quasar | f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12

Analysis

max time kernel
129s
max time network
123s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12.exe
Size

12.8MB
MD5

1c1cd3ee6e73a4e599c7c32bae300b05
SHA1

dd22b9c9531efdecd80d37b01254e96728ef26c3
SHA256

f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12
SHA512

484ab45694f4789a8f385dd6346c2711d8b79368760819065592163f763a8724c91993fbc0bfbf58ce0c1d0f7d9132f9b59a99645790e4e68ece6650b99cd037
SSDEEP

393216:IY/d0T2My8oDotr3LItcM4epPOgmYQbml1ay:IYeqvE1Sd/WmSy

Score

10^/10

quasar venomrat greedens evasion persistence rat rootkit spyware stealer themida trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

greedens

127.0.0.1:4782

Mutex

VNM_MUTEX_7DOOh0yZCLxX4Y4Ltu

Attributes

encryption_key
ZSBFYPSY9jJS688RgNV6
install_name
$77setup.exe
log_directory
gameboard
reconnect_delay
3000
startup_key
drivers
subdirectory
$77

Signatures

Contains code to disable Windows Defender 9 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/1796-68-0x0000000000E80000-0x0000000002F4A000-memory.dmp	disable_win_def
behavioral1/memory/1796-69-0x0000000000E80000-0x0000000002F4A000-memory.dmp	disable_win_def
behavioral1/memory/2028-85-0x0000000000B40000-0x0000000002C0A000-memory.dmp	disable_win_def
behavioral1/memory/2028-86-0x0000000000B40000-0x0000000002C0A000-memory.dmp	disable_win_def
behavioral1/memory/856-111-0x0000000000B40000-0x0000000002C0A000-memory.dmp	disable_win_def
behavioral1/memory/856-112-0x0000000000B40000-0x0000000002C0A000-memory.dmp	disable_win_def
behavioral1/memory/1796-122-0x0000000000E80000-0x0000000002F4A000-memory.dmp	disable_win_def
behavioral1/memory/1164-132-0x0000000000E80000-0x0000000002F4A000-memory.dmp	disable_win_def
behavioral1/memory/1164-133-0x0000000000E80000-0x0000000002F4A000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

photo_protected.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	photo_protected.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	photo_protected.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	photo_protected.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	photo_protected.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1796-68-0x0000000000E80000-0x0000000002F4A000-memory.dmp	family_quasar
behavioral1/memory/1796-69-0x0000000000E80000-0x0000000002F4A000-memory.dmp	family_quasar
behavioral1/memory/2028-85-0x0000000000B40000-0x0000000002C0A000-memory.dmp	family_quasar
behavioral1/memory/2028-86-0x0000000000B40000-0x0000000002C0A000-memory.dmp	family_quasar
behavioral1/memory/856-111-0x0000000000B40000-0x0000000002C0A000-memory.dmp	family_quasar
behavioral1/memory/856-112-0x0000000000B40000-0x0000000002C0A000-memory.dmp	family_quasar
behavioral1/memory/1796-122-0x0000000000E80000-0x0000000002F4A000-memory.dmp	family_quasar
behavioral1/memory/1164-132-0x0000000000E80000-0x0000000002F4A000-memory.dmp	family_quasar
behavioral1/memory/1164-133-0x0000000000E80000-0x0000000002F4A000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

photo_protected.exe$77setup.exe$77setup.exephoto_protected.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	photo_protected.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	$77setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	$77setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	photo_protected.exe

