quasar | 98434fe3c17f66fea234631199b6ba3c4b472b52fbcf66b2f0329866b08fd797

Analysis

max time kernel
129s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a83e969ffc192231f2690fab578e9767.exe
Size

3.1MB
MD5

a83e969ffc192231f2690fab578e9767
SHA1

c18087b36c233437d9357cb5a9ff4317ac0060ec
SHA256

98434fe3c17f66fea234631199b6ba3c4b472b52fbcf66b2f0329866b08fd797
SHA512

eb004be33eae8ec01cf1a279c06a3288b0a5be568586d92a93bfecd2a81429398a2e7524e3a2400976a836bb40f45650e6f4bd49cececb8bf987467d22248770
SSDEEP

49152:HvOlL26AaNeWgPhlmVqvMQ7XSKxeRJ6qbR3LoGdtzrTHHB72eh2NT:Hv+L26AaNeWgPhlmVqkQ7XSKxeRJ6E9

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

pringelsy-36149.portmap.host:36149

Mutex

63621aac-ae17-49da-9413-459827e68061

Attributes

encryption_key
4F2985A1DF21C9CA0E34D9186E1BC62AF4B58C14
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3008-1-0x0000000000150000-0x0000000000474000-memory.dmp	family_quasar
C:\Windows\System32\SubDir\Client.exe	family_quasar
behavioral1/memory/2596-8-0x0000000000DD0000-0x00000000010F4000-memory.dmp	family_quasar
behavioral1/memory/2420-22-0x00000000010A0000-0x00000000013C4000-memory.dmp	family_quasar
behavioral1/memory/1716-105-0x0000000001160000-0x0000000001484000-memory.dmp	family_quasar

Executes dropped EXE 12 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid process

2596 Client.exe
2420 Client.exe
2848 Client.exe
1480 Client.exe
876 Client.exe
328 Client.exe
864 Client.exe
2680 Client.exe
1940 Client.exe
1716 Client.exe
2056 Client.exe
1084 Client.exe

pid	process
2596	Client.exe
2420	Client.exe
2848	Client.exe
1480	Client.exe
876	Client.exe
328	Client.exe
864	Client.exe
2680	Client.exe
1940	Client.exe
1716	Client.exe
2056	Client.exe
1084	Client.exe

Drops file in System32 directory 27 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exea83e969ffc192231f2690fab578e9767.exeClient.exeClient.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	a83e969ffc192231f2690fab578e9767.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File created	C:\Windows\system32\SubDir\Client.exe	a83e969ffc192231f2690fab578e9767.exe
File opened for modification	C:\Windows\system32\SubDir	a83e969ffc192231f2690fab578e9767.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

1044 PING.EXE
2564 PING.EXE
2272 PING.EXE
1360 PING.EXE
2740 PING.EXE
1640 PING.EXE
2524 PING.EXE
2484 PING.EXE
2124 PING.EXE
2552 PING.EXE
600 PING.EXE
2816 PING.EXE
2428 PING.EXE

pid	process
1044	PING.EXE
2564	PING.EXE
2272	PING.EXE
1360	PING.EXE
2740	PING.EXE
1640	PING.EXE
2524	PING.EXE
2484	PING.EXE
2124	PING.EXE
2552	PING.EXE
600	PING.EXE
2816	PING.EXE
2428	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
748	schtasks.exe
2652	schtasks.exe
1720	schtasks.exe
596	schtasks.exe
2024	schtasks.exe
1500	schtasks.exe
2148	schtasks.exe
2600	schtasks.exe
2056	schtasks.exe
1680	schtasks.exe
2924	schtasks.exe
2036	schtasks.exe
2984	schtasks.exe
668	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

a83e969ffc192231f2690fab578e9767.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	3008	a83e969ffc192231f2690fab578e9767.exe
Token: SeDebugPrivilege	2596	Client.exe
Token: SeDebugPrivilege	2420	Client.exe
Token: SeDebugPrivilege	2848	Client.exe
Token: SeDebugPrivilege	1480	Client.exe
Token: SeDebugPrivilege	876	Client.exe
Token: SeDebugPrivilege	328	Client.exe
Token: SeDebugPrivilege	864	Client.exe
Token: SeDebugPrivilege	2680	Client.exe
Token: SeDebugPrivilege	1940	Client.exe
Token: SeDebugPrivilege	1716	Client.exe
Token: SeDebugPrivilege	2056	Client.exe
Token: SeDebugPrivilege	1084	Client.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid process

