quasar | 427895a73d7150c8f132f251c230ae0686ee0b89e13e46258f40b0de1cc5e638

Resubmissions

14-06-2024 04:34

240614-e7engsvfqb 10

10-09-2023 03:56

230910-ehlqhafa99 10

10-09-2023 03:52

230910-ee9yxsfa96 10

Analysis

max time kernel
142s
max time network
146s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
10-09-2023 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ImageLoggerV12.exe
Size

67.2MB
MD5

c32642c9ee6b0645a1b8e79827d3b527
SHA1

c91233c4cb87e810989c4135aa5956aadb74240a
SHA256

427895a73d7150c8f132f251c230ae0686ee0b89e13e46258f40b0de1cc5e638
SHA512

6447dc0a21efe22b7b80143e34aeba0e0a788a6d7802f16ae9430fb2040284ea8254b4740da84229447410e4ddbadc235b1cebcf8d797915b66c83aa88c8b2fc
SSDEEP

1572864:132XjX2pJxhQnieFTnt9bN4bfZDbNmkXfSWd+Ut8y4:1N7iTn2dDJF6WDO

Score

10^/10

quasar xmrig office04 miner spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

NareReti-40382.portmap.host:40382

Mutex

1f3547a3-6112-47d5-9c48-4fb1bd3d6344

Attributes

encryption_key
CE886B4F24E457903274F7555F940215147255CD
install_name
CasNic.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Google Chrome
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\GC.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\GC.exe	family_quasar
behavioral1/memory/1736-67-0x0000000000B40000-0x0000000000E64000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs

Processes:

mainPannel.exeupdater.exe

description	pid	process	target process
PID 2492 created 1348	2492	mainPannel.exe	Explorer.EXE
PID 2492 created 1348	2492	mainPannel.exe	Explorer.EXE
PID 2492 created 1348	2492	mainPannel.exe	Explorer.EXE
PID 2492 created 1348	2492	mainPannel.exe	Explorer.EXE
PID 2256 created 1348	2256	updater.exe	Explorer.EXE
PID 2256 created 1348	2256	updater.exe	Explorer.EXE
PID 2256 created 1348	2256	updater.exe	Explorer.EXE
PID 2256 created 1348	2256	updater.exe	Explorer.EXE
PID 2256 created 1348	2256	updater.exe	Explorer.EXE

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2256-160-0x000000013F7B0000-0x000000014303E000-memory.dmp	xmrig
behavioral1/memory/3004-162-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/3004-165-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/3004-168-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/3004-170-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/3004-172-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/3004-174-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

3 3004 cmd.exe
Executes dropped EXE 7 IoCs

Processes:

Logger.exeLogger.exemainPannel.exeExplorer.EXEUI.exeGC.exeupdater.exe

pid process

2712 Logger.exe
2752 Logger.exe
2492 mainPannel.exe
1348 Explorer.EXE
2040 UI.exe
1736 GC.exe
2256 updater.exe
Loads dropped DLL 5 IoCs

Processes:

ImageLoggerV12.exeLogger.exeExplorer.EXEtaskeng.exe

pid process

796 ImageLoggerV12.exe
2752 Logger.exe
796 ImageLoggerV12.exe
1348 Explorer.EXE
1500 taskeng.exe

flow	pid	process
3	3004	cmd.exe

pid	process
2712	Logger.exe
2752	Logger.exe
2492	mainPannel.exe
1348	Explorer.EXE
2040	UI.exe
1736	GC.exe
2256	updater.exe

pid	process
796	ImageLoggerV12.exe
2752	Logger.exe
796	ImageLoggerV12.exe
1348	Explorer.EXE
1500	taskeng.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI27122\python311.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI27122\python311.dll	upx
behavioral1/memory/2752-43-0x000007FEEC480000-0x000007FEECA69000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

updater.exe

description	pid	process	target process
PID 2256 set thread context of 1196	2256	updater.exe	conhost.exe
PID 2256 set thread context of 3004	2256	updater.exe	cmd.exe

Drops file in Program Files directory 2 IoCs

Processes:

mainPannel.exeupdater.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	mainPannel.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2892 schtasks.exe
1276 schtasks.exe
1076 schtasks.exe

pid	process
2892	schtasks.exe
1276	schtasks.exe
1076	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 00d95c6b9ae3d901	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

powershell.exemainPannel.exepowershell.exepowershell.exeupdater.exepowershell.exepowershell.exe

pid	process
2580	powershell.exe
2492	mainPannel.exe
2492	mainPannel.exe
2604	powershell.exe
2492	mainPannel.exe
2492	mainPannel.exe
2492	mainPannel.exe
2492	mainPannel.exe
1404	powershell.exe
2492	mainPannel.exe
2492	mainPannel.exe
2256	updater.exe
2256	updater.exe
312	powershell.exe
2256	updater.exe
2256	updater.exe
2256	updater.exe
2256	updater.exe
1452	powershell.exe
2256	updater.exe
2256	updater.exe
2256	updater.exe
2256	updater.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468

pid	process
468

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

powershell.exeGC.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowershell.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.execmd.exe

description	pid	process
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	1736	GC.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeShutdownPrivilege	688	powercfg.exe
Token: SeShutdownPrivilege	1228	powercfg.exe
Token: SeShutdownPrivilege	2280	powercfg.exe
Token: SeShutdownPrivilege	2392	powercfg.exe
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	312	powershell.exe
Token: SeShutdownPrivilege	1132	powercfg.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeShutdownPrivilege	1140	powercfg.exe
Token: SeShutdownPrivilege	1760	powercfg.exe
Token: SeShutdownPrivilege	2332	powercfg.exe
Token: SeLockMemoryPrivilege	3004	cmd.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

ImageLoggerV12.exeLogger.exeGC.execmd.exepowershell.exetaskeng.execmd.exepowershell.exeupdater.exe

description	pid	process	target process
PID 796 wrote to memory of 2580	796	ImageLoggerV12.exe	powershell.exe
PID 796 wrote to memory of 2580	796	ImageLoggerV12.exe	powershell.exe
PID 796 wrote to memory of 2580	796	ImageLoggerV12.exe	powershell.exe
PID 796 wrote to memory of 2712	796	ImageLoggerV12.exe	Logger.exe
PID 796 wrote to memory of 2712	796	ImageLoggerV12.exe	Logger.exe
PID 796 wrote to memory of 2712	796	ImageLoggerV12.exe	Logger.exe
PID 2712 wrote to memory of 2752	2712	Logger.exe	Logger.exe
PID 2712 wrote to memory of 2752	2712	Logger.exe	Logger.exe
PID 2712 wrote to memory of 2752	2712	Logger.exe	Logger.exe
PID 796 wrote to memory of 2492	796	ImageLoggerV12.exe	mainPannel.exe
PID 796 wrote to memory of 2492	796	ImageLoggerV12.exe	mainPannel.exe
PID 796 wrote to memory of 2492	796	ImageLoggerV12.exe	mainPannel.exe
PID 796 wrote to memory of 2040	796	ImageLoggerV12.exe	UI.exe
PID 796 wrote to memory of 2040	796	ImageLoggerV12.exe	UI.exe
PID 796 wrote to memory of 2040	796	ImageLoggerV12.exe	UI.exe
PID 796 wrote to memory of 2040	796	ImageLoggerV12.exe	UI.exe
PID 796 wrote to memory of 1736	796	ImageLoggerV12.exe	GC.exe
PID 796 wrote to memory of 1736	796	ImageLoggerV12.exe	GC.exe
PID 796 wrote to memory of 1736	796	ImageLoggerV12.exe	GC.exe
PID 1736 wrote to memory of 2892	1736	GC.exe	schtasks.exe
PID 1736 wrote to memory of 2892	1736	GC.exe	schtasks.exe
PID 1736 wrote to memory of 2892	1736	GC.exe	schtasks.exe
PID 1260 wrote to memory of 688	1260	cmd.exe	powercfg.exe
PID 1260 wrote to memory of 688	1260	cmd.exe	powercfg.exe
PID 1260 wrote to memory of 688	1260	cmd.exe	powercfg.exe
PID 1260 wrote to memory of 1228	1260	cmd.exe	powercfg.exe
PID 1260 wrote to memory of 1228	1260	cmd.exe	powercfg.exe
PID 1260 wrote to memory of 1228	1260	cmd.exe	powercfg.exe
PID 1260 wrote to memory of 2280	1260	cmd.exe	powercfg.exe
PID 1260 wrote to memory of 2280	1260	cmd.exe	powercfg.exe
PID 1260 wrote to memory of 2280	1260	cmd.exe	powercfg.exe
PID 1260 wrote to memory of 2392	1260	cmd.exe	powercfg.exe
PID 1260 wrote to memory of 2392	1260	cmd.exe	powercfg.exe
PID 1260 wrote to memory of 2392	1260	cmd.exe	powercfg.exe
PID 1404 wrote to memory of 1276	1404	powershell.exe	schtasks.exe
PID 1404 wrote to memory of 1276	1404	powershell.exe	schtasks.exe
PID 1404 wrote to memory of 1276	1404	powershell.exe	schtasks.exe
PID 1500 wrote to memory of 2256	1500	taskeng.exe	updater.exe
PID 1500 wrote to memory of 2256	1500	taskeng.exe	updater.exe
PID 1500 wrote to memory of 2256	1500	taskeng.exe	updater.exe
PID 332 wrote to memory of 1132	332	cmd.exe	powercfg.exe
PID 332 wrote to memory of 1132	332	cmd.exe	powercfg.exe
PID 332 wrote to memory of 1132	332	cmd.exe	powercfg.exe
PID 332 wrote to memory of 1140	332	cmd.exe	powercfg.exe
PID 332 wrote to memory of 1140	332	cmd.exe	powercfg.exe
PID 332 wrote to memory of 1140	332	cmd.exe	powercfg.exe
PID 332 wrote to memory of 1760	332	cmd.exe	powercfg.exe
PID 332 wrote to memory of 1760	332	cmd.exe	powercfg.exe
PID 332 wrote to memory of 1760	332	cmd.exe	powercfg.exe
PID 1452 wrote to memory of 1076	1452	powershell.exe	schtasks.exe
PID 1452 wrote to memory of 1076	1452	powershell.exe	schtasks.exe
PID 1452 wrote to memory of 1076	1452	powershell.exe	schtasks.exe
PID 332 wrote to memory of 2332	332	cmd.exe	powercfg.exe
PID 332 wrote to memory of 2332	332	cmd.exe	powercfg.exe
PID 332 wrote to memory of 2332	332	cmd.exe	powercfg.exe
PID 2256 wrote to memory of 1196	2256	updater.exe	conhost.exe
PID 2256 wrote to memory of 3004	2256	updater.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1348

C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe
"C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAawBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAdgB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAeABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAegBsACMAPgA="
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Users\Admin\AppData\Roaming\Logger.exe
"C:\Users\Admin\AppData\Roaming\Logger.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712

C:\Users\Admin\AppData\Roaming\Logger.exe
"C:\Users\Admin\AppData\Roaming\Logger.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752

C:\Users\Admin\AppData\Local\Temp\mainPannel.exe
"C:\Users\Admin\AppData\Local\Temp\mainPannel.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2492

C:\Users\Admin\AppData\Local\Temp\UI.exe
"C:\Users\Admin\AppData\Local\Temp\UI.exe"
3⤵
- Executes dropped EXE
PID:2040

C:\Users\Admin\AppData\Local\Temp\GC.exe
"C:\Users\Admin\AppData\Local\Temp\GC.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:2892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ooufdlmmm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
3⤵
- Creates scheduled task(s)
PID:1276

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
2⤵
PID:576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:312

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ooufdlmmm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
3⤵
- Creates scheduled task(s)
PID:1076

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
2⤵
PID:1196

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe
2⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\system32\taskeng.exe
taskeng.exe {27E97AAA-FFF7-433A-8605-9DBBCBCC20B5} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1500

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2256

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
56.5MB

MD5
4bcdea1ce4588a550b35ddfd88ffe867

SHA1
79319590abb95dfbbe7ec789d78531655e75a61b

SHA256
ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e

SHA512
df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
56.5MB

MD5
4bcdea1ce4588a550b35ddfd88ffe867

SHA1
79319590abb95dfbbe7ec789d78531655e75a61b

SHA256
ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e

SHA512
df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
56.5MB

MD5
4bcdea1ce4588a550b35ddfd88ffe867

SHA1
79319590abb95dfbbe7ec789d78531655e75a61b

SHA256
ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e

SHA512
df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GC.exe
Filesize
3.1MB

MD5
b2bcd053c6452f8a04ba108d850f9781

SHA1
d69a9b01e46a84347317f93898c270b0df1fd4ca

SHA256
4a9200dc3e6249ae7444fab0b4254069aad441d50699f9af4e5cecc780a265ec

SHA512
e22cb8b48cbfe5499c99c4f76211b8f55432e48b5727d53bfc094f5295f09e2a3c5feb770ff1df195a9da85f3584d5bf8bb60dbadb02b2616f70b4829b637bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\GC.exe
Filesize
3.1MB

MD5
b2bcd053c6452f8a04ba108d850f9781

SHA1
d69a9b01e46a84347317f93898c270b0df1fd4ca

SHA256
4a9200dc3e6249ae7444fab0b4254069aad441d50699f9af4e5cecc780a265ec

SHA512
e22cb8b48cbfe5499c99c4f76211b8f55432e48b5727d53bfc094f5295f09e2a3c5feb770ff1df195a9da85f3584d5bf8bb60dbadb02b2616f70b4829b637bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\UI.exe
Filesize
443KB

MD5
a6d1f2686c50110de2fd76df4dcb7057

SHA1
75f47ac32fada1bb9371b45006c2b1744347790a

SHA256
ec6c1cb4a88a3a59dbb1a703445bcad065c65e6422504f9278ef5ce9f2a3b446

SHA512
f5e796aedbd79463a303906b2f56af054039ae64f1600f0bbb25f57c7cc2805f1108ac4f7f5def5dd195c1e094444f9f04a8e8acc9d7a5277377de511963aa66

Download Submit
C:\Users\Admin\AppData\Local\Temp\UI.exe
Filesize
443KB

MD5
a6d1f2686c50110de2fd76df4dcb7057

SHA1
75f47ac32fada1bb9371b45006c2b1744347790a

SHA256
ec6c1cb4a88a3a59dbb1a703445bcad065c65e6422504f9278ef5ce9f2a3b446

SHA512
f5e796aedbd79463a303906b2f56af054039ae64f1600f0bbb25f57c7cc2805f1108ac4f7f5def5dd195c1e094444f9f04a8e8acc9d7a5277377de511963aa66

Download Submit
C:\Users\Admin\AppData\Local\Temp\UI.exe
Filesize
443KB

MD5
a6d1f2686c50110de2fd76df4dcb7057

SHA1
75f47ac32fada1bb9371b45006c2b1744347790a

SHA256
ec6c1cb4a88a3a59dbb1a703445bcad065c65e6422504f9278ef5ce9f2a3b446

SHA512
f5e796aedbd79463a303906b2f56af054039ae64f1600f0bbb25f57c7cc2805f1108ac4f7f5def5dd195c1e094444f9f04a8e8acc9d7a5277377de511963aa66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27122\python311.dll
Filesize
1.6MB

MD5
5792adeab1e4414e0129ce7a228eb8b8

SHA1
e9f022e687b6d88d20ee96d9509f82e916b9ee8c

SHA256
7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967

SHA512
c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mainPannel.exe
Filesize
56.5MB

MD5
4bcdea1ce4588a550b35ddfd88ffe867

SHA1
79319590abb95dfbbe7ec789d78531655e75a61b

SHA256
ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e

SHA512
df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mainPannel.exe
Filesize
56.5MB

MD5
4bcdea1ce4588a550b35ddfd88ffe867

SHA1
79319590abb95dfbbe7ec789d78531655e75a61b

SHA256
ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e

SHA512
df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

Download Submit
C:\Users\Admin\AppData\Roaming\Logger.exe
Filesize
7.0MB

MD5
90a149cf408f4173e445ec61c7c5a418

SHA1
352ec472076c3f48fc2e60e71b50bf5d7fb13bf3

SHA256
bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2

SHA512
917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f

Download Submit
C:\Users\Admin\AppData\Roaming\Logger.exe
Filesize
7.0MB

MD5
90a149cf408f4173e445ec61c7c5a418

SHA1
352ec472076c3f48fc2e60e71b50bf5d7fb13bf3

SHA256
bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2

SHA512
917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f

Download Submit
C:\Users\Admin\AppData\Roaming\Logger.exe
Filesize
7.0MB

MD5
90a149cf408f4173e445ec61c7c5a418

SHA1
352ec472076c3f48fc2e60e71b50bf5d7fb13bf3

SHA256
bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2

SHA512
917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1M6RKDWZFAF9BT382SJ6.temp
Filesize
7KB

MD5
c9ab725df7ac69aea672060fe6b3b455

SHA1
696ec9158c738053cd5aa7be954cd044bd6bc342

SHA256
3447939b787f57ef04d6dc15cdea1a21ad841aba6c69e1a60fea0e924d0f2f43

SHA512
38fa0bcd81f2a843ed898ae57ffd30fbd4a78ee326afc699792ce5c79b375f1c1da0ca8004f63e6e672bf7b3a38b22a3283efae2d869a27b1d9dca5bf5cd284f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
c9ab725df7ac69aea672060fe6b3b455

SHA1
696ec9158c738053cd5aa7be954cd044bd6bc342

SHA256
3447939b787f57ef04d6dc15cdea1a21ad841aba6c69e1a60fea0e924d0f2f43

SHA512
38fa0bcd81f2a843ed898ae57ffd30fbd4a78ee326afc699792ce5c79b375f1c1da0ca8004f63e6e672bf7b3a38b22a3283efae2d869a27b1d9dca5bf5cd284f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
c9ab725df7ac69aea672060fe6b3b455

SHA1
696ec9158c738053cd5aa7be954cd044bd6bc342

SHA256
3447939b787f57ef04d6dc15cdea1a21ad841aba6c69e1a60fea0e924d0f2f43

SHA512
38fa0bcd81f2a843ed898ae57ffd30fbd4a78ee326afc699792ce5c79b375f1c1da0ca8004f63e6e672bf7b3a38b22a3283efae2d869a27b1d9dca5bf5cd284f

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\Google\Chrome\updater.exe
Filesize
56.5MB

MD5
4bcdea1ce4588a550b35ddfd88ffe867

SHA1
79319590abb95dfbbe7ec789d78531655e75a61b

SHA256
ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e

SHA512
df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27122\python311.dll
Filesize
1.6MB

MD5
5792adeab1e4414e0129ce7a228eb8b8

SHA1
e9f022e687b6d88d20ee96d9509f82e916b9ee8c

SHA256
7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967

SHA512
c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

Download Submit
\Users\Admin\AppData\Local\Temp\mainPannel.exe
Filesize
56.5MB

MD5
4bcdea1ce4588a550b35ddfd88ffe867

SHA1
79319590abb95dfbbe7ec789d78531655e75a61b

SHA256
ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e

SHA512
df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

Download Submit
\Users\Admin\AppData\Roaming\Logger.exe
Filesize
7.0MB

MD5
90a149cf408f4173e445ec61c7c5a418

SHA1
352ec472076c3f48fc2e60e71b50bf5d7fb13bf3

SHA256
bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2

SHA512
917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f

Download Submit
\Users\Admin\AppData\Roaming\Logger.exe
Filesize
7.0MB

MD5
90a149cf408f4173e445ec61c7c5a418

SHA1
352ec472076c3f48fc2e60e71b50bf5d7fb13bf3

SHA256
bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2

SHA512
917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f

Download Submit
\Users\Admin\AppData\Roaming\Logger.exe
Filesize
7.0MB

MD5
90a149cf408f4173e445ec61c7c5a418

SHA1
352ec472076c3f48fc2e60e71b50bf5d7fb13bf3

SHA256
bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2

SHA512
917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f

Download Submit
memory/312-141-0x0000000001310000-0x0000000001390000-memory.dmp

Filesize
512KB

Download
memory/312-147-0x000007FEED580000-0x000007FEEDF1D000-memory.dmp

Filesize
9.6MB

Download
memory/312-140-0x000007FEED580000-0x000007FEEDF1D000-memory.dmp

Filesize
9.6MB

Download
memory/312-142-0x0000000001310000-0x0000000001390000-memory.dmp

Filesize
512KB

Download
memory/312-143-0x000007FEED580000-0x000007FEEDF1D000-memory.dmp

Filesize
9.6MB

Download
memory/312-144-0x0000000001310000-0x0000000001390000-memory.dmp

Filesize
512KB

Download
memory/796-69-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/796-2-0x000000001F560000-0x000000001F5E0000-memory.dmp

Filesize
512KB

Download
memory/796-1-0x0000000000BF0000-0x0000000004F1C000-memory.dmp

Filesize
67.2MB

Download
memory/796-0-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/796-66-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/1196-167-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1196-161-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1404-121-0x000000001B200000-0x000000001B4E2000-memory.dmp

Filesize
2.9MB

Download
memory/1404-131-0x000007FEECBE0000-0x000007FEED57D000-memory.dmp

Filesize
9.6MB

Download
memory/1404-128-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/1404-127-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/1404-126-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/1404-125-0x000007FEECBE0000-0x000007FEED57D000-memory.dmp

Filesize
9.6MB

Download
memory/1404-124-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/1404-123-0x0000000002510000-0x0000000002518000-memory.dmp

Filesize
32KB

Download
memory/1404-122-0x000007FEECBE0000-0x000007FEED57D000-memory.dmp

Filesize
9.6MB

Download
memory/1452-151-0x0000000000DE0000-0x0000000000E60000-memory.dmp

Filesize
512KB

Download
memory/1452-154-0x000007FEECBE0000-0x000007FEED57D000-memory.dmp

Filesize
9.6MB

Download
memory/1452-153-0x0000000000DE0000-0x0000000000E60000-memory.dmp

Filesize
512KB

Download
memory/1452-152-0x000007FEECBE0000-0x000007FEED57D000-memory.dmp

Filesize
9.6MB

Download
memory/1452-149-0x0000000000DE0000-0x0000000000E60000-memory.dmp

Filesize
512KB

Download
memory/1452-150-0x0000000000DE0000-0x0000000000E60000-memory.dmp

Filesize
512KB

Download
memory/1452-148-0x000007FEECBE0000-0x000007FEED57D000-memory.dmp

Filesize
9.6MB

Download
memory/1736-103-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/1736-68-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/1736-112-0x000000001B3F0000-0x000000001B470000-memory.dmp

Filesize
512KB

Download
memory/1736-67-0x0000000000B40000-0x0000000000E64000-memory.dmp

Filesize
3.1MB

Download
memory/1736-72-0x000000001B3F0000-0x000000001B470000-memory.dmp

Filesize
512KB

Download
memory/2040-74-0x0000000004A30000-0x0000000004A70000-memory.dmp

Filesize
256KB

Download
memory/2040-120-0x0000000004A30000-0x0000000004A70000-memory.dmp

Filesize
256KB

Download
memory/2040-97-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/2040-96-0x0000000004A30000-0x0000000004A70000-memory.dmp

Filesize
256KB

Download
memory/2040-71-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/2040-130-0x0000000004A30000-0x0000000004A70000-memory.dmp

Filesize
256KB

Download
memory/2040-70-0x00000000002B0000-0x0000000000326000-memory.dmp

Filesize
472KB

Download
memory/2256-160-0x000000013F7B0000-0x000000014303E000-memory.dmp

Filesize
56.6MB

Download
memory/2256-146-0x000000013F7B0000-0x000000014303E000-memory.dmp

Filesize
56.6MB

Download
memory/2256-138-0x000000013F7B0000-0x000000014303E000-memory.dmp

Filesize
56.6MB

Download
memory/2492-134-0x000000013F030000-0x00000001428BE000-memory.dmp

Filesize
56.6MB

Download
memory/2492-129-0x000000013F030000-0x00000001428BE000-memory.dmp

Filesize
56.6MB

Download
memory/2492-95-0x000000013F030000-0x00000001428BE000-memory.dmp

Filesize
56.6MB

Download
memory/2492-108-0x000000013F030000-0x00000001428BE000-memory.dmp

Filesize
56.6MB

Download
memory/2580-36-0x000000001B390000-0x000000001B672000-memory.dmp

Filesize
2.9MB

Download
memory/2580-45-0x000007FEF2420000-0x000007FEF2DBD000-memory.dmp

Filesize
9.6MB

Download
memory/2580-41-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2580-37-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/2580-39-0x000007FEF2420000-0x000007FEF2DBD000-memory.dmp

Filesize
9.6MB

Download
memory/2580-40-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2580-42-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2580-44-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2604-107-0x000007FEED580000-0x000007FEEDF1D000-memory.dmp

Filesize
9.6MB

Download
memory/2604-111-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/2604-106-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/2604-109-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/2604-110-0x000007FEED580000-0x000007FEEDF1D000-memory.dmp

Filesize
9.6MB

Download
memory/2604-114-0x000007FEED580000-0x000007FEEDF1D000-memory.dmp

Filesize
9.6MB

Download
memory/2604-104-0x000000001B120000-0x000000001B402000-memory.dmp

Filesize
2.9MB

Download
memory/2604-113-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/2604-105-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/2752-43-0x000007FEEC480000-0x000007FEECA69000-memory.dmp

Filesize
5.9MB

Download
memory/3004-162-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/3004-163-0x0000000000480000-0x00000000004A0000-memory.dmp

Filesize
128KB

Download
memory/3004-165-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/3004-166-0x0000000000480000-0x00000000004A0000-memory.dmp

Filesize
128KB

Download
memory/3004-159-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download
memory/3004-168-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/3004-170-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/3004-172-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/3004-174-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download