quasar | 317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87

General

Target

317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
Size

2.6MB
MD5

017d1ddeb4f16982eda16fe8f07c63e6
SHA1

ac0bca32f8eb453aad9df1b9fb0ca6dad9d70556
SHA256

317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87
SHA512

d0439cdcea450461ce8f61121b86fada72abd52d13251e47d76949aa9ce370c8bc64169be96719e7010411fe92d8194db9835df1825490da4bc283b1660886bc
SSDEEP

49152:sslxW0qtwxdh9Q7Wm1kX8sp1ua2oUHXN5Wr7Pf:nlwTtWhs1a8KOVHXNgXf

Score

10^/10

quasar venomrat rat evasion rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

RAT

C2

23.105.131.178:7812

Mutex

VNM_MUTEX_It9SqdFDNndEItXfKp

Attributes

encryption_key
txgQXKaATimN7DY8jnPH
install_name
Windows Defender Security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update
subdirectory
Microsoft

Signatures

Contains code to disable Windows Defender 10 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/4788-140-0x0000000000400000-0x0000000000564000-memory.dmp	disable_win_def
behavioral2/memory/4788-141-0x0000000000400000-0x0000000000564000-memory.dmp	disable_win_def
behavioral2/memory/4788-142-0x0000000000400000-0x0000000000564000-memory.dmp	disable_win_def
behavioral2/memory/4788-143-0x0000000000400000-0x0000000000564000-memory.dmp	disable_win_def
C:\Users\Admin\AppData\Local\Temp\WINDOWS DEFENDER SECURITY.EXE	disable_win_def
behavioral2/memory/4788-150-0x0000000000400000-0x0000000000564000-memory.dmp	disable_win_def
C:\Users\Admin\AppData\Local\Temp\WINDOWS DEFENDER SECURITY.EXE	disable_win_def
behavioral2/memory/372-151-0x0000000000FC0000-0x000000000104C000-memory.dmp	disable_win_def
C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe	disable_win_def
C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

WINDOWS DEFENDER SECURITY.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	WINDOWS DEFENDER SECURITY.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	WINDOWS DEFENDER SECURITY.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	WINDOWS DEFENDER SECURITY.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	WINDOWS DEFENDER SECURITY.EXE

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4788-140-0x0000000000400000-0x0000000000564000-memory.dmp	family_quasar
behavioral2/memory/4788-141-0x0000000000400000-0x0000000000564000-memory.dmp	family_quasar
behavioral2/memory/4788-142-0x0000000000400000-0x0000000000564000-memory.dmp	family_quasar
behavioral2/memory/4788-143-0x0000000000400000-0x0000000000564000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Local\Temp\WINDOWS DEFENDER SECURITY.EXE	family_quasar
behavioral2/memory/4788-150-0x0000000000400000-0x0000000000564000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Local\Temp\WINDOWS DEFENDER SECURITY.EXE	family_quasar
behavioral2/memory/372-151-0x0000000000FC0000-0x000000000104C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
Executes dropped EXE 3 IoCs

Processes:

AMAZON VALID EMAILS CHECKER BY X-SLAYER.EXEWINDOWS DEFENDER SECURITY.EXEWindows Defender Security.exe

pid process

2392 AMAZON VALID EMAILS CHECKER BY X-SLAYER.EXE
372 WINDOWS DEFENDER SECURITY.EXE
3940 Windows Defender Security.exe

pid	process
2392	AMAZON VALID EMAILS CHECKER BY X-SLAYER.EXE
372	WINDOWS DEFENDER SECURITY.EXE
3940	Windows Defender Security.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exeWINDOWS DEFENDER SECURITY.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WINDOWS DEFENDER SECURITY.EXE

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

WINDOWS DEFENDER SECURITY.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	WINDOWS DEFENDER SECURITY.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	WINDOWS DEFENDER SECURITY.EXE

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 ip-api.com

flow	ioc
10	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe

description	pid	process	target process
PID 5036 set thread context of 4788	5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3852 2392 WerFault.exe AMAZON VALID EMAILS CHECKER BY X-SLAYER.EXE
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4636 schtasks.exe
1128 schtasks.exe

pid	pid_target	process	target process
3852	2392	WerFault.exe	AMAZON VALID EMAILS CHECKER BY X-SLAYER.EXE

pid	process
4636	schtasks.exe
1128	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exepowershell.exeWINDOWS DEFENDER SECURITY.EXE

pid	process
5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
4420	powershell.exe
4420	powershell.exe
372	WINDOWS DEFENDER SECURITY.EXE
372	WINDOWS DEFENDER SECURITY.EXE
372	WINDOWS DEFENDER SECURITY.EXE
372	WINDOWS DEFENDER SECURITY.EXE
372	WINDOWS DEFENDER SECURITY.EXE
372	WINDOWS DEFENDER SECURITY.EXE
372	WINDOWS DEFENDER SECURITY.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exeWINDOWS DEFENDER SECURITY.EXEpowershell.exeWindows Defender Security.exe

description	pid	process
Token: SeDebugPrivilege	5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
Token: SeDebugPrivilege	372	WINDOWS DEFENDER SECURITY.EXE
Token: SeDebugPrivilege	4420	powershell.exe
Token: SeDebugPrivilege	3940	Windows Defender Security.exe
Token: SeDebugPrivilege	3940	Windows Defender Security.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Defender Security.exe

pid process

3940 Windows Defender Security.exe

pid	process
3940	Windows Defender Security.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exeWINDOWS DEFENDER SECURITY.EXEWindows Defender Security.execmd.exe

description	pid	process	target process
PID 5036 wrote to memory of 4568	5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
PID 5036 wrote to memory of 4568	5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
PID 5036 wrote to memory of 4568	5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
PID 5036 wrote to memory of 4452	5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
PID 5036 wrote to memory of 4452	5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
PID 5036 wrote to memory of 4452	5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
PID 5036 wrote to memory of 364	5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
PID 5036 wrote to memory of 364	5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
PID 5036 wrote to memory of 364	5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
PID 5036 wrote to memory of 3300	5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
PID 5036 wrote to memory of 3300	5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
PID 5036 wrote to memory of 3300	5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
PID 5036 wrote to memory of 4788	5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
PID 5036 wrote to memory of 4788	5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
PID 5036 wrote to memory of 4788	5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
PID 5036 wrote to memory of 4788	5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
PID 5036 wrote to memory of 4788	5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
PID 5036 wrote to memory of 4788	5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
PID 5036 wrote to memory of 4788	5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
PID 5036 wrote to memory of 4788	5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
PID 5036 wrote to memory of 4788	5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
PID 5036 wrote to memory of 4788	5036	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
PID 4788 wrote to memory of 2392	4788	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe	AMAZON VALID EMAILS CHECKER BY X-SLAYER.EXE
PID 4788 wrote to memory of 2392	4788	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe	AMAZON VALID EMAILS CHECKER BY X-SLAYER.EXE
PID 4788 wrote to memory of 372	4788	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe	WINDOWS DEFENDER SECURITY.EXE
PID 4788 wrote to memory of 372	4788	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe	WINDOWS DEFENDER SECURITY.EXE
PID 4788 wrote to memory of 372	4788	317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe	WINDOWS DEFENDER SECURITY.EXE
PID 372 wrote to memory of 4636	372	WINDOWS DEFENDER SECURITY.EXE	schtasks.exe
PID 372 wrote to memory of 4636	372	WINDOWS DEFENDER SECURITY.EXE	schtasks.exe
PID 372 wrote to memory of 4636	372	WINDOWS DEFENDER SECURITY.EXE	schtasks.exe
PID 372 wrote to memory of 3940	372	WINDOWS DEFENDER SECURITY.EXE	Windows Defender Security.exe
PID 372 wrote to memory of 3940	372	WINDOWS DEFENDER SECURITY.EXE	Windows Defender Security.exe
PID 372 wrote to memory of 3940	372	WINDOWS DEFENDER SECURITY.EXE	Windows Defender Security.exe
PID 372 wrote to memory of 4420	372	WINDOWS DEFENDER SECURITY.EXE	powershell.exe
PID 372 wrote to memory of 4420	372	WINDOWS DEFENDER SECURITY.EXE	powershell.exe
PID 372 wrote to memory of 4420	372	WINDOWS DEFENDER SECURITY.EXE	powershell.exe
PID 3940 wrote to memory of 1128	3940	Windows Defender Security.exe	schtasks.exe
PID 3940 wrote to memory of 1128	3940	Windows Defender Security.exe	schtasks.exe
PID 3940 wrote to memory of 1128	3940	Windows Defender Security.exe	schtasks.exe
PID 372 wrote to memory of 2824	372	WINDOWS DEFENDER SECURITY.EXE	cmd.exe
PID 372 wrote to memory of 2824	372	WINDOWS DEFENDER SECURITY.EXE	cmd.exe
PID 372 wrote to memory of 2824	372	WINDOWS DEFENDER SECURITY.EXE	cmd.exe
PID 2824 wrote to memory of 4860	2824	cmd.exe	cmd.exe
PID 2824 wrote to memory of 4860	2824	cmd.exe	cmd.exe
PID 2824 wrote to memory of 4860	2824	cmd.exe	cmd.exe
PID 372 wrote to memory of 1976	372	WINDOWS DEFENDER SECURITY.EXE	cmd.exe
PID 372 wrote to memory of 1976	372	WINDOWS DEFENDER SECURITY.EXE	cmd.exe
PID 372 wrote to memory of 1976	372	WINDOWS DEFENDER SECURITY.EXE	cmd.exe

