quasar | 329b98802dad1219886d6912d0d5303f7d8012ff2c27fe0bd917b5b069865903

Analysis

max time kernel
64s
max time network
102s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-01-2023 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

329b98802dad1219886d6912d0d5303f7d8012ff2c27fe0bd917b5b069865903.exe
Size

1.0MB
MD5

fc6cd521af42d5423b8ce0e53ae67703
SHA1

49a14b2ba77028b1dfb8167bdafdd2908c40f861
SHA256

329b98802dad1219886d6912d0d5303f7d8012ff2c27fe0bd917b5b069865903
SHA512

0de482d1f6ae53197da70045f84f2071e3a17b9cc90a4e3b7c68c1210590fe5f6eb4ec86d1c233e4c0c4662fb639c861bed0c869509ddf9cf53b9b3b4b841bab
SSDEEP

24576:ucvkTM6qPOgKbORmiNbbAb21NUJ2k+U1kYC80Oy2dj08:pvkT9Q+4miNG217k9Z5x

Score

10^/10

quasar venomrat office04 evasion rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

127.0.0.1:4782

rat94522.ddnsking.com:4000

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes

encryption_key
WIwQFd2V7FhUXFH7QX71
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 18 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\file1.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\file1.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\file1.exe	disable_win_def
behavioral1/memory/1984-68-0x0000000000980000-0x0000000000A0C000-memory.dmp	disable_win_def
\Users\Admin\AppData\Roaming\SubDir\Client.exe	disable_win_def
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	disable_win_def
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	disable_win_def
behavioral1/memory/1384-74-0x0000000000850000-0x00000000008DC000-memory.dmp	disable_win_def
\Users\Admin\AppData\Roaming\SubDir\Client.exe	disable_win_def
\Users\Admin\AppData\Roaming\SubDir\Client.exe	disable_win_def
\Users\Admin\AppData\Roaming\SubDir\Client.exe	disable_win_def
\Users\Admin\AppData\Roaming\SubDir\Client.exe	disable_win_def
\Users\Admin\AppData\Roaming\SubDir\Client.exe	disable_win_def
\Users\Admin\AppData\Local\Temp\file1.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\file1.exe	disable_win_def
behavioral1/memory/1100-99-0x0000000001360000-0x00000000013EC000-memory.dmp	disable_win_def
\Users\Admin\AppData\Roaming\SubDir\Client.exe	disable_win_def
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

file1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	file1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	file1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	file1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	file1.exe

Quasar RAT 3 IoCs
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Processes:

timeout.exe

pid process

608 timeout.exe
1 ip-api.com
5 api.ipify.org

pid	process
608	timeout.exe
1	ip-api.com
5	api.ipify.org

Quasar payload 18 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\file1.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\file1.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\file1.exe	family_quasar
behavioral1/memory/1984-68-0x0000000000980000-0x0000000000A0C000-memory.dmp	family_quasar
\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
behavioral1/memory/1384-74-0x0000000000850000-0x00000000008DC000-memory.dmp	family_quasar
\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
\Users\Admin\AppData\Local\Temp\file1.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\file1.exe	family_quasar
behavioral1/memory/1100-99-0x0000000001360000-0x00000000013EC000-memory.dmp	family_quasar
\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
Executes dropped EXE 5 IoCs

Processes:

Crypted.exefile1.exeClient.exefile1.exeClient.exe

pid process

1988 Crypted.exe
1984 file1.exe
1384 Client.exe
1100 file1.exe
1180 Client.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

364 cmd.exe
Loads dropped DLL 9 IoCs

Processes:

Crypted.exefile1.exeWerFault.execmd.execmd.exe

pid process

1988 Crypted.exe
1984 file1.exe
2028 WerFault.exe
2028 WerFault.exe
2028 WerFault.exe
2028 WerFault.exe
2028 WerFault.exe
544 cmd.exe
1708 cmd.exe

pid	process
1988	Crypted.exe
1984	file1.exe
1384	Client.exe
1100	file1.exe
1180	Client.exe

pid	process
364	cmd.exe

pid	process
1988	Crypted.exe
1984	file1.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
544	cmd.exe
1708	cmd.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

file1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	file1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	file1.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
1 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2028 1384 WerFault.exe Client.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

608 timeout.exe

flow	ioc
5	api.ipify.org
1	ip-api.com

pid	pid_target	process	target process
2028	1384	WerFault.exe	Client.exe

pid	process
608	timeout.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

file1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	file1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	file1.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

824 PING.EXE
2000 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

Crypted.exe

pid process

1988 Crypted.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exefile1.exefile1.exeClient.exe

pid process

1724 powershell.exe
1984 file1.exe
1984 file1.exe
1984 file1.exe
1984 file1.exe
1984 file1.exe
1984 file1.exe
1984 file1.exe
1100 file1.exe
1180 Client.exe

pid	process
824	PING.EXE
2000	PING.EXE

pid	process
1988	Crypted.exe

pid	process
1724	powershell.exe
1984	file1.exe
1984	file1.exe
1984	file1.exe
1984	file1.exe
1984	file1.exe
1984	file1.exe
1984	file1.exe
1100	file1.exe
1180	Client.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

file1.exeClient.exepowershell.exefile1.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	1984	file1.exe
Token: SeDebugPrivilege	1384	Client.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1384	Client.exe
Token: SeDebugPrivilege	1100	file1.exe
Token: SeDebugPrivilege	1180	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

1384 Client.exe

pid	process
1384	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

329b98802dad1219886d6912d0d5303f7d8012ff2c27fe0bd917b5b069865903.execmd.exeCrypted.exefile1.execmd.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 752 wrote to memory of 1072	752	329b98802dad1219886d6912d0d5303f7d8012ff2c27fe0bd917b5b069865903.exe	cmd.exe
PID 752 wrote to memory of 1072	752	329b98802dad1219886d6912d0d5303f7d8012ff2c27fe0bd917b5b069865903.exe	cmd.exe
PID 752 wrote to memory of 1072	752	329b98802dad1219886d6912d0d5303f7d8012ff2c27fe0bd917b5b069865903.exe	cmd.exe
PID 752 wrote to memory of 1072	752	329b98802dad1219886d6912d0d5303f7d8012ff2c27fe0bd917b5b069865903.exe	cmd.exe
PID 1072 wrote to memory of 608	1072	cmd.exe	timeout.exe
PID 1072 wrote to memory of 608	1072	cmd.exe	timeout.exe
PID 1072 wrote to memory of 608	1072	cmd.exe	timeout.exe
PID 1072 wrote to memory of 1988	1072	cmd.exe	Crypted.exe
PID 1072 wrote to memory of 1988	1072	cmd.exe	Crypted.exe
PID 1072 wrote to memory of 1988	1072	cmd.exe	Crypted.exe
PID 1072 wrote to memory of 1988	1072	cmd.exe	Crypted.exe
PID 1988 wrote to memory of 1984	1988	Crypted.exe	file1.exe
PID 1988 wrote to memory of 1984	1988	Crypted.exe	file1.exe
PID 1988 wrote to memory of 1984	1988	Crypted.exe	file1.exe
PID 1988 wrote to memory of 1984	1988	Crypted.exe	file1.exe
PID 1984 wrote to memory of 1384	1984	file1.exe	Client.exe
PID 1984 wrote to memory of 1384	1984	file1.exe	Client.exe
PID 1984 wrote to memory of 1384	1984	file1.exe	Client.exe
PID 1984 wrote to memory of 1384	1984	file1.exe	Client.exe
PID 1984 wrote to memory of 1724	1984	file1.exe	powershell.exe
PID 1984 wrote to memory of 1724	1984	file1.exe	powershell.exe
PID 1984 wrote to memory of 1724	1984	file1.exe	powershell.exe
PID 1984 wrote to memory of 1724	1984	file1.exe	powershell.exe
PID 1984 wrote to memory of 556	1984	file1.exe	cmd.exe
PID 1984 wrote to memory of 556	1984	file1.exe	cmd.exe
PID 1984 wrote to memory of 556	1984	file1.exe	cmd.exe
PID 1984 wrote to memory of 556	1984	file1.exe	cmd.exe
PID 556 wrote to memory of 364	556	cmd.exe	cmd.exe
PID 556 wrote to memory of 364	556	cmd.exe	cmd.exe
PID 556 wrote to memory of 364	556	cmd.exe	cmd.exe
PID 556 wrote to memory of 364	556	cmd.exe	cmd.exe
PID 1984 wrote to memory of 544	1984	file1.exe	cmd.exe
PID 1984 wrote to memory of 544	1984	file1.exe	cmd.exe
PID 1984 wrote to memory of 544	1984	file1.exe	cmd.exe
PID 1984 wrote to memory of 544	1984	file1.exe	cmd.exe
PID 544 wrote to memory of 984	544	cmd.exe	chcp.com
PID 544 wrote to memory of 984	544	cmd.exe	chcp.com
PID 544 wrote to memory of 984	544	cmd.exe	chcp.com
PID 544 wrote to memory of 984	544	cmd.exe	chcp.com
PID 544 wrote to memory of 824	544	cmd.exe	PING.EXE
PID 544 wrote to memory of 824	544	cmd.exe	PING.EXE
PID 544 wrote to memory of 824	544	cmd.exe	PING.EXE
PID 544 wrote to memory of 824	544	cmd.exe	PING.EXE
PID 1384 wrote to memory of 1708	1384	Client.exe	cmd.exe
PID 1384 wrote to memory of 1708	1384	Client.exe	cmd.exe
PID 1384 wrote to memory of 1708	1384	Client.exe	cmd.exe
PID 1384 wrote to memory of 1708	1384	Client.exe	cmd.exe
PID 1384 wrote to memory of 2028	1384	Client.exe	WerFault.exe
PID 1384 wrote to memory of 2028	1384	Client.exe	WerFault.exe
PID 1384 wrote to memory of 2028	1384	Client.exe	WerFault.exe
PID 1384 wrote to memory of 2028	1384	Client.exe	WerFault.exe
PID 1708 wrote to memory of 1060	1708	cmd.exe	chcp.com
PID 1708 wrote to memory of 1060	1708	cmd.exe	chcp.com
PID 1708 wrote to memory of 1060	1708	cmd.exe	chcp.com
PID 1708 wrote to memory of 1060	1708	cmd.exe	chcp.com
PID 1708 wrote to memory of 2000	1708	cmd.exe	PING.EXE
PID 1708 wrote to memory of 2000	1708	cmd.exe	PING.EXE
PID 1708 wrote to memory of 2000	1708	cmd.exe	PING.EXE
PID 1708 wrote to memory of 2000	1708	cmd.exe	PING.EXE
PID 544 wrote to memory of 1100	544	cmd.exe	file1.exe
PID 544 wrote to memory of 1100	544	cmd.exe	file1.exe
PID 544 wrote to memory of 1100	544	cmd.exe	file1.exe
PID 544 wrote to memory of 1100	544	cmd.exe	file1.exe
PID 1708 wrote to memory of 1180	1708	cmd.exe	Client.exe

