quasar | f181b5a4e2f0dc0cdf70e16c18e3466e436aae0bb96ef9b7dc24c7f219167115

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1878733d5f2872169c33653a1ac9b623.exe
Size

4.8MB
MD5

1878733d5f2872169c33653a1ac9b623
SHA1

738a018c2c738e93ffa6dce3932ee994aa7b11e3
SHA256

f181b5a4e2f0dc0cdf70e16c18e3466e436aae0bb96ef9b7dc24c7f219167115
SHA512

bc0d3a8a84efcc80b7768efc0b4071722bdfdbb63c9ea9b5e45089257ee527772dfb9f2a259d10abf8ecc54c1816917d5a527bbd87adca333543cb0f1610a4b9
SSDEEP

98304:EQfNOLY2uXHEvr22SsaNYfdPBldt6+dBcjHtKRJ6BJIbzZ3IbzZY:eQHSM7jGImWK

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

mx5.deitie.asia:4495

Mutex

ebbf737a-dddd-43dd-9b0a-74831302455d

Attributes

encryption_key
F8516D89A1DFD78BD8FF575BBC3AE828B47FF0E1
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe	family_quasar
behavioral2/memory/1204-5-0x0000000000980000-0x0000000000CA4000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe

Drops startup file 1 IoCs

Processes:

1878733d5f2872169c33653a1ac9b623.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe 1878733d5f2872169c33653a1ac9b623.exe
Executes dropped EXE 12 IoCs

Processes:

sign.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid process

1204 sign.exe
4524 Client.exe
4272 Client.exe
3220 Client.exe
2280 Client.exe
3392 Client.exe
2604 Client.exe
4992 Client.exe
312 Client.exe
2952 Client.exe
3932 Client.exe
2748 Client.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 10 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

3324 PING.EXE
2804 PING.EXE
4356 PING.EXE
3544 PING.EXE
4208 PING.EXE
3620 PING.EXE
4876 PING.EXE
1200 PING.EXE
4128 PING.EXE
1348 PING.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe	1878733d5f2872169c33653a1ac9b623.exe

pid	process
1204	sign.exe
4524	Client.exe
4272	Client.exe
3220	Client.exe
2280	Client.exe
3392	Client.exe
2604	Client.exe
4992	Client.exe
312	Client.exe
2952	Client.exe
3932	Client.exe
2748	Client.exe

pid	process
3324	PING.EXE
2804	PING.EXE
4356	PING.EXE
3544	PING.EXE
4208	PING.EXE
3620	PING.EXE
4876	PING.EXE
1200	PING.EXE
4128	PING.EXE
1348	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
412	schtasks.exe
1464	schtasks.exe
2800	schtasks.exe
4972	schtasks.exe
1432	schtasks.exe
1492	schtasks.exe
2924	schtasks.exe
1060	schtasks.exe
4252	schtasks.exe
3792	schtasks.exe
4732	schtasks.exe
4532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1878733d5f2872169c33653a1ac9b623.exe

pid process

1828 1878733d5f2872169c33653a1ac9b623.exe
1828 1878733d5f2872169c33653a1ac9b623.exe

pid	process
1828	1878733d5f2872169c33653a1ac9b623.exe
1828	1878733d5f2872169c33653a1ac9b623.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

sign.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	1204	sign.exe
Token: SeDebugPrivilege	4524	Client.exe
Token: SeDebugPrivilege	4272	Client.exe
Token: SeDebugPrivilege	3220	Client.exe
Token: SeDebugPrivilege	2280	Client.exe
Token: SeDebugPrivilege	3392	Client.exe
Token: SeDebugPrivilege	2604	Client.exe
Token: SeDebugPrivilege	4992	Client.exe
Token: SeDebugPrivilege	312	Client.exe
Token: SeDebugPrivilege	2952	Client.exe
Token: SeDebugPrivilege	3932	Client.exe
Token: SeDebugPrivilege	2748	Client.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1878733d5f2872169c33653a1ac9b623.exe

pid process

1828 1878733d5f2872169c33653a1ac9b623.exe
1828 1878733d5f2872169c33653a1ac9b623.exe