C:\Users\Admin\AppData\Local\Temp\317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
"C:\Users\Admin\AppData\Local\Temp\317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5036

C:\Users\Admin\AppData\Local\Temp\317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
"C:\Users\Admin\AppData\Local\Temp\317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe"
2⤵
PID:4568

C:\Users\Admin\AppData\Local\Temp\317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
"C:\Users\Admin\AppData\Local\Temp\317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe"
2⤵
PID:4452

C:\Users\Admin\AppData\Local\Temp\317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
"C:\Users\Admin\AppData\Local\Temp\317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe"
2⤵
PID:3300

C:\Users\Admin\AppData\Local\Temp\317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
"C:\Users\Admin\AppData\Local\Temp\317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe"
2⤵
PID:364

C:\Users\Admin\AppData\Local\Temp\317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe
"C:\Users\Admin\AppData\Local\Temp\317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4788

C:\Users\Admin\AppData\Local\Temp\AMAZON VALID EMAILS CHECKER BY X-SLAYER.EXE
"C:\Users\Admin\AppData\Local\Temp\AMAZON VALID EMAILS CHECKER BY X-SLAYER.EXE"
3⤵
- Executes dropped EXE
PID:2392

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2392 -s 844
4⤵
- Program crash
PID:3852

C:\Users\Admin\AppData\Local\Temp\WINDOWS DEFENDER SECURITY.EXE
"C:\Users\Admin\AppData\Local\Temp\WINDOWS DEFENDER SECURITY.EXE"
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\WINDOWS DEFENDER SECURITY.EXE" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:4636

C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1128

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
5⤵
PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9juan57TROqw.bat" "
4⤵
PID:1976

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 2392 -ip 2392
1⤵
PID:3860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9juan57TROqw.bat
Filesize
222B

MD5
93904974b851bcc4d46100b89a26a19b

SHA1
df94eeed79e641de284aae840637addc6d18540e

SHA256
91507193671745a7869f4820b3afad781779f8c765f25473508bf51098485082

SHA512
5c3a75ce0099d758393cc290c59cc606e91d968fd83fb7a5c2626055c6b921a59be4f0b0f1e83a16edd715b00709bcf29364e7a016ad894ebb3cfae76570868d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMAZON VALID EMAILS CHECKER BY X-SLAYER.EXE
Filesize
803KB

