quasar | 09ac2a0cc0277beb2b85f5d29b4531e65fb1a25e126f89b8a5ad6d0ba04ef369

Analysis

max time kernel
23s
max time network
29s
platform
windows7_x64
resource
win7-en-20211104
submitted
06-12-2021 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05603775ae6c66c7207556660da29de4.exe
Size

13.8MB
MD5

05603775ae6c66c7207556660da29de4
SHA1

96f1bed1e99e6cd51c4973a8b586f08097009c15
SHA256

09ac2a0cc0277beb2b85f5d29b4531e65fb1a25e126f89b8a5ad6d0ba04ef369
SHA512

7aa7620eda7d2a369414abb6d94671a3b8f039d4fce6dabedcc1daba1c0f91468555512dc7827e050b61168a77a4c2f8636eb8ba4a26b399c22a88709d8c5326

Score

10^/10

quasar driver spyware trojan

Malware Config

Extracted

Family

quasar

Version

2.8.0.1

Botnet

Driver

134.255.220.204:4782

Mutex

6IzunZymIRucbMwSQj

Attributes

encryption_key
85wBI2y5JEbQcrqb3u8l
install_name
Driver.exe
log_directory
Driver
reconnect_delay
1000
startup_key
Realtek® High Definition Audio Driver
subdirectory
Realtek® High Definition Audio Driver

Signatures

Quasar Payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\rat v6.exe	family_quasar
C:\Users\Admin\AppData\Roaming\rat v6.exe	family_quasar
C:\Users\Admin\AppData\Roaming\rat v6.exe	family_quasar
C:\Users\Admin\AppData\Roaming\rat v6.exe	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/544-96-0x000000001B510000-0x000000001B84B000-memory.dmp	WebBrowserPassView

Nirsoft 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/544-96-0x000000001B510000-0x000000001B84B000-memory.dmp	Nirsoft

Executes dropped EXE 5 IoCs

Processes:

keylogger py best.exerat v6.exeloader.exeRtkBtManServ.exerat v6.exe

pid process

1636 keylogger py best.exe
1500 rat v6.exe
1488 loader.exe
544 RtkBtManServ.exe
1888 rat v6.exe

pid	process
1636	keylogger py best.exe
1500	rat v6.exe
1488	loader.exe
544	RtkBtManServ.exe
1888	rat v6.exe

Loads dropped DLL 4 IoCs

Processes:

05603775ae6c66c7207556660da29de4.exekeylogger py best.exe

pid	process
776	05603775ae6c66c7207556660da29de4.exe
776	05603775ae6c66c7207556660da29de4.exe
776	05603775ae6c66c7207556660da29de4.exe
1636	keylogger py best.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

flow	ioc
4	ip-api.com

Drops file in System32 directory 4 IoCs

Processes:

rat v6.exeDriver.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe	rat v6.exe
File opened for modification	C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe	rat v6.exe
File opened for modification	C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe	Driver.exe
File opened for modification	C:\Windows\SysWOW64\Realtek® High Definition Audio Driver	Driver.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

loader.exe

pid process

1488 loader.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1956 schtasks.exe
1508 schtasks.exe
1920 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

844 PING.EXE

pid	process
1956	schtasks.exe
1508	schtasks.exe
1920	schtasks.exe

pid	process
844	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

loader.exeDriver.exe

pid	process
1488	loader.exe
1488	loader.exe
1488	loader.exe
1488	loader.exe
1488	loader.exe
1488	loader.exe
1488	loader.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe
1316	Driver.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rat v6.exeRtkBtManServ.exeDriver.exe

description	pid	process
Token: SeDebugPrivilege	1500	rat v6.exe
Token: SeDebugPrivilege	544	RtkBtManServ.exe
Token: SeDebugPrivilege	1316	Driver.exe
Token: SeDebugPrivilege	1316	Driver.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

