quasar | fcd5b843d50ec2f973aaa27e54b6bf045931cc3cb8d9bea4edaade352fe0f7d5

Analysis

max time kernel
299s
max time network
293s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (18) - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT 3 IoCs
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Processes:

schtasks.exe

flow ioc

2 ip-api.com
9 api.ipify.org
2620 schtasks.exe

flow	ioc
2	ip-api.com
9	api.ipify.org
2620	schtasks.exe

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral17/memory/1796-1-0x0000000000BD0000-0x0000000000C3C000-memory.dmp	family_quasar
\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
behavioral17/memory/2724-10-0x0000000000CD0000-0x0000000000D3C000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

Processes:

Client.exergQRGAT6Tja5.exe

pid process

2724 Client.exe
2948 rgQRGAT6Tja5.exe
Loads dropped DLL 2 IoCs

Processes:

Uni - Copy (18) - Copy.exeClient.exe

pid process

1796 Uni - Copy (18) - Copy.exe
2724 Client.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
9 api.ipify.org
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

SCHTASKS.exeschtasks.exeSCHTASKS.exeschtasks.exe

pid process

2636 SCHTASKS.exe
2524 schtasks.exe
2404 SCHTASKS.exe
2620 schtasks.exe

pid	process
1796	Uni - Copy (18) - Copy.exe
2724	Client.exe

flow	ioc
2	ip-api.com
9	api.ipify.org

pid	process
2636	SCHTASKS.exe
2524	schtasks.exe
2404	SCHTASKS.exe
2620	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423471423"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000eae544b448c19842eadf836c013708acd5a8065704d936192da9ddf62558fbf1000000000e80000000020000200000009d6730be63bdd909c81e96ace3914ff66a0dfc10f686898aac4e8867aba03d5e900000007d4bbc3c3d1ea2d58f134fa058536fa747113fc0d8fb2e9b74c39ff8a86270ad34e2347e8c7e50196f2b2de560144aab1e4f5475410dd1a9141cb2327a711f4474c68fd25974732d0674f9ae4b412d207ca42502a1320f7d56e18371b6a5486526dbc4c55faee50b92de5b8fa9c7b8822eb0d9ecb53d547431baf893d3e75f41fc9e3a6c71ba84d84967f697af4c07484000000060bde6d98564661be4495d41cf8db04d3654af6129512f4eb4d037af28c9238a0052cb1caa8afe42473ec799b457f99db558c1c741363e9706b21a0ed665f09e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F7B44DB1-20A8-11EF-906B-FA9381F5F0AB} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000000700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000009acbbc286be63c4682a409f320de94d7	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000453e7b160e84eb13469900b3d280013427b3b38db08887016a1b2a645714f870000000000e8000000002000020000000ff556b6739247884421bb665e90772034f1174fc0939385dbe88f6a97e625b7f200000000b3457fb3791296d00cfc8507a7bbafeee5a7b75f830ec5d3bba8687ac1c397040000000a0b92c76b5847a7226a49038818884b26aac92ae9831000772c50c889d1b2b26acbd59d87a05d939823db65ac4edcb81c7a8bc02ad158c9fa7f0082584a2f7bb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30b994ccb5b4da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom\ZoomFactor = "100000"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Uni - Copy (18) - Copy.exeClient.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1796	Uni - Copy (18) - Copy.exe
Token: SeDebugPrivilege	2724	Client.exe
Token: 33	2464	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2464	AUDIODG.EXE
Token: 33	2464	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2464	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

796 iexplore.exe
796 iexplore.exe

pid	process
796	iexplore.exe
796	iexplore.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

Client.exergQRGAT6Tja5.exeiexplore.exeIEXPLORE.EXE

pid	process
2724	Client.exe
2948	rgQRGAT6Tja5.exe
796	iexplore.exe
796	iexplore.exe
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

