Analysis

max time kernel: 129s
max time network: 123s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 01-07-2024 02:57

Behavioral task: behavioral1
Sample: a83e969ffc192231f2690fab578e9767.exe
Resource: win7-20240611-en

General

Target: a83e969ffc192231f2690fab578e9767.exe
Size: 3.1MB
MD5: a83e969ffc192231f2690fab578e9767
SHA1: c18087b36c233437d9357cb5a9ff4317ac0060ec
SHA256: 98434fe3c17f66fea234631199b6ba3c4b472b52fbcf66b2f0329866b08fd797
SHA512: eb004be33eae8ec01cf1a279c06a3288b0a5be568586d92a93bfecd2a81429398a2e7524e3a2400976a836bb40f45650e6f4bd49cececb8bf987467d22248770
SSDEEP: 49152:HvOlL26AaNeWgPhlmVqvMQ7XSKxeRJ6qbR3LoGdtzrTHHB72eh2NT:Hv+L26AaNeWgPhlmVqkQ7XSKxeRJ6E9
Malware Config

Extracted

Family: quasar
Version: 1.4.1
Botnet: Office04
C2: pringelsy-36149.portmap.host:36149
Mutex: 63621aac-ae17-49da-9413-459827e68061
Attributes:
  encryption_key: 4F2985A1DF21C9CA0E34D9186E1BC62AF4B58C14
  install_name: Client.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Quasar Client Startup
  subdirectory: SubDir
Signatures

Quasar payload (5 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/3008-1-0x0000000000150000-0x0000000000474000-memory.dmp    family_quasar
  C:\Windows\System32\SubDir\Client.exe                                         family_quasar
  behavioral1/memory/2596-8-0x0000000000DD0000-0x00000000010F4000-memory.dmp    family_quasar
  behavioral1/memory/2420-22-0x00000000010A0000-0x00000000013C4000-memory.dmp   family_quasar
  behavioral1/memory/1716-105-0x0000000001160000-0x0000000001484000-memory.dmp  family_quasar

Executes dropped EXE (12 IoCs)
  pid   process
  2596  Client.exe
  2420  Client.exe
  2848  Client.exe
  1480  Client.exe
  876   Client.exe
  328   Client.exe
  864   Client.exe
  2680  Client.exe
  1940  Client.exe
  1716  Client.exe
  2056  Client.exe
  1084  Client.exe

Drops file in System32 directory (27 IoCs)
  description                   ioc                                    process
  File opened for modification  C:\Windows\system32\SubDir\Client.exe  Client.exe
  File opened for modification  C:\Windows\system32\SubDir             Client.exe
  File opened for modification  C:\Windows\system32\SubDir             Client.exe
  File opened for modification  C:\Windows\system32\SubDir             Client.exe
  File opened for modification  C:\Windows\system32\SubDir             Client.exe
  File opened for modification  C:\Windows\system32\SubDir\Client.exe  Client.exe
  File opened for modification  C:\Windows\system32\SubDir             Client.exe
  File opened for modification  C:\Windows\system32\SubDir\Client.exe  Client.exe
  File opened for modification  C:\Windows\system32\SubDir\Client.exe  Client.exe
  File opened for modification  C:\Windows\system32\SubDir\Client.exe  Client.exe
  File opened for modification  C:\Windows\system32\SubDir             Client.exe
  File opened for modification  C:\Windows\system32\SubDir\Client.exe  Client.exe
  File opened for modification  C:\Windows\system32\SubDir\Client.exe  a83e969ffc192231f2690fab578e9767.exe
  File opened for modification  C:\Windows\system32\SubDir\Client.exe  Client.exe
  File opened for modification  C:\Windows\system32\SubDir\Client.exe  Client.exe
  File opened for modification  C:\Windows\system32\SubDir             Client.exe
  File opened for modification  C:\Windows\system32\SubDir\Client.exe  Client.exe
  File opened for modification  C:\Windows\system32\SubDir             Client.exe
  File opened for modification  C:\Windows\system32\SubDir\Client.exe  Client.exe
  File opened for modification  C:\Windows\system32\SubDir             Client.exe
  File opened for modification  C:\Windows\system32\SubDir             Client.exe
  File opened for modification  C:\Windows\system32\SubDir             Client.exe
  File opened for modification  C:\Windows\system32\SubDir             Client.exe
  File created                  C:\Windows\system32\SubDir\Client.exe  a83e969ffc192231f2690fab578e9767.exe
  File opened for modification  C:\Windows\system32\SubDir             a83e969ffc192231f2690fab578e9767.exe
  File opened for modification  C:\Windows\system32\SubDir\Client.exe  Client.exe
  File opened for modification  C:\Windows\system32\SubDir\Client.exe  Client.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTPs, 13 IoCs)
  pid   process
  1044  PING.EXE
  2564  PING.EXE
  2272  PING.EXE
  1360  PING.EXE
  2740  PING.EXE
  1640  PING.EXE
  2524  PING.EXE
  2484  PING.EXE
  2124  PING.EXE
  2552  PING.EXE
  600   PING.EXE
  2816  PING.EXE
  2428  PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTPs, 14 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process
  748   schtasks.exe
  2652  schtasks.exe
  1720  schtasks.exe
  596   schtasks.exe
  2024  schtasks.exe
  1500  schtasks.exe
  2148  schtasks.exe
  2600  schtasks.exe
  2056  schtasks.exe
  1680  schtasks.exe
  2924  schtasks.exe
  2036  schtasks.exe
  2984  schtasks.exe
  668   schtasks.exe

Suspicious use of AdjustPrivilegeToken (13 IoCs)
  description               pid   process
  Token: SeDebugPrivilege   3008  a83e969ffc192231f2690fab578e9767.exe
  Token: SeDebugPrivilege   2596  Client.exe
  Token: SeDebugPrivilege   2420  Client.exe
  Token: SeDebugPrivilege   2848  Client.exe
  Token: SeDebugPrivilege   1480  Client.exe
  Token: SeDebugPrivilege   876   Client.exe
  Token: SeDebugPrivilege   328   Client.exe
  Token: SeDebugPrivilege   864   Client.exe
  Token: SeDebugPrivilege   2680  Client.exe
  Token: SeDebugPrivilege   1940  Client.exe
  Token: SeDebugPrivilege   1716  Client.exe
  Token: SeDebugPrivilege   2056  Client.exe
  Token: SeDebugPrivilege   1084  Client.exe

Suspicious use of FindShellTrayWindow (12 IoCs)
  pid   process
  2596  Client.exe
  2420  Client.exe
  2848  Client.exe
  1480  Client.exe
  876   Client.exe
  328   Client.exe
  864   Client.exe
  2680  Client.exe
  1940  Client.exe
  1716  Client.exe
  2056  Client.exe
  1084  Client.exe

Suspicious use of SendNotifyMessage (12 IoCs)
  pid   process
  2596  Client.exe
  2420  Client.exe
  2848  Client.exe
  1480  Client.exe
  876   Client.exe
  328   Client.exe
  864   Client.exe
  2680  Client.exe
  1940  Client.exe
  1716  Client.exe
  2056  Client.exe
  1084  Client.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  Each "PID X wrote to memory of Y" row is listed three times in the report; the entries column gives that count, and the report stops at 64 entries.
  pid   process                               target pid  target process  entries
  3008  a83e969ffc192231f2690fab578e9767.exe  2036        schtasks.exe    3
  3008  a83e969ffc192231f2690fab578e9767.exe  2596        Client.exe      3
  2596  Client.exe                            2600        schtasks.exe    3
  2596  Client.exe                            2416        cmd.exe         3
  2416  cmd.exe                               2580        chcp.com        3
  2416  cmd.exe                               2524        PING.EXE        3
  2416  cmd.exe                               2420        Client.exe      3
  2420  Client.exe                            2984        schtasks.exe    3
  2420  Client.exe                            620         cmd.exe         3
  620   cmd.exe                               1632        chcp.com        3
  620   cmd.exe                               600         PING.EXE        3
  620   cmd.exe                               2848        Client.exe      3
  2848  Client.exe                            748         schtasks.exe    3
  2848  Client.exe                            2384        cmd.exe         3
  2384  cmd.exe                               2792        chcp.com        3
  2384  cmd.exe                               2740        PING.EXE        3
  2384  cmd.exe                               1480        Client.exe      3
  1480  Client.exe                            2056        schtasks.exe    3
  1480  Client.exe                            2312        cmd.exe         3
  2312  cmd.exe                               1268        chcp.com        3
  2312  cmd.exe                               2428        PING.EXE        3
  2312  cmd.exe                               876         Client.exe      1

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

(level = depth in the process tree; level 1 is the submitted sample; indented "- " lines are the signatures matched by that process)

[level 1] C:\Users\Admin\AppData\Local\Temp\a83e969ffc192231f2690fab578e9767.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a83e969ffc192231f2690fab578e9767.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[level 2] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[level 2] C:\Windows\system32\SubDir\Client.exe
  command line: "C:\Windows\system32\SubDir\Client.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

[level 3] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[level 3] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\36yl7ckHlkjc.bat" "
  - Suspicious use of WriteProcessMemory

[level 4] C:\Windows\system32\chcp.com
  command line: chcp 65001

[level 4] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe

[level 4] C:\Windows\system32\SubDir\Client.exe
  command line: "C:\Windows\system32\SubDir\Client.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

[level 5] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[level 5] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\hMzocYtJb7IJ.bat" "
  - Suspicious use of WriteProcessMemory

[level 6] C:\Windows\system32\chcp.com
  command line: chcp 65001

[level 6] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe

[level 6] C:\Windows\system32\SubDir\Client.exe
  command line: "C:\Windows\system32\SubDir\Client.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

[level 7] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[level 7] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\qUFu3Dga0hiO.bat" "
  - Suspicious use of WriteProcessMemory

[level 8] C:\Windows\system32\chcp.com
  command line: chcp 65001

[level 8] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe

[level 8] C:\Windows\system32\SubDir\Client.exe
  command line: "C:\Windows\system32\SubDir\Client.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

[level 9] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[level 9] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\eKg4xQbfFTOF.bat" "
  - Suspicious use of WriteProcessMemory

[level 10] C:\Windows\system32\chcp.com
  command line: chcp 65001

[level 10] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe

[level 10] C:\Windows\system32\SubDir\Client.exe
  command line: "C:\Windows\system32\SubDir\Client.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[level 11] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[level 11] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tTeTkDz8aQqE.bat" "

[level 12] C:\Windows\system32\chcp.com
  command line: chcp 65001

[level 12] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe

[level 12] C:\Windows\system32\SubDir\Client.exe
  command line: "C:\Windows\system32\SubDir\Client.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[level 13] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[level 13] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\p7NL2VQ8tZZX.bat" "

[level 14] C:\Windows\system32\chcp.com
  command line: chcp 65001

[level 14] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe

[level 14] C:\Windows\system32\SubDir\Client.exe
  command line: "C:\Windows\system32\SubDir\Client.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[level 15] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[level 15] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\aYWh98SUx7zI.bat" "

[level 16] C:\Windows\system32\chcp.com
  command line: chcp 65001

[level 16] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe

[level 16] C:\Windows\system32\SubDir\Client.exe
  command line: "C:\Windows\system32\SubDir\Client.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[level 17] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[level 17] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\yJNEf0kiDxvs.bat" "

[level 18] C:\Windows\system32\chcp.com
  command line: chcp 65001

[level 18] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe

[level 18] C:\Windows\system32\SubDir\Client.exe
  command line: "C:\Windows\system32\SubDir\Client.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[level 19] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[level 19] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\gUmfGrgc4ml9.bat" "

[level 20] C:\Windows\system32\chcp.com
  command line: chcp 65001

[level 20] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe

[level 20] C:\Windows\system32\SubDir\Client.exe
  command line: "C:\Windows\system32\SubDir\Client.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[level 21] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[level 21] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\BEUUk9B856LH.bat" "

[level 22] C:\Windows\system32\chcp.com
  command line: chcp 65001

[level 22] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe

[level 22] C:\Windows\system32\SubDir\Client.exe
  command line: "C:\Windows\system32\SubDir\Client.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[level 23] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[level 23] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\bCe1KArF6xWu.bat" "

[level 24] C:\Windows\system32\chcp.com
  command line: chcp 65001

[level 24] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe

[level 24] C:\Windows\system32\SubDir\Client.exe
  command line: "C:\Windows\system32\SubDir\Client.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[level 25] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[level 25] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\5Sc3wrSzdbUK.bat" "

[level 26] C:\Windows\system32\chcp.com
  command line: chcp 65001

[level 26] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe

[level 26] C:\Windows\system32\SubDir\Client.exe
  command line: "C:\Windows\system32\SubDir\Client.exe"

[level 27] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[level 27] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\3qJx9PycYboy.bat" "

[level 28] C:\Windows\system32\chcp.com
  command line: chcp 65001

[level 28] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe

[level 28] C:\Windows\system32\SubDir\Client.exe
  command line: "C:\Windows\system32\SubDir\Client.exe"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\36yl7ckHlkjc.bat
  Filesize: 196B
  MD5: 53bf2406a487b90534301af3a691ed95
  SHA1: 7ded173ef7296037e17abe2ae7a5fd9054ee2099
  SHA256: 8ee5012508f8724aca53359ab91d10440cf4cb06f994b4674f3fa32a42d64367
  SHA512: 42349741fe13b6b114f42c57e08f1958b9c644e03b3671eeccd72295d58d9095ebd66275ecfda71fbab5ac9545c4382349f885d8c0c5e4f50054da2a30121c62

C:\Users\Admin\AppData\Local\Temp\3qJx9PycYboy.bat
  Filesize: 196B
  MD5: f33723410f85e195cba800b2f96eae15
  SHA1: ae9fea830b3382a5ad44392c8bf31f1d955e6fdd
  SHA256: 48dd154d31b59f0df682db2d329f02adf1418679d47d8dd06352fa24624b60de
  SHA512: 407b72aa94924909967d20a2e8b7fe0f2bbff541b42b705a0f10531218e6a96a94b5172cc9203539df989274cf6b97bc01d14c625ba7196833bb36cbbf5d12a2

C:\Users\Admin\AppData\Local\Temp\5Sc3wrSzdbUK.bat
  Filesize: 196B
  MD5: 3f1c5f94561e6351482cfe9264be9166
  SHA1: 21cdc077078410ad25020e0f2c62eac364a06b19
  SHA256: 86df3818547d2ba0ea4201743653c653722626be47b58b870bc56587019a9479
  SHA512: 589904581f5269465592601f03affa0a8ab4c4eb29f13227e2ce588ccbc3e78e57d44e59fd590f57fc5db2bd458385ef5e96477c5df5c56c5e6a7ae149c6ed7f

C:\Users\Admin\AppData\Local\Temp\BEUUk9B856LH.bat
  Filesize: 196B
  MD5: 3bef803e3eb67c80a3afd50fa71a4860
  SHA1: 01bae0f8c2b51c4e1e20238bf59d7ddc04d58146
  SHA256: 8d504940bda023f25b68fb793cd3cffdaef514ef871ffcfc4248fcfb8b68536f
  SHA512: c65d7066fe4e25bef161c06149b15de743be2a662b8b825a5c4077602d17e7853154ec5449a2dc0432bbd6da1ea967014d4c314456be41983a5c905c3833eb84

C:\Users\Admin\AppData\Local\Temp\aYWh98SUx7zI.bat
  Filesize: 196B
  MD5: 4289cb5ff1d2b3c90bc027a5da1dcc69
  SHA1: 474c809287d8dc24234026cdb87fe040cf2c7cff
  SHA256: ce608a4fa5c3f6608b09fd5d07b25a75e5ecd250d43e30d820caad3a2ea72a7f
  SHA512: 3378572696ea28cd111f96a423b1a68288e9480651dfbfa6042b3e5a7bd1c465d9285d9eb150dc16bb1a073b98bc682dc5dd79518318742beee4c8c733a2d7f6

C:\Users\Admin\AppData\Local\Temp\bCe1KArF6xWu.bat
  Filesize: 196B
  MD5: 1663b56fa6841616ab407345113413c6
  SHA1: 825ec8ae48bb4a1b4d644d535816c31d2004c919
  SHA256: 1c2d211c3a04b1faa3eae425488955d5a52b61ece1b5f4c27bef2b6210843cf9
  SHA512: 92535afa172a813f492bff4f84cd7f1864253a3b6f683c1b748d7afbdbbb100ac11e5ab2dc13f5183b91dc5458253f2cbbc91afa6f94abaac9d0c4d99734a8e0

C:\Users\Admin\AppData\Local\Temp\eKg4xQbfFTOF.bat
  Filesize: 196B
  MD5: 543f949c6ebba527a7b968653f3366b4
  SHA1: 91ec510505ac1346d0301821aea152ff1122426a
  SHA256: 07234c8cd8c00f6e6e9875491ae92c419c169e281df97622b2aed8e1bef20ced
  SHA512: f7bb8995cd6e6742b5a42b14b42e86268ca164e7b8652bbebf973d399e9a1a57866821ccf9705f56cddf76cfdfa8107d3e8bdb615061f560e45e3e0244601ec8

C:\Users\Admin\AppData\Local\Temp\gUmfGrgc4ml9.bat
  Filesize: 196B
  MD5: 986109529ebe68727ce23abca10cfdf0
  SHA1: 8b2b4ff13d739af2a48496b769e8f49a35479917
  SHA256: 91d0f46f2355c0117c1bc33d7ac74f3b0622a8c1fc5d6d933de7ee9e3a49f214
  SHA512: c7259776c2c488f8902a54163ce83b9e3d0ee1984f2ad8bc3c3d67dee8da7f7c8c4be9a15e2acce12491a7cdb99be3601f0f74ef09f14f4072b9fa54206542ba

C:\Users\Admin\AppData\Local\Temp\hMzocYtJb7IJ.bat
  Filesize: 196B
  MD5: d5945c815837c8078497511befd0e44e
  SHA1: 61da655e6a444e609f36c8eb3cbec9babe5477e1
  SHA256: 4452001741345e2a5bcea86bbc73d486fe248dd3c1109f0ecef5efc06267d53c
  SHA512: 81b4298d2dedc77ae33a21a593641ac631509bb53d63bda48c36e8f2cf2fcb43ee21fff43846de8bede9109d16b221edda1add0af2a5d1c6d81bbccf96f011eb

C:\Users\Admin\AppData\Local\Temp\p7NL2VQ8tZZX.bat
  Filesize: 196B
  MD5: 2cb9d6e9eda0fd7cc257536d26dc77ef
  SHA1: 6dd065df4066bbe6b89a8bdddbc62543f2f92330
  SHA256: 2b5960f00c9eda97ebbfd041d57e92d63f1f23d3b07fca2e2d82ba253750fda8
  SHA512: 6c0e106845353542b6651fb7bd4fcf7d8cdfe6b1691fec20680245750d419ab8f9d497566518002bfad85a93a5728d717d785a404d513193ceeccaca415f9d3a

C:\Users\Admin\AppData\Local\Temp\qUFu3Dga0hiO.bat
  Filesize: 196B
  MD5: b1259f9a5a51f1c6ea57024606af3819
  SHA1: 62afaf1538f9dbf7a1f1ae01cd6f12cf67e97dd2
  SHA256: dad79263b7ce465b7fbbab9f3b84befd7f45706dcdd4e20591119637ffe24e41
  SHA512: a963cd7fdaad5ee080250d363d70067f9a32d6499d174c8089640d2096e1b3e5a91df87356e7d0ec58f7ef52bfb9f043d9f79aa1097612e42ee1e68ff6c9baba

C:\Users\Admin\AppData\Local\Temp\tTeTkDz8aQqE.bat
  Filesize: 196B
  MD5: 981be4eff0ef809482835490ae91c5df
  SHA1: 2006471e3539ce1934bcfbe3380de9c3d4463a51
  SHA256: 3900d4bdf8c7a2da2c8d4a9de1adbf076f18a2d32d5f70c1890195487cae2fcd
  SHA512: acf26304d9a23b3300de8b0a17765168e4bfaed451e293854cdcba0fa54ba3894b99347fc309513541e3fb78a35caa2c2b807025c34a384571ab289d8ad0befe

C:\Users\Admin\AppData\Local\Temp\yJNEf0kiDxvs.bat
  Filesize: 196B
  MD5: c667d669bf3940a5074dbe18f0250dd7
  SHA1: d856bab45ed195d67fede5d82c40ffb3d18e989f
  SHA256: b27c6ca692f37255d5470d516d263fdfdc6379456d75f71d71f7d381391442b5
  SHA512: e7eff05ea14f35fae769d980a2e21475e46177d745e4c1e6787a31ea816404bb6b658e210408a76f2c14501f545224ad21ce0ff990f0d979b905fc173d444e90

C:\Windows\System32\SubDir\Client.exe
  Filesize: 2.1MB
  MD5: e8c41b945fe0ead03606889d6b5465a1
  SHA1: e19bc6782fefd4b1c26226f8acd946fcfa23cbaf
  SHA256: 26e9460ee20ff097cd8840120c5cbdbd6950b182e0078833e704cc999076de95
  SHA512: 556dc40ec7b213ae0fb07a741591bab0e0fc7461e806fa9c71b888a93e4c45988931641fa0c1557acb16d64d7027ab3c57271608ba70e8abc92ebad1cad19827

C:\Windows\System32\SubDir\Client.exe
  Filesize: 3.1MB
  MD5: a83e969ffc192231f2690fab578e9767
  SHA1: c18087b36c233437d9357cb5a9ff4317ac0060ec
  SHA256: 98434fe3c17f66fea234631199b6ba3c4b472b52fbcf66b2f0329866b08fd797
  SHA512: eb004be33eae8ec01cf1a279c06a3288b0a5be568586d92a93bfecd2a81429398a2e7524e3a2400976a836bb40f45650e6f4bd49cececb8bf987467d22248770

\??\PIPE\lsarpc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Memory dumps (Filesize)
  memory/1716-105-0x0000000001160000-0x0000000001484000-memory.dmp  3.1MB
  memory/2420-22-0x00000000010A0000-0x00000000013C4000-memory.dmp   3.1MB
  memory/2596-20-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp   9.9MB
  memory/2596-10-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp   9.9MB
  memory/2596-9-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp    9.9MB
  memory/2596-8-0x0000000000DD0000-0x00000000010F4000-memory.dmp    3.1MB
  memory/3008-0-0x000007FEF5143000-0x000007FEF5144000-memory.dmp    4KB
  memory/3008-32-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp   9.9MB
  memory/3008-2-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp    9.9MB
  memory/3008-1-0x0000000000150000-0x0000000000474000-memory.dmp    3.1MB