quasar | 1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e

Analysis

max time kernel
136s
max time network
122s
platform
windows7_x64
resource
win7-20220414-en
submitted
18-04-2022 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
Size

655KB
MD5

cf12948c21f9411602f6ee1b2ea3eb7d
SHA1

e8bbf3f9f04e2c428775b7d5b8801b66bd87e8a9
SHA256

1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e
SHA512

3049fb6186c95bb9b03c0f6b70ce52c1b6e80b6d7162ca6655516dbd3ea58e9f621fd58460bb4bf0e6a9ef827cda1e4c890e94f3896d9aeedaed7c291c4d29ef

Score

10^/10

quasar venomrat windows security evasion persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows Security

vilvaraj-32652.portmap.io:32652

Mutex

VNM_MUTEX_px0s48GfhAUBhjVpWU

Attributes

encryption_key
yvDiKJ3lhd7v25pBa6mQ
install_name
Windows Security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 11 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/1540-72-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1540-73-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1540-75-0x0000000000486C7E-mapping.dmp	disable_win_def
behavioral1/memory/1540-74-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1540-77-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1540-79-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1944-120-0x0000000000486C7E-mapping.dmp	disable_win_def
behavioral1/memory/1944-122-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1944-124-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/940-153-0x0000000000486C7E-mapping.dmp	disable_win_def
behavioral1/memory/1624-195-0x0000000000486C7E-mapping.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Quasar Payload 11 IoCs

resource	yara_rule
behavioral1/memory/1540-72-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1540-73-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1540-75-0x0000000000486C7E-mapping.dmp	family_quasar
behavioral1/memory/1540-74-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1540-77-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1540-79-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1944-120-0x0000000000486C7E-mapping.dmp	family_quasar
behavioral1/memory/1944-122-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1944-124-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/940-153-0x0000000000486C7E-mapping.dmp	family_quasar
behavioral1/memory/1624-195-0x0000000000486C7E-mapping.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Executes dropped EXE 9 IoCs

pid	Process
1320	Windows Security.exe
584	Windows Security.exe
708	Windows Security.exe
112	Windows Security.exe
760	Windows Security.exe
1560	Windows Security.exe
760	Windows Security.exe
1436	Windows Security.exe
940	Windows Security.exe

Loads dropped DLL 6 IoCs

pid	Process
1540	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
1480	WerFault.exe
1480	WerFault.exe
1480	WerFault.exe
1480	WerFault.exe
1480	WerFault.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\FmDbHBLHnX = "C:\\Users\\Admin\\AppData\\Roaming\\GpBWBmwTZQ\\DeLFBwWiZH.exe"	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\HzJbNMFEqt = "C:\\Users\\Admin\\AppData\\Roaming\\sQNEWfeLDF\\GgRNMizXTP.exe"	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 2036 set thread context of 1896	2036	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	27
PID 1896 set thread context of 1540	1896	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	28
PID 860 set thread context of 2032	860	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	50
PID 2032 set thread context of 1944	2032	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	51
PID 760 set thread context of 1436	760	Windows Security.exe	57
PID 1436 set thread context of 940	1436	Windows Security.exe	58
PID 1884 set thread context of 1548	1884	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	74
PID 1548 set thread context of 1624	1548	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	75

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1480	940	WerFault.exe	58

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1848	schtasks.exe
1488	schtasks.exe
1664	schtasks.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2020	PING.EXE
1712	PING.EXE
1464	PING.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2036	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
1320	Windows Security.exe
1320	Windows Security.exe
1320	Windows Security.exe
1320	Windows Security.exe
1320	Windows Security.exe
1320	Windows Security.exe
1320	Windows Security.exe
1320	Windows Security.exe
1320	Windows Security.exe
1320	Windows Security.exe
1864	powershell.exe
1540	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
1540	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
1540	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
1540	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
1540	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
1540	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
1540	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
860	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
860	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
324	powershell.exe
1944	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
1944	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
1944	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
1944	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
1944	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
1944	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
1944	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
1624	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
Token: SeDebugPrivilege	1540	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
Token: SeDebugPrivilege	1320	Windows Security.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	860	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
Token: SeDebugPrivilege	1944	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
Token: SeDebugPrivilege	324	powershell.exe
Token: SeDebugPrivilege	940	Windows Security.exe
Token: SeDebugPrivilege	940	Windows Security.exe
Token: SeDebugPrivilege	1624	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
940	Windows Security.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1880	2036	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	26
PID 2036 wrote to memory of 1880	2036	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	26
PID 2036 wrote to memory of 1880	2036	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	26
PID 2036 wrote to memory of 1880	2036	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	26
PID 2036 wrote to memory of 1896	2036	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	27
PID 2036 wrote to memory of 1896	2036	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	27
PID 2036 wrote to memory of 1896	2036	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	27
PID 2036 wrote to memory of 1896	2036	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	27
PID 2036 wrote to memory of 1896	2036	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	27
PID 2036 wrote to memory of 1896	2036	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	27
PID 2036 wrote to memory of 1896	2036	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	27
PID 2036 wrote to memory of 1896	2036	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	27
PID 2036 wrote to memory of 1896	2036	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	27
PID 1896 wrote to memory of 1540	1896	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	28
PID 1896 wrote to memory of 1540	1896	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	28
PID 1896 wrote to memory of 1540	1896	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	28
PID 1896 wrote to memory of 1540	1896	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	28
PID 1896 wrote to memory of 1540	1896	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	28
PID 1896 wrote to memory of 1540	1896	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	28
PID 1896 wrote to memory of 1540	1896	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	28
PID 1896 wrote to memory of 1540	1896	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	28
PID 1896 wrote to memory of 1540	1896	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	28
PID 1540 wrote to memory of 1848	1540	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	30
PID 1540 wrote to memory of 1848	1540	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	30
PID 1540 wrote to memory of 1848	1540	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	30
PID 1540 wrote to memory of 1848	1540	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	30
PID 1540 wrote to memory of 1320	1540	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	32
PID 1540 wrote to memory of 1320	1540	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	32
PID 1540 wrote to memory of 1320	1540	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	32
PID 1540 wrote to memory of 1320	1540	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	32
PID 1540 wrote to memory of 1864	1540	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	33
PID 1540 wrote to memory of 1864	1540	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	33
PID 1540 wrote to memory of 1864	1540	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	33
PID 1540 wrote to memory of 1864	1540	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	33
PID 1320 wrote to memory of 584	1320	Windows Security.exe	35
PID 1320 wrote to memory of 584	1320	Windows Security.exe	35
PID 1320 wrote to memory of 584	1320	Windows Security.exe	35
PID 1320 wrote to memory of 584	1320	Windows Security.exe	35
PID 1320 wrote to memory of 708	1320	Windows Security.exe	36
PID 1320 wrote to memory of 708	1320	Windows Security.exe	36
PID 1320 wrote to memory of 708	1320	Windows Security.exe	36
PID 1320 wrote to memory of 708	1320	Windows Security.exe	36
PID 1320 wrote to memory of 112	1320	Windows Security.exe	37
PID 1320 wrote to memory of 112	1320	Windows Security.exe	37
PID 1320 wrote to memory of 112	1320	Windows Security.exe	37
PID 1320 wrote to memory of 112	1320	Windows Security.exe	37
PID 1320 wrote to memory of 760	1320	Windows Security.exe	38
PID 1320 wrote to memory of 760	1320	Windows Security.exe	38
PID 1320 wrote to memory of 760	1320	Windows Security.exe	38
PID 1320 wrote to memory of 760	1320	Windows Security.exe	38
PID 1320 wrote to memory of 1560	1320	Windows Security.exe	39
PID 1320 wrote to memory of 1560	1320	Windows Security.exe	39
PID 1320 wrote to memory of 1560	1320	Windows Security.exe	39
PID 1320 wrote to memory of 1560	1320	Windows Security.exe	39
PID 1540 wrote to memory of 944	1540	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	40
PID 1540 wrote to memory of 944	1540	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	40
PID 1540 wrote to memory of 944	1540	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	40
PID 1540 wrote to memory of 944	1540	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	40
PID 944 wrote to memory of 1960	944	cmd.exe	42
PID 944 wrote to memory of 1960	944	cmd.exe	42
PID 944 wrote to memory of 1960	944	cmd.exe	42
PID 944 wrote to memory of 1960	944	cmd.exe	42
PID 1540 wrote to memory of 1288	1540	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	43
PID 1540 wrote to memory of 1288	1540	1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe	43

C:\Users\Admin\AppData\Local\Temp\1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
"C:\Users\Admin\AppData\Local\Temp\1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
  "C:\Users\Admin\AppData\Local\Temp\1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe"
  2⤵
  PID:1880
- C:\Users\Admin\AppData\Local\Temp\1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
  "C:\Users\Admin\AppData\Local\Temp\1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Users\Admin\AppData\Local\Temp\1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
    "C:\Users\Admin\AppData\Local\Temp\1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe"
    3⤵
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Windows Security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:1848
  - - C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1320
    - - C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe"
        5⤵
        Executes dropped EXE
        
        PID:584
    - - C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe"
        5⤵
        Executes dropped EXE
        
        PID:708
    - - C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe"
        5⤵
        Executes dropped EXE
        
        PID:112
    - - C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe"
        5⤵
        Executes dropped EXE
        
        PID:760
    - - C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe"
        5⤵
        Executes dropped EXE
        
        PID:1560
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1864
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:944
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
        5⤵
        
        PID:1960
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ws67TbQJAf9F.bat" "
      4⤵
      PID:1288
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1592
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:2020
    - - C:\Users\Admin\AppData\Local\Temp\1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
      - C:\Users\Admin\AppData\Local\Temp\1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe"
        6⤵
        
        PID:1600
      - C:\Users\Admin\AppData\Local\Temp\1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe"
        6⤵
        
        PID:1624
      - C:\Users\Admin\AppData\Local\Temp\1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe"
        7⤵
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:1488
        
        C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:760
        
        C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1436
        
        C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:940
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe" /rl HIGHEST /f
        11⤵
        Creates scheduled task(s)
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WXzdtJn75j2e.bat" "
        11⤵
        
        PID:320
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        
        PID:268
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        Runs ping.exe
        
        PID:1712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 1492
        11⤵
        Loads dropped DLL
        Program crash
        
        PID:1480
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        8⤵
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
        9⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\x8R5PD5yBibG.bat" "
        8⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:580
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe"
        9⤵
        Suspicious use of SetThreadContext
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe"
        10⤵
        Suspicious use of SetThreadContext
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e.exe"
        11⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WXzdtJn75j2e.bat

Filesize
217B

MD5
a1f2ee7db0e866e4cbd52f97e093cede

SHA1
261b17aad22a7e746d80b0550c30f216606b6f1a

SHA256
680ed8ab72efefd364adda94ec2e6e8982d5c035f8edda32a2860dfc2411156f

SHA512
f91f828127014e8a992e809de6ee8b2c1bb817b0b1c4250fe28d19652e2015f20bff43c9dc50d1678735a20023d661d9c8126a1a080a76c46cf8fdd19cf3271e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ws67TbQJAf9F.bat

Filesize
261B

MD5
cc020cf8f0ab1c39c37df63112fe5421

SHA1
26ae0aa5e1455a37249ec85a916b9d9d6a42cb44

SHA256
0446d291b6f11e3a770e7adff3e4dedbdc03e85629e16f2a611f4e94bb8e6ebb

SHA512
9ad99bd3903256658d20edb38d7be5f45ad904d3188a5fb376d628043c4e99a5cb43b31cf10ec5f77bc8623f879b474c4909f35dc63b8334edec3b8eefc7373e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x8R5PD5yBibG.bat

Filesize
261B

MD5
fee8cfdfcc8476f02c1fd537b6300ffd

SHA1
7989447967cd4c4be0740cd635fd3245bbdc1667

SHA256
f91885153744ac9ec426648700d217e6fbc16652e96b3d23e1c79139e841a7e5

SHA512
0a238d2eb5b18d1fc7f509246d9f35ffa5911e0c5e7b758f071ae311a0d8df5c8dc9cacd9432ddcdda65688d0dfb88b8ec5bf98afc9cc0f5ec5a955d29a1ad9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
fc8100e8ab7cb68a2238f79f65ac521d

SHA1
c33ed5e85ad457b13ec3eca155ae70dab4d8459c

SHA256
fb10bde5638badeddb3b1b247d5b13cd09c571a3d7ff0dccc5616b97fda90765

SHA512
2bf9aa8a8e5e601ccf98dc3954a28490811ec03a82356716adcf9cfb06aaa952a6cfc84f4ad09e28ecdce97a68a20365585274c6c0982a9812ab34f55ebd1f4e

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe

Filesize
655KB

MD5
cf12948c21f9411602f6ee1b2ea3eb7d

SHA1
e8bbf3f9f04e2c428775b7d5b8801b66bd87e8a9

SHA256
1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e

SHA512
3049fb6186c95bb9b03c0f6b70ce52c1b6e80b6d7162ca6655516dbd3ea58e9f621fd58460bb4bf0e6a9ef827cda1e4c890e94f3896d9aeedaed7c291c4d29ef

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe

Filesize
655KB

MD5
cf12948c21f9411602f6ee1b2ea3eb7d

SHA1
e8bbf3f9f04e2c428775b7d5b8801b66bd87e8a9

SHA256
1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e

SHA512
3049fb6186c95bb9b03c0f6b70ce52c1b6e80b6d7162ca6655516dbd3ea58e9f621fd58460bb4bf0e6a9ef827cda1e4c890e94f3896d9aeedaed7c291c4d29ef

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe

Filesize
655KB

MD5
cf12948c21f9411602f6ee1b2ea3eb7d

SHA1
e8bbf3f9f04e2c428775b7d5b8801b66bd87e8a9

SHA256
1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e

SHA512
3049fb6186c95bb9b03c0f6b70ce52c1b6e80b6d7162ca6655516dbd3ea58e9f621fd58460bb4bf0e6a9ef827cda1e4c890e94f3896d9aeedaed7c291c4d29ef

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe

Filesize
655KB

MD5
cf12948c21f9411602f6ee1b2ea3eb7d

SHA1
e8bbf3f9f04e2c428775b7d5b8801b66bd87e8a9

SHA256
1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e

SHA512
3049fb6186c95bb9b03c0f6b70ce52c1b6e80b6d7162ca6655516dbd3ea58e9f621fd58460bb4bf0e6a9ef827cda1e4c890e94f3896d9aeedaed7c291c4d29ef

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe

Filesize
655KB

MD5
cf12948c21f9411602f6ee1b2ea3eb7d

SHA1
e8bbf3f9f04e2c428775b7d5b8801b66bd87e8a9

SHA256
1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e

SHA512
3049fb6186c95bb9b03c0f6b70ce52c1b6e80b6d7162ca6655516dbd3ea58e9f621fd58460bb4bf0e6a9ef827cda1e4c890e94f3896d9aeedaed7c291c4d29ef

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe

Filesize
655KB

MD5
cf12948c21f9411602f6ee1b2ea3eb7d

SHA1
e8bbf3f9f04e2c428775b7d5b8801b66bd87e8a9

SHA256
1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e

SHA512
3049fb6186c95bb9b03c0f6b70ce52c1b6e80b6d7162ca6655516dbd3ea58e9f621fd58460bb4bf0e6a9ef827cda1e4c890e94f3896d9aeedaed7c291c4d29ef

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe

Filesize
655KB

MD5
cf12948c21f9411602f6ee1b2ea3eb7d

SHA1
e8bbf3f9f04e2c428775b7d5b8801b66bd87e8a9

SHA256
1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e

SHA512
3049fb6186c95bb9b03c0f6b70ce52c1b6e80b6d7162ca6655516dbd3ea58e9f621fd58460bb4bf0e6a9ef827cda1e4c890e94f3896d9aeedaed7c291c4d29ef

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe

Filesize
655KB

MD5
cf12948c21f9411602f6ee1b2ea3eb7d

SHA1
e8bbf3f9f04e2c428775b7d5b8801b66bd87e8a9

SHA256
1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e

SHA512
3049fb6186c95bb9b03c0f6b70ce52c1b6e80b6d7162ca6655516dbd3ea58e9f621fd58460bb4bf0e6a9ef827cda1e4c890e94f3896d9aeedaed7c291c4d29ef

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe

Filesize
655KB

MD5
cf12948c21f9411602f6ee1b2ea3eb7d

SHA1
e8bbf3f9f04e2c428775b7d5b8801b66bd87e8a9

SHA256
1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e

SHA512
3049fb6186c95bb9b03c0f6b70ce52c1b6e80b6d7162ca6655516dbd3ea58e9f621fd58460bb4bf0e6a9ef827cda1e4c890e94f3896d9aeedaed7c291c4d29ef

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe

Filesize
655KB

MD5
cf12948c21f9411602f6ee1b2ea3eb7d

SHA1
e8bbf3f9f04e2c428775b7d5b8801b66bd87e8a9

SHA256
1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e

SHA512
3049fb6186c95bb9b03c0f6b70ce52c1b6e80b6d7162ca6655516dbd3ea58e9f621fd58460bb4bf0e6a9ef827cda1e4c890e94f3896d9aeedaed7c291c4d29ef

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe

Filesize
655KB

MD5
cf12948c21f9411602f6ee1b2ea3eb7d

SHA1
e8bbf3f9f04e2c428775b7d5b8801b66bd87e8a9

SHA256
1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e

SHA512
3049fb6186c95bb9b03c0f6b70ce52c1b6e80b6d7162ca6655516dbd3ea58e9f621fd58460bb4bf0e6a9ef827cda1e4c890e94f3896d9aeedaed7c291c4d29ef

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe

Filesize
655KB

MD5
cf12948c21f9411602f6ee1b2ea3eb7d

SHA1
e8bbf3f9f04e2c428775b7d5b8801b66bd87e8a9

SHA256
1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e

SHA512
3049fb6186c95bb9b03c0f6b70ce52c1b6e80b6d7162ca6655516dbd3ea58e9f621fd58460bb4bf0e6a9ef827cda1e4c890e94f3896d9aeedaed7c291c4d29ef

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe

Filesize
655KB

MD5
cf12948c21f9411602f6ee1b2ea3eb7d

SHA1
e8bbf3f9f04e2c428775b7d5b8801b66bd87e8a9

SHA256
1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e

SHA512
3049fb6186c95bb9b03c0f6b70ce52c1b6e80b6d7162ca6655516dbd3ea58e9f621fd58460bb4bf0e6a9ef827cda1e4c890e94f3896d9aeedaed7c291c4d29ef

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe

Filesize
655KB

MD5
cf12948c21f9411602f6ee1b2ea3eb7d

SHA1
e8bbf3f9f04e2c428775b7d5b8801b66bd87e8a9

SHA256
1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e

SHA512
3049fb6186c95bb9b03c0f6b70ce52c1b6e80b6d7162ca6655516dbd3ea58e9f621fd58460bb4bf0e6a9ef827cda1e4c890e94f3896d9aeedaed7c291c4d29ef

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe

Filesize
655KB

MD5
cf12948c21f9411602f6ee1b2ea3eb7d

SHA1
e8bbf3f9f04e2c428775b7d5b8801b66bd87e8a9

SHA256
1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e

SHA512
3049fb6186c95bb9b03c0f6b70ce52c1b6e80b6d7162ca6655516dbd3ea58e9f621fd58460bb4bf0e6a9ef827cda1e4c890e94f3896d9aeedaed7c291c4d29ef

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe

Filesize
655KB

MD5
cf12948c21f9411602f6ee1b2ea3eb7d

SHA1
e8bbf3f9f04e2c428775b7d5b8801b66bd87e8a9

SHA256
1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e

SHA512
3049fb6186c95bb9b03c0f6b70ce52c1b6e80b6d7162ca6655516dbd3ea58e9f621fd58460bb4bf0e6a9ef827cda1e4c890e94f3896d9aeedaed7c291c4d29ef

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe

Filesize
655KB

MD5
cf12948c21f9411602f6ee1b2ea3eb7d

SHA1
e8bbf3f9f04e2c428775b7d5b8801b66bd87e8a9

SHA256
1cbd590173371cacf94c493b7a603eaf43f301174e86ae49534f2879cd5dd57e

SHA512
3049fb6186c95bb9b03c0f6b70ce52c1b6e80b6d7162ca6655516dbd3ea58e9f621fd58460bb4bf0e6a9ef827cda1e4c890e94f3896d9aeedaed7c291c4d29ef

Download Submit
memory/324-152-0x000000006EC60000-0x000000006F20B000-memory.dmp

Filesize
5.7MB

Download
memory/760-131-0x0000000000BD0000-0x0000000000C7A000-memory.dmp

Filesize
680KB

Download
memory/860-102-0x0000000001230000-0x00000000012DA000-memory.dmp

Filesize
680KB

Download
memory/1320-87-0x0000000000390000-0x000000000043A000-memory.dmp

Filesize
680KB

Download
memory/1540-77-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1540-79-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1540-72-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1540-69-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1540-73-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1540-74-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1540-70-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1864-94-0x000000006F100000-0x000000006F6AB000-memory.dmp

Filesize
5.7MB

Download
memory/1896-62-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/1896-61-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/1896-67-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/1896-57-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/1896-58-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/1896-65-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/1896-60-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/1944-122-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1944-124-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2032-113-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2032-111-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2036-54-0x0000000001060000-0x000000000110A000-memory.dmp

Filesize
680KB

Download
memory/2036-56-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/2036-55-0x0000000075C01000-0x0000000075C03000-memory.dmp

Filesize
8KB

Download