Malware Analysis Report

2024-10-23 21:29

Sample ID 240409-2k2aasag6y
Target 579ebb1309ad953fa0cb52c33b190baa
SHA256 54d2d49ad4366ffc67625a32754dee1d802c2780de2fd8d1d3c9609c0f584781
Tags
quasar office04 spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

54d2d49ad4366ffc67625a32754dee1d802c2780de2fd8d1d3c9609c0f584781

Threat Level: Known bad

The file 579ebb1309ad953fa0cb52c33b190baa was found to be: Known bad.

Malicious Activity Summary

quasar office04 spyware trojan

Quasar payload

Quasar RAT

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-09 22:39

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-09 22:39

Reported

2024-04-09 22:44

Platform

win7-20240220-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2356 wrote to memory of 2300 (×4) N/A C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 2604 (×4) N/A C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 2708 (×4) N/A C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe C:\Windows\SysWOW64\schtasks.exe
PID 2356 wrote to memory of 2816 (×9) N/A C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe
PID 2816 wrote to memory of 1936 (×4) N/A C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1936 wrote to memory of 1952 (×4) N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 1368 (×4) N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2228 (×4) N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 1936 wrote to memory of 1916 (×9) N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Processes

C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe

"C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YXiUvROAyTyYWN.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YXiUvROAyTyYWN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3AA0.tmp"

C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe

"C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe"

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YXiUvROAyTyYWN.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YXiUvROAyTyYWN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp68F0.tmp"

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp (×2)
US 83.147.53.145:3700 tcp (×6)

Files

C:\Users\Admin\AppData\Local\Temp\tmp3AA0.tmp

MD5 6c530173ae54625f912a357f67f673ff
SHA1 c48fb4cce1c31569c53be05783d8f73ee7655dff
SHA256 50be067c08cc7588dffbed76b98feb820fb78edbd75b1a7c17258228dd46e797
SHA512 1b663466560d74b4e43ac3151ac52dda4b0110694aa8ad76922a84b303300f4519b109361dccf886ffbc83890e2b7b0c1242e8b2de3f3836af891a75f3b2dcfb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZU59CYVRCZ1ESQDX8VQ0.temp

MD5 94edd14bd440682f0117bb5838309694
SHA1 0a68f58ee79bb7b75330780f62d79f36fec4a78b
SHA256 28a2f0d9696a750b0da53d6e279bac952ac7742e8e663902aa0d0372f222a0c6
SHA512 b40fdb6f16f4b16eb5fee1535e1879b0f2698d258c784f1104fc16123625f65c493f7355bbbb485bcc4e22f9021a613f5a09b0a1b59b1863a31da020b79e9b47

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 579ebb1309ad953fa0cb52c33b190baa
SHA1 70ccb8c950d96a7e6c32d09c307227f271a627ba
SHA256 54d2d49ad4366ffc67625a32754dee1d802c2780de2fd8d1d3c9609c0f584781
SHA512 2b9d5413626358fae10013e2fd214ec5e66cf7c30665f896563a39f3564ef475cbda8de14cb6f9260d5f49b70a1967d1097c0f855e7985ebed78d2a0c25390d4

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-09 22:39

Reported

2024-04-09 22:44

Platform

win10v2004-20240226-en

Max time kernel

128s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3132 wrote to memory of 3964 (×3) N/A C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3132 wrote to memory of 5012 (×3) N/A C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3132 wrote to memory of 4776 (×3) N/A C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe C:\Windows\SysWOW64\schtasks.exe
PID 3132 wrote to memory of 3212 (×3) N/A C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe
PID 3132 wrote to memory of 3988 (×8) N/A C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe
PID 3988 wrote to memory of 216 (×3) N/A C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 216 wrote to memory of 4748 (×3) N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 216 wrote to memory of 4624 (×3) N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 216 wrote to memory of 5020 (×3) N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 216 wrote to memory of 1976 (×8) N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Processes

C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe

"C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YXiUvROAyTyYWN.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YXiUvROAyTyYWN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6561.tmp"

C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe

"C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe"

C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe

"C:\Users\Admin\AppData\Local\Temp\579ebb1309ad953fa0cb52c33b190baa.exe"

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YXiUvROAyTyYWN.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YXiUvROAyTyYWN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9CBD.tmp"

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 83.147.53.145:3700 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 83.147.53.145:3700 tcp
US 83.147.53.145:3700 tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 83.147.53.145:3700 tcp
US 83.147.53.145:3700 tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp6561.tmp

MD5 03ed54d29052e596b4598f41cacbe969
SHA1 0cf8a0e23862e6905ba6d71c82748846d267a9b4
SHA256 fefdc4e55a41f64c28ce0f2a206d7967130198dabc2066abe042cf52f17b5637
SHA512 a04892a880d2cf3a805065e2857f8fbf3af1dd8a9f06ac5d247193c24953420de24bab1f24ef23516ca7ae9646cc8441f7522cb1a2b8575891a554fd420d29c2

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_avvdzaap.n5z.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 579ebb1309ad953fa0cb52c33b190baa
SHA1 70ccb8c950d96a7e6c32d09c307227f271a627ba
SHA256 54d2d49ad4366ffc67625a32754dee1d802c2780de2fd8d1d3c9609c0f584781
SHA512 2b9d5413626358fae10013e2fd214ec5e66cf7c30665f896563a39f3564ef475cbda8de14cb6f9260d5f49b70a1967d1097c0f855e7985ebed78d2a0c25390d4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\579ebb1309ad953fa0cb52c33b190baa.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cd48552ac250ebfe93447bc75ccfe442
SHA1 03b5823247ec794a61580a8115ee74fec241f28f
SHA256 c0281e0db8d67007e1e51e94a391c2f7a3f746e94ef2646a05d0160bf9196fbc
SHA512 a57d0f1b26d53ce67ad6fdcd683b8f2e4d4e1abfd455a33f765d1a18af77f0d47b1af37b8405e2d5b9658b706984587ded79e94172178f8fe279b0d9cdfe4295

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a8dc1f6fa23f660eab56064627925ae5
SHA1 1f68e86745fe006912ac9a76ec10bfd251dcccc9
SHA256 e8354eb3d3ca747f53a7ed832fa4a7810413a93c379c25d6b4ddf9aeb6cafe87
SHA512 ef049cbce2294b4cdab535245e7f9ec1d4e69b04736e9197bfeeb6179b13653bbf32bed29b1f2c3a9dc12e708e6b6041a60d4f3d41e5dc62d667bf6dd4eb1559