2596 Client.exe
2420 Client.exe
2848 Client.exe
1480 Client.exe
876 Client.exe
328 Client.exe
864 Client.exe
2680 Client.exe
1940 Client.exe
1716 Client.exe
2056 Client.exe
1084 Client.exe
Suspicious use of SendNotifyMessage 12 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid process

2596 Client.exe
2420 Client.exe
2848 Client.exe
1480 Client.exe
876 Client.exe
328 Client.exe
864 Client.exe
2680 Client.exe
1940 Client.exe
1716 Client.exe
2056 Client.exe
1084 Client.exe

pid	process
2596	Client.exe
2420	Client.exe
2848	Client.exe
1480	Client.exe
876	Client.exe
328	Client.exe
864	Client.exe
2680	Client.exe
1940	Client.exe
1716	Client.exe
2056	Client.exe
1084	Client.exe

pid	process
2596	Client.exe
2420	Client.exe
2848	Client.exe
1480	Client.exe
876	Client.exe
328	Client.exe
864	Client.exe
2680	Client.exe
1940	Client.exe
1716	Client.exe
2056	Client.exe
1084	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a83e969ffc192231f2690fab578e9767.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 3008 wrote to memory of 2036	3008	a83e969ffc192231f2690fab578e9767.exe	schtasks.exe
PID 3008 wrote to memory of 2036	3008	a83e969ffc192231f2690fab578e9767.exe	schtasks.exe
PID 3008 wrote to memory of 2036	3008	a83e969ffc192231f2690fab578e9767.exe	schtasks.exe
PID 3008 wrote to memory of 2596	3008	a83e969ffc192231f2690fab578e9767.exe	Client.exe
PID 3008 wrote to memory of 2596	3008	a83e969ffc192231f2690fab578e9767.exe	Client.exe
PID 3008 wrote to memory of 2596	3008	a83e969ffc192231f2690fab578e9767.exe	Client.exe
PID 2596 wrote to memory of 2600	2596	Client.exe	schtasks.exe
PID 2596 wrote to memory of 2600	2596	Client.exe	schtasks.exe
PID 2596 wrote to memory of 2600	2596	Client.exe	schtasks.exe
PID 2596 wrote to memory of 2416	2596	Client.exe	cmd.exe
PID 2596 wrote to memory of 2416	2596	Client.exe	cmd.exe
PID 2596 wrote to memory of 2416	2596	Client.exe	cmd.exe
PID 2416 wrote to memory of 2580	2416	cmd.exe	chcp.com
PID 2416 wrote to memory of 2580	2416	cmd.exe	chcp.com
PID 2416 wrote to memory of 2580	2416	cmd.exe	chcp.com
PID 2416 wrote to memory of 2524	2416	cmd.exe	PING.EXE
PID 2416 wrote to memory of 2524	2416	cmd.exe	PING.EXE
PID 2416 wrote to memory of 2524	2416	cmd.exe	PING.EXE
PID 2416 wrote to memory of 2420	2416	cmd.exe	Client.exe
PID 2416 wrote to memory of 2420	2416	cmd.exe	Client.exe
PID 2416 wrote to memory of 2420	2416	cmd.exe	Client.exe
PID 2420 wrote to memory of 2984	2420	Client.exe	schtasks.exe
PID 2420 wrote to memory of 2984	2420	Client.exe	schtasks.exe
PID 2420 wrote to memory of 2984	2420	Client.exe	schtasks.exe
PID 2420 wrote to memory of 620	2420	Client.exe	cmd.exe
PID 2420 wrote to memory of 620	2420	Client.exe	cmd.exe
PID 2420 wrote to memory of 620	2420	Client.exe	cmd.exe
PID 620 wrote to memory of 1632	620	cmd.exe	chcp.com
PID 620 wrote to memory of 1632	620	cmd.exe	chcp.com
PID 620 wrote to memory of 1632	620	cmd.exe	chcp.com
PID 620 wrote to memory of 600	620	cmd.exe	PING.EXE
PID 620 wrote to memory of 600	620	cmd.exe	PING.EXE
PID 620 wrote to memory of 600	620	cmd.exe	PING.EXE
PID 620 wrote to memory of 2848	620	cmd.exe	Client.exe
PID 620 wrote to memory of 2848	620	cmd.exe	Client.exe
PID 620 wrote to memory of 2848	620	cmd.exe	Client.exe
PID 2848 wrote to memory of 748	2848	Client.exe	schtasks.exe
PID 2848 wrote to memory of 748	2848	Client.exe	schtasks.exe
PID 2848 wrote to memory of 748	2848	Client.exe	schtasks.exe
PID 2848 wrote to memory of 2384	2848	Client.exe	cmd.exe
PID 2848 wrote to memory of 2384	2848	Client.exe	cmd.exe
PID 2848 wrote to memory of 2384	2848	Client.exe	cmd.exe
PID 2384 wrote to memory of 2792	2384	cmd.exe	chcp.com
PID 2384 wrote to memory of 2792	2384	cmd.exe	chcp.com
PID 2384 wrote to memory of 2792	2384	cmd.exe	chcp.com
PID 2384 wrote to memory of 2740	2384	cmd.exe	PING.EXE
PID 2384 wrote to memory of 2740	2384	cmd.exe	PING.EXE
PID 2384 wrote to memory of 2740	2384	cmd.exe	PING.EXE
PID 2384 wrote to memory of 1480	2384	cmd.exe	Client.exe
PID 2384 wrote to memory of 1480	2384	cmd.exe	Client.exe
PID 2384 wrote to memory of 1480	2384	cmd.exe	Client.exe
PID 1480 wrote to memory of 2056	1480	Client.exe	schtasks.exe
PID 1480 wrote to memory of 2056	1480	Client.exe	schtasks.exe
PID 1480 wrote to memory of 2056	1480	Client.exe	schtasks.exe
PID 1480 wrote to memory of 2312	1480	Client.exe	cmd.exe
PID 1480 wrote to memory of 2312	1480	Client.exe	cmd.exe
PID 1480 wrote to memory of 2312	1480	Client.exe	cmd.exe
PID 2312 wrote to memory of 1268	2312	cmd.exe	chcp.com
PID 2312 wrote to memory of 1268	2312	cmd.exe	chcp.com
PID 2312 wrote to memory of 1268	2312	cmd.exe	chcp.com
PID 2312 wrote to memory of 2428	2312	cmd.exe	PING.EXE
PID 2312 wrote to memory of 2428	2312	cmd.exe	PING.EXE
PID 2312 wrote to memory of 2428	2312	cmd.exe	PING.EXE
PID 2312 wrote to memory of 876	2312	cmd.exe	Client.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a83e969ffc192231f2690fab578e9767.exe
"C:\Users\Admin\AppData\Local\Temp\a83e969ffc192231f2690fab578e9767.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\36yl7ckHlkjc.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2580