05603775ae6c66c7207556660da29de4.exekeylogger py best.exerat v6.execmd.exeDriver.exe

description	pid	process	target process
PID 776 wrote to memory of 1636	776	05603775ae6c66c7207556660da29de4.exe	keylogger py best.exe
PID 776 wrote to memory of 1636	776	05603775ae6c66c7207556660da29de4.exe	keylogger py best.exe
PID 776 wrote to memory of 1636	776	05603775ae6c66c7207556660da29de4.exe	keylogger py best.exe
PID 776 wrote to memory of 1636	776	05603775ae6c66c7207556660da29de4.exe	keylogger py best.exe
PID 776 wrote to memory of 1500	776	05603775ae6c66c7207556660da29de4.exe	rat v6.exe
PID 776 wrote to memory of 1500	776	05603775ae6c66c7207556660da29de4.exe	rat v6.exe
PID 776 wrote to memory of 1500	776	05603775ae6c66c7207556660da29de4.exe	rat v6.exe
PID 776 wrote to memory of 1500	776	05603775ae6c66c7207556660da29de4.exe	rat v6.exe
PID 776 wrote to memory of 1488	776	05603775ae6c66c7207556660da29de4.exe	loader.exe
PID 776 wrote to memory of 1488	776	05603775ae6c66c7207556660da29de4.exe	loader.exe
PID 776 wrote to memory of 1488	776	05603775ae6c66c7207556660da29de4.exe	loader.exe
PID 776 wrote to memory of 1488	776	05603775ae6c66c7207556660da29de4.exe	loader.exe
PID 1636 wrote to memory of 544	1636	keylogger py best.exe	RtkBtManServ.exe
PID 1636 wrote to memory of 544	1636	keylogger py best.exe	RtkBtManServ.exe
PID 1636 wrote to memory of 544	1636	keylogger py best.exe	RtkBtManServ.exe
PID 1636 wrote to memory of 544	1636	keylogger py best.exe	RtkBtManServ.exe
PID 1500 wrote to memory of 1956	1500	rat v6.exe	schtasks.exe
PID 1500 wrote to memory of 1956	1500	rat v6.exe	schtasks.exe
PID 1500 wrote to memory of 1956	1500	rat v6.exe	schtasks.exe
PID 1500 wrote to memory of 1956	1500	rat v6.exe	schtasks.exe
PID 1500 wrote to memory of 1720	1500	rat v6.exe	cmd.exe
PID 1500 wrote to memory of 1720	1500	rat v6.exe	cmd.exe
PID 1500 wrote to memory of 1720	1500	rat v6.exe	cmd.exe
PID 1500 wrote to memory of 1720	1500	rat v6.exe	cmd.exe
PID 1720 wrote to memory of 1692	1720	cmd.exe	chcp.com
PID 1720 wrote to memory of 1692	1720	cmd.exe	chcp.com
PID 1720 wrote to memory of 1692	1720	cmd.exe	chcp.com
PID 1720 wrote to memory of 1692	1720	cmd.exe	chcp.com
PID 1720 wrote to memory of 844	1720	cmd.exe	PING.EXE
PID 1720 wrote to memory of 844	1720	cmd.exe	PING.EXE
PID 1720 wrote to memory of 844	1720	cmd.exe	PING.EXE
PID 1720 wrote to memory of 844	1720	cmd.exe	PING.EXE
PID 1720 wrote to memory of 1888	1720	cmd.exe	rat v6.exe
PID 1720 wrote to memory of 1888	1720	cmd.exe	rat v6.exe
PID 1720 wrote to memory of 1888	1720	cmd.exe	rat v6.exe
PID 1720 wrote to memory of 1888	1720	cmd.exe	rat v6.exe
PID 1316 wrote to memory of 1920	1316	Driver.exe	schtasks.exe
PID 1316 wrote to memory of 1920	1316	Driver.exe	schtasks.exe
PID 1316 wrote to memory of 1920	1316	Driver.exe	schtasks.exe
PID 1316 wrote to memory of 1920	1316	Driver.exe	schtasks.exe
PID 1316 wrote to memory of 984	1316	Driver.exe	explorer.exe
PID 1316 wrote to memory of 984	1316	Driver.exe	explorer.exe
PID 1316 wrote to memory of 984	1316	Driver.exe	explorer.exe
PID 1316 wrote to memory of 984	1316	Driver.exe	explorer.exe
PID 1316 wrote to memory of 1796	1316	Driver.exe	WScript.exe
PID 1316 wrote to memory of 1796	1316	Driver.exe	WScript.exe
PID 1316 wrote to memory of 1796	1316	Driver.exe	WScript.exe
PID 1316 wrote to memory of 1796	1316	Driver.exe	WScript.exe
PID 1316 wrote to memory of 1360	1316	Driver.exe	WScript.exe
PID 1316 wrote to memory of 1360	1316	Driver.exe	WScript.exe
PID 1316 wrote to memory of 1360	1316	Driver.exe	WScript.exe
PID 1316 wrote to memory of 1360	1316	Driver.exe	WScript.exe
PID 1316 wrote to memory of 1948	1316	Driver.exe	conhost.exe
PID 1316 wrote to memory of 1948	1316	Driver.exe	conhost.exe
PID 1316 wrote to memory of 1948	1316	Driver.exe	conhost.exe
PID 1316 wrote to memory of 1948	1316	Driver.exe	conhost.exe
PID 1316 wrote to memory of 1572	1316	Driver.exe	conhost.exe
PID 1316 wrote to memory of 1572	1316	Driver.exe	conhost.exe
PID 1316 wrote to memory of 1572	1316	Driver.exe	conhost.exe
PID 1316 wrote to memory of 1572	1316	Driver.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\05603775ae6c66c7207556660da29de4.exe
"C:\Users\Admin\AppData\Local\Temp\05603775ae6c66c7207556660da29de4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:776

C:\Users\Admin\AppData\Roaming\keylogger py best.exe
"C:\Users\Admin\AppData\Roaming\keylogger py best.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
"C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs4gbUNbdjDVoEzuwe9QI1beMhUDwpgbq9t8eYqac7ixuzdX2esxhonYoBWN9FbGupbkub/9oCF5YryYcksMtSymyriBd/PbXKARudWjYmyujJNq14nt3KQdYmw2VrgARL8=
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Users\Admin\AppData\Roaming\rat v6.exe
"C:\Users\Admin\AppData\Roaming\rat v6.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Realtek® High Definition Audio Driver" /sc ONLOGON /tr "C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1956

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ﾒム尺ﾑﾌ丂刀ﾉ乃ムﾘﾘｷﾉﾚひ.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1692

C:\Windows\SysWOW64\PING.EXE
ping -\Common 10 localhost
4⤵
- Runs ping.exe
PID:844

C:\Users\Admin\AppData\Roaming\rat v6.exe
"C:\Users\Admin\AppData\Roaming\rat v6.exe"
4⤵
- Executes dropped EXE
PID:1888

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Realtek® High Definition Audio Driver" /sc ONLOGON /tr "C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1508

C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe
"C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe"
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Realtek® High Definition Audio Driver" /sc ONLOGON /tr "C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:1920

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs
6⤵
PID:984

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution2.vbs"
6⤵
PID:1796

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution5.vbs"
6⤵
PID:1360

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
6⤵
PID:1948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
6⤵
PID:1572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
6⤵
PID:592

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
6⤵
PID:1640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" / t REG_DWORD /d "0" /f
6⤵
PID:1100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
6⤵
PID:2020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
6⤵
PID:2044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
6⤵
PID:1044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
6⤵
PID:1652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
6⤵
PID:1384

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
6⤵
PID:2008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
6⤵
PID:1112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
6⤵
PID:1152

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
6⤵
PID:1716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
6⤵
PID:920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
6⤵
PID:1780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
6⤵
PID:1112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
6⤵
PID:828

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
6⤵
PID:1780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
6⤵
PID:2072

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
6⤵
PID:2092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
6⤵
PID:2116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
6⤵
PID:2160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
6⤵
PID:2200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
6⤵
PID:2236

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
6⤵
PID:2252

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
6⤵
PID:2304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
6⤵
PID:2336

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ムﾚり尺ｷﾘﾘりﾘ√りゐﾉｱ尺ᄃ.bat" "
6⤵
PID:2360

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ᄃﾉ乃ズﾌｲ√んﾉ乇ム√乙刀ᄃᄃ.bat" "
5⤵
PID:2184

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:2348

C:\Users\Admin\AppData\Roaming\loader.exe
"C:\Users\Admin\AppData\Roaming\loader.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1488

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1392

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
2⤵
PID:1660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1328126241991120274-1561569992253893810-1445296795-2367036713013149801217809446"
1⤵
PID:1948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1400704528-11540688901002455783666105746-521151200-2967132471009405368-11829814"
1⤵
PID:1572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Execution.vbs
MD5
a76dc4fbd53fe8d087cb78ff16134a26

