quasar | d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc

General

Target

d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
Size

655KB
MD5

c6b8dff8c0e4204c318dc7e349d5f531
SHA1

af9f8e6bacac7bd9c2b59c80d4448f0abc10b3c3
SHA256

d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc
SHA512

6d81e1b0b22452fab716d4e7baa8d05cec02e7a4a3d4a8460504bd7075b23645c2344576f9b0364eef9cfbce64a53d5c12266d9d7f8ab3a0c9e03fdd39d09d8f
SSDEEP

12288:QNlD5ZS/1WEJOAqRSEM3Sy21LVbK89elrrJ56m:QKIDAEQSy2TbKuKN

Score

10^/10

quasar venomrat ajith evasion persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

ajith

C2

23.105.131.178:7812

Mutex

VNM_MUTEX_NdVd2sPSSqFdo7I35g

Attributes

encryption_key
jyerms3KOWmt3C9DBFuq
install_name
Windows Defender Security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 7 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/1036-60-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1036-61-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1036-62-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1036-63-0x0000000000486C4E-mapping.dmp	disable_win_def
behavioral1/memory/1036-65-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1036-67-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1676-83-0x0000000000486C4E-mapping.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1036-60-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1036-61-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1036-62-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1036-63-0x0000000000486C4E-mapping.dmp	family_quasar
behavioral1/memory/1036-65-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1036-67-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1676-83-0x0000000000486C4E-mapping.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
Executes dropped EXE 2 IoCs

Processes:

Windows Defender Security.exeWindows Defender Security.exe

pid process

632 Windows Defender Security.exe
1676 Windows Defender Security.exe
Loads dropped DLL 1 IoCs

Processes:

d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe

pid process

1036 d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe

pid	process
632	Windows Defender Security.exe
1676	Windows Defender Security.exe

pid	process
1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update Folder\\Windows Update.exe"	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com

flow	ioc
1	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exeWindows Defender Security.exe

description	pid	process	target process
PID 1340 set thread context of 1036	1340	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
PID 632 set thread context of 1676	632	Windows Defender Security.exe	Windows Defender Security.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1096 schtasks.exe
1436 schtasks.exe

pid	process
1096	schtasks.exe
1436	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exed76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe

pid	process
564	powershell.exe
1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exepowershell.exeWindows Defender Security.exe

description	pid	process
Token: SeDebugPrivilege	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	1676	Windows Defender Security.exe
Token: SeDebugPrivilege	1676	Windows Defender Security.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Defender Security.exe

pid process

1676 Windows Defender Security.exe

pid	process
1676	Windows Defender Security.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exed76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exeWindows Defender Security.exeWindows Defender Security.execmd.execmd.exe

description	pid	process	target process
PID 1340 wrote to memory of 1036	1340	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
PID 1340 wrote to memory of 1036	1340	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
PID 1340 wrote to memory of 1036	1340	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
PID 1340 wrote to memory of 1036	1340	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
PID 1340 wrote to memory of 1036	1340	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
PID 1340 wrote to memory of 1036	1340	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
PID 1340 wrote to memory of 1036	1340	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
PID 1340 wrote to memory of 1036	1340	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
PID 1340 wrote to memory of 1036	1340	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
PID 1036 wrote to memory of 1096	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	schtasks.exe
PID 1036 wrote to memory of 1096	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	schtasks.exe
PID 1036 wrote to memory of 1096	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	schtasks.exe
PID 1036 wrote to memory of 1096	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	schtasks.exe
PID 1036 wrote to memory of 632	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	Windows Defender Security.exe
PID 1036 wrote to memory of 632	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	Windows Defender Security.exe
PID 1036 wrote to memory of 632	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	Windows Defender Security.exe
PID 1036 wrote to memory of 632	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	Windows Defender Security.exe
PID 1036 wrote to memory of 564	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	powershell.exe
PID 1036 wrote to memory of 564	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	powershell.exe
PID 1036 wrote to memory of 564	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	powershell.exe
PID 1036 wrote to memory of 564	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	powershell.exe
PID 632 wrote to memory of 1676	632	Windows Defender Security.exe	Windows Defender Security.exe
PID 632 wrote to memory of 1676	632	Windows Defender Security.exe	Windows Defender Security.exe
PID 632 wrote to memory of 1676	632	Windows Defender Security.exe	Windows Defender Security.exe
PID 632 wrote to memory of 1676	632	Windows Defender Security.exe	Windows Defender Security.exe
PID 632 wrote to memory of 1676	632	Windows Defender Security.exe	Windows Defender Security.exe
PID 632 wrote to memory of 1676	632	Windows Defender Security.exe	Windows Defender Security.exe
PID 632 wrote to memory of 1676	632	Windows Defender Security.exe	Windows Defender Security.exe
PID 632 wrote to memory of 1676	632	Windows Defender Security.exe	Windows Defender Security.exe
PID 632 wrote to memory of 1676	632	Windows Defender Security.exe	Windows Defender Security.exe
PID 1676 wrote to memory of 1436	1676	Windows Defender Security.exe	schtasks.exe
PID 1676 wrote to memory of 1436	1676	Windows Defender Security.exe	schtasks.exe
PID 1676 wrote to memory of 1436	1676	Windows Defender Security.exe	schtasks.exe
PID 1676 wrote to memory of 1436	1676	Windows Defender Security.exe	schtasks.exe
PID 1036 wrote to memory of 912	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	cmd.exe
PID 1036 wrote to memory of 912	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	cmd.exe
PID 1036 wrote to memory of 912	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	cmd.exe
PID 1036 wrote to memory of 912	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	cmd.exe
PID 912 wrote to memory of 1632	912	cmd.exe	cmd.exe
PID 912 wrote to memory of 1632	912	cmd.exe	cmd.exe
PID 912 wrote to memory of 1632	912	cmd.exe	cmd.exe
PID 912 wrote to memory of 1632	912	cmd.exe	cmd.exe
PID 1036 wrote to memory of 1728	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	cmd.exe
PID 1036 wrote to memory of 1728	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	cmd.exe
PID 1036 wrote to memory of 1728	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	cmd.exe
PID 1036 wrote to memory of 1728	1036	d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe	cmd.exe
PID 1728 wrote to memory of 1964	1728	cmd.exe	chcp.com
PID 1728 wrote to memory of 1964	1728	cmd.exe	chcp.com
PID 1728 wrote to memory of 1964	1728	cmd.exe	chcp.com
PID 1728 wrote to memory of 1964	1728	cmd.exe	chcp.com

C:\Users\Admin\AppData\Local\Temp\d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
"C:\Users\Admin\AppData\Local\Temp\d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1340

C:\Users\Admin\AppData\Local\Temp\d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe
"C:\Users\Admin\AppData\Local\Temp\d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe"
2⤵
- Modifies Windows Defender Real-time Protection settings
- Loads dropped DLL
- Windows security modification
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1096

C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:632

C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
4⤵
PID:1632

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xCfCHWwUnnjq.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

4

T1112

Disabling Security Tools

2

T1089

Install Root Certificate

1

T1130

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xCfCHWwUnnjq.bat
Filesize
261B

MD5
13ebfc24a45ce1fde1b19b6da2568ca2

SHA1
ece19d6e3500c9d313700279cbc70aa61d7a6e4b

SHA256
dd39833ee59624c68a5b76fa6d57001666bf439d5e317671ccdf34c4d1c19e45

SHA512
169e4c23b04041fb2c0e0174cadcee99b0923f77f02adceb1bae8bb1c2af1052c9f6c9a4fea4270144cd29792a71c229d4e12fceed6fe06378497f1e9f3859ec

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
Filesize
655KB

MD5
c6b8dff8c0e4204c318dc7e349d5f531

SHA1
af9f8e6bacac7bd9c2b59c80d4448f0abc10b3c3

SHA256
d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc

SHA512
6d81e1b0b22452fab716d4e7baa8d05cec02e7a4a3d4a8460504bd7075b23645c2344576f9b0364eef9cfbce64a53d5c12266d9d7f8ab3a0c9e03fdd39d09d8f

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
Filesize
655KB

MD5
c6b8dff8c0e4204c318dc7e349d5f531

SHA1
af9f8e6bacac7bd9c2b59c80d4448f0abc10b3c3

SHA256
d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc

SHA512
6d81e1b0b22452fab716d4e7baa8d05cec02e7a4a3d4a8460504bd7075b23645c2344576f9b0364eef9cfbce64a53d5c12266d9d7f8ab3a0c9e03fdd39d09d8f

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
Filesize
655KB

MD5
c6b8dff8c0e4204c318dc7e349d5f531

SHA1
af9f8e6bacac7bd9c2b59c80d4448f0abc10b3c3

SHA256
d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc

SHA512
6d81e1b0b22452fab716d4e7baa8d05cec02e7a4a3d4a8460504bd7075b23645c2344576f9b0364eef9cfbce64a53d5c12266d9d7f8ab3a0c9e03fdd39d09d8f

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security.exe
Filesize
655KB

MD5
c6b8dff8c0e4204c318dc7e349d5f531

SHA1
af9f8e6bacac7bd9c2b59c80d4448f0abc10b3c3

SHA256
d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc

SHA512
6d81e1b0b22452fab716d4e7baa8d05cec02e7a4a3d4a8460504bd7075b23645c2344576f9b0364eef9cfbce64a53d5c12266d9d7f8ab3a0c9e03fdd39d09d8f

Download Submit
memory/564-92-0x000000006EBF0000-0x000000006F19B000-memory.dmp

Filesize
5.7MB

Download
memory/564-90-0x000000006EBF0000-0x000000006F19B000-memory.dmp

Filesize
5.7MB

Download
memory/564-74-0x0000000000000000-mapping.dmp

Download
memory/632-75-0x0000000000860000-0x000000000090A000-memory.dmp

Filesize
680KB

Download
memory/632-71-0x0000000000000000-mapping.dmp

Download
memory/912-93-0x0000000000000000-mapping.dmp

Download
memory/1036-62-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1036-58-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1036-67-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1036-65-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1036-63-0x0000000000486C4E-mapping.dmp

Download
memory/1036-61-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1036-60-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1036-57-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1096-69-0x0000000000000000-mapping.dmp

Download
memory/1340-54-0x0000000000010000-0x00000000000BA000-memory.dmp

Filesize
680KB

Download
memory/1340-56-0x0000000000550000-0x000000000055A000-memory.dmp

Filesize
40KB

Download
memory/1340-55-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1436-91-0x0000000000000000-mapping.dmp

Download
memory/1632-94-0x0000000000000000-mapping.dmp

Download
memory/1676-83-0x0000000000486C4E-mapping.dmp

Download
memory/1728-95-0x0000000000000000-mapping.dmp

Download
memory/1964-97-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads