quasar | 97787cbf8314dfd67bbb56e12489e8900022b3c31565b275f479bcaa9b9e7557

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_c8015ef5fd4928a90e064f2ef5aebc97_icedid_poet-rat_quasar-rat_xrat.exe
Size

4.0MB
MD5

c8015ef5fd4928a90e064f2ef5aebc97
SHA1

e7258d245f886af77154fcb2838a1adadba34e94
SHA256

97787cbf8314dfd67bbb56e12489e8900022b3c31565b275f479bcaa9b9e7557
SHA512

9450336f760f3b1749f21203d992f3ef095164d3f1cf91ede05d157830a59e1a054b9c682fb5c6dee794604c944d34b7e03367bba03dbdcfbf51c1073d33010c
SSDEEP

98304:Qh81Y4zw2GFvr22SsaNYfdPBldt6+dBcjHtKRJ6Bf:by2KM7jGIf

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

mx5.deitie.asia:4495

Mutex

ebbf737a-dddd-43dd-9b0a-74831302455d

Attributes

encryption_key
F8516D89A1DFD78BD8FF575BBC3AE828B47FF0E1
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe	family_quasar
behavioral2/memory/1628-5-0x0000000000290000-0x00000000005B4000-memory.dmp	family_quasar

Detects Windows executables referencing non-Windows User-Agents 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1628-5-0x0000000000290000-0x00000000005B4000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/1628-5-0x0000000000290000-0x00000000005B4000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing common artifacts observed in infostealers 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe	INDICATOR_SUSPICIOUS_GENInfoStealer
behavioral2/memory/1628-5-0x0000000000290000-0x00000000005B4000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe

Drops startup file 1 IoCs

Processes:

2024-06-24_c8015ef5fd4928a90e064f2ef5aebc97_icedid_poet-rat_quasar-rat_xrat.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe 2024-06-24_c8015ef5fd4928a90e064f2ef5aebc97_icedid_poet-rat_quasar-rat_xrat.exe
Executes dropped EXE 11 IoCs

Processes:

sign.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid process

1628 sign.exe
2924 Client.exe
3892 Client.exe
3612 Client.exe
212 Client.exe
2816 Client.exe
1692 Client.exe
5044 Client.exe
3712 Client.exe
560 Client.exe
976 Client.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

2632 PING.EXE
2984 PING.EXE
1304 PING.EXE
4564 PING.EXE
4384 PING.EXE
1012 PING.EXE
4388 PING.EXE
2340 PING.EXE
1920 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4564 schtasks.exe
4384 schtasks.exe
1820 schtasks.exe
4920 schtasks.exe
2696 schtasks.exe
4016 schtasks.exe
1628 schtasks.exe
3900 schtasks.exe
3972 schtasks.exe
3928 schtasks.exe
2472 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2024-06-24_c8015ef5fd4928a90e064f2ef5aebc97_icedid_poet-rat_quasar-rat_xrat.exe

pid process

2796 2024-06-24_c8015ef5fd4928a90e064f2ef5aebc97_icedid_poet-rat_quasar-rat_xrat.exe
2796 2024-06-24_c8015ef5fd4928a90e064f2ef5aebc97_icedid_poet-rat_quasar-rat_xrat.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe	2024-06-24_c8015ef5fd4928a90e064f2ef5aebc97_icedid_poet-rat_quasar-rat_xrat.exe

pid	process
1628	sign.exe
2924	Client.exe
3892	Client.exe
3612	Client.exe
212	Client.exe
2816	Client.exe
1692	Client.exe
5044	Client.exe
3712	Client.exe
560	Client.exe
976	Client.exe

pid	process
2632	PING.EXE
2984	PING.EXE
1304	PING.EXE
4564	PING.EXE
4384	PING.EXE
1012	PING.EXE
4388	PING.EXE
2340	PING.EXE
1920	PING.EXE

pid	process
4564	schtasks.exe
4384	schtasks.exe
1820	schtasks.exe
4920	schtasks.exe
2696	schtasks.exe
4016	schtasks.exe
1628	schtasks.exe
3900	schtasks.exe
3972	schtasks.exe
3928	schtasks.exe
2472	schtasks.exe

