quasar | d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726

Analysis

max time kernel
151s
max time network
130s
platform
windows7_x64
resource
win7-20220414-en
submitted
03-05-2022 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
Size

664KB
MD5

1f2f26a299287d8353502a9133df4cf1
SHA1

ee40f71067f91d23841e2f2f2b178a153e0f4e07
SHA256

d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726
SHA512

135124918b26b6dffecf39953eacfaef9ab1e715423a1c1db6ca87fb79c2c38e7b068dcfc01cb70ecaf56af2f6f2b5a270b1e2eb0fcc9d3f4b48ae1a00846c97

Score

10^/10

quasar venomrat office04 evasion rat rootkit spyware stealer suricata trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

127.0.0.1:4782

karmina113.sytes.net:2222

karmina200.sytes.net:2222

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes

encryption_key
Utv1d8B5zhHYcWfy3OEQ
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 8 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/1016-59-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1016-60-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1016-61-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1016-62-0x0000000000486CBE-mapping.dmp	disable_win_def
behavioral1/memory/1016-64-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1016-66-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1808-82-0x0000000000486CBE-mapping.dmp	disable_win_def
behavioral1/memory/240-106-0x0000000000486CBE-mapping.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Quasar Payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1016-59-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1016-60-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1016-61-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1016-62-0x0000000000486CBE-mapping.dmp	family_quasar
behavioral1/memory/1016-64-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1016-66-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1808-82-0x0000000000486CBE-mapping.dmp	family_quasar
behavioral1/memory/240-106-0x0000000000486CBE-mapping.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata

Executes dropped EXE 2 IoCs

Processes:

Client.exeClient.exe

pid	Process
820	Client.exe
1808	Client.exe

Loads dropped DLL 2 IoCs

Processes:

d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exeClient.exe

pid	Process
1016	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
820	Client.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
1	ip-api.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exeClient.exed959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe

description	pid	Process	procid_target
PID 1948 set thread context of 1016	1948	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	27
PID 820 set thread context of 1808	820	Client.exe	34
PID 1688 set thread context of 240	1688	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	45

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
1704	schtasks.exe
1504	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
1720	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exed959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exed959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe

pid	Process
680	powershell.exe
1016	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
1016	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
1016	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
1016	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
1016	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
1016	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
1016	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
240	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exed959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exeClient.exepowershell.exeClient.exed959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exed959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe

description	pid	Process
Token: SeDebugPrivilege	1948	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
Token: SeDebugPrivilege	1016	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
Token: SeDebugPrivilege	820	Client.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	1808	Client.exe
Token: SeDebugPrivilege	1808	Client.exe
Token: SeDebugPrivilege	1688	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
Token: SeDebugPrivilege	240	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid	Process
1808	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exed959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exeClient.exeClient.execmd.execmd.exed959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe

description	pid	Process	procid_target
PID 1948 wrote to memory of 1016	1948	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	27
PID 1948 wrote to memory of 1016	1948	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	27
PID 1948 wrote to memory of 1016	1948	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	27
PID 1948 wrote to memory of 1016	1948	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	27
PID 1948 wrote to memory of 1016	1948	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	27
PID 1948 wrote to memory of 1016	1948	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	27
PID 1948 wrote to memory of 1016	1948	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	27
PID 1948 wrote to memory of 1016	1948	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	27
PID 1948 wrote to memory of 1016	1948	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	27
PID 1016 wrote to memory of 1704	1016	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	29
PID 1016 wrote to memory of 1704	1016	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	29
PID 1016 wrote to memory of 1704	1016	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	29
PID 1016 wrote to memory of 1704	1016	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	29
PID 1016 wrote to memory of 820	1016	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	31
PID 1016 wrote to memory of 820	1016	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	31
PID 1016 wrote to memory of 820	1016	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	31
PID 1016 wrote to memory of 820	1016	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	31
PID 1016 wrote to memory of 680	1016	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	32
PID 1016 wrote to memory of 680	1016	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	32
PID 1016 wrote to memory of 680	1016	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	32
PID 1016 wrote to memory of 680	1016	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	32
PID 820 wrote to memory of 1808	820	Client.exe	34
PID 820 wrote to memory of 1808	820	Client.exe	34
PID 820 wrote to memory of 1808	820	Client.exe	34
PID 820 wrote to memory of 1808	820	Client.exe	34
PID 820 wrote to memory of 1808	820	Client.exe	34
PID 820 wrote to memory of 1808	820	Client.exe	34
PID 820 wrote to memory of 1808	820	Client.exe	34
PID 820 wrote to memory of 1808	820	Client.exe	34
PID 820 wrote to memory of 1808	820	Client.exe	34
PID 1808 wrote to memory of 1504	1808	Client.exe	35
PID 1808 wrote to memory of 1504	1808	Client.exe	35
PID 1808 wrote to memory of 1504	1808	Client.exe	35
PID 1808 wrote to memory of 1504	1808	Client.exe	35
PID 1016 wrote to memory of 2012	1016	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	37
PID 1016 wrote to memory of 2012	1016	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	37
PID 1016 wrote to memory of 2012	1016	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	37
PID 1016 wrote to memory of 2012	1016	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	37
PID 2012 wrote to memory of 636	2012	cmd.exe	39
PID 2012 wrote to memory of 636	2012	cmd.exe	39
PID 2012 wrote to memory of 636	2012	cmd.exe	39
PID 2012 wrote to memory of 636	2012	cmd.exe	39
PID 1016 wrote to memory of 1616	1016	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	40
PID 1016 wrote to memory of 1616	1016	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	40
PID 1016 wrote to memory of 1616	1016	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	40
PID 1016 wrote to memory of 1616	1016	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	40
PID 1616 wrote to memory of 1948	1616	cmd.exe	42
PID 1616 wrote to memory of 1948	1616	cmd.exe	42
PID 1616 wrote to memory of 1948	1616	cmd.exe	42
PID 1616 wrote to memory of 1948	1616	cmd.exe	42
PID 1616 wrote to memory of 1720	1616	cmd.exe	43
PID 1616 wrote to memory of 1720	1616	cmd.exe	43
PID 1616 wrote to memory of 1720	1616	cmd.exe	43
PID 1616 wrote to memory of 1720	1616	cmd.exe	43
PID 1616 wrote to memory of 1688	1616	cmd.exe	44
PID 1616 wrote to memory of 1688	1616	cmd.exe	44
PID 1616 wrote to memory of 1688	1616	cmd.exe	44
PID 1616 wrote to memory of 1688	1616	cmd.exe	44
PID 1688 wrote to memory of 240	1688	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	45
PID 1688 wrote to memory of 240	1688	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	45
PID 1688 wrote to memory of 240	1688	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	45
PID 1688 wrote to memory of 240	1688	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	45
PID 1688 wrote to memory of 240	1688	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	45
PID 1688 wrote to memory of 240	1688	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	45

C:\Users\Admin\AppData\Local\Temp\d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
"C:\Users\Admin\AppData\Local\Temp\d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
  "C:\Users\Admin\AppData\Local\Temp\d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe"
  2⤵
  - Loads dropped DLL
  - Windows security modification
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1704
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:820
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1808
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:1504
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:680
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
      4⤵
      PID:636
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\NPybuUXcCCcQ.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:1948
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:1720
  - - C:\Users\Admin\AppData\Local\Temp\d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
      "C:\Users\Admin\AppData\Local\Temp\d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1688
    - - C:\Users\Admin\AppData\Local\Temp\d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NPybuUXcCCcQ.bat

Filesize
261B

MD5
38b8fa435e15dd8861eb190f677974c9

SHA1
5ef14d4c548d5fcfd1e894e5f374148826a0acb2

SHA256
a789bfcd8ff003a2cddf5d7127479e5fd20872abef6d4f40ecbeb94c2d26eaf6

SHA512
e763767316d1edcaf7fe5278b3182164f6bf3060db6e87240291f8b4d618feea22dba8e5ff55a9f9663c64da8bbf32d16c48945ed9f35be9f71217a5425ca4a1

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
664KB

MD5
1f2f26a299287d8353502a9133df4cf1

SHA1
ee40f71067f91d23841e2f2f2b178a153e0f4e07

SHA256
d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726

SHA512
135124918b26b6dffecf39953eacfaef9ab1e715423a1c1db6ca87fb79c2c38e7b068dcfc01cb70ecaf56af2f6f2b5a270b1e2eb0fcc9d3f4b48ae1a00846c97

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
664KB

MD5
1f2f26a299287d8353502a9133df4cf1

SHA1
ee40f71067f91d23841e2f2f2b178a153e0f4e07

SHA256
d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726

SHA512
135124918b26b6dffecf39953eacfaef9ab1e715423a1c1db6ca87fb79c2c38e7b068dcfc01cb70ecaf56af2f6f2b5a270b1e2eb0fcc9d3f4b48ae1a00846c97

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
664KB

MD5
1f2f26a299287d8353502a9133df4cf1

SHA1
ee40f71067f91d23841e2f2f2b178a153e0f4e07

SHA256
d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726

SHA512
135124918b26b6dffecf39953eacfaef9ab1e715423a1c1db6ca87fb79c2c38e7b068dcfc01cb70ecaf56af2f6f2b5a270b1e2eb0fcc9d3f4b48ae1a00846c97

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
664KB

MD5
1f2f26a299287d8353502a9133df4cf1

SHA1
ee40f71067f91d23841e2f2f2b178a153e0f4e07

SHA256
d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726

SHA512
135124918b26b6dffecf39953eacfaef9ab1e715423a1c1db6ca87fb79c2c38e7b068dcfc01cb70ecaf56af2f6f2b5a270b1e2eb0fcc9d3f4b48ae1a00846c97

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
664KB

MD5
1f2f26a299287d8353502a9133df4cf1

SHA1
ee40f71067f91d23841e2f2f2b178a153e0f4e07

SHA256
d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726

SHA512
135124918b26b6dffecf39953eacfaef9ab1e715423a1c1db6ca87fb79c2c38e7b068dcfc01cb70ecaf56af2f6f2b5a270b1e2eb0fcc9d3f4b48ae1a00846c97

Download Submit
memory/240-106-0x0000000000486CBE-mapping.dmp

Download
memory/636-93-0x0000000000000000-mapping.dmp

Download
memory/680-90-0x000000006F110000-0x000000006F6BB000-memory.dmp

Filesize
5.7MB

Download
memory/680-74-0x0000000000000000-mapping.dmp

Download
memory/820-73-0x0000000000C70000-0x0000000000D1C000-memory.dmp

Filesize
688KB

Download
memory/820-70-0x0000000000000000-mapping.dmp

Download
memory/1016-56-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1016-60-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1016-66-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1016-64-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1016-59-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1016-62-0x0000000000486CBE-mapping.dmp

Download
memory/1016-61-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1016-67-0x0000000075401000-0x0000000075403000-memory.dmp

Filesize
8KB

Download
memory/1016-57-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1504-91-0x0000000000000000-mapping.dmp

Download
memory/1616-94-0x0000000000000000-mapping.dmp

Download
memory/1688-98-0x0000000000000000-mapping.dmp

Download
memory/1688-99-0x0000000000120000-0x00000000001CC000-memory.dmp

Filesize
688KB

Download
memory/1704-68-0x0000000000000000-mapping.dmp

Download
memory/1720-97-0x0000000000000000-mapping.dmp

Download
memory/1808-82-0x0000000000486CBE-mapping.dmp

Download
memory/1948-55-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/1948-96-0x0000000000000000-mapping.dmp

Download
memory/1948-54-0x0000000000970000-0x0000000000A1C000-memory.dmp

Filesize
688KB

Download
memory/2012-92-0x0000000000000000-mapping.dmp

Download