quasar | 018f75f18b882044109f250f19da654c0b3bd90430b318fcb03348908a189aae

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loadervmp.exe
Size

409KB
MD5

14f056491baaed04872533c2d9648d46
SHA1

c48b08d0e9064f2d060f19474bb54cf3c5a25586
SHA256

018f75f18b882044109f250f19da654c0b3bd90430b318fcb03348908a189aae
SHA512

c109b1a9cf40049f8958beab9cff112cb326dd719c56f6dedafda4cf3a64d3faae3912f34cbcc1ee203a0316e40b8f7016624f05a1ad6c93bbaa0bdc9dc79b08
SSDEEP

6144:rMvlpdRJjGq/ldSTTIgiGwo9W0MFMJyb7+Ye0SmxalGcqwL6Ir4H9VI:EpbJjGu/STTIwJWIJgG0jFCRsH9VI

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
ZJpQQkxTrak9Zs9tUOQW
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT 4 IoCs
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Processes:

schtasks.exe

flow ioc

63 ip-api.com
99 ip-api.com
7 ip-api.com
2316 schtasks.exe

flow	ioc
63	ip-api.com
99	ip-api.com
7	ip-api.com
2316	schtasks.exe

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4524-1-0x0000000000430000-0x000000000049C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 11 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
2912	Client.exe
1252	Client.exe
4068	Client.exe
1688	Client.exe
900	Client.exe
2372	Client.exe
2264	Client.exe
4676	Client.exe
3164	Client.exe
1680	Client.exe
4332	Client.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

63 ip-api.com
99 ip-api.com
7 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
63	ip-api.com
99	ip-api.com
7	ip-api.com

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4732	2912	WerFault.exe	Client.exe
3516	1252	WerFault.exe	Client.exe
3500	4068	WerFault.exe	Client.exe
1916	1688	WerFault.exe	Client.exe
1492	900	WerFault.exe	Client.exe
4056	2372	WerFault.exe	Client.exe
2268	2264	WerFault.exe	Client.exe
3500	4676	WerFault.exe	Client.exe
1012	3164	WerFault.exe	Client.exe
2576	1680	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

SCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3896	SCHTASKS.exe
4888	schtasks.exe
3212	schtasks.exe
3140	schtasks.exe
2140	schtasks.exe
2932	schtasks.exe
2624	schtasks.exe
2912	schtasks.exe
3108	schtasks.exe
2276	schtasks.exe
2316	schtasks.exe
1976	schtasks.exe
3996	schtasks.exe

Runs ping.exe 1 TTPs 10 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

4612 PING.EXE
3532 PING.EXE
3432 PING.EXE
4624 PING.EXE
3216 PING.EXE
3220 PING.EXE
1916 PING.EXE
3432 PING.EXE
1564 PING.EXE
3092 PING.EXE

pid	process
4612	PING.EXE
3532	PING.EXE
3432	PING.EXE
4624	PING.EXE
3216	PING.EXE
3220	PING.EXE
1916	PING.EXE
3432	PING.EXE
1564	PING.EXE
3092	PING.EXE

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

loadervmp.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	4524	loadervmp.exe
Token: SeDebugPrivilege	2912	Client.exe
Token: SeDebugPrivilege	1252	Client.exe
Token: SeDebugPrivilege	4068	Client.exe
Token: SeDebugPrivilege	1688	Client.exe
Token: SeDebugPrivilege	900	Client.exe
Token: SeDebugPrivilege	2372	Client.exe
Token: SeDebugPrivilege	2264	Client.exe
Token: SeDebugPrivilege	4676	Client.exe
Token: SeDebugPrivilege	3164	Client.exe
Token: SeDebugPrivilege	1680	Client.exe
Token: SeDebugPrivilege	4332	Client.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
2912	Client.exe
1252	Client.exe
4068	Client.exe
1688	Client.exe
900	Client.exe
2372	Client.exe
2264	Client.exe
4676	Client.exe
3164	Client.exe
1680	Client.exe
4332	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

loadervmp.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 4524 wrote to memory of 2316	4524	loadervmp.exe	schtasks.exe
PID 4524 wrote to memory of 2316	4524	loadervmp.exe	schtasks.exe
PID 4524 wrote to memory of 2316	4524	loadervmp.exe	schtasks.exe
PID 4524 wrote to memory of 2912	4524	loadervmp.exe	Client.exe
PID 4524 wrote to memory of 2912	4524	loadervmp.exe	Client.exe
PID 4524 wrote to memory of 2912	4524	loadervmp.exe	Client.exe
PID 4524 wrote to memory of 3896	4524	loadervmp.exe	SCHTASKS.exe
PID 4524 wrote to memory of 3896	4524	loadervmp.exe	SCHTASKS.exe
PID 4524 wrote to memory of 3896	4524	loadervmp.exe	SCHTASKS.exe
PID 2912 wrote to memory of 1976	2912	Client.exe	schtasks.exe
PID 2912 wrote to memory of 1976	2912	Client.exe	schtasks.exe
PID 2912 wrote to memory of 1976	2912	Client.exe	schtasks.exe
PID 2912 wrote to memory of 4144	2912	Client.exe	cmd.exe
PID 2912 wrote to memory of 4144	2912	Client.exe	cmd.exe
PID 2912 wrote to memory of 4144	2912	Client.exe	cmd.exe
PID 4144 wrote to memory of 4968	4144	cmd.exe	chcp.com
PID 4144 wrote to memory of 4968	4144	cmd.exe	chcp.com
PID 4144 wrote to memory of 4968	4144	cmd.exe	chcp.com
PID 4144 wrote to memory of 1916	4144	cmd.exe	PING.EXE
PID 4144 wrote to memory of 1916	4144	cmd.exe	PING.EXE
PID 4144 wrote to memory of 1916	4144	cmd.exe	PING.EXE
PID 4144 wrote to memory of 1252	4144	cmd.exe	Client.exe
PID 4144 wrote to memory of 1252	4144	cmd.exe	Client.exe
PID 4144 wrote to memory of 1252	4144	cmd.exe	Client.exe
PID 1252 wrote to memory of 2140	1252	Client.exe	schtasks.exe
PID 1252 wrote to memory of 2140	1252	Client.exe	schtasks.exe
PID 1252 wrote to memory of 2140	1252	Client.exe	schtasks.exe
PID 1252 wrote to memory of 3668	1252	Client.exe	cmd.exe
PID 1252 wrote to memory of 3668	1252	Client.exe	cmd.exe
PID 1252 wrote to memory of 3668	1252	Client.exe	cmd.exe
PID 3668 wrote to memory of 2400	3668	cmd.exe	chcp.com
PID 3668 wrote to memory of 2400	3668	cmd.exe	chcp.com
PID 3668 wrote to memory of 2400	3668	cmd.exe	chcp.com
PID 3668 wrote to memory of 4612	3668	cmd.exe	PING.EXE
PID 3668 wrote to memory of 4612	3668	cmd.exe	PING.EXE
PID 3668 wrote to memory of 4612	3668	cmd.exe	PING.EXE
PID 3668 wrote to memory of 4068	3668	cmd.exe	Client.exe
PID 3668 wrote to memory of 4068	3668	cmd.exe	Client.exe
PID 3668 wrote to memory of 4068	3668	cmd.exe	Client.exe
PID 4068 wrote to memory of 2932	4068	Client.exe	schtasks.exe
PID 4068 wrote to memory of 2932	4068	Client.exe	schtasks.exe
PID 4068 wrote to memory of 2932	4068	Client.exe	schtasks.exe
PID 4068 wrote to memory of 3092	4068	Client.exe	cmd.exe
PID 4068 wrote to memory of 3092	4068	Client.exe	cmd.exe
PID 4068 wrote to memory of 3092	4068	Client.exe	cmd.exe
PID 3092 wrote to memory of 4316	3092	cmd.exe	chcp.com
PID 3092 wrote to memory of 4316	3092	cmd.exe	chcp.com
PID 3092 wrote to memory of 4316	3092	cmd.exe	chcp.com
PID 3092 wrote to memory of 3532	3092	cmd.exe	PING.EXE
PID 3092 wrote to memory of 3532	3092	cmd.exe	PING.EXE
PID 3092 wrote to memory of 3532	3092	cmd.exe	PING.EXE
PID 3092 wrote to memory of 1688	3092	cmd.exe	Client.exe
PID 3092 wrote to memory of 1688	3092	cmd.exe	Client.exe
PID 3092 wrote to memory of 1688	3092	cmd.exe	Client.exe
PID 1688 wrote to memory of 2912	1688	Client.exe	schtasks.exe
PID 1688 wrote to memory of 2912	1688	Client.exe	schtasks.exe
PID 1688 wrote to memory of 2912	1688	Client.exe	schtasks.exe
PID 1688 wrote to memory of 4748	1688	Client.exe	cmd.exe
PID 1688 wrote to memory of 4748	1688	Client.exe	cmd.exe
PID 1688 wrote to memory of 4748	1688	Client.exe	cmd.exe
PID 4748 wrote to memory of 3708	4748	cmd.exe	chcp.com
PID 4748 wrote to memory of 3708	4748	cmd.exe	chcp.com
PID 4748 wrote to memory of 3708	4748	cmd.exe	chcp.com
PID 4748 wrote to memory of 3432	4748	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\loadervmp.exe
"C:\Users\Admin\AppData\Local\Temp\loadervmp.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\loadervmp.exe" /rl HIGHEST /f
2⤵
- Quasar RAT
- Creates scheduled task(s)
PID:2316

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WZFXsratbgOw.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4144

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4968

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1916

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\niGWrWWT8EEg.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:2400

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:4612

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gE3sifTTayGc.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:3092

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:4316

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:3532

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:2912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmZ3TR8ax4A4.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:3708

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:3432

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:900

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:3996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yPdUt9ImHqQ0.bat" "
11⤵
PID:3972

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:4072

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:1564

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2372

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:3108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CYqk5452HbZq.bat" "
13⤵
PID:4608

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:3532

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:3092

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2264

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:2276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VC2YqwdhU7IV.bat" "
15⤵
PID:2800

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:2960

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:3432

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4676

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:4888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yRj9phSpq6zS.bat" "
17⤵
PID:3192

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:2068

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:4624

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3164

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:2624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\64zqSfThe4YU.bat" "
19⤵
PID:1828

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:4044

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:3216

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1680

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:3212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LzNcxc8h8kLv.bat" "
21⤵
PID:2108

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:5040

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:3220

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4332

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 1076
21⤵
- Program crash
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 2456
19⤵
- Program crash
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 2472
17⤵
- Program crash
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1092
15⤵
- Program crash
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 1684
13⤵
- Program crash
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 2460
11⤵
- Program crash
PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1092
9⤵
- Program crash
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 2472
7⤵
- Program crash
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 2436
5⤵
- Program crash
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 2492
3⤵
- Program crash
PID:4732

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77loadervmp.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\loadervmp.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2912 -ip 2912
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1252 -ip 1252
1⤵
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4068 -ip 4068
1⤵
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1688 -ip 1688
1⤵
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 900 -ip 900
1⤵
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2372 -ip 2372
1⤵
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2264 -ip 2264
1⤵
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4676 -ip 4676
1⤵
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3164 -ip 3164
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1680 -ip 1680
1⤵
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\64zqSfThe4YU.bat

Filesize
207B

MD5
fd410be6e1599ebab76021112b7c6dd0

SHA1
d9a8072fbd88da21d92dfe00ebe6cfec6fb067d6

SHA256
272484ffa0aaa1e524a26603d1de1416057b69806cdf865046b98310882d2f7e

SHA512
af9810082abd5f005063c9273651b2e37e29588a0202cb1fc1f113413127fb9ac731b39bd0806e2a75f5c543c90bfd04915679422e464ab335fd7554a5ccd8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYqk5452HbZq.bat

Filesize
207B

MD5
856fd0444e56c563672338438c6040fa

SHA1
e8e3a809069a6f803b680df5d4a282921cec2f52

SHA256
3a404d58fe704c9689a7623418c3ccdaa0d5d6bbac2899f98e4d11c928ca00df

SHA512
8ce567af5f005c38b8db534b5de1722311ea277760964ee3e32a856bd4f8c689c62cd316a8c52688dc61cfade64705dc9b790c00fc013d4bb7d03b99a61b1b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzNcxc8h8kLv.bat

Filesize
207B

MD5
6af1dd16146628cda212dbb10b507cdb

SHA1
39ee75c21c60a987dc2bdeeaedadc3f9b98704eb

SHA256
dbcf622bf7f7b0fcf27d192f488302b91810bee54ca89bce3536b30cc602b172

SHA512
43701eddc22a43c62df25779fbac5ae98ab7c0fc72c369d314b9cf17707a6a4a83e46e14603225c2ac09dd220ae8c76f54f586c154858e979278ac83b5c67d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\VC2YqwdhU7IV.bat

Filesize
207B

MD5
0223a1434fcf53686fa76caad14547b2

SHA1
6a4d961081585a541e7c88980f6b16f3346dce38

SHA256
354c8c7583cfbfea695f3ec7f4e6ee1a49806111d02a2b4eca093e17d86118fc

SHA512
94eba1ccbe344bf462eedd2c22ecf900b24388f5bf3337de21cf2d4d9689be388dace9e358a5cbda8c9dbc0e53d31229a1c85051c8e2685f8c501ca503e7ae5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZFXsratbgOw.bat

Filesize
207B

MD5
4e84fb3aadcfd74881314ee2ff2bac3d

SHA1
8dc7d8f89a1cceb6276e0591ed00412dd48c44fe

SHA256
d2242f2c2ddbc39ff30aa2b622d004608e7287bc26dd712f4a855d6c1b00f7ae

SHA512
61b9306efda68bd62f7fc1664c89cb117c19ab3b7ffe35583341cdc65378bcfd8c49bd08ac74a35e5de4a3e5785539ce4a308ac0a6816d2c4d4f2b5ee2d456f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gE3sifTTayGc.bat

Filesize
207B

MD5
34b1b8c84259d599b6b4f56367b20eca

SHA1
37b7f0482c28a9a15427b55f5b5bb58ee16ef143

SHA256
901ae8919d59f9691be31f57142a03389b4fbde1e5e4f8280e9443540fbb4e55

SHA512
69b8532082a46c34ca635ae559ea81e4101739d17fdb494d70601fcefc48806b51f22977f7ee470256577f4a5e7d034e4ace750f328fa78c28490130493135d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mmZ3TR8ax4A4.bat

Filesize
207B

MD5
8422c1ed7bcb1821e1e862c33bb0564b

SHA1
da3e3c50d77174df04d11d8299e12c99468625da

SHA256
839a2f25f337032c8f0c4b3f06e1443d6b336b864c9b2eae747f1fc5d7802b18

SHA512
91bf64bdd2163b6a832076da9f963281815da3fc67b8812f5bcc241343441c558904d9a284235a7c98fc2a3b6b0a8ec6bb5f73961ccbed8d8d09de94587170e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\niGWrWWT8EEg.bat

Filesize
207B

MD5
72e9a42c5b63ac4364bb3570884336ba

SHA1
7d3068b24454c58e2387a1c14e9f160898b0ea06

SHA256
cee3923f884bd7348ec116d998ac9290e213a5e171a4982e9b59816fb13977d8

SHA512
d02a0030344176bcf2d10e6cf8b7c44dc6c34a853b472b47e4883e0a1925514e859e26db2d7c9b17badc1928578050e913d64169182a7986102a264d2b4f5482

Download Submit
C:\Users\Admin\AppData\Local\Temp\yPdUt9ImHqQ0.bat

Filesize
207B

MD5
1704c17350af11d223805cd523767704

SHA1
dd57c49a864049bc7e2987095fd42630b05b119e

SHA256
4dd99e8df30983966eb0a979a151cccec54b53990adbea6543c1ce0376aba4f7

SHA512
c4f759f23b6b619c8eb940e8378c501985c642c8722ca87856f97174e9dcc31d83028c72da1d7f80383ce3d2b783d3c0e52afff4cc8e2d8997141a097411ee2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yRj9phSpq6zS.bat

Filesize
207B

MD5
27962f4ec19f314b8c42b93f583c4cd0

SHA1
3551cfa7d410109bcd5cd930160ae458d7b37a25

SHA256
186e2d1ef273266e76d2f63c1ff3a724db22983a715ed6126d8d648e61b38c07

SHA512
05d563c1fa9719b6a81b70356d35e35d50de03d1f19ba25d3e46ba80ed3e3a76314ac1c58f74b028e6c850ad48e7e07db11ec840448c543842dc560c8bbef390

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-31-2024

Filesize
224B

MD5
e692c021a90a525001a7a5494adced80

SHA1
801cd3521a8e8a345efd9d5c8e21fbcf3d26bfe3

SHA256
a87cfb2d9a6089b210f9d5f5e629c93b83260e216e96afd8e8cb03c74d26eeea

SHA512
2d0b149a62a1205ab486f3ff18404d659133bc8921d0bdb897feea23d3f418b1025a2913f83cb02b0b789f4e282f01c3b90d55d848918f325fcd68d55089c452

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-31-2024

Filesize
224B

MD5
38e257827f29cd8d19c038c96b1600b8

SHA1
8cef243fe99e42051493e195f98e6f8a8ab21424

SHA256
b540d5630bfac809e8ed0b8fbf7650d905a04acc1da0f2a7e8c11a7ec1ce9c3e

SHA512
13bf585ab1f1619659e9ba5bb6039131f4d5a3a302296ee6e07121c4b52365dfe76770197b5afa7f86ecc80e0c523176b1cdb1817370521514c4b118111d0437

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-31-2024

Filesize
224B

MD5
21a43c4cf1e5d54844a09af0b810579c

SHA1
680d1d02168aa5aeef1677c1c36af8515680161f

SHA256
561a7f2a36721a0a57a9467ab1faed5ae045c8083ec475397e7bd7da2682f5f1

SHA512
8d60b9f6214195a34432e7e2781ea56b9fa1a213b31ec327c7b19de788cd0d6b8f792bf73a0952cfc8e00671c0b1e807cccbaefb1ea3d7f4c97646d501eb3d98

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-31-2024

Filesize
224B

MD5
eead46e4f7c61143858921532fb8d016

SHA1
5411e6954f8a61be90b3c5e6f6bb259c6555eee8

SHA256
8d044f98cc065d88e2ce612e224317a211371e0ba2e9348b7b0e999c5e4b6fcb

SHA512
08cffb8f06ed3d5a24654490906f6a709d4d52401b6c81791f1993aace7d12d003d5ff352674b23dab889b442766f0294dfde26c8945d52138514c811ed7ff07

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-31-2024

Filesize
224B

MD5
8219014a31ea908b1eff0a95ab4b6ad9

SHA1
a2ae348e33f57554169f354f3e136c01f2744ec8

SHA256
b923771f85e61aac8385c80dbdfe974496567cb37bf5f2e317cab9de4e7234cf

SHA512
179b3dcbbe3d40ae79caf97cd0a50ff6fa2587ae7f8c650eca755fb26400b2350590febc10f06c0439f884260def8c9707801684d8ec5e77e7a0ffe3819b1659

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-31-2024

Filesize
224B

MD5
5cb5911f9464b26ce58ac157fa033284

SHA1
5adfcc27dcd1a47899548af4854db402190d2d70

SHA256
b9e47ad3397a95b597c952d65f6f3f15eebdffbc6a835f93fc1d6b984acd11d7

SHA512
c7a996370ca46d9daf2bb7c4ae7aeb418555573a49f8a905abf1707b94ad31a735b17511a40bcae62f501cc378b969741916af6fd2e3b4a9cba5d782e95434c7

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-31-2024

Filesize
224B

MD5
185aa80999bfdf395921d862162f5e4f

SHA1
97a889d161dedfdba0266c9cd75c54799d7f3152

SHA256
4512abc2d3d748939c73419173b1868dcbbd584968c5a6c92da164438871f4b4

SHA512
a7070fffd414e0d910d41167073e226b42d0dd76582464ff98723049164cbc20e40d425bcccf9f98f9a3515e03b199246152d37db617dd87f774f3006095dfc7

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-31-2024

Filesize
224B

MD5
aee5bdaba0fede1a56f6b93eb3b78595

SHA1
42c55db699e7e859f8cce5122cdb2704be9b5ab6

SHA256
3f002aa750ca050a183677051e1ace7c05c9f6bdd5e5f382f092c0c46b55d2ed

SHA512
744a034b1c867595f6d79d33d88f4020f9005a6b8f91903f0edbb99a2503e164d4d3adb83992d34af6511d87eeba8d2c3b8c23df8809d2c6b284fed292599a5d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-31-2024

Filesize
224B

MD5
04051c50463bf29f06a197ff6086310a

SHA1
da15472a1201d2d9739cdcc06c8e3674e41aa0e7

SHA256
745b4ad90893193750d575dbff5d5c5b2b4146284fde8f12dabfe1933bcf01c9

SHA512
90f609b6970bd889283cc048d8d85784a4053bb3158217b699e8ebcd7ac19b1ad7a9569509720ec7316e50be53bbf9f9836934f3ec27cb0963f3d2b714f10eae

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
409KB

MD5
14f056491baaed04872533c2d9648d46

SHA1
c48b08d0e9064f2d060f19474bb54cf3c5a25586

SHA256
018f75f18b882044109f250f19da654c0b3bd90430b318fcb03348908a189aae

SHA512
c109b1a9cf40049f8958beab9cff112cb326dd719c56f6dedafda4cf3a64d3faae3912f34cbcc1ee203a0316e40b8f7016624f05a1ad6c93bbaa0bdc9dc79b08

Download Submit
memory/2912-18-0x0000000006F00000-0x0000000006F0A000-memory.dmp

Filesize
40KB

Download
memory/2912-14-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/2912-13-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/2912-23-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/4524-5-0x0000000005010000-0x0000000005076000-memory.dmp

Filesize
408KB

Download
memory/4524-4-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/4524-0-0x00000000746EE000-0x00000000746EF000-memory.dmp

Filesize
4KB

Download
memory/4524-3-0x0000000004EC0000-0x0000000004F52000-memory.dmp

Filesize
584KB

Download
memory/4524-6-0x0000000005BC0000-0x0000000005BD2000-memory.dmp

Filesize
72KB

Download
memory/4524-2-0x00000000053D0000-0x0000000005974000-memory.dmp

Filesize
5.6MB

Download
memory/4524-7-0x0000000006100000-0x000000000613C000-memory.dmp

Filesize
240KB

Download
memory/4524-1-0x0000000000430000-0x000000000049C000-memory.dmp

Filesize
432KB

Download
memory/4524-16-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download