pid	process
2796	2024-06-24_c8015ef5fd4928a90e064f2ef5aebc97_icedid_poet-rat_quasar-rat_xrat.exe
2796	2024-06-24_c8015ef5fd4928a90e064f2ef5aebc97_icedid_poet-rat_quasar-rat_xrat.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

sign.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	1628	sign.exe
Token: SeDebugPrivilege	2924	Client.exe
Token: SeDebugPrivilege	3892	Client.exe
Token: SeDebugPrivilege	3612	Client.exe
Token: SeDebugPrivilege	212	Client.exe
Token: SeDebugPrivilege	2816	Client.exe
Token: SeDebugPrivilege	1692	Client.exe
Token: SeDebugPrivilege	5044	Client.exe
Token: SeDebugPrivilege	3712	Client.exe
Token: SeDebugPrivilege	560	Client.exe
Token: SeDebugPrivilege	976	Client.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

2024-06-24_c8015ef5fd4928a90e064f2ef5aebc97_icedid_poet-rat_quasar-rat_xrat.exe

pid process

2796 2024-06-24_c8015ef5fd4928a90e064f2ef5aebc97_icedid_poet-rat_quasar-rat_xrat.exe
2796 2024-06-24_c8015ef5fd4928a90e064f2ef5aebc97_icedid_poet-rat_quasar-rat_xrat.exe

pid	process
2796	2024-06-24_c8015ef5fd4928a90e064f2ef5aebc97_icedid_poet-rat_quasar-rat_xrat.exe
2796	2024-06-24_c8015ef5fd4928a90e064f2ef5aebc97_icedid_poet-rat_quasar-rat_xrat.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-06-24_c8015ef5fd4928a90e064f2ef5aebc97_icedid_poet-rat_quasar-rat_xrat.exesign.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 2796 wrote to memory of 1628	2796	2024-06-24_c8015ef5fd4928a90e064f2ef5aebc97_icedid_poet-rat_quasar-rat_xrat.exe	sign.exe
PID 2796 wrote to memory of 1628	2796	2024-06-24_c8015ef5fd4928a90e064f2ef5aebc97_icedid_poet-rat_quasar-rat_xrat.exe	sign.exe
PID 1628 wrote to memory of 4016	1628	sign.exe	schtasks.exe
PID 1628 wrote to memory of 4016	1628	sign.exe	schtasks.exe
PID 1628 wrote to memory of 2924	1628	sign.exe	Client.exe
PID 1628 wrote to memory of 2924	1628	sign.exe	Client.exe
PID 2924 wrote to memory of 2472	2924	Client.exe	schtasks.exe
PID 2924 wrote to memory of 2472	2924	Client.exe	schtasks.exe
PID 2924 wrote to memory of 2792	2924	Client.exe	cmd.exe
PID 2924 wrote to memory of 2792	2924	Client.exe	cmd.exe
PID 2792 wrote to memory of 1712	2792	cmd.exe	chcp.com
PID 2792 wrote to memory of 1712	2792	cmd.exe	chcp.com
PID 2792 wrote to memory of 1012	2792	cmd.exe	PING.EXE
PID 2792 wrote to memory of 1012	2792	cmd.exe	PING.EXE
PID 2792 wrote to memory of 3892	2792	cmd.exe	Client.exe
PID 2792 wrote to memory of 3892	2792	cmd.exe	Client.exe
PID 3892 wrote to memory of 4564	3892	Client.exe	schtasks.exe
PID 3892 wrote to memory of 4564	3892	Client.exe	schtasks.exe
PID 3892 wrote to memory of 636	3892	Client.exe	cmd.exe
PID 3892 wrote to memory of 636	3892	Client.exe	cmd.exe
PID 636 wrote to memory of 2240	636	cmd.exe	chcp.com
PID 636 wrote to memory of 2240	636	cmd.exe	chcp.com
PID 636 wrote to memory of 2632	636	cmd.exe	PING.EXE
PID 636 wrote to memory of 2632	636	cmd.exe	PING.EXE
PID 636 wrote to memory of 3612	636	cmd.exe	Client.exe
PID 636 wrote to memory of 3612	636	cmd.exe	Client.exe
PID 3612 wrote to memory of 4384	3612	Client.exe	schtasks.exe
PID 3612 wrote to memory of 4384	3612	Client.exe	schtasks.exe
PID 3612 wrote to memory of 3572	3612	Client.exe	cmd.exe
PID 3612 wrote to memory of 3572	3612	Client.exe	cmd.exe
PID 3572 wrote to memory of 2188	3572	cmd.exe	chcp.com
PID 3572 wrote to memory of 2188	3572	cmd.exe	chcp.com
PID 3572 wrote to memory of 2984	3572	cmd.exe	PING.EXE
PID 3572 wrote to memory of 2984	3572	cmd.exe	PING.EXE
PID 3572 wrote to memory of 212	3572	cmd.exe	Client.exe
PID 3572 wrote to memory of 212	3572	cmd.exe	Client.exe
PID 212 wrote to memory of 1820	212	Client.exe	schtasks.exe
PID 212 wrote to memory of 1820	212	Client.exe	schtasks.exe
PID 212 wrote to memory of 2980	212	Client.exe	cmd.exe
PID 212 wrote to memory of 2980	212	Client.exe	cmd.exe
PID 2980 wrote to memory of 3976	2980	cmd.exe	chcp.com
PID 2980 wrote to memory of 3976	2980	cmd.exe	chcp.com
PID 2980 wrote to memory of 1304	2980	cmd.exe	PING.EXE
PID 2980 wrote to memory of 1304	2980	cmd.exe	PING.EXE
PID 2980 wrote to memory of 2816	2980	cmd.exe	Client.exe
PID 2980 wrote to memory of 2816	2980	cmd.exe	Client.exe
PID 2816 wrote to memory of 4920	2816	Client.exe	schtasks.exe
PID 2816 wrote to memory of 4920	2816	Client.exe	schtasks.exe
PID 2816 wrote to memory of 116	2816	Client.exe	cmd.exe
PID 2816 wrote to memory of 116	2816	Client.exe	cmd.exe
PID 116 wrote to memory of 724	116	cmd.exe	chcp.com
PID 116 wrote to memory of 724	116	cmd.exe	chcp.com
PID 116 wrote to memory of 4388	116	cmd.exe	PING.EXE
PID 116 wrote to memory of 4388	116	cmd.exe	PING.EXE
PID 116 wrote to memory of 1692	116	cmd.exe	Client.exe
PID 116 wrote to memory of 1692	116	cmd.exe	Client.exe
PID 1692 wrote to memory of 1628	1692	Client.exe	schtasks.exe
PID 1692 wrote to memory of 1628	1692	Client.exe	schtasks.exe
PID 1692 wrote to memory of 4952	1692	Client.exe	cmd.exe
PID 1692 wrote to memory of 4952	1692	Client.exe	cmd.exe
PID 4952 wrote to memory of 3436	4952	cmd.exe	chcp.com
PID 4952 wrote to memory of 3436	4952	cmd.exe	chcp.com
PID 4952 wrote to memory of 2340	4952	cmd.exe	PING.EXE
PID 4952 wrote to memory of 2340	4952	cmd.exe	PING.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-06-24_c8015ef5fd4928a90e064f2ef5aebc97_icedid_poet-rat_quasar-rat_xrat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_c8015ef5fd4928a90e064f2ef5aebc97_icedid_poet-rat_quasar-rat_xrat.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2796

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\sign.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:4016

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
4⤵
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\givVpe45dCJt.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\system32\chcp.com
chcp 65001
5⤵
PID:1712

C:\Windows\system32\PING.EXE
ping -n 10 localhost
5⤵
- Runs ping.exe
PID:1012

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
6⤵
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\j6qqabu8K6hR.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:2240

C:\Windows\system32\PING.EXE
ping -n 10 localhost
7⤵
- Runs ping.exe
PID:2632

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3612

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
8⤵
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e1A25Isp0SFn.bat" "
8⤵
- Suspicious use of WriteProcessMemory
PID:3572

C:\Windows\system32\chcp.com
chcp 65001
9⤵
PID:2188

C:\Windows\system32\PING.EXE
ping -n 10 localhost
9⤵
- Runs ping.exe
PID:2984

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
10⤵
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4xS8Xc8ushtF.bat" "
10⤵
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\system32\chcp.com
chcp 65001
11⤵
PID:3976

C:\Windows\system32\PING.EXE
ping -n 10 localhost
11⤵
- Runs ping.exe
PID:1304

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
11⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
12⤵
- Scheduled Task/Job: Scheduled Task
PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m3bBq0ukWJPd.bat" "
12⤵
- Suspicious use of WriteProcessMemory
PID:116

C:\Windows\system32\chcp.com
chcp 65001
13⤵
PID:724

C:\Windows\system32\PING.EXE
ping -n 10 localhost
13⤵
- Runs ping.exe
PID:4388

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
13⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
14⤵
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jE09yCiiCIt8.bat" "
14⤵
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\system32\chcp.com
chcp 65001
15⤵
PID:3436

C:\Windows\system32\PING.EXE
ping -n 10 localhost
15⤵
- Runs ping.exe
PID:2340

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
15⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
16⤵
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IOLpoTJPBEio.bat" "
16⤵
PID:3056

C:\Windows\system32\chcp.com
chcp 65001
17⤵
PID:4900

C:\Windows\system32\PING.EXE
ping -n 10 localhost
17⤵
- Runs ping.exe
PID:4564

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
17⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
18⤵
- Scheduled Task/Job: Scheduled Task
PID:3900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Qv9NfyBmYdj6.bat" "
18⤵
PID:1384

C:\Windows\system32\chcp.com
chcp 65001
19⤵
PID:1592

C:\Windows\system32\PING.EXE
ping -n 10 localhost
19⤵
- Runs ping.exe
PID:4384

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
19⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
20⤵
- Scheduled Task/Job: Scheduled Task
PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fvXr7gDj46Ce.bat" "
20⤵
PID:5016

C:\Windows\system32\chcp.com
chcp 65001
21⤵
PID:4208

C:\Windows\system32\PING.EXE
ping -n 10 localhost
21⤵
- Runs ping.exe
PID:1920

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
21⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
22⤵
- Scheduled Task/Job: Scheduled Task
PID:3928

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4xS8Xc8ushtF.bat
Filesize
207B

MD5
e2f83e0d30b01826c0c37a9f55769349

SHA1
ce97bbdeeab1c32fddb5c441196d77c6ff4447bf

SHA256
6433bcadd9e37ce70661fa9ce7f1151b54b7315bd984a9ed53805dbdc00a96ab

SHA512
c82747c2a4542bf852aa1cc7093d8bd8c28b25af0bff8ea0becdc2d3cc5fac7d2e2f0ab67f97bd9e8d9b01d8cbd471cb2c7f904e5cea1c359294c8728b8de3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IOLpoTJPBEio.bat
Filesize
207B

MD5
f35b33495e1fc93b75694e21d23adf61

SHA1
de6eb001ea90f9405f9b37f7831ac618c22d171d

SHA256
6a01f0ea99823455898fb652504a5bfa0be5b11383afbec4332cd360b30d7664

SHA512
01c74fe6166def460924275074e80d999c9f4cd92ce43bde47ab1183e26892c46e9aa6c979c89756707fb1800ea1dfaf803954be81b4f447ec5779c5eb509b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qv9NfyBmYdj6.bat
Filesize
207B

MD5
cad4879decd7201cadb1c855c3e5e7c1

SHA1
e620897f4809d5b30f4f4d5b8a58bd59ccc8abc2

SHA256
db23e7b680703bc8d08e6d5d083c91d0a36dba38adfd94ab7ac3021786f2bad9

SHA512
f330f08f583d2b545c5810186571bae5dffce047db4fbeb144b078fb9266379ab3c385820c4cc9bd286c60777d74da388630a858254a9e1f897ca63dfbf140a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1A25Isp0SFn.bat
Filesize
207B

MD5
6752ad55b784be361033343f5d1a1232

SHA1
175208a6e3d666e7acaee4aa0e32490d025037a7

SHA256
f64cf989d3efce4fe0cfdfe9756887f6626feacfac5a1b9eb8af8fe08dd52945

SHA512
d8c0968e5edceb950a252b4d68eb542ac0601dab0e704339071b06fb6d929774593bee35c6b4be9fc2449a728aa1f17c9aab1ffca87c738d4586b1cd68d34699

