quasar | 018f75f18b882044109f250f19da654c0b3bd90430b318fcb03348908a189aae

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loadervmp.exe
Size

409KB
MD5

14f056491baaed04872533c2d9648d46
SHA1

c48b08d0e9064f2d060f19474bb54cf3c5a25586
SHA256

018f75f18b882044109f250f19da654c0b3bd90430b318fcb03348908a189aae
SHA512

c109b1a9cf40049f8958beab9cff112cb326dd719c56f6dedafda4cf3a64d3faae3912f34cbcc1ee203a0316e40b8f7016624f05a1ad6c93bbaa0bdc9dc79b08
SSDEEP

6144:rMvlpdRJjGq/ldSTTIgiGwo9W0MFMJyb7+Ye0SmxalGcqwL6Ir4H9VI:EpbJjGu/STTIwJWIJgG0jFCRsH9VI

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
ZJpQQkxTrak9Zs9tUOQW
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT 4 IoCs
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Processes:

schtasks.exe

pid process

2256 schtasks.exe
11 ip-api.com
58 ip-api.com
91 ip-api.com

pid	process
2256	schtasks.exe
11	ip-api.com
58	ip-api.com
91	ip-api.com

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4900-1-0x00000000001F0000-0x000000000025C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 11 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
2436	Client.exe
2568	Client.exe
5016	Client.exe
1908	Client.exe
3644	Client.exe
2020	Client.exe
1332	Client.exe
4064	Client.exe
4484	Client.exe
4060	Client.exe
2944	Client.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

91 ip-api.com
11 ip-api.com
58 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
91	ip-api.com
11	ip-api.com
58	ip-api.com

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4440	2436	WerFault.exe	Client.exe
2372	2568	WerFault.exe	Client.exe
1660	5016	WerFault.exe	Client.exe
4632	1908	WerFault.exe	Client.exe
1788	3644	WerFault.exe	Client.exe
1848	2020	WerFault.exe	Client.exe
4708	1332	WerFault.exe	Client.exe
2932	4064	WerFault.exe	Client.exe
4012	4484	WerFault.exe	Client.exe
2080	4060	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1752	schtasks.exe
2404	schtasks.exe
1360	schtasks.exe
1252	schtasks.exe
2256	schtasks.exe
4500	schtasks.exe
1496	schtasks.exe
3956	schtasks.exe
1496	SCHTASKS.exe
1484	schtasks.exe
4064	schtasks.exe
4220	schtasks.exe
2600	schtasks.exe

Runs ping.exe 1 TTPs 10 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

1988 PING.EXE
1960 PING.EXE
5000 PING.EXE
3772 PING.EXE
4412 PING.EXE
712 PING.EXE
4928 PING.EXE
1840 PING.EXE
4904 PING.EXE
1216 PING.EXE

pid	process
1988	PING.EXE
1960	PING.EXE
5000	PING.EXE
3772	PING.EXE
4412	PING.EXE
712	PING.EXE
4928	PING.EXE
1840	PING.EXE
4904	PING.EXE
1216	PING.EXE

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

loadervmp.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	4900	loadervmp.exe
Token: SeDebugPrivilege	2436	Client.exe
Token: SeDebugPrivilege	2568	Client.exe
Token: SeDebugPrivilege	5016	Client.exe
Token: SeDebugPrivilege	1908	Client.exe
Token: SeDebugPrivilege	3644	Client.exe
Token: SeDebugPrivilege	2020	Client.exe
Token: SeDebugPrivilege	1332	Client.exe
Token: SeDebugPrivilege	4064	Client.exe
Token: SeDebugPrivilege	4484	Client.exe
Token: SeDebugPrivilege	4060	Client.exe
Token: SeDebugPrivilege	2944	Client.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
2436	Client.exe
2568	Client.exe
5016	Client.exe
1908	Client.exe
3644	Client.exe
2020	Client.exe
1332	Client.exe
4064	Client.exe
4484	Client.exe
4060	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

loadervmp.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 4900 wrote to memory of 2256	4900	loadervmp.exe	schtasks.exe
PID 4900 wrote to memory of 2256	4900	loadervmp.exe	schtasks.exe
PID 4900 wrote to memory of 2256	4900	loadervmp.exe	schtasks.exe
PID 4900 wrote to memory of 2436	4900	loadervmp.exe	Client.exe
PID 4900 wrote to memory of 2436	4900	loadervmp.exe	Client.exe
PID 4900 wrote to memory of 2436	4900	loadervmp.exe	Client.exe
PID 4900 wrote to memory of 1496	4900	loadervmp.exe	SCHTASKS.exe
PID 4900 wrote to memory of 1496	4900	loadervmp.exe	SCHTASKS.exe
PID 4900 wrote to memory of 1496	4900	loadervmp.exe	SCHTASKS.exe
PID 2436 wrote to memory of 2404	2436	Client.exe	schtasks.exe
PID 2436 wrote to memory of 2404	2436	Client.exe	schtasks.exe
PID 2436 wrote to memory of 2404	2436	Client.exe	schtasks.exe
PID 2436 wrote to memory of 3296	2436	Client.exe	cmd.exe
PID 2436 wrote to memory of 3296	2436	Client.exe	cmd.exe
PID 2436 wrote to memory of 3296	2436	Client.exe	cmd.exe
PID 3296 wrote to memory of 4980	3296	cmd.exe	chcp.com
PID 3296 wrote to memory of 4980	3296	cmd.exe	chcp.com
PID 3296 wrote to memory of 4980	3296	cmd.exe	chcp.com
PID 3296 wrote to memory of 5000	3296	cmd.exe	PING.EXE
PID 3296 wrote to memory of 5000	3296	cmd.exe	PING.EXE
PID 3296 wrote to memory of 5000	3296	cmd.exe	PING.EXE
PID 3296 wrote to memory of 2568	3296	cmd.exe	Client.exe
PID 3296 wrote to memory of 2568	3296	cmd.exe	Client.exe
PID 3296 wrote to memory of 2568	3296	cmd.exe	Client.exe
PID 2568 wrote to memory of 4500	2568	Client.exe	schtasks.exe
PID 2568 wrote to memory of 4500	2568	Client.exe	schtasks.exe
PID 2568 wrote to memory of 4500	2568	Client.exe	schtasks.exe
PID 2568 wrote to memory of 4948	2568	Client.exe	cmd.exe
PID 2568 wrote to memory of 4948	2568	Client.exe	cmd.exe
PID 2568 wrote to memory of 4948	2568	Client.exe	cmd.exe
PID 4948 wrote to memory of 4684	4948	cmd.exe	chcp.com
PID 4948 wrote to memory of 4684	4948	cmd.exe	chcp.com
PID 4948 wrote to memory of 4684	4948	cmd.exe	chcp.com
PID 4948 wrote to memory of 4928	4948	cmd.exe	PING.EXE
PID 4948 wrote to memory of 4928	4948	cmd.exe	PING.EXE
PID 4948 wrote to memory of 4928	4948	cmd.exe	PING.EXE
PID 4948 wrote to memory of 5016	4948	cmd.exe	Client.exe
PID 4948 wrote to memory of 5016	4948	cmd.exe	Client.exe
PID 4948 wrote to memory of 5016	4948	cmd.exe	Client.exe
PID 5016 wrote to memory of 1484	5016	Client.exe	schtasks.exe
PID 5016 wrote to memory of 1484	5016	Client.exe	schtasks.exe
PID 5016 wrote to memory of 1484	5016	Client.exe	schtasks.exe
PID 5016 wrote to memory of 4692	5016	Client.exe	cmd.exe
PID 5016 wrote to memory of 4692	5016	Client.exe	cmd.exe
PID 5016 wrote to memory of 4692	5016	Client.exe	cmd.exe
PID 4692 wrote to memory of 1848	4692	cmd.exe	chcp.com
PID 4692 wrote to memory of 1848	4692	cmd.exe	chcp.com
PID 4692 wrote to memory of 1848	4692	cmd.exe	chcp.com
PID 4692 wrote to memory of 3772	4692	cmd.exe	PING.EXE
PID 4692 wrote to memory of 3772	4692	cmd.exe	PING.EXE
PID 4692 wrote to memory of 3772	4692	cmd.exe	PING.EXE
PID 4692 wrote to memory of 1908	4692	cmd.exe	Client.exe
PID 4692 wrote to memory of 1908	4692	cmd.exe	Client.exe
PID 4692 wrote to memory of 1908	4692	cmd.exe	Client.exe
PID 1908 wrote to memory of 1360	1908	Client.exe	schtasks.exe
PID 1908 wrote to memory of 1360	1908	Client.exe	schtasks.exe
PID 1908 wrote to memory of 1360	1908	Client.exe	schtasks.exe
PID 1908 wrote to memory of 4360	1908	Client.exe	cmd.exe
PID 1908 wrote to memory of 4360	1908	Client.exe	cmd.exe
PID 1908 wrote to memory of 4360	1908	Client.exe	cmd.exe
PID 4360 wrote to memory of 4076	4360	cmd.exe	chcp.com
PID 4360 wrote to memory of 4076	4360	cmd.exe	chcp.com
PID 4360 wrote to memory of 4076	4360	cmd.exe	chcp.com
PID 4360 wrote to memory of 1840	4360	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\loadervmp.exe
"C:\Users\Admin\AppData\Local\Temp\loadervmp.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\loadervmp.exe" /rl HIGHEST /f
2⤵
- Quasar RAT
- Creates scheduled task(s)
PID:2256

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ubka2fxihndu.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3296

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4980

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:5000

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P3aAnLiGERgA.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:4684

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:4928

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:1484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dCoPzGVXFCq1.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4692

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:1848

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:3772

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:1360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IXBdx6DDRbMA.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:4360

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:4076

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:1840

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3644

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:4064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jHjQBfRH6d9C.bat" "
11⤵
PID:4180

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:1256

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:4412

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2020

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:4220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIean00MFL42.bat" "
13⤵
PID:3964

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:4636

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:4904

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1332

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:1252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Jd1nmqi2RkaB.bat" "
15⤵
PID:2708

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:4732

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:712

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4064

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:2600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\am3nlWfcxJRw.bat" "
17⤵
PID:3424

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:3572

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:1988

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4484

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rw5mjBbCTrHg.bat" "
19⤵
PID:3348

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:2984

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:1960

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4060

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KBmNiwQLpqyd.bat" "
21⤵
PID:228

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:4440

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:1216

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1696
21⤵
- Program crash
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 2472
19⤵
- Program crash
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 2472
17⤵
- Program crash
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 1084
15⤵
- Program crash
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 2472
13⤵
- Program crash
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 2440
11⤵
- Program crash
PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 2476
9⤵
- Program crash
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 2476
7⤵
- Program crash
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 2472
5⤵
- Program crash
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 2464
3⤵
- Program crash
PID:4440

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77loadervmp.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\loadervmp.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2436 -ip 2436
1⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2568 -ip 2568
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5016 -ip 5016
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1908 -ip 1908
1⤵
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3644 -ip 3644
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2020 -ip 2020
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1332 -ip 1332
1⤵
PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4064 -ip 4064
1⤵
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4484 -ip 4484
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4060 -ip 4060
1⤵
PID:5104

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXBdx6DDRbMA.bat
Filesize
207B

MD5
60a7aed55a051c50c2a4aa4e99fedf59

SHA1
b5eb6c70860ad30b4db8e08a71d22a4fb8bccc60

SHA256
b242f26b7ec63278f8e87722b708809570800d2fd8118fa2472c17c9b9d61cd0

SHA512
6252aaf5fbbcb8c66a10659f8c6cb5007467518fdca732fe4c09a29beb86d999d02d28cfcdfb2b9a02a8c56b09a6e3699ebe3c57b8e7831a28976e1588465281

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jd1nmqi2RkaB.bat
Filesize
207B

MD5
3e4fc6eb905ad05c6ba38732324de460

SHA1
a13142b0649c5b0fd66e8789d56e0630b5058942

SHA256
9b0f89498135b7ff75b661d3a30739d650b5472da5d11aadc7f31aaddbbfc43b

SHA512
d6e314e791d1605d74339c943f2a6d1041702645dfe69515d12a848e212eb392234ae1cb4ad0e5fe9fff0ce29f9ba4b93c0ed63cfd924c042b98ddb5ca9b482e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KBmNiwQLpqyd.bat
Filesize
207B

MD5
b915e6912fca767229577885cedb224c

SHA1
6853470450174ca2754b18015f72dc426a10db37

SHA256
7d4a4ff56f732b4630a04866e12431984e8a2e0c922112b72479ce7c77f63b2a

SHA512
dcf6837f5b4ee221b365df553df890ccfb62564f35cae9ace1366ffc3d25d464920db2393cb8991575ae44006354659d2016ee3d268ea7490ceb33fefc0fdddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\P3aAnLiGERgA.bat
Filesize
207B

MD5
88dcdb84ee5ab25ea6063408c48d6f13

SHA1
eb8535804aa0471ba4b5d76dc8097ca6dab54913

SHA256
53db498bee10e50e55e49ee1351c826dadec726014648f36bb4f5ea8f8b6e9f5

SHA512
79c7c7d24240ebea1af57bf7809cb2a56ab12c2a564676396e20d8dd825dc3c531f6bc65045109d1a22cead2c74afc999ba3d7afc4d6293a61f77164efbf0a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ubka2fxihndu.bat
Filesize
207B

MD5
c4e3aeb8117b617146ecf81eeeec4899

SHA1
60c0f3e5e3e184bedc8f27308fd12e939badec6d

SHA256
78fabcb1e331e407f3da9fa58719d728c9eb90fe9c35da1bc1a6788360f0cf23

SHA512
782bba4bc86917af9da5671748640aa8ac7b4b152212d319adae0eea52080e9de4878d3436020d5629024d3f544e15088699f5e2f2f754bb099a6dd19f995d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\am3nlWfcxJRw.bat
Filesize
207B

MD5
5be2cde195b8d8ba61a260edd1386448

SHA1
99d15d0f2fb149a18e50cdaf53ef880d4a11c877

SHA256
90c08884158f0342bc5aaef2b177c35a72b1ad7886148b68771ae4915704ba91

SHA512
5b4ac98b90ef25601943b1fc338ea3472c0f52a909c46a5ed3731e8e670feb504d3e6d37fb45ea2ee88d9bb4c1aedafe2c464802ab47578ec3df001c02ea0e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dCoPzGVXFCq1.bat
Filesize
207B

MD5
14681941b8dfe7f864aead36d4718ec9

SHA1
ed00cc37d8f57bef5cb1d435eeba363e8e351969

SHA256
b6f7a057225dc5ec297a0313417b231cd5ea53097ca5c2d101b82f4da5de56a5

SHA512
c1bd86f9af735a9ee2530f29e5b9128b237f31e971d78dbba9c0f3a3fce1b1166554c93190786a4017112952a79a2bedc1c1e2b79e4f46078f023659993d8b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIean00MFL42.bat
Filesize
207B

MD5
d31440127e6b2c51f3414e0f299eda7e

SHA1
a2bc335465214d31ec955b89a4677ed75923eabc

SHA256
54d19f4415f2f84a447370a392252b389ac09b8a2d788c35cb55381676e673b9

SHA512
fc8f6082f0c220b3f19d91b08c08a857017bf9b008a8a286ce8f96133a15666be3d71360d8a1089aa80b44fa99acbcbfd0482c71324ba4724100b3891fe65df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jHjQBfRH6d9C.bat
Filesize
207B

MD5
19d249f06b45ca270e11aebf09202716

SHA1
ea594dea399923859d2230861facd8111cedcbc0

SHA256
85bb44a259c4244552b44922ca8d8887e1c6d37575707bd6bacb4bc56c9e5798

SHA512
bcae85db1ace87fe94d051ee6fe03f1844513f7cc08e27bee6c5cf970acf00b97e1c883f9362c7b1507efb7144c0dd380888a6bdff13fd563d3497fbc78fb69b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rw5mjBbCTrHg.bat
Filesize
207B

MD5
2852f2656a9d214a75de10c98d5363a5

SHA1
7b6861208c78286c1d6ba74ae3ff62518c8d6bc9

SHA256
f47c8a4f1cb8a723353fafdebbfa381fe3bcab63652593e73d2c8e9e49d3073c

SHA512
e311ba2baa4010b08e2e15e0ef6c263c43a4a4f6b088a1323c34fbf4e9aee495a5cbd58d0b9b306195270e5b3f355fcf5aee7112288af50eba8afa400d95a498

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-31-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-31-2024
Filesize
224B

MD5
bd4e83fe0134947699458309536f4136

SHA1
3d99e89709235d80b77991f483e988da98674191

SHA256
8daf05e3c12ed233d1b9542d5f39325730daa6e6fd3304368a81aacf986555d1

SHA512
433d27ec6abebb3ba590926e149bee34e1738035e035b18dd7b64a6954a66d8bf64cd020fbbb397d4d045462cbb02b094a345c30525433d46ec67930a88c6d7e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-31-2024
Filesize
224B

MD5
fbf4b653df34359e00cf00b00e6585e8

SHA1
e831ec891483449cf3cab83d0c12798d2a24c838

SHA256
90ea323590342101e32e3d36d9fa68dfb0c639f2168766e6e7df3610fb7b4dc9

SHA512
3bba128f0e839ebaa79d70eb33bcaedf03d572b3eeb55f076909932b49e4a50d92a5deff6f408f8bd2d51e62a25d5e1ee762e1a344ea34ef81c06d4bbcaee4b1

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-31-2024
Filesize
224B

MD5
f414d19ce43af09f24232b8f298ecbd8

SHA1
57b001cbea51f06ab296a38d8c6d73815d0a7a74

SHA256
ba76501c9a6bff674e959421944165e1608f98bddd3912099e34a097f591ebca

SHA512
6973da2455b0d3b445f5fe09002d777c08f64fd29a22c30dd12a353f6efcfb9329f3a63d07f4f34f78c880a158592f4a64d0336cd6e07360131fff391f3812bb

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-31-2024
Filesize
224B

MD5
4f24aa27ca958c003200eb2a8f0e0862

SHA1
5dbccc223bce0b651ab85caf05294b90fef9fc73

SHA256
2e6afef22898d4c6d844a7cf1e3e464d881139587f624ee207cba1754be67c6e

SHA512
8fdfbdcd6f63d41f10a90bf260a98378546285b368523c3d272ed48cbb25f75012b51b43f10439345880c181978565ea7435322c0ed4d4a317d1d8e49abffa13

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-31-2024
Filesize
224B

MD5
92cc994a7fbf78170614f6dbeba77ab5

SHA1
9762fe09eda8d40db62450ff9bd5339f4f016cc7

SHA256
86a9479571ed1d02305e6ee650783a57f91b29eabb01946686887be576fe69a4

SHA512
ae076e40785f21bc8166baa75850cade5921e2e0b67965390148cd21da85d01a35d67aacd4e24833f147460f6c1f5a14a4b7107b7eb81928a3c303866f8158f0

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-31-2024
Filesize
224B

MD5
93b67750a37f45923b560dfbe9d25d29

SHA1
3ae4411a5b7b444e58fe49babfa459813c737e25

SHA256
85ba689ca1680b8062256e06defc82837421e7bd96dcceb5875e283adb5b4304

SHA512
a61baa61eaa6977052063d599742bbbf96b05111febfd85e440d35f59eec2f0fd04fac97df310355193e9a235ab4004138a57091b728356330f8f8ffecc796c4

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-31-2024
Filesize
224B

MD5
ff1a763240560363bb410e6fb90ec2fb

SHA1
a1795da3a1d6c26779c9eb512f6fdfc7946ca0f6

SHA256
af3065b9e44bc42c76b322f4d50005d688520e56e6dacc83c4f4f3b7443ced5b

SHA512
d4203e08494db9c985566ecf170bc3a2d2c824620820d4ad1bbdb8b77a234845711d7e54e98c012d6f23c38577efa7aad38058bea3750d907651908457475fcd

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
14f056491baaed04872533c2d9648d46

SHA1
c48b08d0e9064f2d060f19474bb54cf3c5a25586

SHA256
018f75f18b882044109f250f19da654c0b3bd90430b318fcb03348908a189aae

SHA512
c109b1a9cf40049f8958beab9cff112cb326dd719c56f6dedafda4cf3a64d3faae3912f34cbcc1ee203a0316e40b8f7016624f05a1ad6c93bbaa0bdc9dc79b08

Download Submit
memory/2436-23-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/2436-18-0x0000000006450000-0x000000000645A000-memory.dmp

Filesize
40KB

Download
memory/2436-14-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/2436-13-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/4900-5-0x0000000004D20000-0x0000000004D86000-memory.dmp

Filesize
408KB

Download
memory/4900-0-0x00000000744AE000-0x00000000744AF000-memory.dmp

Filesize
4KB

Download
memory/4900-4-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/4900-6-0x00000000051D0000-0x00000000051E2000-memory.dmp

Filesize
72KB

Download
memory/4900-3-0x0000000004C80000-0x0000000004D12000-memory.dmp

Filesize
584KB

Download
memory/4900-7-0x0000000005EC0000-0x0000000005EFC000-memory.dmp

Filesize
240KB

Download
memory/4900-2-0x0000000005230000-0x00000000057D4000-memory.dmp

Filesize
5.6MB

Download
memory/4900-16-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/4900-1-0x00000000001F0000-0x000000000025C000-memory.dmp

Filesize
432KB

Download