pid	process
1828	1878733d5f2872169c33653a1ac9b623.exe
1828	1878733d5f2872169c33653a1ac9b623.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1878733d5f2872169c33653a1ac9b623.exesign.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 1828 wrote to memory of 1204	1828	1878733d5f2872169c33653a1ac9b623.exe	sign.exe
PID 1828 wrote to memory of 1204	1828	1878733d5f2872169c33653a1ac9b623.exe	sign.exe
PID 1204 wrote to memory of 4532	1204	sign.exe	schtasks.exe
PID 1204 wrote to memory of 4532	1204	sign.exe	schtasks.exe
PID 1204 wrote to memory of 4524	1204	sign.exe	Client.exe
PID 1204 wrote to memory of 4524	1204	sign.exe	Client.exe
PID 4524 wrote to memory of 2924	4524	Client.exe	schtasks.exe
PID 4524 wrote to memory of 2924	4524	Client.exe	schtasks.exe
PID 4524 wrote to memory of 4776	4524	Client.exe	cmd.exe
PID 4524 wrote to memory of 4776	4524	Client.exe	cmd.exe
PID 4776 wrote to memory of 2700	4776	cmd.exe	chcp.com
PID 4776 wrote to memory of 2700	4776	cmd.exe	chcp.com
PID 4776 wrote to memory of 3620	4776	cmd.exe	PING.EXE
PID 4776 wrote to memory of 3620	4776	cmd.exe	PING.EXE
PID 4776 wrote to memory of 4272	4776	cmd.exe	Client.exe
PID 4776 wrote to memory of 4272	4776	cmd.exe	Client.exe
PID 4272 wrote to memory of 1060	4272	Client.exe	schtasks.exe
PID 4272 wrote to memory of 1060	4272	Client.exe	schtasks.exe
PID 4272 wrote to memory of 1524	4272	Client.exe	cmd.exe
PID 4272 wrote to memory of 1524	4272	Client.exe	cmd.exe
PID 1524 wrote to memory of 4288	1524	cmd.exe	chcp.com
PID 1524 wrote to memory of 4288	1524	cmd.exe	chcp.com
PID 1524 wrote to memory of 3324	1524	cmd.exe	PING.EXE
PID 1524 wrote to memory of 3324	1524	cmd.exe	PING.EXE
PID 1524 wrote to memory of 3220	1524	cmd.exe	Client.exe
PID 1524 wrote to memory of 3220	1524	cmd.exe	Client.exe
PID 3220 wrote to memory of 412	3220	Client.exe	schtasks.exe
PID 3220 wrote to memory of 412	3220	Client.exe	schtasks.exe
PID 3220 wrote to memory of 4320	3220	Client.exe	cmd.exe
PID 3220 wrote to memory of 4320	3220	Client.exe	cmd.exe
PID 4320 wrote to memory of 3208	4320	cmd.exe	chcp.com
PID 4320 wrote to memory of 3208	4320	cmd.exe	chcp.com
PID 4320 wrote to memory of 1348	4320	cmd.exe	PING.EXE
PID 4320 wrote to memory of 1348	4320	cmd.exe	PING.EXE
PID 4320 wrote to memory of 2280	4320	cmd.exe	Client.exe
PID 4320 wrote to memory of 2280	4320	cmd.exe	Client.exe
PID 2280 wrote to memory of 4252	2280	Client.exe	schtasks.exe
PID 2280 wrote to memory of 4252	2280	Client.exe	schtasks.exe
PID 2280 wrote to memory of 1544	2280	Client.exe	cmd.exe
PID 2280 wrote to memory of 1544	2280	Client.exe	cmd.exe
PID 1544 wrote to memory of 3116	1544	cmd.exe	chcp.com
PID 1544 wrote to memory of 3116	1544	cmd.exe	chcp.com
PID 1544 wrote to memory of 2804	1544	cmd.exe	PING.EXE
PID 1544 wrote to memory of 2804	1544	cmd.exe	PING.EXE
PID 1544 wrote to memory of 3392	1544	cmd.exe	Client.exe
PID 1544 wrote to memory of 3392	1544	cmd.exe	Client.exe
PID 3392 wrote to memory of 1464	3392	Client.exe	schtasks.exe
PID 3392 wrote to memory of 1464	3392	Client.exe	schtasks.exe
PID 3392 wrote to memory of 1128	3392	Client.exe	cmd.exe
PID 3392 wrote to memory of 1128	3392	Client.exe	cmd.exe
PID 1128 wrote to memory of 2240	1128	cmd.exe	chcp.com
PID 1128 wrote to memory of 2240	1128	cmd.exe	chcp.com
PID 1128 wrote to memory of 4356	1128	cmd.exe	PING.EXE
PID 1128 wrote to memory of 4356	1128	cmd.exe	PING.EXE
PID 1128 wrote to memory of 2604	1128	cmd.exe	Client.exe
PID 1128 wrote to memory of 2604	1128	cmd.exe	Client.exe
PID 2604 wrote to memory of 2800	2604	Client.exe	schtasks.exe
PID 2604 wrote to memory of 2800	2604	Client.exe	schtasks.exe
PID 2604 wrote to memory of 4956	2604	Client.exe	cmd.exe
PID 2604 wrote to memory of 4956	2604	Client.exe	cmd.exe
PID 4956 wrote to memory of 4508	4956	cmd.exe	chcp.com
PID 4956 wrote to memory of 4508	4956	cmd.exe	chcp.com
PID 4956 wrote to memory of 3544	4956	cmd.exe	PING.EXE
PID 4956 wrote to memory of 3544	4956	cmd.exe	PING.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1878733d5f2872169c33653a1ac9b623.exe
"C:\Users\Admin\AppData\Local\Temp\1878733d5f2872169c33653a1ac9b623.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\sign.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
4⤵
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hq5QP64LGL3n.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\system32\chcp.com
chcp 65001
5⤵
PID:2700