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2524

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hMzocYtJb7IJ.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:1632

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:600

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qUFu3Dga0hiO.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:2792

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:2740

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eKg4xQbfFTOF.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:1268

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:2428

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:876

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tTeTkDz8aQqE.bat" "
11⤵
PID:2356

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:744

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:1044

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:328

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\p7NL2VQ8tZZX.bat" "
13⤵
PID:568

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:2332

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:2564

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:864

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aYWh98SUx7zI.bat" "
15⤵
PID:3064

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:2720

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:2272

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2680

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yJNEf0kiDxvs.bat" "
17⤵
PID:2520

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:2472

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:2484

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1940

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gUmfGrgc4ml9.bat" "
19⤵
PID:2328

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:2796

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:2816

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1716

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BEUUk9B856LH.bat" "
21⤵
PID:1512

C:\Windows\system32\chcp.com
chcp 65001
22⤵
PID:2012

C:\Windows\system32\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:1360

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2056

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bCe1KArF6xWu.bat" "
23⤵
PID:1612

C:\Windows\system32\chcp.com
chcp 65001
24⤵
PID:1184

C:\Windows\system32\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:2124

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
24⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1084

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\5Sc3wrSzdbUK.bat" "
25⤵
PID:1540

C:\Windows\system32\chcp.com
chcp 65001
26⤵
PID:2188

C:\Windows\system32\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:1640

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
26⤵
PID:1532

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\3qJx9PycYboy.bat" "
27⤵
PID:3068

C:\Windows\system32\chcp.com
chcp 65001
28⤵
PID:2200

C:\Windows\system32\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:2552

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
28⤵
PID:556

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\36yl7ckHlkjc.bat
Filesize
196B

MD5
53bf2406a487b90534301af3a691ed95

SHA1
7ded173ef7296037e17abe2ae7a5fd9054ee2099

SHA256
8ee5012508f8724aca53359ab91d10440cf4cb06f994b4674f3fa32a42d64367

SHA512
42349741fe13b6b114f42c57e08f1958b9c644e03b3671eeccd72295d58d9095ebd66275ecfda71fbab5ac9545c4382349f885d8c0c5e4f50054da2a30121c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\3qJx9PycYboy.bat
Filesize
196B

MD5
f33723410f85e195cba800b2f96eae15

SHA1
ae9fea830b3382a5ad44392c8bf31f1d955e6fdd

SHA256
48dd154d31b59f0df682db2d329f02adf1418679d47d8dd06352fa24624b60de

SHA512
407b72aa94924909967d20a2e8b7fe0f2bbff541b42b705a0f10531218e6a96a94b5172cc9203539df989274cf6b97bc01d14c625ba7196833bb36cbbf5d12a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5Sc3wrSzdbUK.bat
Filesize
196B

MD5
3f1c5f94561e6351482cfe9264be9166

SHA1
21cdc077078410ad25020e0f2c62eac364a06b19

SHA256
86df3818547d2ba0ea4201743653c653722626be47b58b870bc56587019a9479

SHA512
589904581f5269465592601f03affa0a8ab4c4eb29f13227e2ce588ccbc3e78e57d44e59fd590f57fc5db2bd458385ef5e96477c5df5c56c5e6a7ae149c6ed7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BEUUk9B856LH.bat
Filesize
196B

MD5
3bef803e3eb67c80a3afd50fa71a4860

SHA1
01bae0f8c2b51c4e1e20238bf59d7ddc04d58146

SHA256
8d504940bda023f25b68fb793cd3cffdaef514ef871ffcfc4248fcfb8b68536f

SHA512
c65d7066fe4e25bef161c06149b15de743be2a662b8b825a5c4077602d17e7853154ec5449a2dc0432bbd6da1ea967014d4c314456be41983a5c905c3833eb84

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYWh98SUx7zI.bat
Filesize
196B

MD5
4289cb5ff1d2b3c90bc027a5da1dcc69

SHA1
474c809287d8dc24234026cdb87fe040cf2c7cff

SHA256
ce608a4fa5c3f6608b09fd5d07b25a75e5ecd250d43e30d820caad3a2ea72a7f

SHA512
3378572696ea28cd111f96a423b1a68288e9480651dfbfa6042b3e5a7bd1c465d9285d9eb150dc16bb1a073b98bc682dc5dd79518318742beee4c8c733a2d7f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bCe1KArF6xWu.bat
Filesize
196B

MD5
1663b56fa6841616ab407345113413c6

SHA1
825ec8ae48bb4a1b4d644d535816c31d2004c919

SHA256
1c2d211c3a04b1faa3eae425488955d5a52b61ece1b5f4c27bef2b6210843cf9

SHA512
92535afa172a813f492bff4f84cd7f1864253a3b6f683c1b748d7afbdbbb100ac11e5ab2dc13f5183b91dc5458253f2cbbc91afa6f94abaac9d0c4d99734a8e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKg4xQbfFTOF.bat
Filesize
196B

MD5
543f949c6ebba527a7b968653f3366b4

SHA1
91ec510505ac1346d0301821aea152ff1122426a

SHA256
07234c8cd8c00f6e6e9875491ae92c419c169e281df97622b2aed8e1bef20ced

SHA512
f7bb8995cd6e6742b5a42b14b42e86268ca164e7b8652bbebf973d399e9a1a57866821ccf9705f56cddf76cfdfa8107d3e8bdb615061f560e45e3e0244601ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUmfGrgc4ml9.bat
Filesize
196B

MD5
986109529ebe68727ce23abca10cfdf0

SHA1
8b2b4ff13d739af2a48496b769e8f49a35479917

SHA256
91d0f46f2355c0117c1bc33d7ac74f3b0622a8c1fc5d6d933de7ee9e3a49f214

SHA512
c7259776c2c488f8902a54163ce83b9e3d0ee1984f2ad8bc3c3d67dee8da7f7c8c4be9a15e2acce12491a7cdb99be3601f0f74ef09f14f4072b9fa54206542ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\hMzocYtJb7IJ.bat
Filesize
196B

MD5
d5945c815837c8078497511befd0e44e

SHA1
61da655e6a444e609f36c8eb3cbec9babe5477e1

SHA256
4452001741345e2a5bcea86bbc73d486fe248dd3c1109f0ecef5efc06267d53c

SHA512
81b4298d2dedc77ae33a21a593641ac631509bb53d63bda48c36e8f2cf2fcb43ee21fff43846de8bede9109d16b221edda1add0af2a5d1c6d81bbccf96f011eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\p7NL2VQ8tZZX.bat
Filesize
196B

MD5
2cb9d6e9eda0fd7cc257536d26dc77ef

SHA1
6dd065df4066bbe6b89a8bdddbc62543f2f92330

SHA256
2b5960f00c9eda97ebbfd041d57e92d63f1f23d3b07fca2e2d82ba253750fda8

SHA512
6c0e106845353542b6651fb7bd4fcf7d8cdfe6b1691fec20680245750d419ab8f9d497566518002bfad85a93a5728d717d785a404d513193ceeccaca415f9d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUFu3Dga0hiO.bat
Filesize
196B

MD5
b1259f9a5a51f1c6ea57024606af3819

SHA1
62afaf1538f9dbf7a1f1ae01cd6f12cf67e97dd2

SHA256
dad79263b7ce465b7fbbab9f3b84befd7f45706dcdd4e20591119637ffe24e41

SHA512
a963cd7fdaad5ee080250d363d70067f9a32d6499d174c8089640d2096e1b3e5a91df87356e7d0ec58f7ef52bfb9f043d9f79aa1097612e42ee1e68ff6c9baba

Download Submit
C:\Users\Admin\AppData\Local\Temp\tTeTkDz8aQqE.bat
Filesize
196B

MD5
981be4eff0ef809482835490ae91c5df

SHA1
2006471e3539ce1934bcfbe3380de9c3d4463a51

SHA256
3900d4bdf8c7a2da2c8d4a9de1adbf076f18a2d32d5f70c1890195487cae2fcd

SHA512
acf26304d9a23b3300de8b0a17765168e4bfaed451e293854cdcba0fa54ba3894b99347fc309513541e3fb78a35caa2c2b807025c34a384571ab289d8ad0befe

Download Submit
C:\Users\Admin\AppData\Local\Temp\yJNEf0kiDxvs.bat
Filesize
196B

MD5
c667d669bf3940a5074dbe18f0250dd7

SHA1
d856bab45ed195d67fede5d82c40ffb3d18e989f

SHA256
b27c6ca692f37255d5470d516d263fdfdc6379456d75f71d71f7d381391442b5

SHA512
e7eff05ea14f35fae769d980a2e21475e46177d745e4c1e6787a31ea816404bb6b658e210408a76f2c14501f545224ad21ce0ff990f0d979b905fc173d444e90

Download Submit
C:\Windows\System32\SubDir\Client.exe
Filesize
2.1MB

MD5
e8c41b945fe0ead03606889d6b5465a1

SHA1
e19bc6782fefd4b1c26226f8acd946fcfa23cbaf

SHA256
26e9460ee20ff097cd8840120c5cbdbd6950b182e0078833e704cc999076de95

SHA512
556dc40ec7b213ae0fb07a741591bab0e0fc7461e806fa9c71b888a93e4c45988931641fa0c1557acb16d64d7027ab3c57271608ba70e8abc92ebad1cad19827

Download Submit
C:\Windows\System32\SubDir\Client.exe
Filesize
3.1MB

MD5
a83e969ffc192231f2690fab578e9767

SHA1
c18087b36c233437d9357cb5a9ff4317ac0060ec

SHA256
98434fe3c17f66fea234631199b6ba3c4b472b52fbcf66b2f0329866b08fd797

SHA512
eb004be33eae8ec01cf1a279c06a3288b0a5be568586d92a93bfecd2a81429398a2e7524e3a2400976a836bb40f45650e6f4bd49cececb8bf987467d22248770

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1716-105-0x0000000001160000-0x0000000001484000-memory.dmp

Filesize
3.1MB

Download
memory/2420-22-0x00000000010A0000-0x00000000013C4000-memory.dmp

Filesize
3.1MB

Download
memory/2596-20-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2596-10-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2596-9-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2596-8-0x0000000000DD0000-0x00000000010F4000-memory.dmp

Filesize
3.1MB

Download
memory/3008-0-0x000007FEF5143000-0x000007FEF5144000-memory.dmp

Filesize
4KB

Download
memory/3008-32-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/3008-2-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/3008-1-0x0000000000150000-0x0000000000474000-memory.dmp

Filesize
3.1MB

Download