quasar | 150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8

Analysis

max time kernel
148s
max time network
166s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-04-2022 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe
Size

1.2MB
MD5

a56950b911b53a07e64b1a2f87c2907c
SHA1

2d61afb037ac5ce044b5258b581b28badffae235
SHA256

150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8
SHA512

16a3417b212243bb8bb9814636f364971292a75cf2901d936141ddb7afa7ad63da52bcbfa429de7f867ac05fa71d7c7c34459d3e86243cecfeee46f34ccf0bcc

Score

10^/10

quasar venomrat warzonerat wraith00hrs evasion infostealer persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Wraith00hrs

100.26.221.183:4782

Mutex

VNM_MUTEX_kv7tSTHxhbSWaYVuIh

Attributes

encryption_key
VyRhk9JpIqX4HHIRBxn8
install_name
windows chrome.exe
log_directory
Logs
reconnect_delay
3000
startup_key
chrome Startup
subdirectory
SubDir

Extracted

Family

warzonerat

100.26.221.183:5200

Signatures

Contains code to disable Windows Defender 11 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x0009000000008527-61.dat	disable_win_def
behavioral1/files/0x0009000000008527-62.dat	disable_win_def
behavioral1/memory/1868-65-0x0000000001020000-0x00000000010AC000-memory.dmp	disable_win_def
behavioral1/files/0x0009000000008527-64.dat	disable_win_def
behavioral1/files/0x00080000000122c3-83.dat	disable_win_def
behavioral1/files/0x00080000000122c3-85.dat	disable_win_def
behavioral1/files/0x00080000000122c3-87.dat	disable_win_def
behavioral1/memory/1924-88-0x0000000001190000-0x000000000121C000-memory.dmp	disable_win_def
behavioral1/files/0x0009000000008527-99.dat	disable_win_def
behavioral1/files/0x0009000000008527-101.dat	disable_win_def
behavioral1/memory/524-102-0x0000000000160000-0x00000000001EC000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Quasar Payload 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000008527-61.dat	family_quasar
behavioral1/files/0x0009000000008527-62.dat	family_quasar
behavioral1/memory/1868-65-0x0000000001020000-0x00000000010AC000-memory.dmp	family_quasar
behavioral1/files/0x0009000000008527-64.dat	family_quasar
behavioral1/files/0x00080000000122c3-83.dat	family_quasar
behavioral1/files/0x00080000000122c3-85.dat	family_quasar
behavioral1/files/0x00080000000122c3-87.dat	family_quasar
behavioral1/memory/1924-88-0x0000000001190000-0x000000000121C000-memory.dmp	family_quasar
behavioral1/files/0x0009000000008527-99.dat	family_quasar
behavioral1/files/0x0009000000008527-101.dat	family_quasar
behavioral1/memory/524-102-0x0000000000160000-0x00000000001EC000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 8 IoCs

rat

resource	yara_rule
behavioral1/memory/1916-71-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1916-72-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1916-74-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1916-75-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1916-76-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1916-77-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/1916-80-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1916-81-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 3 IoCs

pid	Process
1868	CreativeCloudv.exe
1924	windows chrome.exe
524	CreativeCloudv.exe

Loads dropped DLL 3 IoCs

pid	Process
2000	WScript.exe
1868	CreativeCloudv.exe
1152	cmd.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	CreativeCloudv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	CreativeCloudv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome Startup = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\windows chrome.exe\""	windows chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\Users\\Admin\\AppData\\Local\\Temp\\150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe"	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 952 set thread context of 1916	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1088	schtasks.exe
1604	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	CreativeCloudv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	CreativeCloudv.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
936	PING.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe
952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe
952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe
952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe
952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe
952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe
952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe
952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe
952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe
952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe
1536	powershell.exe
1868	CreativeCloudv.exe
1868	CreativeCloudv.exe
1868	CreativeCloudv.exe
1868	CreativeCloudv.exe
1868	CreativeCloudv.exe
1868	CreativeCloudv.exe
1868	CreativeCloudv.exe
524	CreativeCloudv.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe
Token: SeDebugPrivilege	1868	CreativeCloudv.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	1924	windows chrome.exe
Token: SeDebugPrivilege	1924	windows chrome.exe
Token: SeDebugPrivilege	524	CreativeCloudv.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1924	windows chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 2000	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	28
PID 952 wrote to memory of 2000	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	28
PID 952 wrote to memory of 2000	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	28
PID 952 wrote to memory of 2000	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	28
PID 952 wrote to memory of 1308	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	29
PID 952 wrote to memory of 1308	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	29
PID 952 wrote to memory of 1308	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	29
PID 952 wrote to memory of 1308	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	29
PID 2000 wrote to memory of 1868	2000	WScript.exe	30
PID 2000 wrote to memory of 1868	2000	WScript.exe	30
PID 2000 wrote to memory of 1868	2000	WScript.exe	30
PID 2000 wrote to memory of 1868	2000	WScript.exe	30
PID 952 wrote to memory of 1960	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	31
PID 952 wrote to memory of 1960	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	31
PID 952 wrote to memory of 1960	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	31
PID 952 wrote to memory of 1960	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	31
PID 952 wrote to memory of 1796	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	32
PID 952 wrote to memory of 1796	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	32
PID 952 wrote to memory of 1796	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	32
PID 952 wrote to memory of 1796	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	32
PID 952 wrote to memory of 1920	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	33
PID 952 wrote to memory of 1920	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	33
PID 952 wrote to memory of 1920	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	33
PID 952 wrote to memory of 1920	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	33
PID 952 wrote to memory of 1264	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	34
PID 952 wrote to memory of 1264	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	34
PID 952 wrote to memory of 1264	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	34
PID 952 wrote to memory of 1264	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	34
PID 952 wrote to memory of 1916	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	35
PID 952 wrote to memory of 1916	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	35
PID 952 wrote to memory of 1916	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	35
PID 952 wrote to memory of 1916	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	35
PID 952 wrote to memory of 1916	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	35
PID 952 wrote to memory of 1916	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	35
PID 952 wrote to memory of 1916	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	35
PID 952 wrote to memory of 1916	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	35
PID 952 wrote to memory of 1916	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	35
PID 952 wrote to memory of 1916	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	35
PID 952 wrote to memory of 1916	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	35
PID 952 wrote to memory of 1916	952	150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe	35
PID 1868 wrote to memory of 1088	1868	CreativeCloudv.exe	37
PID 1868 wrote to memory of 1088	1868	CreativeCloudv.exe	37
PID 1868 wrote to memory of 1088	1868	CreativeCloudv.exe	37
PID 1868 wrote to memory of 1088	1868	CreativeCloudv.exe	37
PID 1868 wrote to memory of 1924	1868	CreativeCloudv.exe	39
PID 1868 wrote to memory of 1924	1868	CreativeCloudv.exe	39
PID 1868 wrote to memory of 1924	1868	CreativeCloudv.exe	39
PID 1868 wrote to memory of 1924	1868	CreativeCloudv.exe	39
PID 1868 wrote to memory of 1536	1868	CreativeCloudv.exe	40
PID 1868 wrote to memory of 1536	1868	CreativeCloudv.exe	40
PID 1868 wrote to memory of 1536	1868	CreativeCloudv.exe	40
PID 1868 wrote to memory of 1536	1868	CreativeCloudv.exe	40
PID 1924 wrote to memory of 1604	1924	windows chrome.exe	42
PID 1924 wrote to memory of 1604	1924	windows chrome.exe	42
PID 1924 wrote to memory of 1604	1924	windows chrome.exe	42
PID 1924 wrote to memory of 1604	1924	windows chrome.exe	42
PID 1868 wrote to memory of 2036	1868	CreativeCloudv.exe	44
PID 1868 wrote to memory of 2036	1868	CreativeCloudv.exe	44
PID 1868 wrote to memory of 2036	1868	CreativeCloudv.exe	44
PID 1868 wrote to memory of 2036	1868	CreativeCloudv.exe	44
PID 2036 wrote to memory of 1228	2036	cmd.exe	46
PID 2036 wrote to memory of 1228	2036	cmd.exe	46
PID 2036 wrote to memory of 1228	2036	cmd.exe	46
PID 2036 wrote to memory of 1228	2036	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe
"C:\Users\Admin\AppData\Local\Temp\150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:952
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ucjyesajhla.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Users\Admin\AppData\Local\Temp\CreativeCloudv.exe
    "C:\Users\Admin\AppData\Local\Temp\CreativeCloudv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "chrome Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\CreativeCloudv.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:1088
  - - C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1924
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "chrome Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:1604
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1536
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2036
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
        5⤵
        
        PID:1228
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\wZCZMKCqKHy2.bat" "
      4⤵
      Loads dropped DLL
      PID:1152
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:824
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:936
    - - C:\Users\Admin\AppData\Local\Temp\CreativeCloudv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CreativeCloudv.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:524
- C:\Users\Admin\AppData\Local\Temp\150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe
  "C:\Users\Admin\AppData\Local\Temp\150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe"
  2⤵
  PID:1308
- C:\Users\Admin\AppData\Local\Temp\150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe
  "C:\Users\Admin\AppData\Local\Temp\150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe"
  2⤵
  PID:1960
- C:\Users\Admin\AppData\Local\Temp\150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe
  "C:\Users\Admin\AppData\Local\Temp\150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe"
  2⤵
  PID:1796
- C:\Users\Admin\AppData\Local\Temp\150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe
  "C:\Users\Admin\AppData\Local\Temp\150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe"
  2⤵
  PID:1920
- C:\Users\Admin\AppData\Local\Temp\150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe
  "C:\Users\Admin\AppData\Local\Temp\150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe"
  2⤵
  PID:1264
- C:\Users\Admin\AppData\Local\Temp\150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe
  "C:\Users\Admin\AppData\Local\Temp\150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8.exe"
  2⤵
  - Adds Run key to start application
  PID:1916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CreativeCloudv.exe

Filesize
534KB

MD5
4ad1c7279f350bad69cec245674fbdbd

SHA1
af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

SHA256
9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

SHA512
740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\CreativeCloudv.exe

Filesize
534KB

MD5
4ad1c7279f350bad69cec245674fbdbd

SHA1
af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

SHA256
9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

SHA512
740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\CreativeCloudv.exe

Filesize
534KB

MD5
4ad1c7279f350bad69cec245674fbdbd

SHA1
af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

SHA256
9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

SHA512
740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ucjyesajhla.vbs

Filesize
102B

MD5
4e190d8967b1a3444f9415b850f7f1de

SHA1
ba0336117fd8f29d19befb740d702cb32b9458ec

SHA256
5968a1b0a70ee3af256dbbc94ea040822985a965b68fa5964037b25231a1151d

SHA512
5afbd7492274ec2abb6d6fae4bd5f97f684fe1f27e11f73e4548b16a93f50fddb889a0747e2171345ededa8674ee8c50508cb7db188ca30a468c590075f528e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wZCZMKCqKHy2.bat

Filesize
211B

MD5
f86ca844709005564774188aa73d75ca

SHA1
30752de5df992114c0d3fb19489ca115fe386184

SHA256
4e0dd6d60033e339bacb9e31d58091b70c04423dc81ff44b5608ce3440d2022c

SHA512
204889624e72f2c1f229eec3276f0a87646548a278bea0f0db9742d0c07eea141e4bda3a4dcebb00e7d687dcc35adbb7e237157d3a5290fcf5e5c083a2377ea7

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe

Filesize
534KB

MD5
4ad1c7279f350bad69cec245674fbdbd

SHA1
af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

SHA256
9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

SHA512
740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe

Filesize
534KB

MD5
4ad1c7279f350bad69cec245674fbdbd

SHA1
af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

SHA256
9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

SHA512
740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

Download Submit
\Users\Admin\AppData\Local\Temp\CreativeCloudv.exe

Filesize
534KB

MD5
4ad1c7279f350bad69cec245674fbdbd

SHA1
af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

SHA256
9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

SHA512
740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

Download Submit
\Users\Admin\AppData\Local\Temp\CreativeCloudv.exe

Filesize
534KB

MD5
4ad1c7279f350bad69cec245674fbdbd

SHA1
af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

SHA256
9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

SHA512
740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

Download Submit
\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe

Filesize
534KB

MD5
4ad1c7279f350bad69cec245674fbdbd

SHA1
af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

SHA256
9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

SHA512
740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

Download Submit
memory/524-102-0x0000000000160000-0x00000000001EC000-memory.dmp

Filesize
560KB

Download
memory/952-55-0x0000000000430000-0x0000000000436000-memory.dmp

Filesize
24KB

Download
memory/952-54-0x0000000000200000-0x0000000000334000-memory.dmp

Filesize
1.2MB

Download
memory/952-58-0x0000000000660000-0x000000000067C000-memory.dmp

Filesize
112KB

Download
memory/952-56-0x0000000000550000-0x00000000005E4000-memory.dmp

Filesize
592KB

Download
memory/1536-90-0x000000006EB70000-0x000000006F11B000-memory.dmp

Filesize
5.7MB

Download
memory/1536-92-0x0000000002272000-0x0000000002274000-memory.dmp

Filesize
8KB

Download
memory/1868-65-0x0000000001020000-0x00000000010AC000-memory.dmp

Filesize
560KB

Download
memory/1916-74-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1916-69-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1916-81-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1916-72-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1916-75-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1916-80-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1916-66-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1916-76-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1916-71-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1916-67-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1924-88-0x0000000001190000-0x000000000121C000-memory.dmp

Filesize
560KB

Download
memory/2000-60-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download