quasar | 6910d498de78f23410fb3bbf160a2050f3f1289cdad6140deae600c0bb9cebcf

Analysis

max time kernel
123s
max time network
141s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 14:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe
Size

725KB
MD5

5db47cc0eb5dae97ad8ea7d3ccbf3f8c
SHA1

444f8028c412c7661c3204e82da703ffdc607291
SHA256

d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4
SHA512

ab5ae0c399fb4b475d85cf0c07d7c2d4aeae7ac7c2b53b8c6b26afc3eb007dfe3fdde03e695a78f0f8d1dd6648c7378d5f5063732b74bbe0d2579040a59d76d2
SSDEEP

12288:d3IU8S6eUd/rqMtJwy8cpe/8pg3P20aweKkKfncC8AHLG0JlB99e78:FItSAdzltJwKpyuokK/cC8o9Bl

Score

10^/10

quasar zgrat evasion persistence ransomware rat spyware trojan

Malware Config

Signatures

Contains code to disable Windows Defender 7 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/2740-13-0x0000000000400000-0x000000000045C000-memory.dmp	disable_win_def
behavioral1/memory/2740-15-0x0000000000400000-0x000000000045C000-memory.dmp	disable_win_def
behavioral1/memory/2740-17-0x0000000000400000-0x000000000045C000-memory.dmp	disable_win_def
behavioral1/memory/2740-10-0x0000000000400000-0x000000000045C000-memory.dmp	disable_win_def
behavioral1/memory/2740-9-0x0000000000400000-0x000000000045C000-memory.dmp	disable_win_def
behavioral1/memory/1580-44-0x00000000047B0000-0x00000000047F0000-memory.dmp	disable_win_def
behavioral1/memory/2020-81-0x00000000048D0000-0x0000000004910000-memory.dmp	disable_win_def

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/2300-3-0x00000000004B0000-0x00000000004C8000-memory.dmp	family_zgrat_v1

Modifies Windows Defender Real-time Protection settings 3 TTPs 9 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Verek.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Verek.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Verek.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Verek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\Start = "4"	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	Verek.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\Start = "4"	Verek.exe

Quasar RAT 3 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
	6	ip-api.com	Process not Found
File opened for modification		C:\Windows\SysWOW64\GDIPFONTCACHEV1.DAT	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe
	10	ip-api.com	Process not Found

Quasar payload 7 IoCs

resource	yara_rule
behavioral1/memory/2740-13-0x0000000000400000-0x000000000045C000-memory.dmp	family_quasar
behavioral1/memory/2740-15-0x0000000000400000-0x000000000045C000-memory.dmp	family_quasar
behavioral1/memory/2740-17-0x0000000000400000-0x000000000045C000-memory.dmp	family_quasar
behavioral1/memory/2740-10-0x0000000000400000-0x000000000045C000-memory.dmp	family_quasar
behavioral1/memory/2740-9-0x0000000000400000-0x000000000045C000-memory.dmp	family_quasar
behavioral1/memory/1580-44-0x00000000047B0000-0x00000000047F0000-memory.dmp	family_quasar
behavioral1/memory/2020-81-0x00000000048D0000-0x0000000004910000-memory.dmp	family_quasar

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Verek.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Verek.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Verek.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "1"	Verek.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "1"	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

pid	Process
1580	Verek.exe
2020	Verek.exe

Loads dropped DLL 1 IoCs

pid	Process
2740	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "1"	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\DisableAntiSpyware = "1"	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Verek.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "1"	Verek.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\DisableAntiSpyware = "1"	Verek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IlemetryLogtek = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe\""	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IlemetryLogtek = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gres\\Verek.exe\""	Verek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IlemetryLogtek = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gres\\Verek.exe\""	Verek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IlemetryLogtek = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe\""	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Verek.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Verek.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
9	pastebin.com
4	pastebin.com
5	pastebin.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com
10	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2300 set thread context of 2740	2300	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe	28
PID 1580 set thread context of 2020	1580	Verek.exe	40

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2428	schtasks.exe
764	schtasks.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1564	vssadmin.exe
696	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2668	powershell.exe
1184	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe
Token: SeBackupPrivilege	884	vssvc.exe
Token: SeRestorePrivilege	884	vssvc.exe
Token: SeAuditPrivilege	884	vssvc.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2020	Verek.exe
Token: SeDebugPrivilege	1184	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2020	Verek.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2740	2300	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe	28
PID 2300 wrote to memory of 2740	2300	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe	28
PID 2300 wrote to memory of 2740	2300	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe	28
PID 2300 wrote to memory of 2740	2300	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe	28
PID 2300 wrote to memory of 2740	2300	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe	28
PID 2300 wrote to memory of 2740	2300	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe	28
PID 2300 wrote to memory of 2740	2300	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe	28
PID 2300 wrote to memory of 2740	2300	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe	28
PID 2300 wrote to memory of 2740	2300	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe	28
PID 2740 wrote to memory of 2428	2740	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe	30
PID 2740 wrote to memory of 2428	2740	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe	30
PID 2740 wrote to memory of 2428	2740	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe	30
PID 2740 wrote to memory of 2428	2740	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe	30
PID 2740 wrote to memory of 2824	2740	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe	32
PID 2740 wrote to memory of 2824	2740	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe	32
PID 2740 wrote to memory of 2824	2740	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe	32
PID 2740 wrote to memory of 2824	2740	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe	32
PID 2740 wrote to memory of 1564	2740	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe	34
PID 2740 wrote to memory of 1564	2740	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe	34
PID 2740 wrote to memory of 1564	2740	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe	34
PID 2740 wrote to memory of 1564	2740	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe	34
PID 2740 wrote to memory of 2668	2740	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe	37
PID 2740 wrote to memory of 2668	2740	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe	37
PID 2740 wrote to memory of 2668	2740	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe	37
PID 2740 wrote to memory of 2668	2740	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe	37
PID 2740 wrote to memory of 1580	2740	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe	39
PID 2740 wrote to memory of 1580	2740	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe	39
PID 2740 wrote to memory of 1580	2740	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe	39
PID 2740 wrote to memory of 1580	2740	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe	39
PID 1580 wrote to memory of 2020	1580	Verek.exe	40
PID 1580 wrote to memory of 2020	1580	Verek.exe	40
PID 1580 wrote to memory of 2020	1580	Verek.exe	40
PID 1580 wrote to memory of 2020	1580	Verek.exe	40
PID 1580 wrote to memory of 2020	1580	Verek.exe	40
PID 1580 wrote to memory of 2020	1580	Verek.exe	40
PID 1580 wrote to memory of 2020	1580	Verek.exe	40
PID 1580 wrote to memory of 2020	1580	Verek.exe	40
PID 1580 wrote to memory of 2020	1580	Verek.exe	40
PID 2020 wrote to memory of 764	2020	Verek.exe	41
PID 2020 wrote to memory of 764	2020	Verek.exe	41
PID 2020 wrote to memory of 764	2020	Verek.exe	41
PID 2020 wrote to memory of 764	2020	Verek.exe	41
PID 2020 wrote to memory of 356	2020	Verek.exe	43
PID 2020 wrote to memory of 356	2020	Verek.exe	43
PID 2020 wrote to memory of 356	2020	Verek.exe	43
PID 2020 wrote to memory of 356	2020	Verek.exe	43
PID 2020 wrote to memory of 696	2020	Verek.exe	45
PID 2020 wrote to memory of 696	2020	Verek.exe	45
PID 2020 wrote to memory of 696	2020	Verek.exe	45
PID 2020 wrote to memory of 696	2020	Verek.exe	45
PID 2020 wrote to memory of 1184	2020	Verek.exe	47
PID 2020 wrote to memory of 1184	2020	Verek.exe	47
PID 2020 wrote to memory of 1184	2020	Verek.exe	47
PID 2020 wrote to memory of 1184	2020	Verek.exe	47

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Verek.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Verek.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Verek.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe
"C:\Users\Admin\AppData\Local\Temp\d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe"
1⤵
- Quasar RAT
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Users\Admin\AppData\Local\Temp\d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe
  "C:\Users\Admin\AppData\Local\Temp\d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Modifies security service
  - UAC bypass
  - Windows security bypass
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2740
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "\Microsoft\Windows\System\Pev44\Files\IlemetryLogtek" /SC MINUTE /MO 3 /RL HIGHEST /tr "C:\Users\Admin\AppData\Local\Temp\d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2428
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /delete /tn "IlemetryLogtek" /f
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\vssadmin.exe
    "vssadmin" delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1564
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2668
- - C:\Users\Admin\AppData\Roaming\Gres\Verek.exe
    "C:\Users\Admin\AppData\Roaming\Gres\Verek.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Users\Admin\AppData\Roaming\Gres\Verek.exe
      "C:\Users\Admin\AppData\Roaming\Gres\Verek.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Modifies security service
      UAC bypass
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2020
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "\Microsoft\Windows\System\Pev44\Files\IlemetryLogtek" /SC MINUTE /MO 3 /RL HIGHEST /tr "C:\Users\Admin\AppData\Roaming\Gres\Verek.exe" /f
        5⤵
        Creates scheduled task(s)
        
        PID:764
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /delete /tn "IlemetryLogtek" /f
        5⤵
        
        PID:356
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        "vssadmin" delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:696
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Gres\Verek.exe

Filesize
725KB

MD5
5db47cc0eb5dae97ad8ea7d3ccbf3f8c

SHA1
444f8028c412c7661c3204e82da703ffdc607291

SHA256
d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4

SHA512
ab5ae0c399fb4b475d85cf0c07d7c2d4aeae7ac7c2b53b8c6b26afc3eb007dfe3fdde03e695a78f0f8d1dd6648c7378d5f5063732b74bbe0d2579040a59d76d2

Download Submit
C:\Users\Admin\AppData\Roaming\Gres\settings.xml

Filesize
64B

MD5
cf4d033219f987c0a057da5f64d74fae

SHA1
a5605c0ea0193022cd71190e2dc794381f416d94

SHA256
127a80bd33231ee856a83eddfeaabb22a202a369fe429c8ff5430038fd132876

SHA512
601cf72b779711e420ae0e0292bd3834e8ccc34661f930db5cdc94a2d788147404447cc4ead19a5c74a930fd3a11a415dabe882b0033d167546f395f59383008

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
3d07a781d9e35e766b8a16bd04267baf

SHA1
560d956454b1aace9e87474fa56f710d85cfdf26

SHA256
d5f3c85b6bcf51b9f739f1180a1a790b3915b876a3c294dd82d535139a8b3c50

SHA512
1f9c041f78a7c6dce94f967ba9d7de6f217e6a1e74b124564d3fdee42f7c25e05ecd3f4924244e77dfe1e49f7c62a5cc621c645cfc1a83cf1db514c0227c046f

Download Submit
memory/1184-78-0x000000006EF30000-0x000000006F4DB000-memory.dmp

Filesize
5.7MB

Download
memory/1184-73-0x000000006EF30000-0x000000006F4DB000-memory.dmp

Filesize
5.7MB

Download
memory/1184-74-0x0000000002A70000-0x0000000002AB0000-memory.dmp

Filesize
256KB

Download
memory/1184-75-0x000000006EF30000-0x000000006F4DB000-memory.dmp

Filesize
5.7MB

Download
memory/1184-76-0x0000000002A70000-0x0000000002AB0000-memory.dmp

Filesize
256KB

Download
memory/1184-77-0x0000000002A70000-0x0000000002AB0000-memory.dmp

Filesize
256KB

Download
memory/1580-61-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/1580-42-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/1580-43-0x00000000008A0000-0x000000000095C000-memory.dmp

Filesize
752KB

Download
memory/1580-44-0x00000000047B0000-0x00000000047F0000-memory.dmp

Filesize
256KB

Download
memory/2020-81-0x00000000048D0000-0x0000000004910000-memory.dmp

Filesize
256KB

Download
memory/2020-80-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/2020-53-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2020-62-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/2300-18-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/2300-2-0x00000000004D0000-0x0000000000510000-memory.dmp

Filesize
256KB

Download
memory/2300-3-0x00000000004B0000-0x00000000004C8000-memory.dmp

Filesize
96KB

Download
memory/2300-0-0x0000000000990000-0x0000000000A4C000-memory.dmp

Filesize
752KB

Download
memory/2300-4-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/2300-5-0x00000000003E0000-0x00000000003EA000-memory.dmp

Filesize
40KB

Download
memory/2300-1-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/2300-6-0x0000000000310000-0x00000000003A4000-memory.dmp

Filesize
592KB

Download
memory/2668-32-0x00000000029D0000-0x0000000002A10000-memory.dmp

Filesize
256KB

Download
memory/2668-29-0x000000006EF70000-0x000000006F51B000-memory.dmp

Filesize
5.7MB

Download
memory/2668-33-0x000000006EF70000-0x000000006F51B000-memory.dmp

Filesize
5.7MB

Download
memory/2668-31-0x000000006EF70000-0x000000006F51B000-memory.dmp

Filesize
5.7MB

Download
memory/2668-30-0x00000000029D0000-0x0000000002A10000-memory.dmp

Filesize
256KB

Download
memory/2740-20-0x0000000004BA0000-0x0000000004BE0000-memory.dmp

Filesize
256KB

Download
memory/2740-19-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-41-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-9-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2740-10-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2740-17-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2740-15-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2740-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2740-13-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2740-8-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2740-7-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download