quasar | 343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5

Analysis

max time kernel
117s
max time network
151s
platform
windows10_x64
resource
win10-en-20211208
submitted
22-12-2021 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
Size

442KB
MD5

6d5f00a23f0fc84d7e44a9dbcd31e0b4
SHA1

fcfe53ac6c4727a7d711415632882fc7f5569491
SHA256

343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5
SHA512

15cc6af9e8492358ee9041ddb709a87e64723ee41d775ca17ac63a6c1725b006f893313c5cb4bd1cc237dcce6d410900485cd62aa9f4075d308829e1e6994236

Score

10^/10

quasar warzonerat success collection infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

warzonerat

jerenyankipong.duckdns.org:5200

Extracted

Family

quasar

Version

1.3.0.0

Botnet

SUCCESS

jerenyankipong.duckdns.org:4782

Mutex

MUTEX_jh9iPmixBt74IpSqEj

Attributes

encryption_key
uO9yacYVMmi8921rParX
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
cmd
subdirectory
SubDir

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Mozilla Thunderbird\\thunderbird.exe\","	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe

Quasar Payload 8 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Ikasra.vt.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Ikasra.vt.exe	family_quasar
behavioral1/memory/3876-199-0x0000000000F70000-0x0000000000FCE000-memory.dmp	family_quasar
behavioral1/memory/3876-200-0x0000000000F70000-0x0000000000FCE000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
behavioral1/memory/2420-284-0x0000000000170000-0x00000000001CE000-memory.dmp	family_quasar
behavioral1/memory/2420-282-0x0000000000170000-0x00000000001CE000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Nirsoft 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2872-135-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2872-136-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/2872-140-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeIkasra.vt.exeClient.exe

pid process

3412 AdvancedRun.exe
1288 AdvancedRun.exe
3592 AdvancedRun.exe
728 AdvancedRun.exe
3876 Ikasra.vt.exe
2420 Client.exe

Loads dropped DLL 6 IoCs

Processes:

343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe

pid	process
2872	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
2872	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
2872	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
2872	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
2872	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
2872	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
Key opened	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

32 ip-api.com

flow	ioc
32	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe

description	pid	process	target process
PID 4016 set thread context of 2872	4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3732 schtasks.exe
1332 schtasks.exe

pid	process
3732	schtasks.exe
1332	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exepowershell.exepowershell.exe

pid	process
3412	AdvancedRun.exe
3412	AdvancedRun.exe
3412	AdvancedRun.exe
3412	AdvancedRun.exe
1288	AdvancedRun.exe
1288	AdvancedRun.exe
1288	AdvancedRun.exe
1288	AdvancedRun.exe
3592	AdvancedRun.exe
3592	AdvancedRun.exe
3592	AdvancedRun.exe
3592	AdvancedRun.exe
728	AdvancedRun.exe
728	AdvancedRun.exe
728	AdvancedRun.exe
728	AdvancedRun.exe
4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
3264	powershell.exe
3264	powershell.exe
1932	powershell.exe
3264	powershell.exe
1932	powershell.exe
1932	powershell.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exeIkasra.vt.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
Token: SeDebugPrivilege	3412	AdvancedRun.exe
Token: SeImpersonatePrivilege	3412	AdvancedRun.exe
Token: SeDebugPrivilege	1288	AdvancedRun.exe
Token: SeImpersonatePrivilege	1288	AdvancedRun.exe
Token: SeDebugPrivilege	3592	AdvancedRun.exe
Token: SeImpersonatePrivilege	3592	AdvancedRun.exe
Token: SeDebugPrivilege	728	AdvancedRun.exe
Token: SeImpersonatePrivilege	728	AdvancedRun.exe
Token: SeDebugPrivilege	3264	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	3876	Ikasra.vt.exe
Token: SeDebugPrivilege	2420	Client.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exeClient.exe

pid process

2872 343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
2420 Client.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exeAdvancedRun.exeAdvancedRun.exe343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exeIkasra.vt.exeClient.exe