C:\Windows\system32\PING.EXE
ping -n 10 localhost
5⤵
- Runs ping.exe
PID:3620

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
6⤵
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WT5sU8wrlTmr.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:4288

C:\Windows\system32\PING.EXE
ping -n 10 localhost
7⤵
- Runs ping.exe
PID:3324

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3220

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
8⤵
- Scheduled Task/Job: Scheduled Task
PID:412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\puGHcM7tp1dk.bat" "
8⤵
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\system32\chcp.com
chcp 65001
9⤵
PID:3208

C:\Windows\system32\PING.EXE
ping -n 10 localhost
9⤵
- Runs ping.exe
PID:1348

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
10⤵
- Scheduled Task/Job: Scheduled Task
PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x4GM5f1NwBLE.bat" "
10⤵
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\system32\chcp.com
chcp 65001
11⤵
PID:3116

C:\Windows\system32\PING.EXE
ping -n 10 localhost
11⤵
- Runs ping.exe
PID:2804

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
11⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3392

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
12⤵
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Tp6OUZ9ArKnD.bat" "
12⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\system32\chcp.com
chcp 65001
13⤵
PID:2240

C:\Windows\system32\PING.EXE
ping -n 10 localhost
13⤵
- Runs ping.exe
PID:4356

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
13⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
14⤵
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\inoGpnBEwgz9.bat" "
14⤵
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\system32\chcp.com
chcp 65001
15⤵
PID:4508

C:\Windows\system32\PING.EXE
ping -n 10 localhost
15⤵
- Runs ping.exe
PID:3544

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
15⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
16⤵
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xnDwxXGn6O3l.bat" "
16⤵
PID:3856

C:\Windows\system32\chcp.com
chcp 65001
17⤵
PID:2836

C:\Windows\system32\PING.EXE
ping -n 10 localhost
17⤵
- Runs ping.exe
PID:4876

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
17⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:312

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
18⤵
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6fpRm1qAR4t4.bat" "
18⤵
PID:4884

C:\Windows\system32\chcp.com
chcp 65001
19⤵
PID:1572

C:\Windows\system32\PING.EXE
ping -n 10 localhost
19⤵
- Runs ping.exe
PID:1200

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
19⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
20⤵
- Scheduled Task/Job: Scheduled Task
PID:3792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\p4nLPBkosqcE.bat" "
20⤵
PID:4764

C:\Windows\system32\chcp.com
chcp 65001
21⤵
PID:1140

C:\Windows\system32\PING.EXE
ping -n 10 localhost
21⤵
- Runs ping.exe
PID:4128

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
21⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
22⤵
- Scheduled Task/Job: Scheduled Task
PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nBoHn2WZmpht.bat" "
22⤵
PID:1544

C:\Windows\system32\chcp.com
chcp 65001
23⤵
PID:2728

C:\Windows\system32\PING.EXE
ping -n 10 localhost
23⤵
- Runs ping.exe
PID:4208

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
23⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
24⤵
- Scheduled Task/Job: Scheduled Task
PID:1492

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6fpRm1qAR4t4.bat
Filesize
207B

MD5
72faf16448c488f5f0379e3d89809767

SHA1
3d68dcd4945d1b1605c04a858bb6aba6bf92be51

SHA256
7bde6193ab9cf6f410e2e838870e8df7ed00f811a250f5bb84842c723b7089a2

SHA512
fb4939bc6c7bf6b204303564d065993d0afdd47a4c758dff448bbb94abd2c07804b0bbc2e91c7c579b9f4f5011a80c939d0854772109ca5f55bea6fa0e47eaf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hq5QP64LGL3n.bat
Filesize
207B

MD5
4ed44a74fbf0791f3087f8ce6cdf5299

SHA1
138f7d822f3ba7338c36bc2182ff602b1d9b03b9

SHA256
c12b46633e36b43385f7e2c568de181860d04f800ea7dd836f2b3dd7ae741317

SHA512
ac413bfabcdf1fc452f05df172b127dc670058a54492cf7e80cecbf846c46e7b360d94aa206ae4c7587cc1ddd2015ebe6eb46123038f5f79ccac927ddcd47399

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tp6OUZ9ArKnD.bat
Filesize
207B

MD5
badc4e383086e6d910d7002fa6cbe96c

SHA1
782aad951f540a85d0a6c64d885262ec22c5e04e

SHA256
00a2428d53daabd38ac1b4c3706952aa99dfaa0145f3186d406eaee60b053c4c

SHA512
60e4acf3788663b1fa960e8b3481721d271167d7a2e1ac8c4c6722bcd8c88abe8247613657f0200a9de1b4b14c5e17b15475ba24ec505b337ae0b5c0fa861182

Download Submit
C:\Users\Admin\AppData\Local\Temp\WT5sU8wrlTmr.bat
Filesize
207B

MD5
18dfe9ef093fce2afd11484c20e69564

SHA1
da6d4e766da7ff3bdf34988bfc8b5615ea2ec096

SHA256
da0bc9ec1559ac6e5e29c9bdda6f4879ab160e63de6651635d363f58e82e7c31

SHA512
eaa68fa8f8ca299dffbc9df07599104a5423eff7de8c528d1f1fb848ae7b395c25dab886f7d2b05dabb7f71604253af38ef135096acd1d6ae8483eb610a81ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\inoGpnBEwgz9.bat
Filesize
207B

MD5
882bebf863dd982bf27e64ef8aa250c8

SHA1
26fcc94946e34e6e6f9f027ade568aee74f348b9

SHA256
1ffb71a8231a0f1ee764951b86729f6d6c34f0e3a543113f0c2e9d07e1ca72d5

SHA512
cd74270b72cd53f9b6dab287b2683415367f4e4688de5c7350f1ed39c2105b303e9525b86bde9d1b2e36b1f200b5d5853ae7c9f2ac4b90f74456332de727a770

Download Submit
C:\Users\Admin\AppData\Local\Temp\nBoHn2WZmpht.bat
Filesize
207B

MD5
f6f972a55b70e61544e12f24f05ce251

SHA1
52c2d4f6b68f90c780d0d81fed16856c06752036

SHA256
901ea7cf65a2f958c5a61e8b9c594cc283f8676b411b46704704244b63f5f1e9

SHA512
5422fc607f781a2aebc4e55339c0894ede2c954e85f40c85cd63e5792cb9abc3229f2a17b474d55843a33cf0a260ec6c740f92d595eb3fdfea4e3ec9510bbebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\p4nLPBkosqcE.bat
Filesize
207B