Download Submit
C:\Users\Admin\AppData\Local\Temp\fvXr7gDj46Ce.bat
Filesize
207B

MD5
8b6d0cd35753fc51ab3e36c9b30016ad

SHA1
cdf0fb0073b38c637521c6a4e61140fd6eb52e6c

SHA256
e3b20c0e92ef20e219f40d2642b67a4a8e34339c0eba036e9a5a14c2ed8200b3

SHA512
e7156da954b4786f620c3c2bd9b534366b14073a01b4d15c039df0b9b32ed728505be68fec0080bb40b7f36d4933c9e888995ed680de28af870fcfe63714cebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\givVpe45dCJt.bat
Filesize
207B

MD5
162d8ca1b6c73fb7e53dd9eddddb16be

SHA1
6a1330a349391d50c31e71f546d2bd042a2fddae

SHA256
7040d1e57b09e4d2d688ef1d1660ce201ef20ed3e5dff9441ae118ab701db742

SHA512
0f3c50d3141ebde37375fadcd5abd7861619971554607660977307edf0ca945e1699ffce115520e69f3d1009e8215de3986ebc0d7c001c26c03f4bbedc57bf0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\j6qqabu8K6hR.bat
Filesize
207B

MD5
27e2b88e093cd6e24321586ca4ad77e5

SHA1
a7f2c5278af8f36ab3d367a1d9631a5dd4b9e02e

SHA256
fa28667f9fb68a2bc0b3e4fc9be5adb01051c29293024cfb612dcf3addd0599c

SHA512
7c4d020a2073bab66f833d787bbbbb43228b7d8950217f84e5728e3c9f4a824c7d39f8505f7252e589a9053169761be11022223941872edfe0c1097776b4f3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\jE09yCiiCIt8.bat
Filesize
207B

MD5
534ebd88f179e98a546c9896561334c3

SHA1
f0c668bed7f2b50476d276c743d7f46f4d1803df

SHA256
e12a19755e46bf43be70cd5246689c85befeed90e15faa0227253012682d270b

SHA512
b1b58606bdc118b880b752b4e30f0e299bf81d320b68c7a4c4b07fd9aebf0b8c942991996d98b4bdb7c03b39965a6f9db597b6a2f2ffb99f00499487a693f797

Download Submit
C:\Users\Admin\AppData\Local\Temp\m3bBq0ukWJPd.bat
Filesize
207B

MD5
ad40d12feddb6fa2ab6f2c61d42e7e78

SHA1
7f9d77bec20da2fd7c3e0f22b866cfabbc5d5b1e

SHA256
85520b1bd2b223d6f078c1a59e085a534a9a3a818be25d22b5fc8cc40c52fc0c

SHA512
2013bdaa118d8eb51c19b025c069717c4ac2228a4b193da3516b3389cfd5fbcfbd6d07669e8841d990f73ab7aaa7174d38700f1139eb24e0688167b8661066d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe
Filesize
3.1MB

MD5
7498d554976744dfbd271ba755c6c192

SHA1
ec733d01e776518e387d2f51d1a6559b81f03b1e

SHA256
44089202623b9671051aa5bba5e72f81f68ce818c3054dde57726aaa6dcb9ff7

SHA512
d4e987d0e6235001fac4ae3a634e8fe98c6830e26a6a6876fbc36262842688d3ec301cff75003d2af695cdfd357ac50919946695b7d5d3293ebcba97153e1030

Download Submit
memory/1628-13-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

Filesize
10.8MB

Download
memory/1628-6-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

Filesize
10.8MB

Download
memory/1628-5-0x0000000000290000-0x00000000005B4000-memory.dmp

Filesize
3.1MB

Download
memory/1628-4-0x00007FFA4C3A3000-0x00007FFA4C3A5000-memory.dmp

Filesize
8KB

Download
memory/2924-15-0x000000001D160000-0x000000001D212000-memory.dmp

Filesize
712KB

Download
memory/2924-14-0x000000001D050000-0x000000001D0A0000-memory.dmp

Filesize
320KB

Download