SHA1
8f565d5b491f4f7b27e6af34bb7798f9b5bb558b

SHA256
b15dbb3f1554b1e6b0a66423df0a205b157276e2e3d31d7a1c7dd480d615e1e6

SHA512
69de3d0f22c921f07e0db2324d4dfcec717a1cdcb47b24f19a53d21f7876b9099ff1a7e44ae037c38e1cc864d53b8ecac45c8b376bd7e497dd745c4347307470

Download Submit
C:\Users\Admin\AppData\Local\Execution2.vbs
MD5
cf1d37e3ccdde125c06f1383c88d9358

SHA1
dcb51cbdab941e7cec28817ffae2fba1f27f1931

SHA256
35873184c68848d8275eea24d4484870cad72972c34e4c553786fec6f4321d7a

SHA512
dade8e3835b9f4b317ab2a7e4e52b4df619b4e1ccb3ede46d90a440b77da1f9ffb30804e5b889c866661122f16b6a44319b71ddaf277f4bb43acf24f076b3d0b

Download Submit
C:\Users\Admin\AppData\Local\Execution5.vbs
MD5
05a460cc05b28e1fc6ee9aadd0e2e7b1

SHA1
4ac79e93d6467e809acfbb2a5b0370537fb99460

SHA256
2e841a3b2fcb2f3e5f87a25656a85cd6ea8bd9c04421ac636239fccc5f7cc7a9

SHA512
471f54955d054cfe3b2f23a801e84f7261e70271c18bc9bba736cab948a6c4544b62b40f318d4a55df29e3e640f0529432fe7b69822238dbbcec222da86b13f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
MD5
88ab0bb59b0b20816a833ba91c1606d3

SHA1
72c09b7789a4bac8fee41227d101daed8437edeb

SHA256
f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312

SHA512
05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
MD5
88ab0bb59b0b20816a833ba91c1606d3

SHA1
72c09b7789a4bac8fee41227d101daed8437edeb

SHA256
f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312

SHA512
05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857

Download Submit
C:\Users\Admin\AppData\Local\Temp\ﾒム尺ﾑﾌ丂刀ﾉ乃ムﾘﾘｷﾉﾚひ.bat
MD5
915635b483fd0ad042568d6d85a185c0

SHA1
0b6524eaad0ad392594b7dad1461fc6864838ce9

SHA256
d1ff0e80092079bc0fbf70a0249cb9955f67d83ec402deea359c07c5f37f8890

SHA512
d1bb91efe6cf70019fb3d7cec3723c9ca8fd036c2c5fbfdde46f7f7d8883775bba8a6b14f7c9ef4bee4771ed1b8992b1fa9aeb65b608476edbd8e7bb124955fe

Download Submit
C:\Users\Admin\AppData\Roaming\keylogger py best.exe
MD5
a20d50809d850ea9621ec8056ca52ee9

SHA1
47cd25041ec4a8c2ef397c2afd09fd2aaf6d3cd7

SHA256
ceeedbfa74c764a7a927e33d3a8fe3fd6f2de12af2a7d9e0558062c3afa0581f

SHA512
0f5b564403149bb0ca7851e989b433f00152ec9a95e0c52f4f3fc86f29832cc803c4969b4d06c1823b436facd6d987c448d5c640f01cc011025abe21a523643f

Download Submit
C:\Users\Admin\AppData\Roaming\keylogger py best.exe
MD5
a20d50809d850ea9621ec8056ca52ee9

SHA1
47cd25041ec4a8c2ef397c2afd09fd2aaf6d3cd7

SHA256
ceeedbfa74c764a7a927e33d3a8fe3fd6f2de12af2a7d9e0558062c3afa0581f

SHA512
0f5b564403149bb0ca7851e989b433f00152ec9a95e0c52f4f3fc86f29832cc803c4969b4d06c1823b436facd6d987c448d5c640f01cc011025abe21a523643f

Download Submit
C:\Users\Admin\AppData\Roaming\loader.exe
MD5
cd8ab729965533ed53755d09ad10c790

SHA1
d09623a311dad9eb598cd2ef234ea1d6bfaf318e

SHA256
9e8d78ad8a4a11f3904d7cb5b06d08ffdb73262f2f44d810e5b5b6dcb15c736f

SHA512
834714dbbad108be2c1a52f0338782b4fee10b9ab999526dd175b338fe98b58857e36104a5300e989ae9bfa1e7432004ab5a5d422c9d23067941457f7abc6b0f

Download Submit
C:\Users\Admin\AppData\Roaming\loader.exe
MD5
cd8ab729965533ed53755d09ad10c790

SHA1
d09623a311dad9eb598cd2ef234ea1d6bfaf318e

SHA256
9e8d78ad8a4a11f3904d7cb5b06d08ffdb73262f2f44d810e5b5b6dcb15c736f

SHA512
834714dbbad108be2c1a52f0338782b4fee10b9ab999526dd175b338fe98b58857e36104a5300e989ae9bfa1e7432004ab5a5d422c9d23067941457f7abc6b0f

Download Submit
C:\Users\Admin\AppData\Roaming\rat v6.exe
MD5
8a177113878be7de28f07a9f2b2bd56a

SHA1
355d23771a07b4c6aaf86c6c28eb61f873b7e000

SHA256
26fd51dc28ce76d5aa5914bdf6f9cac0a6afd41d1f13c9af2c299f92e339216d

SHA512
1407fc16318918f0314bcf8ad9c5c7e2690f7fd3260246b93e131f83ff355cc52528e1cd13cd2ef809000673b070508ae0b675de4554090fac8483be8ffe6b6b

Download Submit
C:\Users\Admin\AppData\Roaming\rat v6.exe
MD5
8a177113878be7de28f07a9f2b2bd56a

SHA1
355d23771a07b4c6aaf86c6c28eb61f873b7e000

SHA256
26fd51dc28ce76d5aa5914bdf6f9cac0a6afd41d1f13c9af2c299f92e339216d

SHA512
1407fc16318918f0314bcf8ad9c5c7e2690f7fd3260246b93e131f83ff355cc52528e1cd13cd2ef809000673b070508ae0b675de4554090fac8483be8ffe6b6b

Download Submit
C:\Users\Admin\AppData\Roaming\rat v6.exe
MD5
8a177113878be7de28f07a9f2b2bd56a

SHA1
355d23771a07b4c6aaf86c6c28eb61f873b7e000

SHA256
26fd51dc28ce76d5aa5914bdf6f9cac0a6afd41d1f13c9af2c299f92e339216d

SHA512
1407fc16318918f0314bcf8ad9c5c7e2690f7fd3260246b93e131f83ff355cc52528e1cd13cd2ef809000673b070508ae0b675de4554090fac8483be8ffe6b6b

Download Submit
\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
MD5
88ab0bb59b0b20816a833ba91c1606d3

SHA1
72c09b7789a4bac8fee41227d101daed8437edeb

SHA256
f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312

SHA512
05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857

Download Submit
\Users\Admin\AppData\Roaming\keylogger py best.exe
MD5
a20d50809d850ea9621ec8056ca52ee9

SHA1
47cd25041ec4a8c2ef397c2afd09fd2aaf6d3cd7

SHA256
ceeedbfa74c764a7a927e33d3a8fe3fd6f2de12af2a7d9e0558062c3afa0581f

SHA512
0f5b564403149bb0ca7851e989b433f00152ec9a95e0c52f4f3fc86f29832cc803c4969b4d06c1823b436facd6d987c448d5c640f01cc011025abe21a523643f

Download Submit
\Users\Admin\AppData\Roaming\loader.exe
MD5
cd8ab729965533ed53755d09ad10c790

SHA1
d09623a311dad9eb598cd2ef234ea1d6bfaf318e

SHA256
9e8d78ad8a4a11f3904d7cb5b06d08ffdb73262f2f44d810e5b5b6dcb15c736f

SHA512
834714dbbad108be2c1a52f0338782b4fee10b9ab999526dd175b338fe98b58857e36104a5300e989ae9bfa1e7432004ab5a5d422c9d23067941457f7abc6b0f

Download Submit
\Users\Admin\AppData\Roaming\rat v6.exe
MD5
8a177113878be7de28f07a9f2b2bd56a

SHA1
355d23771a07b4c6aaf86c6c28eb61f873b7e000

SHA256
26fd51dc28ce76d5aa5914bdf6f9cac0a6afd41d1f13c9af2c299f92e339216d

SHA512
1407fc16318918f0314bcf8ad9c5c7e2690f7fd3260246b93e131f83ff355cc52528e1cd13cd2ef809000673b070508ae0b675de4554090fac8483be8ffe6b6b

Download Submit
memory/544-99-0x000000001B490000-0x000000001B492000-memory.dmp

Filesize
8KB

Download
memory/544-98-0x0000000000E70000-0x0000000000F1C000-memory.dmp

Filesize
688KB

Download
memory/544-84-0x0000000000000000-mapping.dmp

Download
memory/544-96-0x000000001B510000-0x000000001B84B000-memory.dmp

Filesize
3.2MB

Download
memory/544-97-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/544-88-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/592-116-0x0000000000000000-mapping.dmp

Download
memory/776-55-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/776-56-0x0000000002F70000-0x0000000002F71000-memory.dmp

Filesize
4KB

Download
memory/828-137-0x0000000000000000-mapping.dmp

Download
memory/844-93-0x0000000000000000-mapping.dmp

Download
memory/920-131-0x0000000000000000-mapping.dmp

Download
memory/984-105-0x0000000000000000-mapping.dmp

Download
memory/984-108-0x000000006F001000-0x000000006F003000-memory.dmp

Filesize
8KB

Download
memory/1044-122-0x0000000000000000-mapping.dmp

Download
memory/1100-118-0x0000000000000000-mapping.dmp

Download
memory/1112-127-0x0000000000000000-mapping.dmp

Download
memory/1112-136-0x0000000000000000-mapping.dmp

Download
memory/1152-129-0x0000000000000000-mapping.dmp

Download
memory/1316-103-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/1316-100-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/1360-110-0x0000000000000000-mapping.dmp

Download
memory/1384-125-0x0000000000000000-mapping.dmp

Download
memory/1392-120-0x000007FEFB751000-0x000007FEFB753000-memory.dmp

Filesize
8KB

Download
memory/1488-80-0x0000000077080000-0x0000000077082000-memory.dmp

Filesize
8KB

Download
memory/1488-70-0x0000000000000000-mapping.dmp

Download
memory/1488-76-0x0000000140000000-0x0000000141434000-memory.dmp

Filesize
20.2MB

Download
memory/1488-81-0x0000000076ED0000-0x0000000077079000-memory.dmp

Filesize
1.7MB

Download
memory/1488-82-0x0000000076CB0000-0x0000000076DCF000-memory.dmp

Filesize
1.1MB

Download
memory/1500-73-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/1500-66-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/1500-62-0x0000000000000000-mapping.dmp

Download
memory/1572-115-0x0000000000000000-mapping.dmp

Download
memory/1636-58-0x0000000000000000-mapping.dmp

Download
memory/1636-65-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/1636-74-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/1640-117-0x0000000000000000-mapping.dmp

Download
memory/1652-124-0x0000000000000000-mapping.dmp

Download
memory/1660-138-0x0000000000000000-mapping.dmp

Download
memory/1692-92-0x0000000000000000-mapping.dmp

Download
memory/1716-132-0x0000000000000000-mapping.dmp

Download
memory/1720-90-0x0000000000000000-mapping.dmp

Download
memory/1780-134-0x0000000000000000-mapping.dmp

Download
memory/1780-139-0x0000000000000000-mapping.dmp

Download
memory/1796-107-0x0000000000000000-mapping.dmp

Download
memory/1888-94-0x0000000000000000-mapping.dmp

Download
memory/1920-104-0x0000000000000000-mapping.dmp

Download
memory/1948-114-0x0000000000000000-mapping.dmp

Download
memory/1956-87-0x0000000000000000-mapping.dmp

Download
memory/2008-126-0x0000000000000000-mapping.dmp

Download
memory/2020-119-0x0000000000000000-mapping.dmp

Download
memory/2044-121-0x0000000000000000-mapping.dmp

Download
memory/2072-141-0x0000000000000000-mapping.dmp

Download
memory/2092-142-0x0000000000000000-mapping.dmp

Download
memory/2116-143-0x0000000000000000-mapping.dmp

Download
memory/2160-144-0x0000000000000000-mapping.dmp

Download
memory/2200-145-0x0000000000000000-mapping.dmp

Download
memory/2236-146-0x0000000000000000-mapping.dmp

Download
memory/2252-147-0x0000000000000000-mapping.dmp

Download
memory/2304-148-0x0000000000000000-mapping.dmp

Download
memory/2348-149-0x0000000000000000-mapping.dmp

Download
memory/2360-150-0x0000000000000000-mapping.dmp

Download