quasar | f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12

Analysis

max time kernel
129s
max time network
123s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12.exe
Size

12.8MB
MD5

1c1cd3ee6e73a4e599c7c32bae300b05
SHA1

dd22b9c9531efdecd80d37b01254e96728ef26c3
SHA256

f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12
SHA512

484ab45694f4789a8f385dd6346c2711d8b79368760819065592163f763a8724c91993fbc0bfbf58ce0c1d0f7d9132f9b59a99645790e4e68ece6650b99cd037
SSDEEP

393216:IY/d0T2My8oDotr3LItcM4epPOgmYQbml1ay:IYeqvE1Sd/WmSy

Score

10^/10

quasar venomrat greedens evasion persistence rat rootkit spyware stealer themida trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

greedens

127.0.0.1:4782

Mutex

VNM_MUTEX_7DOOh0yZCLxX4Y4Ltu

Attributes

encryption_key
ZSBFYPSY9jJS688RgNV6
install_name
$77setup.exe
log_directory
gameboard
reconnect_delay
3000
startup_key
drivers
subdirectory
$77

Signatures

Contains code to disable Windows Defender 9 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/1796-68-0x0000000000E80000-0x0000000002F4A000-memory.dmp	disable_win_def
behavioral1/memory/1796-69-0x0000000000E80000-0x0000000002F4A000-memory.dmp	disable_win_def
behavioral1/memory/2028-85-0x0000000000B40000-0x0000000002C0A000-memory.dmp	disable_win_def
behavioral1/memory/2028-86-0x0000000000B40000-0x0000000002C0A000-memory.dmp	disable_win_def
behavioral1/memory/856-111-0x0000000000B40000-0x0000000002C0A000-memory.dmp	disable_win_def
behavioral1/memory/856-112-0x0000000000B40000-0x0000000002C0A000-memory.dmp	disable_win_def
behavioral1/memory/1796-122-0x0000000000E80000-0x0000000002F4A000-memory.dmp	disable_win_def
behavioral1/memory/1164-132-0x0000000000E80000-0x0000000002F4A000-memory.dmp	disable_win_def
behavioral1/memory/1164-133-0x0000000000E80000-0x0000000002F4A000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

photo_protected.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	photo_protected.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	photo_protected.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	photo_protected.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	photo_protected.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1796-68-0x0000000000E80000-0x0000000002F4A000-memory.dmp	family_quasar
behavioral1/memory/1796-69-0x0000000000E80000-0x0000000002F4A000-memory.dmp	family_quasar
behavioral1/memory/2028-85-0x0000000000B40000-0x0000000002C0A000-memory.dmp	family_quasar
behavioral1/memory/2028-86-0x0000000000B40000-0x0000000002C0A000-memory.dmp	family_quasar
behavioral1/memory/856-111-0x0000000000B40000-0x0000000002C0A000-memory.dmp	family_quasar
behavioral1/memory/856-112-0x0000000000B40000-0x0000000002C0A000-memory.dmp	family_quasar
behavioral1/memory/1796-122-0x0000000000E80000-0x0000000002F4A000-memory.dmp	family_quasar
behavioral1/memory/1164-132-0x0000000000E80000-0x0000000002F4A000-memory.dmp	family_quasar
behavioral1/memory/1164-133-0x0000000000E80000-0x0000000002F4A000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

photo_protected.exe$77setup.exe$77setup.exephoto_protected.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	photo_protected.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	$77setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	$77setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	photo_protected.exe

Executes dropped EXE 4 IoCs

Processes:

photo_protected.exe$77setup.exe$77setup.exephoto_protected.exe

pid	Process
1796	photo_protected.exe
2028	$77setup.exe
856	$77setup.exe
1164	photo_protected.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

photo_protected.exe$77setup.exe$77setup.exephoto_protected.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	photo_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	photo_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	$77setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	$77setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	$77setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	$77setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	photo_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	photo_protected.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
1504	cmd.exe

Loads dropped DLL 12 IoCs

Processes:

f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12.exephoto_protected.exeWerFault.execmd.execmd.exe

pid	Process
1192	f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12.exe
1192	f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12.exe
1192	f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12.exe
1192	f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12.exe
1796	photo_protected.exe
1228	WerFault.exe
1228	WerFault.exe
1228	WerFault.exe
1228	WerFault.exe
1228	WerFault.exe
1760	cmd.exe
108	cmd.exe

Themida packer 27 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/files/0x0008000000005c50-56.dat	themida
behavioral1/files/0x0008000000005c50-57.dat	themida
behavioral1/files/0x0008000000005c50-59.dat	themida
behavioral1/files/0x0008000000005c50-58.dat	themida
behavioral1/files/0x0008000000005c50-61.dat	themida
behavioral1/memory/1796-68-0x0000000000E80000-0x0000000002F4A000-memory.dmp	themida
behavioral1/memory/1796-69-0x0000000000E80000-0x0000000002F4A000-memory.dmp	themida
behavioral1/files/0x0008000000005c50-71.dat	themida
behavioral1/files/0x000700000001311d-75.dat	themida
behavioral1/files/0x000700000001311d-77.dat	themida
behavioral1/memory/2028-85-0x0000000000B40000-0x0000000002C0A000-memory.dmp	themida
behavioral1/memory/2028-86-0x0000000000B40000-0x0000000002C0A000-memory.dmp	themida
behavioral1/files/0x000700000001311d-89.dat	themida
behavioral1/files/0x000700000001311d-98.dat	themida
behavioral1/files/0x000700000001311d-97.dat	themida
behavioral1/files/0x000700000001311d-96.dat	themida
behavioral1/files/0x000700000001311d-99.dat	themida
behavioral1/files/0x000700000001311d-100.dat	themida
behavioral1/files/0x000700000001311d-105.dat	themida
behavioral1/files/0x000700000001311d-103.dat	themida
behavioral1/memory/856-111-0x0000000000B40000-0x0000000002C0A000-memory.dmp	themida
behavioral1/memory/856-112-0x0000000000B40000-0x0000000002C0A000-memory.dmp	themida
behavioral1/memory/1796-122-0x0000000000E80000-0x0000000002F4A000-memory.dmp	themida
behavioral1/files/0x0008000000005c50-126.dat	themida
behavioral1/files/0x0008000000005c50-124.dat	themida
behavioral1/memory/1164-132-0x0000000000E80000-0x0000000002F4A000-memory.dmp	themida
behavioral1/memory/1164-133-0x0000000000E80000-0x0000000002F4A000-memory.dmp	themida

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

photo_protected.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	photo_protected.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	photo_protected.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

photo_protected.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\drivers = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\photo_protected.exe\""	photo_protected.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

$77setup.exephoto_protected.exephoto_protected.exe$77setup.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	$77setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	photo_protected.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	photo_protected.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	$77setup.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
3	ip-api.com
1	ip-api.com

Drops file in System32 directory 4 IoCs

Processes:

photo_protected.exe$77setup.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\$77\$77setup.exe	photo_protected.exe
File opened for modification	C:\Windows\SysWOW64\$77\$77setup.exe	$77setup.exe
File opened for modification	C:\Windows\SysWOW64\$77	$77setup.exe
File created	C:\Windows\SysWOW64\$77\r77-x64.dll	photo_protected.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

photo_protected.exe$77setup.exe$77setup.exephoto_protected.exe

pid	Process
1796	photo_protected.exe
2028	$77setup.exe
856	$77setup.exe
1164	photo_protected.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1228	2028	WerFault.exe	32

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
1956	schtasks.exe
1116	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

photo_protected.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	photo_protected.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	photo_protected.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXE

pid	Process
1476	PING.EXE
1512	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exe$77setup.exephoto_protected.exephoto_protected.exe

pid	Process
1784	powershell.exe
856	$77setup.exe
1796	photo_protected.exe
1796	photo_protected.exe
1796	photo_protected.exe
1796	photo_protected.exe
1796	photo_protected.exe
1796	photo_protected.exe
1796	photo_protected.exe
1164	photo_protected.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

photo_protected.exe$77setup.exepowershell.exe$77setup.exephoto_protected.exe

description	pid	Process
Token: SeDebugPrivilege	1796	photo_protected.exe
Token: SeDebugPrivilege	2028	$77setup.exe
Token: SeDebugPrivilege	2028	$77setup.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	856	$77setup.exe
Token: SeDebugPrivilege	1164	photo_protected.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid	Process
780	DllHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

$77setup.exe

pid	Process
2028	$77setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12.exephoto_protected.exe$77setup.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 1192 wrote to memory of 1796	1192	f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12.exe	28
PID 1192 wrote to memory of 1796	1192	f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12.exe	28
PID 1192 wrote to memory of 1796	1192	f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12.exe	28
PID 1192 wrote to memory of 1796	1192	f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12.exe	28
PID 1796 wrote to memory of 1956	1796	photo_protected.exe	30
PID 1796 wrote to memory of 1956	1796	photo_protected.exe	30
PID 1796 wrote to memory of 1956	1796	photo_protected.exe	30
PID 1796 wrote to memory of 1956	1796	photo_protected.exe	30
PID 1796 wrote to memory of 2028	1796	photo_protected.exe	32
PID 1796 wrote to memory of 2028	1796	photo_protected.exe	32
PID 1796 wrote to memory of 2028	1796	photo_protected.exe	32
PID 1796 wrote to memory of 2028	1796	photo_protected.exe	32
PID 1796 wrote to memory of 2028	1796	photo_protected.exe	32
PID 1796 wrote to memory of 2028	1796	photo_protected.exe	32
PID 1796 wrote to memory of 2028	1796	photo_protected.exe	32
PID 1796 wrote to memory of 1784	1796	photo_protected.exe	33
PID 1796 wrote to memory of 1784	1796	photo_protected.exe	33
PID 1796 wrote to memory of 1784	1796	photo_protected.exe	33
PID 1796 wrote to memory of 1784	1796	photo_protected.exe	33
PID 2028 wrote to memory of 1116	2028	$77setup.exe	36
PID 2028 wrote to memory of 1116	2028	$77setup.exe	36
PID 2028 wrote to memory of 1116	2028	$77setup.exe	36
PID 2028 wrote to memory of 1116	2028	$77setup.exe	36
PID 2028 wrote to memory of 1760	2028	$77setup.exe	38
PID 2028 wrote to memory of 1760	2028	$77setup.exe	38
PID 2028 wrote to memory of 1760	2028	$77setup.exe	38
PID 2028 wrote to memory of 1760	2028	$77setup.exe	38
PID 1760 wrote to memory of 1564	1760	cmd.exe	39
PID 1760 wrote to memory of 1564	1760	cmd.exe	39
PID 1760 wrote to memory of 1564	1760	cmd.exe	39
PID 1760 wrote to memory of 1564	1760	cmd.exe	39
PID 2028 wrote to memory of 1228	2028	$77setup.exe	40
PID 2028 wrote to memory of 1228	2028	$77setup.exe	40
PID 2028 wrote to memory of 1228	2028	$77setup.exe	40
PID 2028 wrote to memory of 1228	2028	$77setup.exe	40
PID 1760 wrote to memory of 1476	1760	cmd.exe	41
PID 1760 wrote to memory of 1476	1760	cmd.exe	41
PID 1760 wrote to memory of 1476	1760	cmd.exe	41
PID 1760 wrote to memory of 1476	1760	cmd.exe	41
PID 1760 wrote to memory of 856	1760	cmd.exe	42
PID 1760 wrote to memory of 856	1760	cmd.exe	42
PID 1760 wrote to memory of 856	1760	cmd.exe	42
PID 1760 wrote to memory of 856	1760	cmd.exe	42
PID 1760 wrote to memory of 856	1760	cmd.exe	42
PID 1760 wrote to memory of 856	1760	cmd.exe	42
PID 1760 wrote to memory of 856	1760	cmd.exe	42
PID 1796 wrote to memory of 1496	1796	photo_protected.exe	43
PID 1796 wrote to memory of 1496	1796	photo_protected.exe	43
PID 1796 wrote to memory of 1496	1796	photo_protected.exe	43
PID 1796 wrote to memory of 1496	1796	photo_protected.exe	43
PID 1496 wrote to memory of 1504	1496	cmd.exe	45
PID 1496 wrote to memory of 1504	1496	cmd.exe	45
PID 1496 wrote to memory of 1504	1496	cmd.exe	45
PID 1496 wrote to memory of 1504	1496	cmd.exe	45
PID 1796 wrote to memory of 108	1796	photo_protected.exe	46
PID 1796 wrote to memory of 108	1796	photo_protected.exe	46
PID 1796 wrote to memory of 108	1796	photo_protected.exe	46
PID 1796 wrote to memory of 108	1796	photo_protected.exe	46
PID 108 wrote to memory of 1340	108	cmd.exe	48
PID 108 wrote to memory of 1340	108	cmd.exe	48
PID 108 wrote to memory of 1340	108	cmd.exe	48
PID 108 wrote to memory of 1340	108	cmd.exe	48
PID 108 wrote to memory of 1512	108	cmd.exe	49
PID 108 wrote to memory of 1512	108	cmd.exe	49

C:\Users\Admin\AppData\Local\Temp\f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12.exe
"C:\Users\Admin\AppData\Local\Temp\f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\photo_protected.exe
  "C:\Users\Admin\AppData\Local\Temp\photo_protected.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "drivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\photo_protected.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1956
- - C:\Windows\SysWOW64\$77\$77setup.exe
    "C:\Windows\SysWOW64\$77\$77setup.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "drivers" /sc ONLOGON /tr "C:\Windows\SysWOW64\$77\$77setup.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:1116
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\EI7T6uMiY2xs.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1760
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1564
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:1476
    - - C:\Windows\SysWOW64\$77\$77setup.exe
        
        "C:\Windows\SysWOW64\$77\$77setup.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 1400
      4⤵
      Loads dropped DLL
      Program crash
      PID:1228
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1784
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
      4⤵
      Deletes itself
      PID:1504
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\se5DeOix93SI.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:108
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:1340
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:1512
  - - C:\Users\Admin\AppData\Local\Temp\photo_protected.exe
      "C:\Users\Admin\AppData\Local\Temp\photo_protected.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Executes dropped EXE
      Checks BIOS information in registry
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1164

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EI7T6uMiY2xs.bat

Filesize
195B

MD5
b060cfb63c9028463458ae5736d7d15a

SHA1
bb0ac5b1f1abd03aeea26c9fc260d5d9b84d187e

SHA256
a1f1881c992e3ac3a7eb50ff815a24f71111e674ff5bf856ab66016de0071802

SHA512
cd60dcb68aa94fd6890c13831cc428e40f358ebb625b3641a76766defac1075b4a98a7fe6d4769c204cd39172b92f6b1f0dbc91d583369bc8c3efd144faed800

Download Submit
C:\Users\Admin\AppData\Local\Temp\photo_2021-01-20_10-32-33.jpg

Filesize
15KB

MD5
4ed5be10b9b30e012b2b9ba0dae6cf8f

SHA1
675c76af77de29bc8edabfcff7161f3c5124aa26

SHA256
f7b9988a7419825092d7f6b01b99aa41e628023697b17850252705657ad42b41

SHA512
349e26ae4509ec2d606921d02d453137c27a4794223b8fdc5a4f6bae2dd0ae1776d83cc23deeeffc0ca0113917fb8e35eb00d0aecc3be5c59a2f0d36712a9dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\photo_protected.exe

Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
C:\Users\Admin\AppData\Local\Temp\photo_protected.exe

Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
C:\Users\Admin\AppData\Local\Temp\photo_protected.exe

Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
C:\Users\Admin\AppData\Local\Temp\se5DeOix93SI.bat

Filesize
212B

MD5
13607579969402d0db92cff4244374f8

SHA1
ffb0aea9aae52ff9605c160c0de51588a7d09d47

SHA256
7e04e9e2385ed56bf18c25b59a96145288797ea493444a28190cbe880a23c42f

SHA512
5d7b8f14996bf0b7f38749b1cc726ba50aad0afb91772edf0ef145b6657d083bb1f5fe668ceab39b0eb07e872901cd19f3fa81ad9034bc7ae97097c6477b854d

Download Submit
C:\Windows\SysWOW64\$77\$77setup.exe

Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
C:\Windows\SysWOW64\$77\$77setup.exe

Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
C:\Windows\SysWOW64\$77\$77setup.exe

Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
\Users\Admin\AppData\Local\Temp\photo_protected.exe

Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
\Users\Admin\AppData\Local\Temp\photo_protected.exe

Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
\Users\Admin\AppData\Local\Temp\photo_protected.exe

Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
\Users\Admin\AppData\Local\Temp\photo_protected.exe

Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
\Users\Admin\AppData\Local\Temp\photo_protected.exe

Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
\Windows\SysWOW64\$77\$77setup.exe

Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
\Windows\SysWOW64\$77\$77setup.exe

Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
\Windows\SysWOW64\$77\$77setup.exe

Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
\Windows\SysWOW64\$77\$77setup.exe

Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
\Windows\SysWOW64\$77\$77setup.exe

Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
\Windows\SysWOW64\$77\$77setup.exe

Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
\Windows\SysWOW64\$77\$77setup.exe

Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
memory/108-118-0x0000000000000000-mapping.dmp

Download
memory/856-111-0x0000000000B40000-0x0000000002C0A000-memory.dmp

Filesize
32.8MB

Download
memory/856-114-0x0000000077CF0000-0x0000000077E70000-memory.dmp

Filesize
1.5MB

Download
memory/856-104-0x0000000000000000-mapping.dmp

Download
memory/856-113-0x0000000077CF0000-0x0000000077E70000-memory.dmp

Filesize
1.5MB

Download
memory/856-112-0x0000000000B40000-0x0000000002C0A000-memory.dmp

Filesize
32.8MB

Download
memory/856-107-0x0000000000B40000-0x0000000002C0A000-memory.dmp

Filesize
32.8MB

Download
memory/1116-88-0x0000000000000000-mapping.dmp

Download
memory/1164-128-0x0000000000E80000-0x0000000002F4A000-memory.dmp

Filesize
32.8MB

Download
memory/1164-125-0x0000000000000000-mapping.dmp

Download
memory/1164-132-0x0000000000E80000-0x0000000002F4A000-memory.dmp

Filesize
32.8MB

Download
memory/1164-133-0x0000000000E80000-0x0000000002F4A000-memory.dmp

Filesize
32.8MB

Download
memory/1164-134-0x0000000077CF0000-0x0000000077E70000-memory.dmp

Filesize
1.5MB

Download
memory/1164-135-0x0000000077CF0000-0x0000000077E70000-memory.dmp

Filesize
1.5MB

Download
memory/1192-54-0x0000000076701000-0x0000000076703000-memory.dmp

Filesize
8KB

Download
memory/1228-94-0x0000000000000000-mapping.dmp

Download
memory/1340-120-0x0000000000000000-mapping.dmp

Download
memory/1476-95-0x0000000000000000-mapping.dmp

Download
memory/1496-116-0x0000000000000000-mapping.dmp

Download
memory/1504-117-0x0000000000000000-mapping.dmp

Download
memory/1512-121-0x0000000000000000-mapping.dmp

Download
memory/1564-93-0x0000000000000000-mapping.dmp

Download
memory/1760-91-0x0000000000000000-mapping.dmp

Download
memory/1784-78-0x0000000000000000-mapping.dmp

Download
memory/1784-102-0x000000006EEE0000-0x000000006F48B000-memory.dmp

Filesize
5.7MB

Download
memory/1784-90-0x000000006EEE0000-0x000000006F48B000-memory.dmp

Filesize
5.7MB

Download
memory/1784-115-0x000000006EEE0000-0x000000006F48B000-memory.dmp

Filesize
5.7MB

Download
memory/1796-74-0x0000000077CF0000-0x0000000077E70000-memory.dmp

Filesize
1.5MB

Download
memory/1796-73-0x0000000000E80000-0x0000000002F4A000-memory.dmp

Filesize
32.8MB

Download
memory/1796-60-0x0000000000000000-mapping.dmp

Download
memory/1796-63-0x0000000000E80000-0x0000000002F4A000-memory.dmp

Filesize
32.8MB

Download
memory/1796-67-0x0000000077CF0000-0x0000000077E70000-memory.dmp

Filesize
1.5MB

Download
memory/1796-68-0x0000000000E80000-0x0000000002F4A000-memory.dmp

Filesize
32.8MB

Download
memory/1796-122-0x0000000000E80000-0x0000000002F4A000-memory.dmp

Filesize
32.8MB

Download
memory/1796-123-0x0000000077CF0000-0x0000000077E70000-memory.dmp

Filesize
1.5MB

Download
memory/1796-69-0x0000000000E80000-0x0000000002F4A000-memory.dmp

Filesize
32.8MB

Download
memory/1956-72-0x0000000000000000-mapping.dmp

Download
memory/2028-85-0x0000000000B40000-0x0000000002C0A000-memory.dmp

Filesize
32.8MB

Download
memory/2028-101-0x0000000000B40000-0x0000000002C0A000-memory.dmp

Filesize
32.8MB

Download
memory/2028-87-0x0000000077CF0000-0x0000000077E70000-memory.dmp

Filesize
1.5MB

Download
memory/2028-76-0x0000000000000000-mapping.dmp

Download
memory/2028-86-0x0000000000B40000-0x0000000002C0A000-memory.dmp

Filesize
32.8MB

Download
memory/2028-82-0x0000000000B40000-0x0000000002C0A000-memory.dmp

Filesize
32.8MB

Download