C:\Users\Admin\AppData\Local\Temp\329b98802dad1219886d6912d0d5303f7d8012ff2c27fe0bd917b5b069865903.exe
"C:\Users\Admin\AppData\Local\Temp\329b98802dad1219886d6912d0d5303f7d8012ff2c27fe0bd917b5b069865903.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:752
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FB50.tmp\FB51.tmp\FB52.bat C:\Users\Admin\AppData\Local\Temp\329b98802dad1219886d6912d0d5303f7d8012ff2c27fe0bd917b5b069865903.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\system32\timeout.exe
    timeout 2
    3⤵
    - Quasar RAT
    - Delays execution with timeout.exe
    PID:608
- - C:\Users\Admin\AppData\Local\Temp\Crypted.exe
    Crypted.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Users\Admin\AppData\Local\Temp\file1.exe
      C:\Users\Admin\AppData\Local\Temp\\file1.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1984
    - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1384
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fdRsCNLqGLZb.bat" "
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:2000
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1496
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2028
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:556
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
        6⤵
        Deletes itself
        
        PID:364
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SxwO3flfiUiV.bat" "
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:544
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:984
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:824
      - C:\Users\Admin\AppData\Local\Temp\file1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\file1.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
1.3MB

MD5
3f68906bde81e068affd2fde48438c09

SHA1
5a885c286a8fab03b7e473dff4b79c4da94bd6f3

SHA256
b476a1cc9ca8b3191d5058ec792ec598159bef8d344d3d3e16361ef8cf20da50

SHA512
73cf19f408f7a32948f0254fa3a4ef917a23a50c35a4b729181d76bbf4d2465b4d514ae52b30422e26d9804620847e17de50bdb2f541d36c0d6e612cf535f130

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
1.3MB

MD5
3f68906bde81e068affd2fde48438c09

SHA1
5a885c286a8fab03b7e473dff4b79c4da94bd6f3

SHA256
b476a1cc9ca8b3191d5058ec792ec598159bef8d344d3d3e16361ef8cf20da50

SHA512
73cf19f408f7a32948f0254fa3a4ef917a23a50c35a4b729181d76bbf4d2465b4d514ae52b30422e26d9804620847e17de50bdb2f541d36c0d6e612cf535f130

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB50.tmp\FB51.tmp\FB52.bat

Filesize
72B

MD5
532fe973c7846cd45dd713eab9ccf5a2

SHA1
5c7ffe8a5f2ae88c6edc261e96dcdabbf9c357c6

SHA256
704862a14c3b03e464cde36c6dfff69bd6f835638a57ddcda697ccae2eaf620e

SHA512
fe3d666e611ab797fee9df860bf1719775d90e32d94b3b7d658c82e7e973790e360fb4294c76c169c4d26603b59347d9387bf0a16e143e69e9a34b7cfd6dfd27

Download Submit
C:\Users\Admin\AppData\Local\Temp\SxwO3flfiUiV.bat

Filesize
202B

MD5
fab8f86965f65463005bc604eb992cd3

SHA1
786be2ac09159d66145b88571cc1bd8eccc39bdd

SHA256
053525754227e1bd5ea8bedf9f6bce7eb88c166f138d1012f65a149e65996886

SHA512
40ef4acca9e51a7b89db255a59a79222b526be092d306ceddc18db4179acad677ff0cc4611026ab6030b38e62d043ede79371da8dda6753d34fe427ef546e3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdRsCNLqGLZb.bat

Filesize
207B

MD5
5095caa4a20d412dcd27db563d6c2484

SHA1
397d713eafb0168d28ee30680fdaadc0aa11c570

SHA256
9ef0e4fd0f3bec8097506402dd32dad932f0d22896069e3535f943862795bc62

SHA512
4684332dd35842186bccb9a8372e9e3c9a6c816b1e63fd9b6ef68fc14501a24095a457fb03afe06b0a147eb3469c7600e056f689d15c4860e279c5953c4d9198

Download Submit
C:\Users\Admin\AppData\Local\Temp\file1.exe

Filesize
534KB

MD5
c3e9d09f741548288dae2d21cdd8d05a

SHA1
79245cec78e2793ba75cbadc88b30aebd13cf9d9

SHA256
0fe098471d1c513f29fbcd3a7c10deb467bb62aa35da59cca1b88b16f6c88db5

SHA512
cea14fa657f3779008fde0acdcf94880b26662a49009e2ac5fcdd85a6fc36d736df3d5e67af6ae6b20a76c6734dbc3a849433b002be9c803a62abd4d2ce3dbca

Download Submit
C:\Users\Admin\AppData\Local\Temp\file1.exe

Filesize
534KB

MD5
c3e9d09f741548288dae2d21cdd8d05a

SHA1
79245cec78e2793ba75cbadc88b30aebd13cf9d9

SHA256
0fe098471d1c513f29fbcd3a7c10deb467bb62aa35da59cca1b88b16f6c88db5

SHA512
cea14fa657f3779008fde0acdcf94880b26662a49009e2ac5fcdd85a6fc36d736df3d5e67af6ae6b20a76c6734dbc3a849433b002be9c803a62abd4d2ce3dbca

Download Submit
C:\Users\Admin\AppData\Local\Temp\file1.exe

Filesize
534KB

MD5
c3e9d09f741548288dae2d21cdd8d05a

SHA1
79245cec78e2793ba75cbadc88b30aebd13cf9d9

SHA256
0fe098471d1c513f29fbcd3a7c10deb467bb62aa35da59cca1b88b16f6c88db5

SHA512
cea14fa657f3779008fde0acdcf94880b26662a49009e2ac5fcdd85a6fc36d736df3d5e67af6ae6b20a76c6734dbc3a849433b002be9c803a62abd4d2ce3dbca

Download Submit
C:\Users\Admin\AppData\Local\Temp\version.html

Filesize
7B

MD5
c3e5db9ee69e08ea7c1d3606e792f395

SHA1
fef456f1a4a7bfdbb8c8fc5d4dbe784953640889

SHA256
2fb033ae057446c19dbab9b9f9b54351f7d0f28f975d22560124eae402ac21f8

SHA512
ede02f77273374298455f437455cbb15f1b71cd15a0345647693bb5cf0fe46b670fc862105e91362a755d51243205011e5463cdd95cddec6996d9c8b92b5337c

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
534KB

MD5
c3e9d09f741548288dae2d21cdd8d05a

SHA1
79245cec78e2793ba75cbadc88b30aebd13cf9d9

SHA256
0fe098471d1c513f29fbcd3a7c10deb467bb62aa35da59cca1b88b16f6c88db5

SHA512
cea14fa657f3779008fde0acdcf94880b26662a49009e2ac5fcdd85a6fc36d736df3d5e67af6ae6b20a76c6734dbc3a849433b002be9c803a62abd4d2ce3dbca

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
534KB

MD5
c3e9d09f741548288dae2d21cdd8d05a

SHA1
79245cec78e2793ba75cbadc88b30aebd13cf9d9

SHA256
0fe098471d1c513f29fbcd3a7c10deb467bb62aa35da59cca1b88b16f6c88db5

SHA512
cea14fa657f3779008fde0acdcf94880b26662a49009e2ac5fcdd85a6fc36d736df3d5e67af6ae6b20a76c6734dbc3a849433b002be9c803a62abd4d2ce3dbca

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
534KB

MD5
c3e9d09f741548288dae2d21cdd8d05a

SHA1
79245cec78e2793ba75cbadc88b30aebd13cf9d9

SHA256
0fe098471d1c513f29fbcd3a7c10deb467bb62aa35da59cca1b88b16f6c88db5

SHA512
cea14fa657f3779008fde0acdcf94880b26662a49009e2ac5fcdd85a6fc36d736df3d5e67af6ae6b20a76c6734dbc3a849433b002be9c803a62abd4d2ce3dbca

Download Submit
\Users\Admin\AppData\Local\Temp\file1.exe

Filesize
534KB

MD5
c3e9d09f741548288dae2d21cdd8d05a

SHA1
79245cec78e2793ba75cbadc88b30aebd13cf9d9

SHA256
0fe098471d1c513f29fbcd3a7c10deb467bb62aa35da59cca1b88b16f6c88db5

SHA512
cea14fa657f3779008fde0acdcf94880b26662a49009e2ac5fcdd85a6fc36d736df3d5e67af6ae6b20a76c6734dbc3a849433b002be9c803a62abd4d2ce3dbca

Download Submit
\Users\Admin\AppData\Local\Temp\file1.exe

Filesize
534KB

MD5
c3e9d09f741548288dae2d21cdd8d05a

SHA1
79245cec78e2793ba75cbadc88b30aebd13cf9d9

SHA256
0fe098471d1c513f29fbcd3a7c10deb467bb62aa35da59cca1b88b16f6c88db5

SHA512
cea14fa657f3779008fde0acdcf94880b26662a49009e2ac5fcdd85a6fc36d736df3d5e67af6ae6b20a76c6734dbc3a849433b002be9c803a62abd4d2ce3dbca

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
534KB

MD5
c3e9d09f741548288dae2d21cdd8d05a

SHA1
79245cec78e2793ba75cbadc88b30aebd13cf9d9

SHA256
0fe098471d1c513f29fbcd3a7c10deb467bb62aa35da59cca1b88b16f6c88db5

SHA512
cea14fa657f3779008fde0acdcf94880b26662a49009e2ac5fcdd85a6fc36d736df3d5e67af6ae6b20a76c6734dbc3a849433b002be9c803a62abd4d2ce3dbca

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
534KB

MD5
c3e9d09f741548288dae2d21cdd8d05a

SHA1
79245cec78e2793ba75cbadc88b30aebd13cf9d9

SHA256
0fe098471d1c513f29fbcd3a7c10deb467bb62aa35da59cca1b88b16f6c88db5

SHA512
cea14fa657f3779008fde0acdcf94880b26662a49009e2ac5fcdd85a6fc36d736df3d5e67af6ae6b20a76c6734dbc3a849433b002be9c803a62abd4d2ce3dbca

