quasar | a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20220414-en
submitted
03-05-2022 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe
Size

550KB
MD5

87288d8d050aa668f25388f9e12d56f6
SHA1

fcfb9d9d982e787fc32e60e4d5efe6a6c4f00acf
SHA256

a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8
SHA512

28e6a5f7b3d6cab605383f4f35badfbb963035d57fa2afc4ef704cd58522ded2bacea690fb13f0977ced2a0a232956db87a2dffb6118f7b3838f44980effc97a

Score

10^/10

quasar venomrat office04 evasion rat rootkit spyware stealer suricata trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

127.0.0.1:4782

karmina113.sytes.net:2222

karmina200.sytes.net:2222

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes

encryption_key
Utv1d8B5zhHYcWfy3OEQ
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 8 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/2044-59-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/2044-60-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/2044-61-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/2044-62-0x0000000000486CBE-mapping.dmp	disable_win_def
behavioral1/memory/2044-64-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/2044-66-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1076-83-0x0000000000486CBE-mapping.dmp	disable_win_def
behavioral1/memory/1968-105-0x0000000000486CBE-mapping.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Quasar Payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2044-59-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/2044-60-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/2044-61-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/2044-62-0x0000000000486CBE-mapping.dmp	family_quasar
behavioral1/memory/2044-64-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/2044-66-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1076-83-0x0000000000486CBE-mapping.dmp	family_quasar
behavioral1/memory/1968-105-0x0000000000486CBE-mapping.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata

Executes dropped EXE 2 IoCs

Processes:

Client.exeClient.exe

pid	Process
1096	Client.exe
1076	Client.exe

Loads dropped DLL 2 IoCs

Processes:

a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exeClient.exe

pid	Process
2044	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe
1096	Client.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
1	ip-api.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exeClient.exea5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe

description	pid	Process	procid_target
PID 1932 set thread context of 2044	1932	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	27
PID 1096 set thread context of 1076	1096	Client.exe	34
PID 1620 set thread context of 1968	1620	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	45

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
436	schtasks.exe
1652	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
604	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exea5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exea5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe

pid	Process
1688	powershell.exe
2044	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe
2044	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe
2044	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe
2044	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe
2044	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe
2044	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe
2044	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe
1968	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exepowershell.exeClient.exea5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe

description	pid	Process
Token: SeDebugPrivilege	2044	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1076	Client.exe
Token: SeDebugPrivilege	1076	Client.exe
Token: SeDebugPrivilege	1968	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid	Process
1076	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exea5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exeClient.exeClient.execmd.execmd.exea5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe

description	pid	Process	procid_target
PID 1932 wrote to memory of 2044	1932	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	27
PID 1932 wrote to memory of 2044	1932	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	27
PID 1932 wrote to memory of 2044	1932	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	27
PID 1932 wrote to memory of 2044	1932	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	27
PID 1932 wrote to memory of 2044	1932	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	27
PID 1932 wrote to memory of 2044	1932	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	27
PID 1932 wrote to memory of 2044	1932	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	27
PID 1932 wrote to memory of 2044	1932	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	27
PID 1932 wrote to memory of 2044	1932	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	27
PID 2044 wrote to memory of 436	2044	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	29
PID 2044 wrote to memory of 436	2044	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	29
PID 2044 wrote to memory of 436	2044	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	29
PID 2044 wrote to memory of 436	2044	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	29
PID 2044 wrote to memory of 1096	2044	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	31
PID 2044 wrote to memory of 1096	2044	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	31
PID 2044 wrote to memory of 1096	2044	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	31
PID 2044 wrote to memory of 1096	2044	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	31
PID 2044 wrote to memory of 1688	2044	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	32
PID 2044 wrote to memory of 1688	2044	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	32
PID 2044 wrote to memory of 1688	2044	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	32
PID 2044 wrote to memory of 1688	2044	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	32
PID 1096 wrote to memory of 1076	1096	Client.exe	34
PID 1096 wrote to memory of 1076	1096	Client.exe	34
PID 1096 wrote to memory of 1076	1096	Client.exe	34
PID 1096 wrote to memory of 1076	1096	Client.exe	34
PID 1096 wrote to memory of 1076	1096	Client.exe	34
PID 1096 wrote to memory of 1076	1096	Client.exe	34
PID 1096 wrote to memory of 1076	1096	Client.exe	34
PID 1096 wrote to memory of 1076	1096	Client.exe	34
PID 1096 wrote to memory of 1076	1096	Client.exe	34
PID 1076 wrote to memory of 1652	1076	Client.exe	35
PID 1076 wrote to memory of 1652	1076	Client.exe	35
PID 1076 wrote to memory of 1652	1076	Client.exe	35
PID 1076 wrote to memory of 1652	1076	Client.exe	35
PID 2044 wrote to memory of 1136	2044	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	37
PID 2044 wrote to memory of 1136	2044	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	37
PID 2044 wrote to memory of 1136	2044	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	37
PID 2044 wrote to memory of 1136	2044	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	37
PID 1136 wrote to memory of 748	1136	cmd.exe	39
PID 1136 wrote to memory of 748	1136	cmd.exe	39
PID 1136 wrote to memory of 748	1136	cmd.exe	39
PID 1136 wrote to memory of 748	1136	cmd.exe	39
PID 2044 wrote to memory of 1692	2044	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	40
PID 2044 wrote to memory of 1692	2044	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	40
PID 2044 wrote to memory of 1692	2044	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	40
PID 2044 wrote to memory of 1692	2044	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	40
PID 1692 wrote to memory of 1144	1692	cmd.exe	42
PID 1692 wrote to memory of 1144	1692	cmd.exe	42
PID 1692 wrote to memory of 1144	1692	cmd.exe	42
PID 1692 wrote to memory of 1144	1692	cmd.exe	42
PID 1692 wrote to memory of 604	1692	cmd.exe	43
PID 1692 wrote to memory of 604	1692	cmd.exe	43
PID 1692 wrote to memory of 604	1692	cmd.exe	43
PID 1692 wrote to memory of 604	1692	cmd.exe	43
PID 1692 wrote to memory of 1620	1692	cmd.exe	44
PID 1692 wrote to memory of 1620	1692	cmd.exe	44
PID 1692 wrote to memory of 1620	1692	cmd.exe	44
PID 1692 wrote to memory of 1620	1692	cmd.exe	44
PID 1620 wrote to memory of 1968	1620	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	45
PID 1620 wrote to memory of 1968	1620	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	45
PID 1620 wrote to memory of 1968	1620	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	45
PID 1620 wrote to memory of 1968	1620	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	45
PID 1620 wrote to memory of 1968	1620	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	45
PID 1620 wrote to memory of 1968	1620	a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe	45

C:\Users\Admin\AppData\Local\Temp\a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe
"C:\Users\Admin\AppData\Local\Temp\a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Local\Temp\a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe
  "C:\Users\Admin\AppData\Local\Temp\a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe"
  2⤵
  - Loads dropped DLL
  - Windows security modification
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:436
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1076
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:1652
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
      4⤵
      PID:748
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZY9bqiOLWoY4.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:1144
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:604
  - - C:\Users\Admin\AppData\Local\Temp\a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe
      "C:\Users\Admin\AppData\Local\Temp\a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Users\Admin\AppData\Local\Temp\a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZY9bqiOLWoY4.bat

Filesize
261B

MD5
a09c9dddcb3d25f1da0ae2b591048de7

SHA1
f27b1c50dcad2cef0ff7f1d35deb02f692a2886c

SHA256
24c3b1bc2d5240fecc7887c835489e4a99ce4936971dba6b8319a1d006938ecd

SHA512
3880d3b58870e6b0e0a6d2e59cdab5d6860677afc0ecb40d65940ce3e10c78608c70d1fd9c776a5b93f5a78beda1328435761dc6803776f05d011f33b5139b9f

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
550KB

MD5
87288d8d050aa668f25388f9e12d56f6

SHA1
fcfb9d9d982e787fc32e60e4d5efe6a6c4f00acf

SHA256
a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8

SHA512
28e6a5f7b3d6cab605383f4f35badfbb963035d57fa2afc4ef704cd58522ded2bacea690fb13f0977ced2a0a232956db87a2dffb6118f7b3838f44980effc97a

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
550KB

MD5
87288d8d050aa668f25388f9e12d56f6

SHA1
fcfb9d9d982e787fc32e60e4d5efe6a6c4f00acf

SHA256
a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8

SHA512
28e6a5f7b3d6cab605383f4f35badfbb963035d57fa2afc4ef704cd58522ded2bacea690fb13f0977ced2a0a232956db87a2dffb6118f7b3838f44980effc97a

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
550KB

MD5
87288d8d050aa668f25388f9e12d56f6

SHA1
fcfb9d9d982e787fc32e60e4d5efe6a6c4f00acf

SHA256
a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8

SHA512
28e6a5f7b3d6cab605383f4f35badfbb963035d57fa2afc4ef704cd58522ded2bacea690fb13f0977ced2a0a232956db87a2dffb6118f7b3838f44980effc97a

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
550KB

MD5
87288d8d050aa668f25388f9e12d56f6

SHA1
fcfb9d9d982e787fc32e60e4d5efe6a6c4f00acf

SHA256
a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8

SHA512
28e6a5f7b3d6cab605383f4f35badfbb963035d57fa2afc4ef704cd58522ded2bacea690fb13f0977ced2a0a232956db87a2dffb6118f7b3838f44980effc97a

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
550KB

MD5
87288d8d050aa668f25388f9e12d56f6

SHA1
fcfb9d9d982e787fc32e60e4d5efe6a6c4f00acf

SHA256
a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8

SHA512
28e6a5f7b3d6cab605383f4f35badfbb963035d57fa2afc4ef704cd58522ded2bacea690fb13f0977ced2a0a232956db87a2dffb6118f7b3838f44980effc97a

Download Submit
memory/436-68-0x0000000000000000-mapping.dmp

Download
memory/604-97-0x0000000000000000-mapping.dmp

Download
memory/748-93-0x0000000000000000-mapping.dmp

Download
memory/1076-83-0x0000000000486CBE-mapping.dmp

Download
memory/1096-73-0x0000000000C40000-0x0000000000CD0000-memory.dmp

Filesize
576KB

Download
memory/1096-70-0x0000000000000000-mapping.dmp

Download
memory/1136-92-0x0000000000000000-mapping.dmp

Download
memory/1144-96-0x0000000000000000-mapping.dmp

Download
memory/1620-98-0x0000000000000000-mapping.dmp

Download
memory/1652-91-0x0000000000000000-mapping.dmp

Download
memory/1688-90-0x000000006E6A0000-0x000000006EC4B000-memory.dmp

Filesize
5.7MB

Download
memory/1688-74-0x0000000000000000-mapping.dmp

Download
memory/1692-94-0x0000000000000000-mapping.dmp

Download
memory/1932-55-0x0000000000800000-0x0000000000808000-memory.dmp

Filesize
32KB

Download
memory/1932-54-0x0000000000DA0000-0x0000000000E30000-memory.dmp

Filesize
576KB

Download
memory/1968-105-0x0000000000486CBE-mapping.dmp

Download
memory/2044-61-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2044-62-0x0000000000486CBE-mapping.dmp

Download
memory/2044-60-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2044-64-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2044-59-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2044-57-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2044-56-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2044-66-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2044-67-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download