Executes dropped EXE 4 IoCs

Processes:

photo_protected.exe$77setup.exe$77setup.exephoto_protected.exe

pid process

1796 photo_protected.exe
2028 $77setup.exe
856 $77setup.exe
1164 photo_protected.exe

pid	process
1796	photo_protected.exe
2028	$77setup.exe
856	$77setup.exe
1164	photo_protected.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

photo_protected.exe$77setup.exe$77setup.exephoto_protected.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	photo_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	photo_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	$77setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	$77setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	$77setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	$77setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	photo_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	photo_protected.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1504 cmd.exe

pid	process
1504	cmd.exe

Loads dropped DLL 12 IoCs

Processes:

f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12.exephoto_protected.exeWerFault.execmd.execmd.exe

pid	process
1192	f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12.exe
1192	f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12.exe
1192	f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12.exe
1192	f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12.exe
1796	photo_protected.exe
1228	WerFault.exe
1228	WerFault.exe
1228	WerFault.exe
1228	WerFault.exe
1228	WerFault.exe
1760	cmd.exe
108	cmd.exe

Themida packer 27 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\photo_protected.exe	themida
\Users\Admin\AppData\Local\Temp\photo_protected.exe	themida
\Users\Admin\AppData\Local\Temp\photo_protected.exe	themida
\Users\Admin\AppData\Local\Temp\photo_protected.exe	themida
C:\Users\Admin\AppData\Local\Temp\photo_protected.exe	themida
behavioral1/memory/1796-68-0x0000000000E80000-0x0000000002F4A000-memory.dmp	themida
behavioral1/memory/1796-69-0x0000000000E80000-0x0000000002F4A000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\photo_protected.exe	themida
\Windows\SysWOW64\$77\$77setup.exe	themida
C:\Windows\SysWOW64\$77\$77setup.exe	themida
behavioral1/memory/2028-85-0x0000000000B40000-0x0000000002C0A000-memory.dmp	themida
behavioral1/memory/2028-86-0x0000000000B40000-0x0000000002C0A000-memory.dmp	themida
C:\Windows\SysWOW64\$77\$77setup.exe	themida
\Windows\SysWOW64\$77\$77setup.exe	themida
\Windows\SysWOW64\$77\$77setup.exe	themida
\Windows\SysWOW64\$77\$77setup.exe	themida
\Windows\SysWOW64\$77\$77setup.exe	themida
\Windows\SysWOW64\$77\$77setup.exe	themida
C:\Windows\SysWOW64\$77\$77setup.exe	themida
\Windows\SysWOW64\$77\$77setup.exe	themida
behavioral1/memory/856-111-0x0000000000B40000-0x0000000002C0A000-memory.dmp	themida
behavioral1/memory/856-112-0x0000000000B40000-0x0000000002C0A000-memory.dmp	themida
behavioral1/memory/1796-122-0x0000000000E80000-0x0000000002F4A000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\photo_protected.exe	themida
\Users\Admin\AppData\Local\Temp\photo_protected.exe	themida
behavioral1/memory/1164-132-0x0000000000E80000-0x0000000002F4A000-memory.dmp	themida
behavioral1/memory/1164-133-0x0000000000E80000-0x0000000002F4A000-memory.dmp	themida

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

photo_protected.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	photo_protected.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	photo_protected.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

photo_protected.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\drivers = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\photo_protected.exe\""	photo_protected.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

$77setup.exephoto_protected.exephoto_protected.exe$77setup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	$77setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	photo_protected.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	photo_protected.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	$77setup.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com
1 ip-api.com

flow	ioc
3	ip-api.com
1	ip-api.com

Drops file in System32 directory 4 IoCs

Processes:

photo_protected.exe$77setup.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\$77\$77setup.exe	photo_protected.exe
File opened for modification	C:\Windows\SysWOW64\$77\$77setup.exe	$77setup.exe
File opened for modification	C:\Windows\SysWOW64\$77	$77setup.exe
File created	C:\Windows\SysWOW64\$77\r77-x64.dll	photo_protected.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

photo_protected.exe$77setup.exe$77setup.exephoto_protected.exe

pid process

1796 photo_protected.exe
2028 $77setup.exe
856 $77setup.exe
1164 photo_protected.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1228 2028 WerFault.exe $77setup.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1956 schtasks.exe
1116 schtasks.exe

