quasar | 5b11f30be6e3bfb808c25d07b492cfa12840fd0efa795d8af397feba045d1c59

General

Target

4942e9c13479bc1a62bdb07b23474e3c.exe
Size

639KB
MD5

4942e9c13479bc1a62bdb07b23474e3c
SHA1

d7a7283939a2fa4506b47fa809431b9cc4d2559e
SHA256

5b11f30be6e3bfb808c25d07b492cfa12840fd0efa795d8af397feba045d1c59
SHA512

8c8edd299922fcfa100e3e725d1b09259a86e41546361273c386177a3e2a765ffc76169a5b9d142efb4c5335bee3805c1f908c7f4edae0f0a33f2631a037eb59
SSDEEP

12288:66bJhnrd2Qsm/+/dnGz7O0Y244sMYcoFMVyMg+Yy1Wcwemn58WgxWM:6kJhngpn9kNsMwbMgkK58WgQM

Score

10^/10

quasar venomrat sep05 evasion persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

SEP05

C2

23.105.131.187:7812

Mutex

VNM_MUTEX_ea14HLQ5adxyrFdD2X

Attributes

encryption_key
jUWfdDb1toPE0KAlGJWH
install_name
Windows Security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update Service
subdirectory
Windows Security Update

Signatures

Contains code to disable Windows Defender 5 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/2300-17-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/2300-15-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/2300-13-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/2300-10-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/2300-9-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

4942e9c13479bc1a62bdb07b23474e3c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	4942e9c13479bc1a62bdb07b23474e3c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	4942e9c13479bc1a62bdb07b23474e3c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	4942e9c13479bc1a62bdb07b23474e3c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	4942e9c13479bc1a62bdb07b23474e3c.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2300-17-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/2300-15-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/2300-13-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/2300-10-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/2300-9-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
Executes dropped EXE 2 IoCs

Processes:

Windows Security.exeWindows Security.exe

pid process

2876 Windows Security.exe
2632 Windows Security.exe
Loads dropped DLL 2 IoCs

Processes:

4942e9c13479bc1a62bdb07b23474e3c.exeWindows Security.exe

pid process

2300 4942e9c13479bc1a62bdb07b23474e3c.exe
2876 Windows Security.exe

pid	process
2876	Windows Security.exe
2632	Windows Security.exe

pid	process
2300	4942e9c13479bc1a62bdb07b23474e3c.exe
2876	Windows Security.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

4942e9c13479bc1a62bdb07b23474e3c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	4942e9c13479bc1a62bdb07b23474e3c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	4942e9c13479bc1a62bdb07b23474e3c.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4942e9c13479bc1a62bdb07b23474e3c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jEWDfCdAGM = "C:\\Users\\Admin\\AppData\\Roaming\\EcGASfXzFi\\SgBSNdRiPF.exe"	4942e9c13479bc1a62bdb07b23474e3c.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com

flow	ioc
2	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

4942e9c13479bc1a62bdb07b23474e3c.exeWindows Security.exe

description	pid	process	target process
PID 2128 set thread context of 2300	2128	4942e9c13479bc1a62bdb07b23474e3c.exe	4942e9c13479bc1a62bdb07b23474e3c.exe
PID 2876 set thread context of 2632	2876	Windows Security.exe	Windows Security.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2928 schtasks.exe
1692 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

324 PING.EXE

pid	process
2928	schtasks.exe
1692	schtasks.exe

pid	process
324	PING.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exe4942e9c13479bc1a62bdb07b23474e3c.exe4942e9c13479bc1a62bdb07b23474e3c.exe

pid	process
2708	powershell.exe
2300	4942e9c13479bc1a62bdb07b23474e3c.exe
2300	4942e9c13479bc1a62bdb07b23474e3c.exe
2300	4942e9c13479bc1a62bdb07b23474e3c.exe
2300	4942e9c13479bc1a62bdb07b23474e3c.exe
2300	4942e9c13479bc1a62bdb07b23474e3c.exe
2300	4942e9c13479bc1a62bdb07b23474e3c.exe
2300	4942e9c13479bc1a62bdb07b23474e3c.exe
1632	4942e9c13479bc1a62bdb07b23474e3c.exe
1632	4942e9c13479bc1a62bdb07b23474e3c.exe
1632	4942e9c13479bc1a62bdb07b23474e3c.exe
1632	4942e9c13479bc1a62bdb07b23474e3c.exe
1632	4942e9c13479bc1a62bdb07b23474e3c.exe
1632	4942e9c13479bc1a62bdb07b23474e3c.exe
1632	4942e9c13479bc1a62bdb07b23474e3c.exe
1632	4942e9c13479bc1a62bdb07b23474e3c.exe
1632	4942e9c13479bc1a62bdb07b23474e3c.exe
1632	4942e9c13479bc1a62bdb07b23474e3c.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

4942e9c13479bc1a62bdb07b23474e3c.exepowershell.exeWindows Security.exe4942e9c13479bc1a62bdb07b23474e3c.exe

description	pid	process
Token: SeDebugPrivilege	2300	4942e9c13479bc1a62bdb07b23474e3c.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2632	Windows Security.exe
Token: SeDebugPrivilege	2632	Windows Security.exe
Token: SeDebugPrivilege	1632	4942e9c13479bc1a62bdb07b23474e3c.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Security.exe

pid process

2632 Windows Security.exe

pid	process
2632	Windows Security.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4942e9c13479bc1a62bdb07b23474e3c.exe4942e9c13479bc1a62bdb07b23474e3c.exeWindows Security.exeWindows Security.execmd.execmd.exe4942e9c13479bc1a62bdb07b23474e3c.exe

description	pid	process	target process
PID 2128 wrote to memory of 2300	2128	4942e9c13479bc1a62bdb07b23474e3c.exe	4942e9c13479bc1a62bdb07b23474e3c.exe
PID 2128 wrote to memory of 2300	2128	4942e9c13479bc1a62bdb07b23474e3c.exe	4942e9c13479bc1a62bdb07b23474e3c.exe
PID 2128 wrote to memory of 2300	2128	4942e9c13479bc1a62bdb07b23474e3c.exe	4942e9c13479bc1a62bdb07b23474e3c.exe
PID 2128 wrote to memory of 2300	2128	4942e9c13479bc1a62bdb07b23474e3c.exe	4942e9c13479bc1a62bdb07b23474e3c.exe
PID 2128 wrote to memory of 2300	2128	4942e9c13479bc1a62bdb07b23474e3c.exe	4942e9c13479bc1a62bdb07b23474e3c.exe
PID 2128 wrote to memory of 2300	2128	4942e9c13479bc1a62bdb07b23474e3c.exe	4942e9c13479bc1a62bdb07b23474e3c.exe
PID 2128 wrote to memory of 2300	2128	4942e9c13479bc1a62bdb07b23474e3c.exe	4942e9c13479bc1a62bdb07b23474e3c.exe
PID 2128 wrote to memory of 2300	2128	4942e9c13479bc1a62bdb07b23474e3c.exe	4942e9c13479bc1a62bdb07b23474e3c.exe
PID 2128 wrote to memory of 2300	2128	4942e9c13479bc1a62bdb07b23474e3c.exe	4942e9c13479bc1a62bdb07b23474e3c.exe
PID 2300 wrote to memory of 2928	2300	4942e9c13479bc1a62bdb07b23474e3c.exe	schtasks.exe
PID 2300 wrote to memory of 2928	2300	4942e9c13479bc1a62bdb07b23474e3c.exe	schtasks.exe
PID 2300 wrote to memory of 2928	2300	4942e9c13479bc1a62bdb07b23474e3c.exe	schtasks.exe
PID 2300 wrote to memory of 2928	2300	4942e9c13479bc1a62bdb07b23474e3c.exe	schtasks.exe
PID 2300 wrote to memory of 2876	2300	4942e9c13479bc1a62bdb07b23474e3c.exe	Windows Security.exe
PID 2300 wrote to memory of 2876	2300	4942e9c13479bc1a62bdb07b23474e3c.exe	Windows Security.exe
PID 2300 wrote to memory of 2876	2300	4942e9c13479bc1a62bdb07b23474e3c.exe	Windows Security.exe
PID 2300 wrote to memory of 2876	2300	4942e9c13479bc1a62bdb07b23474e3c.exe	Windows Security.exe
PID 2300 wrote to memory of 2708	2300	4942e9c13479bc1a62bdb07b23474e3c.exe	powershell.exe
PID 2300 wrote to memory of 2708	2300	4942e9c13479bc1a62bdb07b23474e3c.exe	powershell.exe
PID 2300 wrote to memory of 2708	2300	4942e9c13479bc1a62bdb07b23474e3c.exe	powershell.exe
PID 2300 wrote to memory of 2708	2300	4942e9c13479bc1a62bdb07b23474e3c.exe	powershell.exe
PID 2876 wrote to memory of 2632	2876	Windows Security.exe	Windows Security.exe
PID 2876 wrote to memory of 2632	2876	Windows Security.exe	Windows Security.exe
PID 2876 wrote to memory of 2632	2876	Windows Security.exe	Windows Security.exe
PID 2876 wrote to memory of 2632	2876	Windows Security.exe	Windows Security.exe
PID 2876 wrote to memory of 2632	2876	Windows Security.exe	Windows Security.exe
PID 2876 wrote to memory of 2632	2876	Windows Security.exe	Windows Security.exe
PID 2876 wrote to memory of 2632	2876	Windows Security.exe	Windows Security.exe
PID 2876 wrote to memory of 2632	2876	Windows Security.exe	Windows Security.exe
PID 2876 wrote to memory of 2632	2876	Windows Security.exe	Windows Security.exe
PID 2632 wrote to memory of 1692	2632	Windows Security.exe	schtasks.exe
PID 2632 wrote to memory of 1692	2632	Windows Security.exe	schtasks.exe
PID 2632 wrote to memory of 1692	2632	Windows Security.exe	schtasks.exe
PID 2632 wrote to memory of 1692	2632	Windows Security.exe	schtasks.exe
PID 2300 wrote to memory of 2668	2300	4942e9c13479bc1a62bdb07b23474e3c.exe	cmd.exe
PID 2300 wrote to memory of 2668	2300	4942e9c13479bc1a62bdb07b23474e3c.exe	cmd.exe
PID 2300 wrote to memory of 2668	2300	4942e9c13479bc1a62bdb07b23474e3c.exe	cmd.exe
PID 2300 wrote to memory of 2668	2300	4942e9c13479bc1a62bdb07b23474e3c.exe	cmd.exe
PID 2668 wrote to memory of 2296	2668	cmd.exe	cmd.exe
PID 2668 wrote to memory of 2296	2668	cmd.exe	cmd.exe
PID 2668 wrote to memory of 2296	2668	cmd.exe	cmd.exe
PID 2668 wrote to memory of 2296	2668	cmd.exe	cmd.exe
PID 2300 wrote to memory of 2752	2300	4942e9c13479bc1a62bdb07b23474e3c.exe	cmd.exe
PID 2300 wrote to memory of 2752	2300	4942e9c13479bc1a62bdb07b23474e3c.exe	cmd.exe
PID 2300 wrote to memory of 2752	2300	4942e9c13479bc1a62bdb07b23474e3c.exe	cmd.exe
PID 2300 wrote to memory of 2752	2300	4942e9c13479bc1a62bdb07b23474e3c.exe	cmd.exe
PID 2752 wrote to memory of 2268	2752	cmd.exe	chcp.com
PID 2752 wrote to memory of 2268	2752	cmd.exe	chcp.com
PID 2752 wrote to memory of 2268	2752	cmd.exe	chcp.com
PID 2752 wrote to memory of 2268	2752	cmd.exe	chcp.com
PID 2752 wrote to memory of 324	2752	cmd.exe	PING.EXE
PID 2752 wrote to memory of 324	2752	cmd.exe	PING.EXE
PID 2752 wrote to memory of 324	2752	cmd.exe	PING.EXE
PID 2752 wrote to memory of 324	2752	cmd.exe	PING.EXE
PID 2752 wrote to memory of 1632	2752	cmd.exe	4942e9c13479bc1a62bdb07b23474e3c.exe
PID 2752 wrote to memory of 1632	2752	cmd.exe	4942e9c13479bc1a62bdb07b23474e3c.exe
PID 2752 wrote to memory of 1632	2752	cmd.exe	4942e9c13479bc1a62bdb07b23474e3c.exe
PID 2752 wrote to memory of 1632	2752	cmd.exe	4942e9c13479bc1a62bdb07b23474e3c.exe
PID 1632 wrote to memory of 560	1632	4942e9c13479bc1a62bdb07b23474e3c.exe	4942e9c13479bc1a62bdb07b23474e3c.exe
PID 1632 wrote to memory of 560	1632	4942e9c13479bc1a62bdb07b23474e3c.exe	4942e9c13479bc1a62bdb07b23474e3c.exe
PID 1632 wrote to memory of 560	1632	4942e9c13479bc1a62bdb07b23474e3c.exe	4942e9c13479bc1a62bdb07b23474e3c.exe
PID 1632 wrote to memory of 560	1632	4942e9c13479bc1a62bdb07b23474e3c.exe	4942e9c13479bc1a62bdb07b23474e3c.exe
PID 1632 wrote to memory of 844	1632	4942e9c13479bc1a62bdb07b23474e3c.exe	4942e9c13479bc1a62bdb07b23474e3c.exe
PID 1632 wrote to memory of 844	1632	4942e9c13479bc1a62bdb07b23474e3c.exe	4942e9c13479bc1a62bdb07b23474e3c.exe

C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe
"C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe
  "C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Loads dropped DLL
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Windows Update Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2928
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- - C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe
    "C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\TYBkfR5mTgJm.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe
      "C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2668

C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe
"C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Windows Update Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
1⤵
PID:2296

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:324

C:\Windows\SysWOW64\chcp.com
chcp 65001
1⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe
"C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe"
1⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe
"C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe"
1⤵
PID:308

C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe
"C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe"
1⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe
"C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe"
1⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe
"C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe"
1⤵
PID:560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab4397.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TYBkfR5mTgJm.bat

Filesize
229B

MD5
d44b07e33c2286868964b63090640dd3

SHA1
a00ed7a650998a10a183b168cfbd2a7e98ad08aa

SHA256
b9e9ebcc3222a76d9d8695d54fefb4b7c53b7424decd88b57db61d6bf65e3369

SHA512
0d7ed908a23ce09fd1d7eb1e953b70c6d9e51f9cc5a3f4921506096afec57b4017d0beb9092b3751ea82ca05dae76b804c9baebe7970242584f3918eb4090ea8

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe

Filesize
639KB

MD5
4942e9c13479bc1a62bdb07b23474e3c

SHA1
d7a7283939a2fa4506b47fa809431b9cc4d2559e

SHA256
5b11f30be6e3bfb808c25d07b492cfa12840fd0efa795d8af397feba045d1c59

SHA512
8c8edd299922fcfa100e3e725d1b09259a86e41546361273c386177a3e2a765ffc76169a5b9d142efb4c5335bee3805c1f908c7f4edae0f0a33f2631a037eb59

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe

Filesize
92KB

MD5
c97b20f1cc3a8ab3e76529906f8f388d

SHA1
343c673821211d822fcedd194e960a5b11107867

SHA256
6363ca8ceb755a223c5fc4b38a33a1259bcf7c8f1d4ac18a5eecaa88581a0184

SHA512
470dee73a6869330dcd346c9d4dbdbb37b755f5094ca62b2e3c66af4afc0b7d8a1532cfbc8b74f376cb3ddcf839d1a1f9c2ae6270aac26ec654e94af0891ff42

Download Submit
memory/1632-120-0x0000000000390000-0x00000000003D0000-memory.dmp

Filesize
256KB

Download
memory/1632-118-0x0000000000220000-0x00000000002C6000-memory.dmp

Filesize
664KB

Download
memory/1632-119-0x00000000741C0000-0x00000000748AE000-memory.dmp

Filesize
6.9MB

Download
memory/1632-121-0x00000000741C0000-0x00000000748AE000-memory.dmp

Filesize
6.9MB

Download
memory/2128-18-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/2128-0-0x00000000008B0000-0x0000000000956000-memory.dmp

Filesize
664KB

Download
memory/2128-4-0x0000000000530000-0x000000000053A000-memory.dmp

Filesize
40KB

Download
memory/2128-1-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/2128-2-0x0000000004990000-0x00000000049D0000-memory.dmp

Filesize
256KB

Download
memory/2300-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2300-15-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2300-7-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2300-19-0x00000000741C0000-0x00000000748AE000-memory.dmp

Filesize
6.9MB

Download
memory/2300-5-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2300-20-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Filesize
256KB

Download
memory/2300-17-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2300-116-0x00000000741C0000-0x00000000748AE000-memory.dmp

Filesize
6.9MB

Download
memory/2300-13-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2300-10-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2300-9-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2632-50-0x0000000004B40000-0x0000000004B80000-memory.dmp

Filesize
256KB

Download
memory/2632-38-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2632-123-0x0000000004B40000-0x0000000004B80000-memory.dmp

Filesize
256KB

Download
memory/2632-122-0x00000000741C0000-0x00000000748AE000-memory.dmp

Filesize
6.9MB

Download
memory/2632-49-0x00000000741C0000-0x00000000748AE000-memory.dmp

Filesize
6.9MB

Download
memory/2708-54-0x000000006F210000-0x000000006F7BB000-memory.dmp

Filesize
5.7MB

Download
memory/2708-51-0x0000000002880000-0x00000000028C0000-memory.dmp

Filesize
256KB

Download
memory/2708-48-0x0000000002880000-0x00000000028C0000-memory.dmp

Filesize
256KB

Download
memory/2708-47-0x000000006F210000-0x000000006F7BB000-memory.dmp

Filesize
5.7MB

Download
memory/2708-53-0x000000006F210000-0x000000006F7BB000-memory.dmp

Filesize
5.7MB

Download
memory/2708-52-0x0000000002880000-0x00000000028C0000-memory.dmp

Filesize
256KB

Download
memory/2876-28-0x0000000000100000-0x00000000001A6000-memory.dmp

Filesize
664KB

Download
memory/2876-30-0x00000000022D0000-0x0000000002310000-memory.dmp

Filesize
256KB

Download
memory/2876-43-0x00000000741C0000-0x00000000748AE000-memory.dmp

Filesize
6.9MB

Download
memory/2876-29-0x00000000741C0000-0x00000000748AE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads