096	4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exe	schtasks.exe
PID 2096 wrote to memory of 2864	2096	4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exe	schtasks.exe
PID 2096 wrote to memory of 2140	2096	4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exe	Client.exe
PID 2096 wrote to memory of 2140	2096	4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exe	Client.exe
PID 2096 wrote to memory of 2140	2096	4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exe	Client.exe
PID 2140 wrote to memory of 2572	2140	Client.exe	schtasks.exe
PID 2140 wrote to memory of 2572	2140	Client.exe	schtasks.exe
PID 2140 wrote to memory of 2572	2140	Client.exe	schtasks.exe
PID 2140 wrote to memory of 2952	2140	Client.exe	cmd.exe
PID 2140 wrote to memory of 2952	2140	Client.exe	cmd.exe
PID 2140 wrote to memory of 2952	2140	Client.exe	cmd.exe
PID 2952 wrote to memory of 2460	2952	cmd.exe	chcp.com
PID 2952 wrote to memory of 2460	2952	cmd.exe	chcp.com
PID 2952 wrote to memory of 2460	2952	cmd.exe	chcp.com
PID 2952 wrote to memory of 2588	2952	cmd.exe	PING.EXE
PID 2952 wrote to memory of 2588	2952	cmd.exe	PING.EXE
PID 2952 wrote to memory of 2588	2952	cmd.exe	PING.EXE
PID 2952 wrote to memory of 2392	2952	cmd.exe	Client.exe
PID 2952 wrote to memory of 2392	2952	cmd.exe	Client.exe
PID 2952 wrote to memory of 2392	2952	cmd.exe	Client.exe
PID 2392 wrote to memory of 2996	2392	Client.exe	schtasks.exe
PID 2392 wrote to memory of 2996	2392	Client.exe	schtasks.exe
PID 2392 wrote to memory of 2996	2392	Client.exe	schtasks.exe
PID 2392 wrote to memory of 2152	2392	Client.exe	cmd.exe
PID 2392 wrote to memory of 2152	2392	Client.exe	cmd.exe
PID 2392 wrote to memory of 2152	2392	Client.exe	cmd.exe
PID 2152 wrote to memory of 788	2152	cmd.exe	chcp.com
PID 2152 wrote to memory of 788	2152	cmd.exe	chcp.com
PID 2152 wrote to memory of 788	2152	cmd.exe	chcp.com
PID 2152 wrote to memory of 1652	2152	cmd.exe	PING.EXE
PID 2152 wrote to memory of 1652	2152	cmd.exe	PING.EXE
PID 2152 wrote to memory of 1652	2152	cmd.exe	PING.EXE
PID 2152 wrote to memory of 2808	2152	cmd.exe	Client.exe
PID 2152 wrote to memory of 2808	2152	cmd.exe	Client.exe
PID 2152 wrote to memory of 2808	2152	cmd.exe	Client.exe
PID 2808 wrote to memory of 1924	2808	Client.exe	schtasks.exe
PID 2808 wrote to memory of 1924	2808	Client.exe	schtasks.exe
PID 2808 wrote to memory of 1924	2808	Client.exe	schtasks.exe
PID 2808 wrote to memory of 2672	2808	Client.exe	cmd.exe
PID 2808 wrote to memory of 2672	2808	Client.exe	cmd.exe
PID 2808 wrote to memory of 2672	2808	Client.exe	cmd.exe
PID 2672 wrote to memory of 2748	2672	cmd.exe	chcp.com
PID 2672 wrote to memory of 2748	2672	cmd.exe	chcp.com
PID 2672 wrote to memory of 2748	2672	cmd.exe	chcp.com
PID 2672 wrote to memory of 2744	2672	cmd.exe	PING.EXE
PID 2672 wrote to memory of 2744	2672	cmd.exe	PING.EXE
PID 2672 wrote to memory of 2744	2672	cmd.exe	PING.EXE
PID 2672 wrote to memory of 1528	2672	cmd.exe	Client.exe
PID 2672 wrote to memory of 1528	2672	cmd.exe	Client.exe
PID 2672 wrote to memory of 1528	2672	cmd.exe	Client.exe
PID 1528 wrote to memory of 1200	1528	Client.exe	schtasks.exe
PID 1528 wrote to memory of 1200	1528	Client.exe	schtasks.exe
PID 1528 wrote to memory of 1200	1528	Client.exe	schtasks.exe
PID 1528 wrote to memory of 2080	1528	Client.exe	cmd.exe
PID 1528 wrote to memory of 2080	1528	Client.exe	cmd.exe
PID 1528 wrote to memory of 2080	1528	Client.exe	cmd.exe
PID 2080 wrote to memory of 1584	2080	cmd.exe	chcp.com
PID 2080 wrote to memory of 1584	2080	cmd.exe	chcp.com
PID 2080 wrote to memory of 1584	2080	cmd.exe	chcp.com
PID 2080 wrote to memory of 2596	2080	cmd.exe	PING.EXE
PID 2080 wrote to memory of 2596	2080	cmd.exe	PING.EXE
PID 2080 wrote to memory of 2596	2080	cmd.exe	PING.EXE
PID 2080 wrote to memory of 2832	2080	cmd.exe	Client.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exe
"C:\Users\Admin\AppData\Local\Temp\4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2864

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2572

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\8ivBiWjDbG4U.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2460

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2588

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2996

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\p0TJwy5OESHJ.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:788

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:1652

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ctvxDp9nwdoB.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:2748

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:2744

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:1200

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ns0hDGvhP699.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:1584

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:2596

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:2348

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YXIr2OiBXXk2.bat" "
11⤵
PID:928

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:1668

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:996

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:1788

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FtJbbwS134Xf.bat" "
13⤵
PID:1252

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:1020

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:1440

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\X0y8nEAT6iYj.bat" "
15⤵
PID:3048

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:2500

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:2560

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:2536

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eKmeeJTwbSW7.bat" "
17⤵
PID:2664

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:2420

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:2652

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:3028

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\9HUnmYLeCQJA.bat" "
19⤵
PID:1948

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:1520

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:2508

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Z93dMNdqrMzy.bat" "
21⤵
PID:2816

C:\Windows\system32\chcp.com
chcp 65001
22⤵
PID:2748

C:\Windows\system32\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:1008

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:2724

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\V0SocbVsEUqh.bat" "
23⤵
PID:2324

C:\Windows\system32\chcp.com
chcp 65001
24⤵
PID:2236

C:\Windows\system32\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:2376

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:2080

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\L9IJHN8qSaFZ.bat" "
25⤵
PID:1372

C:\Windows\system32\chcp.com
chcp 65001
26⤵
PID:1032

C:\Windows\system32\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:2832

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:1864

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0yjHYYHU6F7.bat" "
27⤵
PID:1860

C:\Windows\system32\chcp.com
chcp 65001
28⤵
PID:1348

C:\Windows\system32\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:2192

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8ivBiWjDbG4U.bat
Filesize
207B

MD5
8d1220e5ac7c4f0a5650b128ab28c675

SHA1
1c3b5355e797afe2aa42dd35fa02346a2d96ac48

SHA256
0e9e2bd0bc76693264ec1339219a9139e461e4f5c377f575b44bc2745f40599d

SHA512
4cd306b54ad9c136dba6ed1300cca2243182b971f517904e21c1e0a5d6a7932e9ae28cef7a88fe8a8fb28add5d2a67db45a254529b5712fcaab1ad3845908387

Download Submit
C:\Users\Admin\AppData\Local\Temp\9HUnmYLeCQJA.bat
Filesize
207B

MD5
3e4477cfef706813f281ad7ca2fb0250

SHA1
9b8068b8159436115f1496a311beb57a5707f6b2

SHA256
e42bc2ffded7a5a78b74c399dcc05b616a54639780ee6ab2f8efd68ed4549577

SHA512
a3ae06d40c19820c893b3f0347bf389460dadf973f5304a077f9b6357ed999ea7a589cfe4904ba591649e14f09c3d10fdff4cefb47cc9fd409a7248d6dd1c7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FtJbbwS134Xf.bat
Filesize
207B

MD5
9f1280a79f9bc37805b947f1fee27b90

SHA1
788cad109fda5e5da80b313a126910124ad11ad8

SHA256
f75afc6d63676485346ae4e78bee7b5258eaf75a012a2a7c0005bed71d1a365c

SHA512
af5824d56a8f69933f6c8964dcc35fa357d213483b56a385b4c8d7c1a4b88cbe803eb6b301618f87d9f08c48613dce76a9feaefaa2a96782ac55e765c46ad72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\L9IJHN8qSaFZ.bat
Filesize
207B

MD5
516195606bda9ceb2e2fc642965c76cc

SHA1
1cfed20ff8d59696313e71021eebecfeeb0ce3a2

SHA256
d0bb9b13ef722e034407d5903336197db3bb73bcef135652dd396659434daf45

SHA512
0ac60e3e4b180b398074bdbfd8c3ec0a25a528309e67439d0289228fb5d5d2db99f278b5dcab4ad568ec540d70a7a24d031e30af308a93f2747dfbd479e94bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\V0SocbVsEUqh.bat
Filesize
207B

MD5
e65bbc198546776970f3e4349c39376f

SHA1
4cb64cb6287af3cc22dfba135a747f8d27dcd2f1

SHA256
e5ee7a52ba4d80d0024a6390dfaefc949ba6cc6cc4fda974c01f6636c8080dc6

SHA512
47abaadc7bfc2ff9b6ec3c3e955ed1a4937cdc1fa449bcb567e52c53dd64bd46d90269515b4ea8ee047f06a508b22e1ba971c04273597c57a12e2cb5fa32b6fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\X0y8nEAT6iYj.bat
Filesize
207B

MD5
f29ba8d762e90b9fe6911384ff1d2a83

SHA1
d3b89b3d9b4a0584fe78109a63f593dc172e69f0

SHA256
27ca323a7e6d233d666b62354415ac89ed0f671c0af38a8c7a905ad36e0d595a

SHA512
5dd2aed0abbed14f3dcec1b65d35d4b5a93df2d9c9981af1be5ab42a6f6f133eb7b493fe30194c32f53910a561e2f31ac30685c804f826a0b72dc9f924ee5fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\YXIr2OiBXXk2.bat
Filesize
207B

MD5
64176acc58a7cb0fa7298a0f7e0e2abe

SHA1
29dad560b90ed6cdc985313eee87c3b303291ae8

SHA256
5236463a4fc0e5a9f11152fd4af9e98558ce8c5d4631d27c74d6cfc549a8565f

SHA512
dbaa69706e28c0a1adab1dd6dacf935b34651d1b393950bdb9813ed408fee0a4778fae221cdaff69dc817f8ac3ff9ea42d7e2cf77da2f58d189daff1eff78a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z93dMNdqrMzy.bat
Filesize
207B

MD5
3e4b6a5890aca0665824ccb2b4f796ed

SHA1
cc6c896a5b249616ecb75c3eff8696080470bff2

SHA256
9a4fb945003b55c3fce7ef1b98f27420696d5f7fee76343b8271fc55a8c6bdd8

SHA512
ee54107d1d78f1926be79a8d66f6e46a31667317f688679b3ac65dd639e59e8659c11c6daaa87a4b8648e2946b5098ffe0c9770e91b24e96964bcd15afcea2cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctvxDp9nwdoB.bat
Filesize
207B

MD5
f4c1e5f3934a625bd738da726c0baae2

SHA1
a49e93826e2975a299e9110b1cbe249542653e08

SHA256
2043c87b8a6b85ec1e3df1db2df97c943377c1af0b4218045c14847e1c4a1327

SHA512
0810e66708e04ca256927593982d0a1460221cdcc89ce925a44f7b49625ae30eb4f39ab5ed6fd7f06ef14d2acb0269f101f569c4af9e38a2595da3c651aab8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKmeeJTwbSW7.bat
Filesize
207B

MD5
6827de32e0f101871f4f7fe52224a9eb

SHA1
1c73306f428a4b112141ca018fb04ce763b4a290

SHA256
f62071d8e873c54e377be209d28efa4edc2c78a7fb8ae3de112d11c020a706c8

SHA512
ea48002b6a082ec7e7fec63555d2427cae30e052e60802cf3c786e760e7801918e1bf7c73e2d6e69daa21531da2ac6e0a3fa7af7680446913888b063a386c312

Download Submit
C:\Users\Admin\AppData\Local\Temp\k0yjHYYHU6F7.bat
Filesize
207B

MD5
9e087aedea2b8067dd3b365d0280733a

SHA1
b49def15a1df8bbadc7c2a9abb98f68847bcd45c

SHA256
379504e9f5623788c856a72d75cf53673dffc22ea4cf5034d44cd05857bb4ba7

SHA512
ae2766caed35abeef5739de91f7ec560f69f092dd680cc0367ba2c29d66d5cc4f9ff9698ce12f87b3899ff14df508fe40845fdfead363ea221fc40166b58c831

Download Submit
C:\Users\Admin\AppData\Local\Temp\ns0hDGvhP699.bat
Filesize
207B

MD5
42c353d91f01a1b16ff10341084a0694

SHA1
d909d5daea403715da7dbb13634b641bb7ea172a

SHA256
26de8e1f1f5692803e929a80e740cc81ec2c646a3d0eabf5481289c031a9c237

SHA512
aa0dafb9ffb4c281bcdd729c2e805fe776574c2843d3b9b8b3fe13ac849bc5d458f631df16c7e4632f8e790ef2de0c436e5f67ba1c10dc43ba297f6231db6f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\p0TJwy5OESHJ.bat
Filesize
207B

MD5
c1de84878ea35317daab0db9a8b1b484

SHA1
056090c027350e202efd63a28e2809a4d2113473

SHA256
483cf1064e4770916d1675e5b63640854707a9d2b1ddb79963ea3feed63d4b0f

SHA512
5a803bdbff800e9ba1349d8f091d736e678de9f895ef7c5484d07306e706672f5803278b88604db20ad94855b088611aa2ce5c7c00cf8e9b7945e8fdb78158e3

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
3.1MB

MD5
35dea5908c411c55232760a766992b4d

SHA1
803e87e294445707b2480e0f6eeb21990be7522e

SHA256
4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c

SHA512
37f37e706d7ba27a00d06f5d30ba881b3cf606a74b0472a404e76acad17e446cf22bdcddbe5b79fa73f457302c028aca46e971a97543d3d1784c2393bff91631

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/852-75-0x0000000000390000-0x00000000006B4000-memory.dmp

Filesize
3.1MB

Download
memory/1348-64-0x00000000012A0000-0x00000000015C4000-memory.dmp

Filesize
3.1MB

Download
memory/1560-139-0x00000000012F0000-0x0000000001614000-memory.dmp

Filesize
3.1MB

Download
memory/2096-32-0x000007FEF5FE0000-0x000007FEF69CC000-memory.dmp

Filesize
9.9MB

Download
memory/2096-0-0x000007FEF5FE3000-0x000007FEF5FE4000-memory.dmp

Filesize
4KB

Download
memory/2096-2-0x000007FEF5FE0000-0x000007FEF69CC000-memory.dmp

Filesize
9.9MB

Download
memory/2096-1-0x0000000001100000-0x0000000001424000-memory.dmp

Filesize
3.1MB

Download
memory/2140-9-0x00000000009F0000-0x0000000000D14000-memory.dmp

Filesize
3.1MB

Download
memory/2140-8-0x000007FEF5FE0000-0x000007FEF69CC000-memory.dmp

Filesize
9.9MB

Download
memory/2140-20-0x000007FEF5FE0000-0x000007FEF69CC000-memory.dmp

Filesize
9.9MB

Download
memory/2140-10-0x000007FEF5FE0000-0x000007FEF69CC000-memory.dmp

Filesize
9.9MB

Download
memory/2392-22-0x0000000001080000-0x00000000013A4000-memory.dmp

Filesize
3.1MB

Download
memory/2620-87-0x00000000011B0000-0x00000000014D4000-memory.dmp

Filesize
3.1MB

Download