description	pid	process	target process
PID 4016 wrote to memory of 3412	4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	AdvancedRun.exe
PID 4016 wrote to memory of 3412	4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	AdvancedRun.exe
PID 4016 wrote to memory of 3412	4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	AdvancedRun.exe
PID 3412 wrote to memory of 1288	3412	AdvancedRun.exe	AdvancedRun.exe
PID 3412 wrote to memory of 1288	3412	AdvancedRun.exe	AdvancedRun.exe
PID 3412 wrote to memory of 1288	3412	AdvancedRun.exe	AdvancedRun.exe
PID 4016 wrote to memory of 3592	4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	AdvancedRun.exe
PID 4016 wrote to memory of 3592	4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	AdvancedRun.exe
PID 4016 wrote to memory of 3592	4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	AdvancedRun.exe
PID 3592 wrote to memory of 728	3592	AdvancedRun.exe	AdvancedRun.exe
PID 3592 wrote to memory of 728	3592	AdvancedRun.exe	AdvancedRun.exe
PID 3592 wrote to memory of 728	3592	AdvancedRun.exe	AdvancedRun.exe
PID 4016 wrote to memory of 3264	4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	powershell.exe
PID 4016 wrote to memory of 3264	4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	powershell.exe
PID 4016 wrote to memory of 3264	4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	powershell.exe
PID 4016 wrote to memory of 1620	4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
PID 4016 wrote to memory of 1620	4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
PID 4016 wrote to memory of 1620	4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
PID 4016 wrote to memory of 2872	4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
PID 4016 wrote to memory of 2872	4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
PID 4016 wrote to memory of 2872	4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
PID 4016 wrote to memory of 2872	4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
PID 4016 wrote to memory of 2872	4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
PID 4016 wrote to memory of 2872	4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
PID 4016 wrote to memory of 2872	4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
PID 4016 wrote to memory of 2872	4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
PID 4016 wrote to memory of 2872	4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
PID 4016 wrote to memory of 2872	4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
PID 4016 wrote to memory of 2872	4016	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
PID 2872 wrote to memory of 1932	2872	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	powershell.exe
PID 2872 wrote to memory of 1932	2872	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	powershell.exe
PID 2872 wrote to memory of 1932	2872	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	powershell.exe
PID 2872 wrote to memory of 1360	2872	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	cmd.exe
PID 2872 wrote to memory of 1360	2872	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	cmd.exe
PID 2872 wrote to memory of 1360	2872	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	cmd.exe
PID 2872 wrote to memory of 1360	2872	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	cmd.exe
PID 2872 wrote to memory of 1360	2872	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	cmd.exe
PID 2872 wrote to memory of 3876	2872	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	Ikasra.vt.exe
PID 2872 wrote to memory of 3876	2872	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	Ikasra.vt.exe
PID 2872 wrote to memory of 3876	2872	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe	Ikasra.vt.exe
PID 3876 wrote to memory of 1332	3876	Ikasra.vt.exe	schtasks.exe
PID 3876 wrote to memory of 1332	3876	Ikasra.vt.exe	schtasks.exe
PID 3876 wrote to memory of 1332	3876	Ikasra.vt.exe	schtasks.exe
PID 3876 wrote to memory of 2420	3876	Ikasra.vt.exe	Client.exe
PID 3876 wrote to memory of 2420	3876	Ikasra.vt.exe	Client.exe
PID 3876 wrote to memory of 2420	3876	Ikasra.vt.exe	Client.exe
PID 2420 wrote to memory of 3732	2420	Client.exe	schtasks.exe
PID 2420 wrote to memory of 3732	2420	Client.exe	schtasks.exe
PID 2420 wrote to memory of 3732	2420	Client.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe

outlook_win_path 1 IoCs

Processes:

343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe

C:\Users\Admin\AppData\Local\Temp\343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
"C:\Users\Admin\AppData\Local\Temp\343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3412
- - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3412
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1288
- C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3592
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:728
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\Admin\AppData\Local\Temp\343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3264
- C:\Users\Admin\AppData\Local\Temp\343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
  C:\Users\Admin\AppData\Local\Temp\343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
  2⤵
  PID:1620
- C:\Users\Admin\AppData\Local\Temp\343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
  C:\Users\Admin\AppData\Local\Temp\343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
  2⤵
  - Loads dropped DLL
  - Accesses Microsoft Outlook profiles
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:2872
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath C:\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:1360
- - C:\Users\Admin\AppData\Roaming\Ikasra.vt.exe
    "C:\Users\Admin\AppData\Roaming\Ikasra.vt.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3876
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "cmd" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Ikasra.vt.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:1332
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2420
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "cmd" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:3732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
224eab1ee8f8bbf6b4683fb79b6055d1

SHA1
33cd2fdabbbc241411b813a9a27004ac36e750c1

SHA256
9adb51554502af88dcce67501fcf525760236a704332e44775d00cd132c23032

SHA512
8b2cfe4959f86f2f67e64d98c44ffd8bb8f9fc04a3a7cad4b8a07d313efb5269ee6986d13c7cfe08e9867bcd70f486c9e60880e78b0d15ab788d4b2075d049a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
5b0174a4ccb45b2c1b55b0d2f63e607d

SHA1
0fa3d60faddf132d2c436c34bc8d650572a7591c

SHA256
94856516cde7e7c1f57b4b478206751a998d4cf2344b68065c19b74e409a739c

SHA512
2eb704eab11c58a93b98f978a1a767081b066b1388a81cdc1996c11ab550c2169f6f02603ee9a8e93715bf411aa1fd124808e08ca5e8b9b9ef217112f81fe45d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Ikasra.vt.exe

MD5
7411c8d36761ca9edc88373cfc7a3cb7

SHA1
8b31d6b61ee03da19817d3ffd59c0aa41ef32d81

SHA256
5ab1aac03c053e025319aac9bbe317a163d56bf4657819c6a43ffb97099ec322

SHA512
37f29a792ca641f29144032575f7f42ced5345c541cbdad33e935ef7b5b70d6b5623196596587be95ef00a86a58d604c295c1fcc4a9b159b80cc273fe1623342

Download Submit
C:\Users\Admin\AppData\Roaming\Ikasra.vt.exe

MD5
7411c8d36761ca9edc88373cfc7a3cb7

SHA1
8b31d6b61ee03da19817d3ffd59c0aa41ef32d81

SHA256
5ab1aac03c053e025319aac9bbe317a163d56bf4657819c6a43ffb97099ec322

SHA512
37f29a792ca641f29144032575f7f42ced5345c541cbdad33e935ef7b5b70d6b5623196596587be95ef00a86a58d604c295c1fcc4a9b159b80cc273fe1623342

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5
7411c8d36761ca9edc88373cfc7a3cb7

SHA1
8b31d6b61ee03da19817d3ffd59c0aa41ef32d81

SHA256
5ab1aac03c053e025319aac9bbe317a163d56bf4657819c6a43ffb97099ec322

SHA512
37f29a792ca641f29144032575f7f42ced5345c541cbdad33e935ef7b5b70d6b5623196596587be95ef00a86a58d604c295c1fcc4a9b159b80cc273fe1623342

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5
7411c8d36761ca9edc88373cfc7a3cb7

SHA1
8b31d6b61ee03da19817d3ffd59c0aa41ef32d81

SHA256
5ab1aac03c053e025319aac9bbe317a163d56bf4657819c6a43ffb97099ec322

SHA512
37f29a792ca641f29144032575f7f42ced5345c541cbdad33e935ef7b5b70d6b5623196596587be95ef00a86a58d604c295c1fcc4a9b159b80cc273fe1623342

Download Submit
\Users\Admin\AppData\Local\Temp\freebl3.dll

MD5
ef12ab9d0b231b8f898067b2114b1bc0

SHA1
6d90f27b2105945f9bb77039e8b892070a5f9442

SHA256
2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7

SHA512
2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193

Download Submit
\Users\Admin\AppData\Local\Temp\mozglue.dll

MD5
75f8cc548cabf0cc800c25047e4d3124

SHA1
602676768f9faecd35b48c38a0632781dfbde10c

SHA256
fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0

SHA512
ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f

Download Submit
\Users\Admin\AppData\Local\Temp\msvcp140.dll

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\Users\Admin\AppData\Local\Temp\nss3.dll

MD5
d7858e8449004e21b01d468e9fd04b82

SHA1
9524352071ede21c167e7e4f106e9526dc23ef4e

SHA256
78758bf7f3b3b5e3477e38354acd32d787bc1286c8bd9b873471b9c195e638db

SHA512
1e2c981e6c0ca36c60c6e9cae9548b866d5c524df837095b30d618d9c322def7134c20de820105400dd1b58076b66d90274f67773ac6ba914f611b419babb440

Download Submit
\Users\Admin\AppData\Local\Temp\softokn3.dll

MD5
471c983513694ac3002590345f2be0da

SHA1
6612b9af4ff6830fa9b7d4193078434ef72f775b

SHA256
bb3ff746471116c6ad0339fa0522aa2a44a787e33a29c7b27649a054ecd4d00f

SHA512
a9b0fb923bc3b567e933de10b141a3e9213640e3d790b4c4d753cf220d55593ae8026102909969ba6bfc22da3b2fcd01e30a9f5a74bd14a0fdec9beaf0fb1410

Download Submit
\Users\Admin\AppData\Local\Temp\vcruntime140.dll

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
memory/728-129-0x0000000000000000-mapping.dmp

Download
memory/1288-125-0x0000000000000000-mapping.dmp

Download
memory/1332-278-0x0000000000000000-mapping.dmp

Download
memory/1360-163-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1360-148-0x0000000000000000-mapping.dmp

Download
memory/1932-203-0x0000000008FE0000-0x0000000009074000-memory.dmp

Filesize
592KB

Download
memory/1932-156-0x0000000007230000-0x0000000007296000-memory.dmp

Filesize
408KB

Download
memory/1932-188-0x0000000007E40000-0x0000000007E8B000-memory.dmp

Filesize
300KB

Download
memory/1932-187-0x00000000073A0000-0x0000000007406000-memory.dmp

Filesize
408KB

Download
memory/1932-183-0x0000000008CE0000-0x0000000008D13000-memory.dmp

Filesize
204KB

Download
memory/1932-186-0x0000000007230000-0x0000000007296000-memory.dmp

Filesize
408KB

Download
memory/1932-185-0x0000000006A50000-0x0000000006A72000-memory.dmp

Filesize
136KB

Download
memory/1932-184-0x000000007EB20000-0x000000007EB21000-memory.dmp

Filesize
4KB

Download
memory/1932-206-0x0000000004253000-0x0000000004254000-memory.dmp

Filesize
4KB

Download
memory/1932-189-0x0000000007BD0000-0x0000000007C46000-memory.dmp

Filesize
472KB

Download
memory/1932-147-0x0000000000000000-mapping.dmp

Download
memory/1932-181-0x0000000008CE0000-0x0000000008D13000-memory.dmp

Filesize
204KB

Download
memory/1932-149-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/1932-150-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/1932-151-0x0000000000C90000-0x0000000000CC6000-memory.dmp

Filesize
216KB

Download
memory/1932-153-0x0000000006C00000-0x0000000007228000-memory.dmp

Filesize
6.2MB

Download
memory/1932-180-0x0000000006C00000-0x0000000007228000-memory.dmp

Filesize
6.2MB

Download
memory/1932-155-0x0000000004250000-0x0000000004251000-memory.dmp

Filesize
4KB

Download
memory/1932-154-0x0000000006A50000-0x0000000006A72000-memory.dmp

Filesize
136KB

Download
memory/1932-190-0x0000000006770000-0x000000000678E000-memory.dmp

Filesize
120KB

Download
memory/1932-157-0x0000000004252000-0x0000000004253000-memory.dmp

Filesize
4KB

Download
memory/1932-158-0x00000000073A0000-0x0000000007406000-memory.dmp

Filesize
408KB

Download
memory/1932-159-0x00000000074F0000-0x0000000007840000-memory.dmp

Filesize
3.3MB

Download
memory/1932-195-0x0000000008E10000-0x0000000008EB5000-memory.dmp

Filesize
660KB

Download
memory/1932-162-0x00000000074D0000-0x00000000074EC000-memory.dmp

Filesize
112KB

Download
memory/1932-168-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/1932-164-0x0000000007E40000-0x0000000007E8B000-memory.dmp

Filesize
300KB

Download
memory/1932-165-0x0000000007BD0000-0x0000000007C46000-memory.dmp

Filesize
472KB

Download
memory/2420-324-0x0000000004BF0000-0x0000000004C56000-memory.dmp

Filesize
408KB

Download
memory/2420-305-0x0000000004960000-0x0000000004E5E000-memory.dmp

Filesize
5.0MB

Download
memory/2420-286-0x0000000004E60000-0x000000000535E000-memory.dmp

Filesize
5.0MB

Download
memory/2420-282-0x0000000000170000-0x00000000001CE000-memory.dmp

Filesize
376KB

Download
memory/2420-287-0x0000000004A40000-0x0000000004AD2000-memory.dmp

Filesize
584KB

Download
memory/2420-279-0x0000000000000000-mapping.dmp

Download
memory/2420-284-0x0000000000170000-0x00000000001CE000-memory.dmp

Filesize
376KB

Download
memory/2872-182-0x0000000004530000-0x000000000466C000-memory.dmp

Filesize
1.2MB

Download
memory/2872-207-0x0000000005060000-0x00000000050E4000-memory.dmp

Filesize
528KB

Download
memory/2872-135-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2872-136-0x0000000000405CE2-mapping.dmp

Download
memory/2872-140-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3264-139-0x00000000070F2000-0x00000000070F3000-memory.dmp

Filesize
4KB

Download
memory/3264-141-0x0000000007660000-0x0000000007682000-memory.dmp

Filesize
136KB

Download
memory/3264-174-0x0000000009D80000-0x000000000A3F8000-memory.dmp

Filesize
6.5MB

Download
memory/3264-131-0x0000000000000000-mapping.dmp

Download
memory/3264-160-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/3264-152-0x0000000008700000-0x0000000008776000-memory.dmp

Filesize
472KB

Download
memory/3264-132-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/3264-291-0x00000000093B0000-0x00000000093D2000-memory.dmp

Filesize
136KB

Download
memory/3264-293-0x000000000A900000-0x000000000ADFE000-memory.dmp

Filesize
5.0MB

Download
memory/3264-290-0x0000000009900000-0x0000000009994000-memory.dmp

Filesize
592KB

Download
memory/3264-146-0x0000000008920000-0x000000000896B000-memory.dmp

Filesize
300KB

Download
memory/3264-145-0x0000000007E20000-0x0000000007E3C000-memory.dmp

Filesize
112KB

Download
memory/3264-144-0x0000000008040000-0x0000000008390000-memory.dmp

Filesize
3.3MB

Download
memory/3264-133-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/3264-134-0x0000000006F70000-0x0000000006FA6000-memory.dmp

Filesize
216KB

Download
memory/3264-137-0x0000000007730000-0x0000000007D58000-memory.dmp

Filesize
6.2MB

Download
memory/3264-138-0x00000000070F0000-0x00000000070F1000-memory.dmp

Filesize
4KB

Download
memory/3264-143-0x0000000007D60000-0x0000000007DC6000-memory.dmp

Filesize
408KB

Download
memory/3264-142-0x0000000007E40000-0x0000000007EA6000-memory.dmp

Filesize
408KB

Download
memory/3264-175-0x00000000094F0000-0x000000000950A000-memory.dmp

Filesize
104KB

Download
memory/3412-122-0x0000000000000000-mapping.dmp

Download
memory/3592-127-0x0000000000000000-mapping.dmp

Download
memory/3732-361-0x0000000000000000-mapping.dmp

Download
memory/3876-199-0x0000000000F70000-0x0000000000FCE000-memory.dmp

Filesize
376KB

Download
memory/3876-227-0x0000000005840000-0x00000000058A6000-memory.dmp

Filesize
408KB

Download
memory/3876-202-0x00000000058C0000-0x0000000005952000-memory.dmp

Filesize
584KB

Download
memory/3876-201-0x0000000005C90000-0x000000000618E000-memory.dmp

Filesize
5.0MB

Download
memory/3876-200-0x0000000000F70000-0x0000000000FCE000-memory.dmp

Filesize
376KB

Download
memory/3876-277-0x0000000006CA0000-0x0000000006CDE000-memory.dmp

Filesize
248KB

Download
memory/3876-196-0x0000000000000000-mapping.dmp

Download
memory/3876-208-0x0000000005790000-0x0000000005C8E000-memory.dmp

Filesize
5.0MB

Download
memory/3876-274-0x00000000068D0000-0x00000000068E2000-memory.dmp

Filesize
72KB

Download
memory/4016-121-0x00000000058C0000-0x00000000058E2000-memory.dmp

Filesize
136KB

Download
memory/4016-120-0x00000000060F0000-0x00000000065EE000-memory.dmp

Filesize
5.0MB

Download
memory/4016-119-0x00000000058E0000-0x0000000005946000-memory.dmp

Filesize
408KB

Download
memory/4016-118-0x0000000005810000-0x0000000005874000-memory.dmp

Filesize
400KB

Download
memory/4016-115-0x0000000000810000-0x0000000000882000-memory.dmp

Filesize
456KB

Download
memory/4016-117-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/4016-116-0x0000000000810000-0x0000000000882000-memory.dmp

Filesize
456KB

Download