pid	process
1796	photo_protected.exe
2028	$77setup.exe
856	$77setup.exe
1164	photo_protected.exe

pid	pid_target	process	target process
1228	2028	WerFault.exe	$77setup.exe

pid	process
1956	schtasks.exe
1116	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

photo_protected.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	photo_protected.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	photo_protected.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1476 PING.EXE
1512 PING.EXE

pid	process
1476	PING.EXE
1512	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exe$77setup.exephoto_protected.exephoto_protected.exe

pid	process
1784	powershell.exe
856	$77setup.exe
1796	photo_protected.exe
1796	photo_protected.exe
1796	photo_protected.exe
1796	photo_protected.exe
1796	photo_protected.exe
1796	photo_protected.exe
1796	photo_protected.exe
1164	photo_protected.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

photo_protected.exe$77setup.exepowershell.exe$77setup.exephoto_protected.exe

description	pid	process
Token: SeDebugPrivilege	1796	photo_protected.exe
Token: SeDebugPrivilege	2028	$77setup.exe
Token: SeDebugPrivilege	2028	$77setup.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	856	$77setup.exe
Token: SeDebugPrivilege	1164	photo_protected.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

780 DllHost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

$77setup.exe

pid process

2028 $77setup.exe

pid	process
780	DllHost.exe

pid	process
2028	$77setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12.exephoto_protected.exe$77setup.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1192 wrote to memory of 1796	1192	f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12.exe	photo_protected.exe
PID 1192 wrote to memory of 1796	1192	f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12.exe	photo_protected.exe
PID 1192 wrote to memory of 1796	1192	f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12.exe	photo_protected.exe
PID 1192 wrote to memory of 1796	1192	f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12.exe	photo_protected.exe
PID 1796 wrote to memory of 1956	1796	photo_protected.exe	schtasks.exe
PID 1796 wrote to memory of 1956	1796	photo_protected.exe	schtasks.exe
PID 1796 wrote to memory of 1956	1796	photo_protected.exe	schtasks.exe
PID 1796 wrote to memory of 1956	1796	photo_protected.exe	schtasks.exe
PID 1796 wrote to memory of 2028	1796	photo_protected.exe	$77setup.exe
PID 1796 wrote to memory of 2028	1796	photo_protected.exe	$77setup.exe
PID 1796 wrote to memory of 2028	1796	photo_protected.exe	$77setup.exe
PID 1796 wrote to memory of 2028	1796	photo_protected.exe	$77setup.exe
PID 1796 wrote to memory of 2028	1796	photo_protected.exe	$77setup.exe
PID 1796 wrote to memory of 2028	1796	photo_protected.exe	$77setup.exe
PID 1796 wrote to memory of 2028	1796	photo_protected.exe	$77setup.exe
PID 1796 wrote to memory of 1784	1796	photo_protected.exe	powershell.exe
PID 1796 wrote to memory of 1784	1796	photo_protected.exe	powershell.exe
PID 1796 wrote to memory of 1784	1796	photo_protected.exe	powershell.exe
PID 1796 wrote to memory of 1784	1796	photo_protected.exe	powershell.exe
PID 2028 wrote to memory of 1116	2028	$77setup.exe	schtasks.exe
PID 2028 wrote to memory of 1116	2028	$77setup.exe	schtasks.exe
PID 2028 wrote to memory of 1116	2028	$77setup.exe	schtasks.exe
PID 2028 wrote to memory of 1116	2028	$77setup.exe	schtasks.exe
PID 2028 wrote to memory of 1760	2028	$77setup.exe	cmd.exe
PID 2028 wrote to memory of 1760	2028	$77setup.exe	cmd.exe
PID 2028 wrote to memory of 1760	2028	$77setup.exe	cmd.exe
PID 2028 wrote to memory of 1760	2028	$77setup.exe	cmd.exe
PID 1760 wrote to memory of 1564	1760	cmd.exe	chcp.com
PID 1760 wrote to memory of 1564	1760	cmd.exe	chcp.com
PID 1760 wrote to memory of 1564	1760	cmd.exe	chcp.com
PID 1760 wrote to memory of 1564	1760	cmd.exe	chcp.com
PID 2028 wrote to memory of 1228	2028	$77setup.exe	WerFault.exe
PID 2028 wrote to memory of 1228	2028	$77setup.exe	WerFault.exe
PID 2028 wrote to memory of 1228	2028	$77setup.exe	WerFault.exe
PID 2028 wrote to memory of 1228	2028	$77setup.exe	WerFault.exe
PID 1760 wrote to memory of 1476	1760	cmd.exe	PING.EXE
PID 1760 wrote to memory of 1476	1760	cmd.exe	PING.EXE
PID 1760 wrote to memory of 1476	1760	cmd.exe	PING.EXE
PID 1760 wrote to memory of 1476	1760	cmd.exe	PING.EXE
PID 1760 wrote to memory of 856	1760	cmd.exe	$77setup.exe
PID 1760 wrote to memory of 856	1760	cmd.exe	$77setup.exe
PID 1760 wrote to memory of 856	1760	cmd.exe	$77setup.exe
PID 1760 wrote to memory of 856	1760	cmd.exe	$77setup.exe
PID 1760 wrote to memory of 856	1760	cmd.exe	$77setup.exe
PID 1760 wrote to memory of 856	1760	cmd.exe	$77setup.exe
PID 1760 wrote to memory of 856	1760	cmd.exe	$77setup.exe
PID 1796 wrote to memory of 1496	1796	photo_protected.exe	cmd.exe
PID 1796 wrote to memory of 1496	1796	photo_protected.exe	cmd.exe
PID 1796 wrote to memory of 1496	1796	photo_protected.exe	cmd.exe
PID 1796 wrote to memory of 1496	1796	photo_protected.exe	cmd.exe
PID 1496 wrote to memory of 1504	1496	cmd.exe	cmd.exe
PID 1496 wrote to memory of 1504	1496	cmd.exe	cmd.exe
PID 1496 wrote to memory of 1504	1496	cmd.exe	cmd.exe
PID 1496 wrote to memory of 1504	1496	cmd.exe	cmd.exe
PID 1796 wrote to memory of 108	1796	photo_protected.exe	cmd.exe
PID 1796 wrote to memory of 108	1796	photo_protected.exe	cmd.exe
PID 1796 wrote to memory of 108	1796	photo_protected.exe	cmd.exe
PID 1796 wrote to memory of 108	1796	photo_protected.exe	cmd.exe
PID 108 wrote to memory of 1340	108	cmd.exe	chcp.com
PID 108 wrote to memory of 1340	108	cmd.exe	chcp.com
PID 108 wrote to memory of 1340	108	cmd.exe	chcp.com
PID 108 wrote to memory of 1340	108	cmd.exe	chcp.com
PID 108 wrote to memory of 1512	108	cmd.exe	PING.EXE
PID 108 wrote to memory of 1512	108	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12.exe
"C:\Users\Admin\AppData\Local\Temp\f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\photo_protected.exe
"C:\Users\Admin\AppData\Local\Temp\photo_protected.exe"
2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "drivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\photo_protected.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1956

C:\Windows\SysWOW64\$77\$77setup.exe
"C:\Windows\SysWOW64\$77\$77setup.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "drivers" /sc ONLOGON /tr "C:\Windows\SysWOW64\$77\$77setup.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:1116

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EI7T6uMiY2xs.bat" "
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:1564

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
5⤵
- Runs ping.exe
PID:1476

C:\Windows\SysWOW64\$77\$77setup.exe
"C:\Windows\SysWOW64\$77\$77setup.exe"
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 1400
4⤵
- Loads dropped DLL
- Program crash
PID:1228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
4⤵
- Deletes itself
PID:1504

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\se5DeOix93SI.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:108

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1340

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1512

C:\Users\Admin\AppData\Local\Temp\photo_protected.exe
"C:\Users\Admin\AppData\Local\Temp\photo_protected.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EI7T6uMiY2xs.bat
Filesize
195B

MD5
b060cfb63c9028463458ae5736d7d15a

SHA1
bb0ac5b1f1abd03aeea26c9fc260d5d9b84d187e

SHA256
a1f1881c992e3ac3a7eb50ff815a24f71111e674ff5bf856ab66016de0071802

SHA512
cd60dcb68aa94fd6890c13831cc428e40f358ebb625b3641a76766defac1075b4a98a7fe6d4769c204cd39172b92f6b1f0dbc91d583369bc8c3efd144faed800

Download Submit
C:\Users\Admin\AppData\Local\Temp\photo_2021-01-20_10-32-33.jpg
Filesize
15KB

MD5
4ed5be10b9b30e012b2b9ba0dae6cf8f

SHA1
675c76af77de29bc8edabfcff7161f3c5124aa26

SHA256
f7b9988a7419825092d7f6b01b99aa41e628023697b17850252705657ad42b41

SHA512
349e26ae4509ec2d606921d02d453137c27a4794223b8fdc5a4f6bae2dd0ae1776d83cc23deeeffc0ca0113917fb8e35eb00d0aecc3be5c59a2f0d36712a9dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\photo_protected.exe
Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
C:\Users\Admin\AppData\Local\Temp\photo_protected.exe
Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
C:\Users\Admin\AppData\Local\Temp\photo_protected.exe
Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
C:\Users\Admin\AppData\Local\Temp\se5DeOix93SI.bat
Filesize
212B

MD5
13607579969402d0db92cff4244374f8

SHA1
ffb0aea9aae52ff9605c160c0de51588a7d09d47

SHA256
7e04e9e2385ed56bf18c25b59a96145288797ea493444a28190cbe880a23c42f

SHA512
5d7b8f14996bf0b7f38749b1cc726ba50aad0afb91772edf0ef145b6657d083bb1f5fe668ceab39b0eb07e872901cd19f3fa81ad9034bc7ae97097c6477b854d

Download Submit
C:\Windows\SysWOW64\$77\$77setup.exe
Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
C:\Windows\SysWOW64\$77\$77setup.exe
Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
C:\Windows\SysWOW64\$77\$77setup.exe
Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
\Users\Admin\AppData\Local\Temp\photo_protected.exe
Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
\Users\Admin\AppData\Local\Temp\photo_protected.exe
Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
\Users\Admin\AppData\Local\Temp\photo_protected.exe
Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
\Users\Admin\AppData\Local\Temp\photo_protected.exe
Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
\Users\Admin\AppData\Local\Temp\photo_protected.exe
Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
\Windows\SysWOW64\$77\$77setup.exe
Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
\Windows\SysWOW64\$77\$77setup.exe
Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
\Windows\SysWOW64\$77\$77setup.exe
Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
\Windows\SysWOW64\$77\$77setup.exe
Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
\Windows\SysWOW64\$77\$77setup.exe
Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
\Windows\SysWOW64\$77\$77setup.exe
Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
\Windows\SysWOW64\$77\$77setup.exe
Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
memory/108-118-0x0000000000000000-mapping.dmp

Download
memory/856-111-0x0000000000B40000-0x0000000002C0A000-memory.dmp

Filesize
32.8MB

Download
memory/856-114-0x0000000077CF0000-0x0000000077E70000-memory.dmp

Filesize
1.5MB

Download
memory/856-104-0x0000000000000000-mapping.dmp

Download
memory/856-113-0x0000000077CF0000-0x0000000077E70000-memory.dmp

Filesize
1.5MB

Download
memory/856-112-0x0000000000B40000-0x0000000002C0A000-memory.dmp

Filesize
32.8MB

Download
memory/856-107-0x0000000000B40000-0x0000000002C0A000-memory.dmp

Filesize
32.8MB

Download
memory/1116-88-0x0000000000000000-mapping.dmp

Download
memory/1164-128-0x0000000000E80000-0x0000000002F4A000-memory.dmp

Filesize
32.8MB

Download
memory/1164-125-0x0000000000000000-mapping.dmp

Download
memory/1164-132-0x0000000000E80000-0x0000000002F4A000-memory.dmp

Filesize
32.8MB

Download
memory/1164-133-0x0000000000E80000-0x0000000002F4A000-memory.dmp

Filesize
32.8MB

Download
memory/1164-134-0x0000000077CF0000-0x0000000077E70000-memory.dmp

Filesize
1.5MB

Download
memory/1164-135-0x0000000077CF0000-0x0000000077E70000-memory.dmp

Filesize
1.5MB

Download
memory/1192-54-0x0000000076701000-0x0000000076703000-memory.dmp

Filesize
8KB

Download
memory/1228-94-0x0000000000000000-mapping.dmp

Download
memory/1340-120-0x0000000000000000-mapping.dmp

Download
memory/1476-95-0x0000000000000000-mapping.dmp

Download
memory/1496-116-0x0000000000000000-mapping.dmp

Download
memory/1504-117-0x0000000000000000-mapping.dmp

Download
memory/1512-121-0x0000000000000000-mapping.dmp

Download
memory/1564-93-0x0000000000000000-mapping.dmp

Download
memory/1760-91-0x0000000000000000-mapping.dmp

Download
memory/1784-78-0x0000000000000000-mapping.dmp

Download
memory/1784-102-0x000000006EEE0000-0x000000006F48B000-memory.dmp

Filesize
5.7MB

Download
memory/1784-90-0x000000006EEE0000-0x000000006F48B000-memory.dmp

Filesize
5.7MB

Download
memory/1784-115-0x000000006EEE0000-0x000000006F48B000-memory.dmp

Filesize
5.7MB

Download
memory/1796-74-0x0000000077CF0000-0x0000000077E70000-memory.dmp

Filesize
1.5MB

Download
memory/1796-73-0x0000000000E80000-0x0000000002F4A000-memory.dmp

Filesize
32.8MB

Download
memory/1796-60-0x0000000000000000-mapping.dmp

Download
memory/1796-63-0x0000000000E80000-0x0000000002F4A000-memory.dmp

Filesize
32.8MB

Download
memory/1796-67-0x0000000077CF0000-0x0000000077E70000-memory.dmp

Filesize
1.5MB

Download
memory/1796-68-0x0000000000E80000-0x0000000002F4A000-memory.dmp

Filesize
32.8MB

Download
memory/1796-122-0x0000000000E80000-0x0000000002F4A000-memory.dmp

Filesize
32.8MB

Download
memory/1796-123-0x0000000077CF0000-0x0000000077E70000-memory.dmp

Filesize
1.5MB

Download
memory/1796-69-0x0000000000E80000-0x0000000002F4A000-memory.dmp

Filesize
32.8MB

Download
memory/1956-72-0x0000000000000000-mapping.dmp

Download
memory/2028-85-0x0000000000B40000-0x0000000002C0A000-memory.dmp

Filesize
32.8MB

Download
memory/2028-101-0x0000000000B40000-0x0000000002C0A000-memory.dmp

Filesize
32.8MB

Download
memory/2028-87-0x0000000077CF0000-0x0000000077E70000-memory.dmp

Filesize
1.5MB

Download
memory/2028-76-0x0000000000000000-mapping.dmp

Download
memory/2028-86-0x0000000000B40000-0x0000000002C0A000-memory.dmp

Filesize
32.8MB

Download
memory/2028-82-0x0000000000B40000-0x0000000002C0A000-memory.dmp

Filesize
32.8MB

Download