quasar | 6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92

Analysis

max time kernel
4294222s
max time network
198s
platform
windows7_x64
resource
win7-20220311-en
submitted
24-03-2022 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
Size

663KB
MD5

ce171e0a1a242feebb1ea67a852fe6cd
SHA1

25c0ae74d178e052aac7a4f49f26bf1c65e410ce
SHA256

6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92
SHA512

8d38df569af8da74c3c6c94fee7449860472d81d100668774cc0e375cecb9972772d90c0e3c8fc1cf929d0cfb5ef0b961c5440aed4be952c0742f74ac78289cb

Score

10^/10

quasar venomrat office04 evasion rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

82.153.167.249:4782

Mutex

VNM_MUTEX_madi8mVzHkv9VeMWQh

Attributes

encryption_key
T2hhcYUj1x3W0YPA9otN
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 8 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/1300-63-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1300-64-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1300-65-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1300-66-0x0000000000486C4E-mapping.dmp	disable_win_def
behavioral1/memory/1300-68-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1300-70-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1732-94-0x0000000000486C4E-mapping.dmp	disable_win_def
behavioral1/memory/1608-123-0x0000000000486C4E-mapping.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Quasar Payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1300-63-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1300-64-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1300-65-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1300-66-0x0000000000486C4E-mapping.dmp	family_quasar
behavioral1/memory/1300-68-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1300-70-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1732-94-0x0000000000486C4E-mapping.dmp	family_quasar
behavioral1/memory/1608-123-0x0000000000486C4E-mapping.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Executes dropped EXE 2 IoCs

Processes:

Client.exeClient.exe

pid	Process
1272	Client.exe
1732	Client.exe

Loads dropped DLL 8 IoCs

Processes:

6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exeClient.exeWerFault.exe

pid	Process
1300	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1300	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1272	Client.exe
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exeClient.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\SubDir\Client.exe = "0"	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe = "0"	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
6	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 35 IoCs

Processes:

6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exeClient.exe6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe

pid	Process
1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1272	Client.exe
1272	Client.exe
1272	Client.exe
1272	Client.exe
1272	Client.exe
1272	Client.exe
1272	Client.exe
1272	Client.exe
1272	Client.exe
1272	Client.exe
1272	Client.exe
1272	Client.exe
1436	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1436	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1436	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1436	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1436	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1436	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1436	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1436	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1436	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1436	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1436	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1436	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exeClient.exe6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe

description	pid	Process	procid_target
PID 1048 set thread context of 1300	1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	31
PID 1272 set thread context of 1732	1272	Client.exe	39
PID 1436 set thread context of 1608	1436	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	51

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
1000	1048	WerFault.exe	9
1684	1272	WerFault.exe	34
1980	1436	WerFault.exe	48

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
360	PING.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

powershell.exe6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exepowershell.exepowershell.exeClient.exe6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exepowershell.exe6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe

pid	Process
1712	powershell.exe
1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1976	powershell.exe
856	powershell.exe
1272	Client.exe
1272	Client.exe
1272	Client.exe
1300	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1300	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1300	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1300	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1300	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1300	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1300	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
948	powershell.exe
1436	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1436	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1436	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
1608	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exepowershell.exe6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exeClient.exepowershell.exepowershell.exeClient.exe6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exepowershell.exe6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe

description	pid	Process
Token: SeDebugPrivilege	1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	1300	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
Token: SeDebugPrivilege	1272	Client.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	1732	Client.exe
Token: SeDebugPrivilege	1732	Client.exe
Token: SeDebugPrivilege	1436	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	1608	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid	Process
1732	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exeClient.execmd.execmd.exe

description	pid	Process	procid_target
PID 1048 wrote to memory of 1712	1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	29
PID 1048 wrote to memory of 1712	1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	29
PID 1048 wrote to memory of 1712	1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	29
PID 1048 wrote to memory of 1712	1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	29
PID 1048 wrote to memory of 1300	1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	31
PID 1048 wrote to memory of 1300	1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	31
PID 1048 wrote to memory of 1300	1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	31
PID 1048 wrote to memory of 1300	1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	31
PID 1048 wrote to memory of 1300	1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	31
PID 1048 wrote to memory of 1300	1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	31
PID 1048 wrote to memory of 1300	1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	31
PID 1048 wrote to memory of 1300	1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	31
PID 1048 wrote to memory of 1300	1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	31
PID 1048 wrote to memory of 1000	1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	32
PID 1048 wrote to memory of 1000	1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	32
PID 1048 wrote to memory of 1000	1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	32
PID 1048 wrote to memory of 1000	1048	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	32
PID 1300 wrote to memory of 1272	1300	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	34
PID 1300 wrote to memory of 1272	1300	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	34
PID 1300 wrote to memory of 1272	1300	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	34
PID 1300 wrote to memory of 1272	1300	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	34
PID 1300 wrote to memory of 1976	1300	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	35
PID 1300 wrote to memory of 1976	1300	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	35
PID 1300 wrote to memory of 1976	1300	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	35
PID 1300 wrote to memory of 1976	1300	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	35
PID 1272 wrote to memory of 856	1272	Client.exe	37
PID 1272 wrote to memory of 856	1272	Client.exe	37
PID 1272 wrote to memory of 856	1272	Client.exe	37
PID 1272 wrote to memory of 856	1272	Client.exe	37
PID 1272 wrote to memory of 1732	1272	Client.exe	39
PID 1272 wrote to memory of 1732	1272	Client.exe	39
PID 1272 wrote to memory of 1732	1272	Client.exe	39
PID 1272 wrote to memory of 1732	1272	Client.exe	39
PID 1272 wrote to memory of 1732	1272	Client.exe	39
PID 1272 wrote to memory of 1732	1272	Client.exe	39
PID 1272 wrote to memory of 1732	1272	Client.exe	39
PID 1272 wrote to memory of 1732	1272	Client.exe	39
PID 1272 wrote to memory of 1732	1272	Client.exe	39
PID 1272 wrote to memory of 1684	1272	Client.exe	40
PID 1272 wrote to memory of 1684	1272	Client.exe	40
PID 1272 wrote to memory of 1684	1272	Client.exe	40
PID 1272 wrote to memory of 1684	1272	Client.exe	40
PID 1300 wrote to memory of 1752	1300	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	41
PID 1300 wrote to memory of 1752	1300	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	41
PID 1300 wrote to memory of 1752	1300	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	41
PID 1300 wrote to memory of 1752	1300	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	41
PID 1752 wrote to memory of 896	1752	cmd.exe	43
PID 1752 wrote to memory of 896	1752	cmd.exe	43
PID 1752 wrote to memory of 896	1752	cmd.exe	43
PID 1752 wrote to memory of 896	1752	cmd.exe	43
PID 1300 wrote to memory of 988	1300	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	44
PID 1300 wrote to memory of 988	1300	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	44
PID 1300 wrote to memory of 988	1300	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	44
PID 1300 wrote to memory of 988	1300	6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe	44
PID 988 wrote to memory of 916	988	cmd.exe	46
PID 988 wrote to memory of 916	988	cmd.exe	46
PID 988 wrote to memory of 916	988	cmd.exe	46
PID 988 wrote to memory of 916	988	cmd.exe	46
PID 988 wrote to memory of 360	988	cmd.exe	47
PID 988 wrote to memory of 360	988	cmd.exe	47
PID 988 wrote to memory of 360	988	cmd.exe	47
PID 988 wrote to memory of 360	988	cmd.exe	47
PID 988 wrote to memory of 1436	988	cmd.exe	48
PID 988 wrote to memory of 1436	988	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
"C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe"
1⤵
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
  "C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe"
  2⤵
  - Loads dropped DLL
  - Windows security modification
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:856
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1732
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 1736
      4⤵
      Loads dropped DLL
      Program crash
      PID:1684
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
      4⤵
      PID:896
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\RZHFMVT1HQPf.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:988
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:916
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:360
  - - C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
      "C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1436
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe" -Force
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
    - - C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1712
        5⤵
        Program crash
        
        PID:1980
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1704
  2⤵
  - Program crash
  PID:1000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RZHFMVT1HQPf.bat

MD5
96a86fdace8f6c130925d27116020e13

SHA1
6cff2ad46c6fd97a808ccb26212786cc57e8786b

SHA256
6bc3a2bc8e344d92fc0e1013b2d386cb01f1b69509385da544c3874d596c795d

SHA512
4232fb0288e92b8a79724261590e7b05d5758d7051c4b13ba35ad4fd9783117e02e308aa2c0b93de320c5b441e1a1a5b5372428ff9d51a3691f1afa93ecd5513

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
65da584df0657ab445eba39ff3bcba7a

SHA1
abbf8ec26af3e788d6ba09443316756dbbd84af4

SHA256
71156c04706f9fee57de276e1e10133e6bceee1a2db15f1d9895c6ca4a64f5e3

SHA512
47fffd7c2a925e75bd3911927674994fe7085a11531ee0a89213044db91b3777d53ea9093b4cda8253c5cfe04c4a736cec128306b0b26e691fb4c619a34d987a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
71c2c3d0ad4de0006c569ac17350c505

SHA1
ca475c2a7c37870d0f3505f7917b693dd30d8a7a

SHA256
642396fbb40b8c3f353cc7d87abc9408c769393ccbe12f1aad16d47899f3ec98

SHA512
608be3d343989c10aa25f49306c671c6a967005e87dc78147d38f00ba2c38f800244e8b8ff1dd6b5d37a733d8f5b5a32008e66c42a27c0554a3a28212a56263d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
65da584df0657ab445eba39ff3bcba7a

SHA1
abbf8ec26af3e788d6ba09443316756dbbd84af4

SHA256
71156c04706f9fee57de276e1e10133e6bceee1a2db15f1d9895c6ca4a64f5e3

SHA512
47fffd7c2a925e75bd3911927674994fe7085a11531ee0a89213044db91b3777d53ea9093b4cda8253c5cfe04c4a736cec128306b0b26e691fb4c619a34d987a

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5
ce171e0a1a242feebb1ea67a852fe6cd

SHA1
25c0ae74d178e052aac7a4f49f26bf1c65e410ce

SHA256
6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92

SHA512
8d38df569af8da74c3c6c94fee7449860472d81d100668774cc0e375cecb9972772d90c0e3c8fc1cf929d0cfb5ef0b961c5440aed4be952c0742f74ac78289cb

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5
ce171e0a1a242feebb1ea67a852fe6cd

SHA1
25c0ae74d178e052aac7a4f49f26bf1c65e410ce

SHA256
6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92

SHA512
8d38df569af8da74c3c6c94fee7449860472d81d100668774cc0e375cecb9972772d90c0e3c8fc1cf929d0cfb5ef0b961c5440aed4be952c0742f74ac78289cb

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5
ce171e0a1a242feebb1ea67a852fe6cd

SHA1
25c0ae74d178e052aac7a4f49f26bf1c65e410ce

SHA256
6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92

SHA512
8d38df569af8da74c3c6c94fee7449860472d81d100668774cc0e375cecb9972772d90c0e3c8fc1cf929d0cfb5ef0b961c5440aed4be952c0742f74ac78289cb

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5
ce171e0a1a242feebb1ea67a852fe6cd

SHA1
25c0ae74d178e052aac7a4f49f26bf1c65e410ce

SHA256
6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92

SHA512
8d38df569af8da74c3c6c94fee7449860472d81d100668774cc0e375cecb9972772d90c0e3c8fc1cf929d0cfb5ef0b961c5440aed4be952c0742f74ac78289cb

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5
ce171e0a1a242feebb1ea67a852fe6cd

SHA1
25c0ae74d178e052aac7a4f49f26bf1c65e410ce

SHA256
6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92

SHA512
8d38df569af8da74c3c6c94fee7449860472d81d100668774cc0e375cecb9972772d90c0e3c8fc1cf929d0cfb5ef0b961c5440aed4be952c0742f74ac78289cb

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5
ce171e0a1a242feebb1ea67a852fe6cd

SHA1
25c0ae74d178e052aac7a4f49f26bf1c65e410ce

SHA256
6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92

SHA512
8d38df569af8da74c3c6c94fee7449860472d81d100668774cc0e375cecb9972772d90c0e3c8fc1cf929d0cfb5ef0b961c5440aed4be952c0742f74ac78289cb

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5
ce171e0a1a242feebb1ea67a852fe6cd

SHA1
25c0ae74d178e052aac7a4f49f26bf1c65e410ce

SHA256
6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92

SHA512
8d38df569af8da74c3c6c94fee7449860472d81d100668774cc0e375cecb9972772d90c0e3c8fc1cf929d0cfb5ef0b961c5440aed4be952c0742f74ac78289cb

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5
ce171e0a1a242feebb1ea67a852fe6cd

SHA1
25c0ae74d178e052aac7a4f49f26bf1c65e410ce

SHA256
6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92

SHA512
8d38df569af8da74c3c6c94fee7449860472d81d100668774cc0e375cecb9972772d90c0e3c8fc1cf929d0cfb5ef0b961c5440aed4be952c0742f74ac78289cb

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5
ce171e0a1a242feebb1ea67a852fe6cd

SHA1
25c0ae74d178e052aac7a4f49f26bf1c65e410ce

SHA256
6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92

SHA512
8d38df569af8da74c3c6c94fee7449860472d81d100668774cc0e375cecb9972772d90c0e3c8fc1cf929d0cfb5ef0b961c5440aed4be952c0742f74ac78289cb

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5
ce171e0a1a242feebb1ea67a852fe6cd

SHA1
25c0ae74d178e052aac7a4f49f26bf1c65e410ce

SHA256
6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92

SHA512
8d38df569af8da74c3c6c94fee7449860472d81d100668774cc0e375cecb9972772d90c0e3c8fc1cf929d0cfb5ef0b961c5440aed4be952c0742f74ac78289cb

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5
ce171e0a1a242feebb1ea67a852fe6cd

SHA1
25c0ae74d178e052aac7a4f49f26bf1c65e410ce

SHA256
6342882a032f216c051f670a0ea1fd484e894686f9fd48f18fa10e58b3ba8a92

SHA512
8d38df569af8da74c3c6c94fee7449860472d81d100668774cc0e375cecb9972772d90c0e3c8fc1cf929d0cfb5ef0b961c5440aed4be952c0742f74ac78289cb

Download Submit
memory/360-111-0x0000000000000000-mapping.dmp

Download
memory/856-86-0x000000006E0A0000-0x000000006E64B000-memory.dmp

Filesize
5.7MB

Download
memory/856-80-0x0000000000000000-mapping.dmp

Download
memory/896-107-0x0000000000000000-mapping.dmp

Download
memory/916-110-0x0000000000000000-mapping.dmp

Download
memory/948-116-0x000000006DC20000-0x000000006E1CB000-memory.dmp

Filesize
5.7MB

Download
memory/948-113-0x0000000000000000-mapping.dmp

Download
memory/988-108-0x0000000000000000-mapping.dmp

Download
memory/1000-71-0x0000000000000000-mapping.dmp

Download
memory/1048-54-0x0000000000EE0000-0x0000000000F8C000-memory.dmp

Filesize
688KB

Download
memory/1048-55-0x0000000000DB0000-0x0000000000E50000-memory.dmp

Filesize
640KB

Download
memory/1272-78-0x00000000011B0000-0x000000000125C000-memory.dmp

Filesize
688KB

Download
memory/1272-74-0x0000000000000000-mapping.dmp

Download
memory/1300-63-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1300-61-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1300-70-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1300-60-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1300-64-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1300-65-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1300-66-0x0000000000486C4E-mapping.dmp

Download
memory/1300-68-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1436-112-0x0000000000000000-mapping.dmp

Download
memory/1608-123-0x0000000000486C4E-mapping.dmp

Download
memory/1684-99-0x0000000000000000-mapping.dmp

Download
memory/1712-56-0x0000000000000000-mapping.dmp

Download
memory/1712-57-0x00000000749A1000-0x00000000749A3000-memory.dmp

Filesize
8KB

Download
memory/1712-58-0x000000006EC00000-0x000000006F1AB000-memory.dmp

Filesize
5.7MB

Download
memory/1712-59-0x0000000002350000-0x0000000002F9A000-memory.dmp

Filesize
12.3MB

Download
memory/1732-94-0x0000000000486C4E-mapping.dmp

Download
memory/1752-106-0x0000000000000000-mapping.dmp

Download
memory/1976-85-0x000000006E0A0000-0x000000006E64B000-memory.dmp

Filesize
5.7MB

Download
memory/1976-77-0x0000000000000000-mapping.dmp

Download
memory/1980-127-0x0000000000000000-mapping.dmp

Download