MD5
305aa19532d3f9b073a00554136f0e98

SHA1
e09303e02e1205319979676e73aff57b69ea8c17

SHA256
5d7840b21dfc68963642589e4089f762cb4af25653ed66db8ff880efbe8b86c6

SHA512
1b078b431a12e869d6aa9c0bf44815934d6c1548ba8f09f37ddccd0988a3bcd2dc40944ddcb53003f1a259c26576f37fa9cec7a8ca1285ddbb459f66e297f83a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMAZON VALID EMAILS CHECKER BY X-SLAYER.EXE
Filesize
803KB

MD5
305aa19532d3f9b073a00554136f0e98

SHA1
e09303e02e1205319979676e73aff57b69ea8c17

SHA256
5d7840b21dfc68963642589e4089f762cb4af25653ed66db8ff880efbe8b86c6

SHA512
1b078b431a12e869d6aa9c0bf44815934d6c1548ba8f09f37ddccd0988a3bcd2dc40944ddcb53003f1a259c26576f37fa9cec7a8ca1285ddbb459f66e297f83a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOWS DEFENDER SECURITY.EXE
Filesize
535KB

MD5
0bd3018c9c566328497be54c7d882159

SHA1
8d90c23ee373ab935ba930f25c96374762c4a5a6

SHA256
026971c3fba531247627dd9f3f7d51c566d8df28a52332bd3d0eb8ca55d96176

SHA512
90cfde84ae14de5151c4950b8f8fe05d108a9716f3e0c104e2793a9c8bbb6a4385fe24a1bd9bc020cd061a128bb258ef44ef8679ac4b0e8a280107b22ed9e8cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOWS DEFENDER SECURITY.EXE
Filesize
535KB

MD5
0bd3018c9c566328497be54c7d882159

SHA1
8d90c23ee373ab935ba930f25c96374762c4a5a6

SHA256
026971c3fba531247627dd9f3f7d51c566d8df28a52332bd3d0eb8ca55d96176

SHA512
90cfde84ae14de5151c4950b8f8fe05d108a9716f3e0c104e2793a9c8bbb6a4385fe24a1bd9bc020cd061a128bb258ef44ef8679ac4b0e8a280107b22ed9e8cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe
Filesize
535KB

MD5
0bd3018c9c566328497be54c7d882159

SHA1
8d90c23ee373ab935ba930f25c96374762c4a5a6

SHA256
026971c3fba531247627dd9f3f7d51c566d8df28a52332bd3d0eb8ca55d96176

SHA512
90cfde84ae14de5151c4950b8f8fe05d108a9716f3e0c104e2793a9c8bbb6a4385fe24a1bd9bc020cd061a128bb258ef44ef8679ac4b0e8a280107b22ed9e8cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe
Filesize
535KB

MD5
0bd3018c9c566328497be54c7d882159

SHA1
8d90c23ee373ab935ba930f25c96374762c4a5a6

SHA256
026971c3fba531247627dd9f3f7d51c566d8df28a52332bd3d0eb8ca55d96176

SHA512
90cfde84ae14de5151c4950b8f8fe05d108a9716f3e0c104e2793a9c8bbb6a4385fe24a1bd9bc020cd061a128bb258ef44ef8679ac4b0e8a280107b22ed9e8cc

Download Submit
memory/364-137-0x0000000000000000-mapping.dmp

Download
memory/372-156-0x00000000068E0000-0x00000000068F2000-memory.dmp

Filesize
72KB

Download
memory/372-157-0x0000000006D10000-0x0000000006D4C000-memory.dmp

Filesize
240KB

Download
memory/372-154-0x0000000005CE0000-0x0000000005D46000-memory.dmp

Filesize
408KB

Download
memory/372-151-0x0000000000FC0000-0x000000000104C000-memory.dmp

Filesize
560KB

Download
memory/372-147-0x0000000000000000-mapping.dmp

Download
memory/1128-168-0x0000000000000000-mapping.dmp

Download
memory/1976-182-0x0000000000000000-mapping.dmp

Download
memory/2392-153-0x00007FFF3BA70000-0x00007FFF3C531000-memory.dmp

Filesize
10.8MB

Download
memory/2392-155-0x00007FFF3BA70000-0x00007FFF3C531000-memory.dmp

Filesize
10.8MB

Download
memory/2392-144-0x0000000000000000-mapping.dmp

Download
memory/2392-152-0x0000028CF2220000-0x0000028CF22F2000-memory.dmp

Filesize
840KB

Download
memory/2824-180-0x0000000000000000-mapping.dmp

Download
memory/3300-138-0x0000000000000000-mapping.dmp

Download
memory/3940-159-0x0000000000000000-mapping.dmp

Download
memory/3940-169-0x0000000006780000-0x000000000678A000-memory.dmp

Filesize
40KB

Download
memory/4420-175-0x0000000007620000-0x000000000762A000-memory.dmp

Filesize
40KB

Download
memory/4420-177-0x00000000077F0000-0x00000000077FE000-memory.dmp

Filesize
56KB

Download
memory/4420-179-0x00000000078E0000-0x00000000078E8000-memory.dmp

Filesize
32KB

Download
memory/4420-178-0x0000000007900000-0x000000000791A000-memory.dmp

Filesize
104KB

Download
memory/4420-170-0x0000000007260000-0x0000000007292000-memory.dmp

Filesize
200KB

Download
memory/4420-176-0x0000000007830000-0x00000000078C6000-memory.dmp

Filesize
600KB

Download
memory/4420-162-0x0000000000000000-mapping.dmp

Download
memory/4420-174-0x00000000075B0000-0x00000000075CA000-memory.dmp

Filesize
104KB

Download
memory/4420-163-0x0000000002960000-0x0000000002996000-memory.dmp

Filesize
216KB

Download
memory/4420-164-0x0000000005420000-0x0000000005A48000-memory.dmp

Filesize
6.2MB

Download
memory/4420-165-0x0000000005B40000-0x0000000005B62000-memory.dmp

Filesize
136KB

Download
memory/4420-171-0x000000006FA00000-0x000000006FA4C000-memory.dmp

Filesize
304KB

Download
memory/4420-167-0x00000000062B0000-0x00000000062CE000-memory.dmp

Filesize
120KB

Download
memory/4420-173-0x0000000007BF0000-0x000000000826A000-memory.dmp

Filesize
6.5MB

Download
memory/4420-172-0x0000000006840000-0x000000000685E000-memory.dmp

Filesize
120KB

Download
memory/4420-166-0x0000000005BE0000-0x0000000005C46000-memory.dmp

Filesize
408KB

Download
memory/4452-136-0x0000000000000000-mapping.dmp

Download
memory/4568-135-0x0000000000000000-mapping.dmp

Download
memory/4636-158-0x0000000000000000-mapping.dmp

Download
memory/4788-139-0x0000000000000000-mapping.dmp

Download
memory/4788-150-0x0000000000400000-0x0000000000564000-memory.dmp

Filesize
1.4MB

Download
memory/4788-141-0x0000000000400000-0x0000000000564000-memory.dmp

Filesize
1.4MB

Download
memory/4788-140-0x0000000000400000-0x0000000000564000-memory.dmp

Filesize
1.4MB

Download
memory/4788-143-0x0000000000400000-0x0000000000564000-memory.dmp

Filesize
1.4MB

Download
memory/4788-142-0x0000000000400000-0x0000000000564000-memory.dmp

Filesize
1.4MB

Download
memory/4860-181-0x0000000000000000-mapping.dmp

Download
memory/5036-132-0x0000000000DF0000-0x0000000001090000-memory.dmp

Filesize
2.6MB

Download
memory/5036-134-0x0000000005DE0000-0x0000000005E72000-memory.dmp

Filesize
584KB

Download
memory/5036-133-0x00000000061F0000-0x0000000006794000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads