quasar | bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d

Analysis

max time kernel
147s
max time network
154s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-04-2022 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe
Size

1.1MB
MD5

a7bb91d79310d34d7c94e897257b3b5f
SHA1

156ef770d35ffc4da767fe156a91af27ec2808bd
SHA256

bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d
SHA512

9a067c7d1382b6ab9869345d4f6d524f8ab3c0d862162ad5e48184a35b5dc8ebd9674dd8b81667b78b3e43895e9d97509d63d1642be15d35b390567a47f10284

Score

10^/10

quasar venomrat warzonerat wraith00hrs evasion infostealer persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Wraith00hrs

100.26.221.183:4782

Mutex

VNM_MUTEX_kv7tSTHxhbSWaYVuIh

Attributes

encryption_key
VyRhk9JpIqX4HHIRBxn8
install_name
windows chrome.exe
log_directory
Logs
reconnect_delay
3000
startup_key
chrome Startup
subdirectory
SubDir

Extracted

Family

warzonerat

100.26.221.183:5200

Signatures

Contains code to disable Windows Defender 11 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/files/0x0009000000008527-59.dat	disable_win_def
behavioral1/files/0x0009000000008527-60.dat	disable_win_def
behavioral1/files/0x0009000000008527-62.dat	disable_win_def
behavioral1/memory/1616-64-0x0000000000BF0000-0x0000000000C7C000-memory.dmp	disable_win_def
behavioral1/files/0x00080000000122d4-82.dat	disable_win_def
behavioral1/files/0x00080000000122d4-84.dat	disable_win_def
behavioral1/files/0x00080000000122d4-85.dat	disable_win_def
behavioral1/memory/1076-86-0x0000000000910000-0x000000000099C000-memory.dmp	disable_win_def
behavioral1/files/0x0009000000008527-98.dat	disable_win_def
behavioral1/files/0x0009000000008527-100.dat	disable_win_def
behavioral1/memory/964-101-0x0000000000C40000-0x0000000000CCC000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Quasar Payload 11 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0009000000008527-59.dat	family_quasar
behavioral1/files/0x0009000000008527-60.dat	family_quasar
behavioral1/files/0x0009000000008527-62.dat	family_quasar
behavioral1/memory/1616-64-0x0000000000BF0000-0x0000000000C7C000-memory.dmp	family_quasar
behavioral1/files/0x00080000000122d4-82.dat	family_quasar
behavioral1/files/0x00080000000122d4-84.dat	family_quasar
behavioral1/files/0x00080000000122d4-85.dat	family_quasar
behavioral1/memory/1076-86-0x0000000000910000-0x000000000099C000-memory.dmp	family_quasar
behavioral1/files/0x0009000000008527-98.dat	family_quasar
behavioral1/files/0x0009000000008527-100.dat	family_quasar
behavioral1/memory/964-101-0x0000000000C40000-0x0000000000CCC000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1316-70-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1316-71-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1316-73-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1316-74-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1316-75-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1316-76-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/1316-79-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1316-80-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 3 IoCs

Processes:

$77-Venom.exewindows chrome.exe$77-Venom.exe

pid	Process
1616	$77-Venom.exe
1076	windows chrome.exe
964	$77-Venom.exe

Loads dropped DLL 3 IoCs

Processes:

WScript.exe$77-Venom.execmd.exe

pid	Process
1704	WScript.exe
1616	$77-Venom.exe
912	cmd.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

$77-Venom.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	$77-Venom.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	$77-Venom.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe$77-Venom.exebf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\""	bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome Startup = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\$77-Venom.exe\""	$77-Venom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe"	bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
5	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe

description	pid	Process	procid_target
PID 868 set thread context of 1316	868	bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
1940	schtasks.exe
780	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

$77-Venom.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	$77-Venom.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	$77-Venom.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
428	PING.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exepowershell.exe$77-Venom.exe$77-Venom.exe

pid	Process
868	bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe
868	bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe
1816	powershell.exe
1616	$77-Venom.exe
1616	$77-Venom.exe
1616	$77-Venom.exe
1616	$77-Venom.exe
1616	$77-Venom.exe
1616	$77-Venom.exe
1616	$77-Venom.exe
964	$77-Venom.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe$77-Venom.exewindows chrome.exepowershell.exe$77-Venom.exe

description	pid	Process
Token: SeDebugPrivilege	868	bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe
Token: SeDebugPrivilege	1616	$77-Venom.exe
Token: SeDebugPrivilege	1076	windows chrome.exe
Token: SeDebugPrivilege	1076	windows chrome.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	964	$77-Venom.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

windows chrome.exe

pid	Process
1076	windows chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exeWScript.exe$77-Venom.exewindows chrome.execmd.execmd.exe

description	pid	Process	procid_target
PID 868 wrote to memory of 1704	868	bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe	28
PID 868 wrote to memory of 1704	868	bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe	28
PID 868 wrote to memory of 1704	868	bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe	28
PID 868 wrote to memory of 1704	868	bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe	28
PID 1704 wrote to memory of 1616	1704	WScript.exe	29
PID 1704 wrote to memory of 1616	1704	WScript.exe	29
PID 1704 wrote to memory of 1616	1704	WScript.exe	29
PID 1704 wrote to memory of 1616	1704	WScript.exe	29
PID 868 wrote to memory of 592	868	bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe	30
PID 868 wrote to memory of 592	868	bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe	30
PID 868 wrote to memory of 592	868	bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe	30
PID 868 wrote to memory of 592	868	bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe	30
PID 868 wrote to memory of 1316	868	bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe	31
PID 868 wrote to memory of 1316	868	bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe	31
PID 868 wrote to memory of 1316	868	bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe	31
PID 868 wrote to memory of 1316	868	bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe	31
PID 868 wrote to memory of 1316	868	bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe	31
PID 868 wrote to memory of 1316	868	bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe	31
PID 868 wrote to memory of 1316	868	bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe	31
PID 868 wrote to memory of 1316	868	bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe	31
PID 868 wrote to memory of 1316	868	bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe	31
PID 868 wrote to memory of 1316	868	bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe	31
PID 868 wrote to memory of 1316	868	bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe	31
PID 868 wrote to memory of 1316	868	bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe	31
PID 1616 wrote to memory of 1940	1616	$77-Venom.exe	33
PID 1616 wrote to memory of 1940	1616	$77-Venom.exe	33
PID 1616 wrote to memory of 1940	1616	$77-Venom.exe	33
PID 1616 wrote to memory of 1940	1616	$77-Venom.exe	33
PID 1616 wrote to memory of 1076	1616	$77-Venom.exe	35
PID 1616 wrote to memory of 1076	1616	$77-Venom.exe	35
PID 1616 wrote to memory of 1076	1616	$77-Venom.exe	35
PID 1616 wrote to memory of 1076	1616	$77-Venom.exe	35
PID 1616 wrote to memory of 1816	1616	$77-Venom.exe	36
PID 1616 wrote to memory of 1816	1616	$77-Venom.exe	36
PID 1616 wrote to memory of 1816	1616	$77-Venom.exe	36
PID 1616 wrote to memory of 1816	1616	$77-Venom.exe	36
PID 1076 wrote to memory of 780	1076	windows chrome.exe	38
PID 1076 wrote to memory of 780	1076	windows chrome.exe	38
PID 1076 wrote to memory of 780	1076	windows chrome.exe	38
PID 1076 wrote to memory of 780	1076	windows chrome.exe	38
PID 1616 wrote to memory of 1692	1616	$77-Venom.exe	40
PID 1616 wrote to memory of 1692	1616	$77-Venom.exe	40
PID 1616 wrote to memory of 1692	1616	$77-Venom.exe	40
PID 1616 wrote to memory of 1692	1616	$77-Venom.exe	40
PID 1692 wrote to memory of 1772	1692	cmd.exe	42
PID 1692 wrote to memory of 1772	1692	cmd.exe	42
PID 1692 wrote to memory of 1772	1692	cmd.exe	42
PID 1692 wrote to memory of 1772	1692	cmd.exe	42
PID 1616 wrote to memory of 912	1616	$77-Venom.exe	43
PID 1616 wrote to memory of 912	1616	$77-Venom.exe	43
PID 1616 wrote to memory of 912	1616	$77-Venom.exe	43
PID 1616 wrote to memory of 912	1616	$77-Venom.exe	43
PID 912 wrote to memory of 1688	912	cmd.exe	45
PID 912 wrote to memory of 1688	912	cmd.exe	45
PID 912 wrote to memory of 1688	912	cmd.exe	45
PID 912 wrote to memory of 1688	912	cmd.exe	45
PID 912 wrote to memory of 428	912	cmd.exe	46
PID 912 wrote to memory of 428	912	cmd.exe	46
PID 912 wrote to memory of 428	912	cmd.exe	46
PID 912 wrote to memory of 428	912	cmd.exe	46
PID 912 wrote to memory of 964	912	cmd.exe	47
PID 912 wrote to memory of 964	912	cmd.exe	47
PID 912 wrote to memory of 964	912	cmd.exe	47
PID 912 wrote to memory of 964	912	cmd.exe	47

C:\Users\Admin\AppData\Local\Temp\bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe
"C:\Users\Admin\AppData\Local\Temp\bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:868
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Cnlfayagwcnd.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe
    "C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Adds Run key to start application
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "chrome Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:1940
  - - C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1076
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "chrome Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:780
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1816
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
        5⤵
        
        PID:1772
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\5FeRNShmk94M.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:912
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1688
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:428
    - - C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:964
- C:\Users\Admin\AppData\Local\Temp\bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe
  "C:\Users\Admin\AppData\Local\Temp\bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe"
  2⤵
  PID:592
- C:\Users\Admin\AppData\Local\Temp\bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe
  "C:\Users\Admin\AppData\Local\Temp\bf9d1ce445841e9cc60347ec69a86ce1131695e93c50235022ed5964d428c15d.exe"
  2⤵
  - Adds Run key to start application
  PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe

Filesize
534KB

MD5
4ad1c7279f350bad69cec245674fbdbd

SHA1
af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

SHA256
9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

SHA512
740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe

Filesize
534KB

MD5
4ad1c7279f350bad69cec245674fbdbd

SHA1
af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

SHA256
9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

SHA512
740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe

Filesize
534KB

MD5
4ad1c7279f350bad69cec245674fbdbd

SHA1
af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

SHA256
9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

SHA512
740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\5FeRNShmk94M.bat

Filesize
206B

MD5
c3e238ff4f9787e9e7bfa1015d9a4a25

SHA1
bd629eece979a068f5fbd09ae2d0173ca26a2d37

SHA256
c0051a29642801f7208f7aa6726e6c6c0f1ba547342377d7e20a3892718acee5

SHA512
3523227d109995e19dffe41c0326b57eae5b368dfc1ac380de213eddfe214d9705c798b9fa68a05f2e0a3b1921005a0f69e8dd96082dbebbaad69c0efedf19b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cnlfayagwcnd.vbs

Filesize
97B

MD5
21cf56d4b0a76046820523108fb676e0

SHA1
9535221712c50c9a3fa7e06efe5e1efc016f715d

SHA256
2f931374cab0f3601d1698f4943f8e4f83cbfc3efb478bf518091ab23642dbc3

SHA512
5c2238aece0a82b63a541142dcee3527e3d1baad206d3fb7c3d226fd99c26c1c2d5d4113584be08118316fd5d78c3f7aca2f3d0e957c87f76b92615a24601cd5

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe

Filesize
534KB

MD5
4ad1c7279f350bad69cec245674fbdbd

SHA1
af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

SHA256
9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

SHA512
740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe

Filesize
534KB

MD5
4ad1c7279f350bad69cec245674fbdbd

SHA1
af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

SHA256
9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

SHA512
740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

Download Submit
\Users\Admin\AppData\Local\Temp\$77-Venom.exe

Filesize
534KB

MD5
4ad1c7279f350bad69cec245674fbdbd

SHA1
af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

SHA256
9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

SHA512
740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

Download Submit
\Users\Admin\AppData\Local\Temp\$77-Venom.exe

Filesize
534KB

MD5
4ad1c7279f350bad69cec245674fbdbd

SHA1
af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

SHA256
9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

SHA512
740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

Download Submit
\Users\Admin\AppData\Roaming\SubDir\windows chrome.exe

Filesize
534KB

MD5
4ad1c7279f350bad69cec245674fbdbd

SHA1
af9cb6ea681d09f9c535d5bd55a9adcf5c9bc7f2

SHA256
9505524dff86345befdf3ce0dba5a7a58abe57725badbe0aa19a16ac20579422

SHA512
740190c6aceab1a81c37455cf86ae87908f77feb1dcff042c90ade2baeae730fdd0ade9f3921b56df6f55e726e2fb284909c62a0862147f6e679b7aa51f79d86

Download Submit
memory/428-97-0x0000000000000000-mapping.dmp

Download
memory/780-89-0x0000000000000000-mapping.dmp

Download
memory/868-54-0x00000000012A0000-0x00000000013C6000-memory.dmp

Filesize
1.1MB

Download
memory/868-63-0x0000000000C20000-0x0000000000C3C000-memory.dmp

Filesize
112KB

Download
memory/868-55-0x0000000000C80000-0x0000000000D14000-memory.dmp

Filesize
592KB

Download
memory/912-94-0x0000000000000000-mapping.dmp

Download
memory/964-99-0x0000000000000000-mapping.dmp

Download
memory/964-101-0x0000000000C40000-0x0000000000CCC000-memory.dmp

Filesize
560KB

Download
memory/1076-86-0x0000000000910000-0x000000000099C000-memory.dmp

Filesize
560KB

Download
memory/1076-83-0x0000000000000000-mapping.dmp

Download
memory/1316-70-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1316-80-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1316-79-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1316-76-0x0000000000405CE2-mapping.dmp

Download
memory/1316-75-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1316-74-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1316-73-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1316-71-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1316-68-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1316-66-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1316-65-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1616-64-0x0000000000BF0000-0x0000000000C7C000-memory.dmp

Filesize
560KB

Download
memory/1616-61-0x0000000000000000-mapping.dmp

Download
memory/1688-96-0x0000000000000000-mapping.dmp

Download
memory/1692-92-0x0000000000000000-mapping.dmp

Download
memory/1704-58-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1704-56-0x0000000000000000-mapping.dmp

Download
memory/1772-93-0x0000000000000000-mapping.dmp

Download
memory/1816-91-0x0000000002522000-0x0000000002524000-memory.dmp

Filesize
8KB

Download
memory/1816-90-0x000000006F250000-0x000000006F7FB000-memory.dmp

Filesize
5.7MB

Download
memory/1816-87-0x0000000000000000-mapping.dmp

Download
memory/1940-81-0x0000000000000000-mapping.dmp

Download