Malware Analysis Report

2025-08-05 14:11

Sample ID: 230818-sp4rjsbc29
Target: d7a133c378e6af60b98144f04c39206f871941f944c04dafaba607f5f77bc997.exe
SHA256: d7a133c378e6af60b98144f04c39206f871941f944c04dafaba607f5f77bc997
Tags: quasar senshi 2 spyware trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: d7a133c378e6af60b98144f04c39206f871941f944c04dafaba607f5f77bc997
Threat Level: Known bad

The file d7a133c378e6af60b98144f04c39206f871941f944c04dafaba607f5f77bc997.exe was found to be: Known bad.

Malicious Activity Summary

Tags: quasar senshi 2 spyware trojan

Quasar RAT
Suspicious use of NtCreateUserProcessOtherParentProcess
Quasar payload
Executes dropped EXE
Drops startup file
Looks up external IP address via web service
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-08-18 15:18

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2023-08-18 15:18
Reported: 2023-08-18 15:21
Platform: win10v2004-20230703-en
Max time kernel: 127s
Max time network: 133s

Command Line

C:\Windows\Explorer.EXE

Signatures

Quasar RAT

Tags: trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 2948 created 3172 | N/A | C:\Users\Admin\AppData\Local\Temp\700559\22141\Complement.pif | C:\Windows\Explorer.EXE

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gxPDhDxdPH.url | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gxPDhDxdPH.url | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\700559\22141\Complement.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\700559\22141\jsc.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2948 set thread context of 1580 | N/A | C:\Users\Admin\AppData\Local\Temp\700559\22141\Complement.pif | C:\Users\Admin\AppData\Local\Temp\700559\22141\jsc.exe

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Occurrences
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 6
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\700559\22141\Complement.pif | N/A | 16

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Occurrences
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\700559\22141\jsc.exe | N/A | 1

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\700559\22141\jsc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Occurrences
PID 3644 wrote to memory of 3840 | N/A | C:\Users\Admin\AppData\Local\Temp\d7a133c378e6af60b98144f04c39206f871941f944c04dafaba607f5f77bc997.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 3840 wrote to memory of 1728 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 1728 wrote to memory of 2616 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 1728 wrote to memory of 2564 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 1728 wrote to memory of 3180 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe | 3
PID 1728 wrote to memory of 2948 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\700559\22141\Complement.pif | 3
PID 1728 wrote to memory of 1828 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE | 3
PID 2948 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\700559\22141\Complement.pif | C:\Windows\SysWOW64\cmd.exe | 3
PID 2948 wrote to memory of 1580 | N/A | C:\Users\Admin\AppData\Local\Temp\700559\22141\Complement.pif | C:\Users\Admin\AppData\Local\Temp\700559\22141\jsc.exe | 5

Processes

Process | Command line
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\d7a133c378e6af60b98144f04c39206f871941f944c04dafaba607f5f77bc997.exe | "C:\Users\Admin\AppData\Local\Temp\d7a133c378e6af60b98144f04c39206f871941f944c04dafaba607f5f77bc997.exe"
C:\Windows\SysWOW64\cmd.exe | cmd /k cmd < Anyone & exit
C:\Windows\SysWOW64\cmd.exe | cmd
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell get-process avastui
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell get-process avgui
C:\Windows\SysWOW64\findstr.exe | findstr /V /R "^yorkshire$" Charts
C:\Users\Admin\AppData\Local\Temp\700559\22141\Complement.pif | 22141\\Complement.pif 22141\\s
C:\Windows\SysWOW64\PING.EXE | ping -n 5 localhost
C:\Windows\SysWOW64\cmd.exe | cmd /c echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gxPDhDxdPH.url" & echo URL="C:\Users\Admin\AppData\Local\GcyVAQmegg\bHjXvqekX.vbs" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gxPDhDxdPH.url"
C:\Users\Admin\AppData\Local\Temp\700559\22141\jsc.exe | C:\Users\Admin\AppData\Local\Temp\700559\22141\jsc.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 121.208.253.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | UYVbTUJUIf.UYVbTUJUIf | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
NL | 185.177.125.198:222 | N/A | tcp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.125.177.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.149.241.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\700559\Anyone

MD5 ee82d316318b3bb19e2a1aa13cfde12d
SHA1 83ae8b583212041c75c49c11947443c57d99ebc9
SHA256 ba1aa96299673031f84d6a589c990e8e4ee97f8755d40aa0caa1837e8c4b1730
SHA512 fef62456632d5d8579c174a137ba3eeed537885f41e550505abf90a9ecf60663fb584624343697fda1d0ba43ea200e2c552d495d0df475d61c1e1691da09e88d

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d35111q2.yoq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 def65711d78669d7f8e69313be4acf2e
SHA1 6522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256 aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA512 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 87213270273d51bd283908fae0b5533a
SHA1 ea96420e530e18f0d47b0929b28943280a4ef4bc
SHA256 8f20c77139c45bb35b5a972ccb2cef94e9c60f36d52a9ae423c649c309988440
SHA512 452a7799a0251687c69d50508470a96e6a0546680a60ecf6df55e0bb203cd38376277b96d298e1bf10f3856c815aa4e5e3af739df10c9dd24917ea953500d06b

C:\Users\Admin\AppData\Local\Temp\700559\Ti

MD5 50dc0c5650c3a14ad534a566aa268c1c
SHA1 5c3b517061d303458dc7ee382b412473cd59ff1e
SHA256 f58e083d8de3f4ede66bb7e055e12829066747bcc313f2100206e1538067bde5
SHA512 8859e2f220a73c87214f4e26e3e104e1dfb6056c0aaef2999593a132fc32ebee07c374fc2f5209e2af89af285bd3d2be2c235913bacdd5b4faf264e7ca78fd99

C:\Users\Admin\AppData\Local\Temp\700559\Beat

MD5 83115bd6f1815edf7c78ae8af83fc6bd
SHA1 14b013d72b90dde79881288c9cfee399594b3323
SHA256 5a6a4b0563927bbf248317a729f0625d92bd2b8de9861f7d6ea5d08ee53aa1c1
SHA512 70195a5db0b7d0cec66fd406853b3b90cb6946f0ce89e0b2d93b51c8ee054d4ed28a64682727c6f31f978c318b13db8c6330ec3c857f3dc47668192aeae0ff71

C:\Users\Admin\AppData\Local\Temp\700559\Places

MD5 0b874152ef1e60b08eb50f09eb080b99
SHA1 4009738fcd5c4ba170863357c27d2a8c43432362
SHA256 a646d2eb870f18b49c3c3def597316ed44fec441527e52a80afad1e812c47595
SHA512 7054c84c7f11d5d08c4e3853d2ec178b604e24ff7cd1ea303b690b0c83484a39846648f1fe3936c070447426d2fbfd08937488cf7c60d85a92fec1cf8c2423ae

C:\Users\Admin\AppData\Local\Temp\700559\Soviet

MD5 0a64e1b01d7e5384208b5d94615525a2
SHA1 90a89dd2135b526e87b8b55bba0ae42303437b1e
SHA256 205cda8c912c15f9ab25db7ab7c3fccd05f075fcba287e26b282fe96f7a42f48
SHA512 c187c12d6f13452893235be8bfa2838cf4c4b2a3e3609c9245b790f0ab74f8f1c6a2b402ab2c24dce22a99e0e5bbfab92037d380bd1775d92a46957bc84d8a71

C:\Users\Admin\AppData\Local\Temp\700559\References

MD5 3ae01e40a182487659d55773b3f47558
SHA1 c3777f389895cfb73e5ce7df7fd2285445a097f3
SHA256 5ebbab41747828eee78d2efd2f04701464e6d29fd44fd1a90148fb595c041220
SHA512 fb3fee2359b6d7a0d000f5b723086d9664c57fefc9beabebe77ad8a1a47d724331882c3669927bb4f429e92c71504c57c5efd25cc9e2bcf577083027c12cf277

C:\Users\Admin\AppData\Local\Temp\700559\Functional

MD5 fa899ff99f2a3a0de6c4b02df7fdee32
SHA1 3094f78cd6ba6b9546769d12cdea7f8356811e9e
SHA256 c8318ebd986adc373a758540428b227eab5a1535396dd548cb2644fc818738f6
SHA512 b56fd9ee1187a07a70d08700c6028e6b6f6016a99d2ef2a758662a0c2e310522eb9d31e268b8196d856ba2234cb7e4d99e3f080023265e1ff4343dde913dd771

C:\Users\Admin\AppData\Local\Temp\700559\Vitamins

MD5 b939a30973ed57a4e5fa327b2230a5f2
SHA1 830e1014360a583bc2b5d8f0e55db7c98ea77dfe
SHA256 cbe33811165f8f86c97186d5e2fff26ee0a3fc09f1265a6b0f8eee40c144e2b2
SHA512 4353260c4c79ecfa06d10cb227e7f056a66502d20489fea793346aaf2ea731727daa0f6b4d01f7705ee3e6b31c638e3a7a29f0b06872ed1b99eafe8d6a39e69d

C:\Users\Admin\AppData\Local\Temp\700559\Clinic

MD5 268bb7ba7d9d079fcd52610c688ff820
SHA1 ac1126a4263dc3787b8f535bc115e5e2e903390e
SHA256 c903e1ccc15a4d219e87d4f3d7caab4cae1ef70cb18f3a135f5e09f1971109a0
SHA512 6e75af5194d04ccb01c5f16968186af447bb43e012d462402726b289f570e1f8082085e5899c25feba550945ff9f6e1e223c76f5b95e0d24a211a9f2368f3646

C:\Users\Admin\AppData\Local\Temp\700559\Signature

MD5 88e9b235c566960e0d87a22d649b9408
SHA1 b7027502acff9594c9b9db424751abf307215d44
SHA256 6443c69271dc8e71aceda8a2a1ea776e550bfa32be93df1831dbe4ed0de2c365
SHA512 637415f77ea929afae776db72013cc8bb0b8cd875ee7c738a5b6e72bb2aefbf1a2c890dc822e4a45ec710516488d8458f789aebf2010872abd8f8b3ca8c46778

C:\Users\Admin\AppData\Local\Temp\700559\Marie

MD5 801b30bdcd8b219135eb536dbbd8338d
SHA1 8e9b5c6dbf281686fb0ec2a20d09dd5ab082ac62
SHA256 693064a675812d4cc40b9c031eea9be8a51710aab49fa1b4116f156f2c5d0518
SHA512 54d4b6a07e286be7726b0d22e47c2b5364ce156f9fbd9042ef9b7958ff4a130a52143a4db4d5ca9474dbc8abf86425dee2dc963640c109b0f110c2bf4e75fc1e

C:\Users\Admin\AppData\Local\Temp\700559\Davis

MD5 6268badba8c162b2615511b92dffa673
SHA1 51bbf8cdd12978259ccdbb2cc3a17994cf8adf6a
SHA256 3f835216d30710916917c0d54ac944a56c1c23b59c86b7634073c25572f3754b
SHA512 73d5dcbfe2790561eac0536542fea51ff9e58ccd5a405e09f3f19cfe4e91febbff6930ca78fb8f390768c5c3b64965815d5d59c90a86871835bf1d2d294f8383

C:\Users\Admin\AppData\Local\Temp\700559\Curves

MD5 069d3ef04f3216b6b356adab141ce596
SHA1 f788088d19f3b0ff59f45e98e3df89e6bb011545
SHA256 03fbfd236057624a0fb9094a0a0758cdbc42ffd3444a65e71653ad765fe90048
SHA512 ee6cae922d072d5532758df8a378edb76a5e51c901279c310f19a8ebc464eab92889e1e82da647cf044ea1393781183db828acef7ed35ccde5666f7c313f640b

C:\Users\Admin\AppData\Local\Temp\700559\Adds

MD5 f8ecc05e767090afbdc65be2584fd331
SHA1 796d7eb5f021cd3383a2c0eedc658a91a783a6ee
SHA256 46fb07531ea612b9e77ec1f9fa0e19ca12fc00fb9d7024e5c25c8eb972d7ce04
SHA512 cee60719a9dcd6bd8cc38851202c7835df294e0b19923fa580bd47207b2cf87619106c5dff04ab6dbc5f5ab3177920bbeb3322135fc5ab5ee0f30e12e4b92a43

C:\Users\Admin\AppData\Local\Temp\700559\Charts

MD5 f5c2c7e2ae83fffa01748388c911c958
SHA1 7d21e2f0519914e8e8e9c81ae232efdc406703a5
SHA256 bc8f65d81703352582ab6b0b9dfe17658a78354aeaa7ef43915d3b030b3b2046
SHA512 d5bae120df27f81817a3352ab9d914fd5f2bb44d9f3b51e1c07395e558f5b186dda51d29e5828569778c30f8cafda9bfe1d2d0241c51d977b8c77150487b72f4

C:\Users\Admin\AppData\Local\Temp\700559\Scenarios

MD5 154b3f1fbccf1e4c1e06418e6f4d17e6
SHA1 560fbd2a0b344c1f9213c170064bf6d68be189ac
SHA256 d82772c377a20932efe8611bdca909ce685de1b69617940b31068dc4d57080e3
SHA512 ce92fd1d657a1287f3e118dc59a1534d9a300e558a8bf12ff61fcd07623c64b809848c443e55dde995fb0d97f978ca9e69e1f113355871e107e87613e4bb0c45

C:\Users\Admin\AppData\Local\Temp\700559\22141\Complement.pif

MD5 0162a97ed477353bc35776a7addffd5c
SHA1 10db8fe20bbce0f10517c510ec73532cf6feb227
SHA256 15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571
SHA512 9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

C:\Users\Admin\AppData\Local\Temp\700559\22141\jsc.exe

MD5 94c8e57a80dfca2482dedb87b93d4fd9
SHA1 5729e6c7d2f5ab760f0093b9d44f8ac0f876a803
SHA256 39e87f0edcdd15582cfefdfab1975aadd2c7ca1e3a5f07b1146ce3206f401bb5
SHA512 1798a3607b2b94732b52de51d2748c86f9453343b6d8a417e98e65ddb38e9198cdcb2f45bf60823cb429b312466b28c5103c7588f2c4ef69fa27bfdb4f4c67dc

Analysis: behavioral1

Detonation Overview

Submitted: 2023-08-18 15:18
Reported: 2023-08-18 15:21
Platform: win7-20230712-en
Max time kernel: 118s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d7a133c378e6af60b98144f04c39206f871941f944c04dafaba607f5f77bc997.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Occurrences
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 2

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Occurrences
PID 2220 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\d7a133c378e6af60b98144f04c39206f871941f944c04dafaba607f5f77bc997.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1608 wrote to memory of 2096 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2096 wrote to memory of 2340 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 4

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\d7a133c378e6af60b98144f04c39206f871941f944c04dafaba607f5f77bc997.exe | "C:\Users\Admin\AppData\Local\Temp\d7a133c378e6af60b98144f04c39206f871941f944c04dafaba607f5f77bc997.exe"
C:\Windows\SysWOW64\cmd.exe | cmd /k cmd < Anyone & exit
C:\Windows\SysWOW64\cmd.exe | cmd
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell get-process avastui

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\949325\Anyone

MD5 ee82d316318b3bb19e2a1aa13cfde12d
SHA1 83ae8b583212041c75c49c11947443c57d99ebc9
SHA256 ba1aa96299673031f84d6a589c990e8e4ee97f8755d40aa0caa1837e8c4b1730
SHA512 fef62456632d5d8579c174a137ba3eeed537885f41e550505abf90a9ecf60663fb584624343697fda1d0ba43ea200e2c552d495d0df475d61c1e1691da09e88d