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
534KB

MD5
c3e9d09f741548288dae2d21cdd8d05a

SHA1
79245cec78e2793ba75cbadc88b30aebd13cf9d9

SHA256
0fe098471d1c513f29fbcd3a7c10deb467bb62aa35da59cca1b88b16f6c88db5

SHA512
cea14fa657f3779008fde0acdcf94880b26662a49009e2ac5fcdd85a6fc36d736df3d5e67af6ae6b20a76c6734dbc3a849433b002be9c803a62abd4d2ce3dbca

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
534KB

MD5
c3e9d09f741548288dae2d21cdd8d05a

SHA1
79245cec78e2793ba75cbadc88b30aebd13cf9d9

SHA256
0fe098471d1c513f29fbcd3a7c10deb467bb62aa35da59cca1b88b16f6c88db5

SHA512
cea14fa657f3779008fde0acdcf94880b26662a49009e2ac5fcdd85a6fc36d736df3d5e67af6ae6b20a76c6734dbc3a849433b002be9c803a62abd4d2ce3dbca

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
534KB

MD5
c3e9d09f741548288dae2d21cdd8d05a

SHA1
79245cec78e2793ba75cbadc88b30aebd13cf9d9

SHA256
0fe098471d1c513f29fbcd3a7c10deb467bb62aa35da59cca1b88b16f6c88db5

SHA512
cea14fa657f3779008fde0acdcf94880b26662a49009e2ac5fcdd85a6fc36d736df3d5e67af6ae6b20a76c6734dbc3a849433b002be9c803a62abd4d2ce3dbca

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
534KB

MD5
c3e9d09f741548288dae2d21cdd8d05a

SHA1
79245cec78e2793ba75cbadc88b30aebd13cf9d9

SHA256
0fe098471d1c513f29fbcd3a7c10deb467bb62aa35da59cca1b88b16f6c88db5

SHA512
cea14fa657f3779008fde0acdcf94880b26662a49009e2ac5fcdd85a6fc36d736df3d5e67af6ae6b20a76c6734dbc3a849433b002be9c803a62abd4d2ce3dbca

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
534KB

MD5
c3e9d09f741548288dae2d21cdd8d05a

SHA1
79245cec78e2793ba75cbadc88b30aebd13cf9d9

SHA256
0fe098471d1c513f29fbcd3a7c10deb467bb62aa35da59cca1b88b16f6c88db5

SHA512
cea14fa657f3779008fde0acdcf94880b26662a49009e2ac5fcdd85a6fc36d736df3d5e67af6ae6b20a76c6734dbc3a849433b002be9c803a62abd4d2ce3dbca

Download Submit
memory/364-81-0x0000000000000000-mapping.dmp

Download
memory/544-82-0x0000000000000000-mapping.dmp

Download
memory/556-80-0x0000000000000000-mapping.dmp

Download
memory/608-57-0x0000000000000000-mapping.dmp

Download
memory/752-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/824-85-0x0000000000000000-mapping.dmp

Download
memory/984-84-0x0000000000000000-mapping.dmp

Download
memory/1060-89-0x0000000000000000-mapping.dmp

Download
memory/1072-55-0x0000000000000000-mapping.dmp

Download
memory/1100-99-0x0000000001360000-0x00000000013EC000-memory.dmp

Filesize
560KB

Download
memory/1100-97-0x0000000000000000-mapping.dmp

Download
memory/1180-102-0x0000000000000000-mapping.dmp

Download
memory/1384-71-0x0000000000000000-mapping.dmp

Download
memory/1384-74-0x0000000000850000-0x00000000008DC000-memory.dmp

Filesize
560KB

Download
memory/1708-86-0x0000000000000000-mapping.dmp

Download
memory/1724-75-0x0000000000000000-mapping.dmp

Download
memory/1724-79-0x000000006F210000-0x000000006F7BB000-memory.dmp

Filesize
5.7MB

Download
memory/1724-78-0x000000006F210000-0x000000006F7BB000-memory.dmp

Filesize
5.7MB

Download
memory/1984-68-0x0000000000980000-0x0000000000A0C000-memory.dmp

Filesize
560KB

Download
memory/1984-65-0x0000000000000000-mapping.dmp

Download
memory/1988-61-0x0000000000F80000-0x0000000000FDE000-memory.dmp

Filesize
376KB

Download
memory/1988-59-0x0000000000000000-mapping.dmp

Download
memory/2000-94-0x0000000000000000-mapping.dmp

Download
memory/2028-88-0x0000000000000000-mapping.dmp

Download