quasar | 8f2f7929d4d3d04be498567f02d567521ce4c5e7a1d400c4f64f4c2bd78ddcb9

Analysis

max time kernel
140s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04fd43a2fbf40610f559b11414d1a71e.exe
Size

3.1MB
MD5

04fd43a2fbf40610f559b11414d1a71e
SHA1

dc7608bd69368ac5a62a9d8e287cc89c31fa750f
SHA256

8f2f7929d4d3d04be498567f02d567521ce4c5e7a1d400c4f64f4c2bd78ddcb9
SHA512

dff106b855eb7ee3c9278d9d60ef4b303c670fc976781f9b6318615e60fb513e95aa09e258c36d140d93968951299b963bca3957e7037a0f0ea95e945f631e55
SSDEEP

49152:mvDI22SsaNYfdPBldt698dBcjHrQV37ar77oGd+VXTHHB72eh2NT:mv822SsaNYfdPBldt6+dBcjHK3w

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

pringelsy-41920.portmap.host:41920

Mutex

63621aac-ae17-49da-9413-459827e68061

Attributes

encryption_key
4F2985A1DF21C9CA0E34D9186E1BC62AF4B58C14
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Opera GX
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

behavioral2/memory/4076-1-0x00000000001E0000-0x0000000000504000-memory.dmp family_quasar
C:\Windows\System32\SubDir\Client.exe family_quasar

resource	yara_rule
behavioral2/memory/4076-1-0x00000000001E0000-0x0000000000504000-memory.dmp	family_quasar
C:\Windows\System32\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 10 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid process

1028 Client.exe
536 Client.exe
1108 Client.exe
2004 Client.exe
3320 Client.exe
452 Client.exe
4084 Client.exe
5104 Client.exe
3048 Client.exe
3832 Client.exe

pid	process
1028	Client.exe
536	Client.exe
1108	Client.exe
2004	Client.exe
3320	Client.exe
452	Client.exe
4084	Client.exe
5104	Client.exe
3048	Client.exe
3832	Client.exe

Drops file in System32 directory 21 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe04fd43a2fbf40610f559b11414d1a71e.exeClient.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File created	C:\Windows\system32\SubDir\Client.exe	04fd43a2fbf40610f559b11414d1a71e.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	04fd43a2fbf40610f559b11414d1a71e.exe
File opened for modification	C:\Windows\system32\SubDir	04fd43a2fbf40610f559b11414d1a71e.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

3092 PING.EXE
2516 PING.EXE
940 PING.EXE
3912 PING.EXE
208 PING.EXE
1744 PING.EXE
4460 PING.EXE
1576 PING.EXE
1180 PING.EXE
3092 PING.EXE
3504 PING.EXE

pid	process
3092	PING.EXE
2516	PING.EXE
940	PING.EXE
3912	PING.EXE
208	PING.EXE
1744	PING.EXE
4460	PING.EXE
1576	PING.EXE
1180	PING.EXE
3092	PING.EXE
3504	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
376	schtasks.exe
2992	schtasks.exe
1112	schtasks.exe
4184	schtasks.exe
732	schtasks.exe
3192	schtasks.exe
5084	schtasks.exe
3996	schtasks.exe
3912	schtasks.exe
3544	schtasks.exe
1900	schtasks.exe
5016	schtasks.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

04fd43a2fbf40610f559b11414d1a71e.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	4076	04fd43a2fbf40610f559b11414d1a71e.exe
Token: SeDebugPrivilege	1028	Client.exe
Token: SeDebugPrivilege	536	Client.exe
Token: SeDebugPrivilege	1108	Client.exe
Token: SeDebugPrivilege	2004	Client.exe
Token: SeDebugPrivilege	3320	Client.exe
Token: SeDebugPrivilege	452	Client.exe
Token: SeDebugPrivilege	4084	Client.exe
Token: SeDebugPrivilege	5104	Client.exe
Token: SeDebugPrivilege	3048	Client.exe
Token: SeDebugPrivilege	3832	Client.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid process

1028 Client.exe
536 Client.exe
1108 Client.exe
2004 Client.exe
3320 Client.exe
452 Client.exe
4084 Client.exe
5104 Client.exe
3048 Client.exe
Suspicious use of SendNotifyMessage 9 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid process

1028 Client.exe
536 Client.exe
1108 Client.exe
2004 Client.exe
3320 Client.exe
452 Client.exe
4084 Client.exe
5104 Client.exe
3048 Client.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

1028 Client.exe

pid	process
1028	Client.exe
536	Client.exe
1108	Client.exe
2004	Client.exe
3320	Client.exe
452	Client.exe
4084	Client.exe
5104	Client.exe
3048	Client.exe

pid	process
1028	Client.exe
536	Client.exe
1108	Client.exe
2004	Client.exe
3320	Client.exe
452	Client.exe
4084	Client.exe
5104	Client.exe
3048	Client.exe

pid	process
1028	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

04fd43a2fbf40610f559b11414d1a71e.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 4076 wrote to memory of 3996	4076	04fd43a2fbf40610f559b11414d1a71e.exe	schtasks.exe
PID 4076 wrote to memory of 3996	4076	04fd43a2fbf40610f559b11414d1a71e.exe	schtasks.exe
PID 4076 wrote to memory of 1028	4076	04fd43a2fbf40610f559b11414d1a71e.exe	Client.exe
PID 4076 wrote to memory of 1028	4076	04fd43a2fbf40610f559b11414d1a71e.exe	Client.exe
PID 1028 wrote to memory of 3912	1028	Client.exe	schtasks.exe
PID 1028 wrote to memory of 3912	1028	Client.exe	schtasks.exe
PID 1028 wrote to memory of 4144	1028	Client.exe	cmd.exe
PID 1028 wrote to memory of 4144	1028	Client.exe	cmd.exe
PID 4144 wrote to memory of 2908	4144	cmd.exe	chcp.com
PID 4144 wrote to memory of 2908	4144	cmd.exe	chcp.com
PID 4144 wrote to memory of 2516	4144	cmd.exe	PING.EXE
PID 4144 wrote to memory of 2516	4144	cmd.exe	PING.EXE
PID 4144 wrote to memory of 536	4144	cmd.exe	Client.exe
PID 4144 wrote to memory of 536	4144	cmd.exe	Client.exe
PID 536 wrote to memory of 376	536	Client.exe	schtasks.exe
PID 536 wrote to memory of 376	536	Client.exe	schtasks.exe
PID 536 wrote to memory of 2768	536	Client.exe	cmd.exe
PID 536 wrote to memory of 2768	536	Client.exe	cmd.exe
PID 2768 wrote to memory of 4440	2768	cmd.exe	chcp.com
PID 2768 wrote to memory of 4440	2768	cmd.exe	chcp.com
PID 2768 wrote to memory of 940	2768	cmd.exe	PING.EXE
PID 2768 wrote to memory of 940	2768	cmd.exe	PING.EXE
PID 2768 wrote to memory of 1108	2768	cmd.exe	Client.exe
PID 2768 wrote to memory of 1108	2768	cmd.exe	Client.exe
PID 1108 wrote to memory of 3544	1108	Client.exe	schtasks.exe
PID 1108 wrote to memory of 3544	1108	Client.exe	schtasks.exe
PID 1108 wrote to memory of 1128	1108	Client.exe	cmd.exe
PID 1108 wrote to memory of 1128	1108	Client.exe	cmd.exe
PID 1128 wrote to memory of 1192	1128	cmd.exe	chcp.com
PID 1128 wrote to memory of 1192	1128	cmd.exe	chcp.com
PID 1128 wrote to memory of 1180	1128	cmd.exe	PING.EXE
PID 1128 wrote to memory of 1180	1128	cmd.exe	PING.EXE
PID 1128 wrote to memory of 2004	1128	cmd.exe	Client.exe
PID 1128 wrote to memory of 2004	1128	cmd.exe	Client.exe
PID 2004 wrote to memory of 1900	2004	Client.exe	schtasks.exe
PID 2004 wrote to memory of 1900	2004	Client.exe	schtasks.exe
PID 2004 wrote to memory of 5044	2004	Client.exe	cmd.exe
PID 2004 wrote to memory of 5044	2004	Client.exe	cmd.exe
PID 5044 wrote to memory of 3828	5044	cmd.exe	chcp.com
PID 5044 wrote to memory of 3828	5044	cmd.exe	chcp.com
PID 5044 wrote to memory of 3092	5044	cmd.exe	PING.EXE
PID 5044 wrote to memory of 3092	5044	cmd.exe	PING.EXE
PID 5044 wrote to memory of 3320	5044	cmd.exe	Client.exe
PID 5044 wrote to memory of 3320	5044	cmd.exe	Client.exe
PID 3320 wrote to memory of 2992	3320	Client.exe	schtasks.exe
PID 3320 wrote to memory of 2992	3320	Client.exe	schtasks.exe
PID 3320 wrote to memory of 1420	3320	Client.exe	cmd.exe
PID 3320 wrote to memory of 1420	3320	Client.exe	cmd.exe
PID 1420 wrote to memory of 4376	1420	cmd.exe	chcp.com
PID 1420 wrote to memory of 4376	1420	cmd.exe	chcp.com
PID 1420 wrote to memory of 3504	1420	cmd.exe	PING.EXE
PID 1420 wrote to memory of 3504	1420	cmd.exe	PING.EXE
PID 1420 wrote to memory of 452	1420	cmd.exe	Client.exe
PID 1420 wrote to memory of 452	1420	cmd.exe	Client.exe
PID 452 wrote to memory of 5016	452	Client.exe	schtasks.exe
PID 452 wrote to memory of 5016	452	Client.exe	schtasks.exe
PID 452 wrote to memory of 4356	452	Client.exe	cmd.exe
PID 452 wrote to memory of 4356	452	Client.exe	cmd.exe
PID 4356 wrote to memory of 3372	4356	cmd.exe	chcp.com
PID 4356 wrote to memory of 3372	4356	cmd.exe	chcp.com
PID 4356 wrote to memory of 208	4356	cmd.exe	PING.EXE
PID 4356 wrote to memory of 208	4356	cmd.exe	PING.EXE
PID 4356 wrote to memory of 4084	4356	cmd.exe	Client.exe
PID 4356 wrote to memory of 4084	4356	cmd.exe	Client.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\04fd43a2fbf40610f559b11414d1a71e.exe
"C:\Users\Admin\AppData\Local\Temp\04fd43a2fbf40610f559b11414d1a71e.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Opera GX" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Opera GX" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:3912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pzKKEkHCzrBM.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4144

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2908

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2516

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Opera GX" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMQm14DM7Mxd.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:4440

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:940

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Opera GX" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Scheduled Task/Job: Scheduled Task
PID:3544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Mg5GdbLDA3rG.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:1192

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:1180

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Opera GX" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7uGElpLiKIIq.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:3828

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:3092

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3320

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Opera GX" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WMva5WEMDqQQ.bat" "
11⤵
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:4376

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:3504

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:452

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Opera GX" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Scheduled Task/Job: Scheduled Task
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PcPKJchbrnUi.bat" "
13⤵
- Suspicious use of WriteProcessMemory
PID:4356

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:3372

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:208

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4084

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Opera GX" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IrtnYruOf9bg.bat" "
15⤵
PID:4724

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:1496

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:1744

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5104

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Opera GX" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Scheduled Task/Job: Scheduled Task
PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LCUXSqRWZgRt.bat" "
17⤵
PID:2900

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:4172

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:4460

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3048

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Opera GX" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Scheduled Task/Job: Scheduled Task
PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7dObnY4ATtpX.bat" "
19⤵
PID:3628

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:4948

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:3912

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Opera GX" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Scheduled Task/Job: Scheduled Task
PID:732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vwvS1wCl1CCy.bat" "
21⤵
PID:1616

C:\Windows\system32\chcp.com
chcp 65001
22⤵
PID:4336

C:\Windows\system32\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:1576

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
22⤵
PID:632

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Opera GX" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dimkvIw4cUhZ.bat" "
23⤵
PID:380

C:\Windows\system32\chcp.com
chcp 65001
24⤵
PID:3584

C:\Windows\system32\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:3092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4264 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:4660

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7dObnY4ATtpX.bat
Filesize
196B

MD5
26133ea99d742e310b61b49ed535d6fd

SHA1
bcb6e86c0190c7abe857aeb01f59428c722b9a48

SHA256
4fe12ca7d811596c355d473af4d4438cab25e22693849ff61dc18a7a866c686e

SHA512
fd40b962196d3c4238241e77f12208f23feea0e1523780a8007b821310cce3835e7268c79c1744314eb5cfb4af18fd1eb8488e1765ef6d761e2d594bfd5afdb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7uGElpLiKIIq.bat
Filesize
196B

MD5
dd8bbd178613c8871bc9e4a5afbbc176

SHA1
be346de49ce0c1a61b05d61938d956e28eeb44cb

SHA256
0b16653b4d4fa95ce5d341500a6947d51864dff54d1c617549260b1dab174709

SHA512
f06c7514b470f3308098489d56fd170d1a606ffae6f560e1bf9f99b665555496a140c8d0a1717a1ac50665c4fdfbb19eb2f400b7988306491e9332dd030de1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IrtnYruOf9bg.bat
Filesize
196B

MD5
4b990eec2bc3bdcfcbc21f557d697b72

SHA1
2db20317aba43ece5991a98e9618e30541a389e5

SHA256
f6041211e4eacb029ec6a46a37070f953d431c54afba02cb37a960f4bcb6a529

SHA512
a66d85862a9faeaa26f4e7dd9767a0049f1d9fc5f5eed63cb0977b9fbf569f3a1d1be0fc82c01d29b57a08aa8b06d06ab98deab1ce63edb9d564acefa4a9bcb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\LCUXSqRWZgRt.bat
Filesize
196B

MD5
76d99df0c594a180fc2791989349e801

SHA1
55b5ab9cd17e68e46320ca2aaedf2cd9aa7c8806

SHA256
9594ce1560bcd923fe1662b75e82bc04160ce617bb3ff62d5ca7a52b94e0780e

SHA512
b83647a739af4da3164d0ab403e2f7fa4911b71c6c945a4e34a1786084757682f651a6885b37c8a3f7d21d7c8431584829b8b2da34e0691ec6befa720cc0cfe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mg5GdbLDA3rG.bat
Filesize
196B

MD5
f1f63a7b5413f223d08f469406fbf664

SHA1
9c88d8c07a678cc8149199e5524d97bd35b0ace3

SHA256
70f2e9de4da439edec540a5978d0904847aba199589e4e8e9d4776e6ea8c713f

SHA512
5d9e3e9fb14c95492fb3c917cefc1c9f538db49af01d08c91a33097871014ce12284491d8cd9aef0598a67e70898d6fba247e1706f36e67da12dca5bda41287d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PcPKJchbrnUi.bat
Filesize
196B

MD5
7b652b64057b2b28c59ec3ee0f3c2cce

SHA1
0649f95728aaa372e296698f771d122d33c26279

SHA256
dbceb18585be4f081c61ed7415789b8350c2e07d796326ca52d72548689b3548

SHA512
13c435c3812ee3893c6a92dc841520a3c97808fb386b8f97ae0e35e672783e9094cb8b55cc8430709618debadaf14ca2aba8b998b4b16c2a8c321e3d862aa773

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMva5WEMDqQQ.bat
Filesize
196B

MD5
7e0a0afa168aac254e07fce06e701149

SHA1
f10877d389caed7c001aacada028ddc863a0b47d

SHA256
68f4b941419260f9d62c09695503639428e504d47b353d1664f8c35937130716

SHA512
8cda928a92a04751f221f258b4c0d649bcd46b3ac94f746876d92b98b2d5e82f4323ca0b68912f4e0bc532ccb30624fe8d1b78f3ef7d439b759baaf3ad22382f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dimkvIw4cUhZ.bat
Filesize
196B

MD5
38a08cf79473e5a4269478a4cee3e277

SHA1
94e526d8da0f91677f62c4d39376da9956d4269b

SHA256
60d381e47a14bb4e4bd378b0161b81bedf2b691501f9903fb29ad21c09b12528

SHA512
26b4280f97adfc148f1f28256caa23956a6676bd97cb4f0c13fde7d1edd8d7dfcf3d15bfd29e1f6072b3903edd04856ce8c0a7ac8f1c1cdb6b495f93a5735db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzKKEkHCzrBM.bat
Filesize
196B

MD5
801836111b4f90ba4e76c1dfb8deee8b

SHA1
1ed1ac20606e4ccb9a60fc492e1de0065637555f

SHA256
b1c18cdc9c9ee1e9aec9be68a2a650587682a567e913fb366e6ac120e9f2a44b

SHA512
7ec843a054a4583eff2d148d727a82a360dd9a76c9d4fa56ad81c38244b245ff53de96921bc4f7bc07b9167d47c98ce09c552a4dec991405b3b0f6a15312e346

Download Submit
C:\Users\Admin\AppData\Local\Temp\tMQm14DM7Mxd.bat
Filesize
196B

MD5
e065d01c9d66147213c478f87be5d6e2

SHA1
6eabf2910a411c4ed688d5b4734a41017a925b19

SHA256
dcdb6d9b0d22c284bb84d54598986fec29a31bbe0277ec6e2e76db0b2e1892c1

SHA512
f7e30a2a3e553f146c8742890fb8d02f5c0faebda878fc1f4569ab842489f6fa9e79ee42bcdf3df45f23373a2a85b97579fa42247defc30f53cf6a969cd751b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwvS1wCl1CCy.bat
Filesize
196B

MD5
ed4555fd8fe4f75cdb5dd42cb80f09e7

SHA1
c6ac9fea538e5f0f7cf5c58b01fb099246dbef77

SHA256
585e927ed5d283ef16d8d338b64ddfabd12b034e21246cb23d0523ced403eac4

SHA512
7db33cad08e208fc7c037429ec22c681357853ff156810a998593b46c716a63aac072b6e4d0b8c4f59392c6c2c506aae09bebd358f8ef6e930daf1e07e98fd77

Download Submit
C:\Windows\System32\SubDir\Client.exe
Filesize
3.1MB

MD5
04fd43a2fbf40610f559b11414d1a71e

SHA1
dc7608bd69368ac5a62a9d8e287cc89c31fa750f

SHA256
8f2f7929d4d3d04be498567f02d567521ce4c5e7a1d400c4f64f4c2bd78ddcb9

SHA512
dff106b855eb7ee3c9278d9d60ef4b303c670fc976781f9b6318615e60fb513e95aa09e258c36d140d93968951299b963bca3957e7037a0f0ea95e945f631e55

Download Submit
C:\Windows\System32\SubDir\Client.exe
Filesize
2.3MB

MD5
ecfd3916a0c7b222102d704f4791cf5d

SHA1
caafefc6cae77efc44b096d4906ff8a53d8e1d10

SHA256
074d1f1280ab5dc978dcd908b6cbe865bdb7712ce789b419e73236168f7d8948

SHA512
285b1e6564cc7bbb2b1e7ebca10306f1c3bd628699b2e0ab1685c521381d1c89a404b2a10463bc6426a83f6a8b29cf70c711c73ced5caa26a50a701e0db78e0b

Download Submit
C:\Windows\System32\SubDir\Client.exe
Filesize
661KB

MD5
d54703cbc8a0573dfbebc57f1ea821c0

SHA1
3028178f7d0ce2911de59a0c29867286a8be3e95

SHA256
ba84cf0d5b9de5c74e2b3414c4b642691fbd489c66c3960f004a51a86027a408

SHA512
fba1a5bed8146832f6f66d3cc9cbe9bfa6046be4bd4b16b9858215c4a707824802e2c2d40b75c17d73fd023fc7a329caf0ce09031814f0df076883971574f56e

Download Submit
memory/1028-12-0x000000001CB60000-0x000000001CBB0000-memory.dmp

Filesize
320KB

Download
memory/1028-10-0x00007FFCA3100000-0x00007FFCA3BC1000-memory.dmp

Filesize
10.8MB

Download
memory/1028-11-0x00007FFCA3100000-0x00007FFCA3BC1000-memory.dmp

Filesize
10.8MB

Download
memory/1028-19-0x00007FFCA3100000-0x00007FFCA3BC1000-memory.dmp

Filesize
10.8MB

Download
memory/1028-13-0x000000001CC70000-0x000000001CD22000-memory.dmp

Filesize
712KB

Download
memory/4076-9-0x00007FFCA3100000-0x00007FFCA3BC1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-2-0x00007FFCA3100000-0x00007FFCA3BC1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-0-0x00007FFCA3103000-0x00007FFCA3105000-memory.dmp

Filesize
8KB

Download
memory/4076-1-0x00000000001E0000-0x0000000000504000-memory.dmp

Filesize
3.1MB

Download