MD5
b14018ac213d53f717a667f0a3faad93

SHA1
2902137d2921c41b7000cf39941f2ac448a12afc

SHA256
a2b695cb7a696cf79cbf035f1bbcac5b1bb120310a0f58738b6723c048c4457f

SHA512
097ce7a11954054d423db1393b7772117f7e3de62199017cc83010f5667d31cfb3ec8948b98163b44b68fa6361920dd833d92541b6a0dd14ae02fb265925a556

Download Submit
C:\Users\Admin\AppData\Local\Temp\puGHcM7tp1dk.bat
Filesize
207B

MD5
a7312e5ad7b031a5dceb2b726c8919fc

SHA1
5bb87f74ccbe118403d6b59d795da4e390dbb439

SHA256
38bdf21f8525c86217eb2ea85031e5ae338f1d6e13f9e553536294449f4d66f7

SHA512
ca89060640cbf3326d0b9b6216afa585ce403465783b64bbc5b771fe2d604edaac7f78c0f6508d1755191593492ec27579fac696c25a54c58330931aac713408

Download Submit
C:\Users\Admin\AppData\Local\Temp\x4GM5f1NwBLE.bat
Filesize
207B

MD5
c219d5404004ecc7336a572c9599dbdb

SHA1
c489b605fda9e5ed6c412b9a1b77c7be41c53057

SHA256
07c212b2e59a6b17bef137fd12d9393162051f218327dc05c7847e6616494e8a

SHA512
7427a7e36851fd8fbef0db6ff803ffa30933fa1e69bbe7e912360d8424a172ad00d4340e4088c3355a849b6548d23937c9827175a13e5a0836a78907cee336f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xnDwxXGn6O3l.bat
Filesize
207B

MD5
2ea8df237ce78d9e92efe399fb1fd9cf

SHA1
77e3921d1b68b13f46de8245f9321ab63493bea4

SHA256
6dd262cf3755d0d85563647973b7ab6353e7f0804fb768ba99d882eeb3e6938a

SHA512
a0a6b5dbc1427e34c2a42e6995ee0b074362414c57f2d8455482b7048b9f5003447c56f20ffa1f00536d5d84c8a85b3daebe153146f4dec7933339a5c7c37004

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe
Filesize
3.1MB

MD5
7498d554976744dfbd271ba755c6c192

SHA1
ec733d01e776518e387d2f51d1a6559b81f03b1e

SHA256
44089202623b9671051aa5bba5e72f81f68ce818c3054dde57726aaa6dcb9ff7

SHA512
d4e987d0e6235001fac4ae3a634e8fe98c6830e26a6a6876fbc36262842688d3ec301cff75003d2af695cdfd357ac50919946695b7d5d3293ebcba97153e1030

Download Submit
memory/1204-6-0x00007FFA75250000-0x00007FFA75D11000-memory.dmp

Filesize
10.8MB

Download
memory/1204-5-0x0000000000980000-0x0000000000CA4000-memory.dmp

Filesize
3.1MB

Download
memory/1204-13-0x00007FFA75250000-0x00007FFA75D11000-memory.dmp

Filesize
10.8MB

Download
memory/1204-4-0x00007FFA75253000-0x00007FFA75255000-memory.dmp

Filesize
8KB

Download
memory/4524-14-0x00007FFA75250000-0x00007FFA75D11000-memory.dmp

Filesize
10.8MB

Download
memory/4524-15-0x000000001B0A0000-0x000000001B0F0000-memory.dmp

Filesize
320KB

Download
memory/4524-21-0x00007FFA75250000-0x00007FFA75D11000-memory.dmp

Filesize
10.8MB

Download
memory/4524-16-0x000000001D070000-0x000000001D122000-memory.dmp

Filesize
712KB

Download