Uni - Copy (18) - Copy.exeClient.exeiexplore.exe

description	pid	process	target process
PID 1796 wrote to memory of 2620	1796	Uni - Copy (18) - Copy.exe	schtasks.exe
PID 1796 wrote to memory of 2620	1796	Uni - Copy (18) - Copy.exe	schtasks.exe
PID 1796 wrote to memory of 2620	1796	Uni - Copy (18) - Copy.exe	schtasks.exe
PID 1796 wrote to memory of 2620	1796	Uni - Copy (18) - Copy.exe	schtasks.exe
PID 1796 wrote to memory of 2724	1796	Uni - Copy (18) - Copy.exe	Client.exe
PID 1796 wrote to memory of 2724	1796	Uni - Copy (18) - Copy.exe	Client.exe
PID 1796 wrote to memory of 2724	1796	Uni - Copy (18) - Copy.exe	Client.exe
PID 1796 wrote to memory of 2724	1796	Uni - Copy (18) - Copy.exe	Client.exe
PID 1796 wrote to memory of 2724	1796	Uni - Copy (18) - Copy.exe	Client.exe
PID 1796 wrote to memory of 2724	1796	Uni - Copy (18) - Copy.exe	Client.exe
PID 1796 wrote to memory of 2724	1796	Uni - Copy (18) - Copy.exe	Client.exe
PID 1796 wrote to memory of 2636	1796	Uni - Copy (18) - Copy.exe	SCHTASKS.exe
PID 1796 wrote to memory of 2636	1796	Uni - Copy (18) - Copy.exe	SCHTASKS.exe
PID 1796 wrote to memory of 2636	1796	Uni - Copy (18) - Copy.exe	SCHTASKS.exe
PID 1796 wrote to memory of 2636	1796	Uni - Copy (18) - Copy.exe	SCHTASKS.exe
PID 2724 wrote to memory of 2524	2724	Client.exe	schtasks.exe
PID 2724 wrote to memory of 2524	2724	Client.exe	schtasks.exe
PID 2724 wrote to memory of 2524	2724	Client.exe	schtasks.exe
PID 2724 wrote to memory of 2524	2724	Client.exe	schtasks.exe
PID 2724 wrote to memory of 2948	2724	Client.exe	rgQRGAT6Tja5.exe
PID 2724 wrote to memory of 2948	2724	Client.exe	rgQRGAT6Tja5.exe
PID 2724 wrote to memory of 2948	2724	Client.exe	rgQRGAT6Tja5.exe
PID 2724 wrote to memory of 2948	2724	Client.exe	rgQRGAT6Tja5.exe
PID 796 wrote to memory of 700	796	iexplore.exe	IEXPLORE.EXE
PID 796 wrote to memory of 700	796	iexplore.exe	IEXPLORE.EXE
PID 796 wrote to memory of 700	796	iexplore.exe	IEXPLORE.EXE
PID 796 wrote to memory of 700	796	iexplore.exe	IEXPLORE.EXE
PID 2724 wrote to memory of 2404	2724	Client.exe	SCHTASKS.exe
PID 2724 wrote to memory of 2404	2724	Client.exe	SCHTASKS.exe
PID 2724 wrote to memory of 2404	2724	Client.exe	SCHTASKS.exe
PID 2724 wrote to memory of 2404	2724	Client.exe	SCHTASKS.exe
PID 796 wrote to memory of 784	796	iexplore.exe	iexplore.exe
PID 796 wrote to memory of 784	796	iexplore.exe	iexplore.exe
PID 796 wrote to memory of 784	796	iexplore.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (18) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (18) - Copy.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (18) - Copy.exe" /rl HIGHEST /f
2⤵
- Quasar RAT
- Creates scheduled task(s)
PID:2620

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2524

C:\Users\Admin\AppData\Local\Temp\rgQRGAT6Tja5.exe
"C:\Users\Admin\AppData\Local\Temp\rgQRGAT6Tja5.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2948

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Client.exe" /tr "'C:\Users\Admin\AppData\Roaming\SubDir\Client.exe'" /sc onlogon /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:2404

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (18) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (18) - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:2636

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ReceiveTrace.mhtml
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:796

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:796 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:700

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:796 CREDAT:537642 /prefetch:2
2⤵
- Modifies Internet Explorer settings
PID:784

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1bac5171681629526dd593e2488de5dc

SHA1
2137120d24addef8d2219d36b1a948d6d4667ed0

SHA256
bf6c3ecf3b6fad60d1cac14cd4e81f086ad40898bfc1156a0f0f2269387c2bb5

SHA512
7ba266cda0864bef50d0ea93df7a726f6c257dda3da6fba0d90d959173601beba4fb1c92050bb540c45bed42c373991249e0a264811a496b95f729211d407427

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
4b7a3de32774861e4a27081a2909612b

SHA1
b078ae8a3c177fe9f408d75b318c5095a48cc7e7

SHA256
aaf9a4c75608eb9e080676088c996bc7e83e13b1c5b8f8521a877ef53db8ce61

SHA512
b7113803e326536086cc49cc427cd5cc74aeb9f4c302c01881267f961912de1cea32f8e9b77b62e790437e9b899eea35c5e02436f0eef4c48414a489f36e0770

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5141a06202a2a11f8e518c68dbfabbbf

SHA1
abd88aeedd79702c836c8cbb18c6728b0e6e5fbc

SHA256
91c1223b92cca17092178678449ffe4a3235d92b3f04978b3a06cb4659a38b33

SHA512
86359a23e7ead5bd5b68db39025ccaac6b20ff8e48563c41607ad399bb36ec71c1ed4a8f27caf375b72914d4108d2cb9ec16f4fb6dfac982e26dbc80df7bfdd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
2b13aee00ed7468e777c22f40e49efd6

SHA1
a5c5edf6952bd6121428fd81e4c01e7d89022f45

SHA256
81a154574652281aba0956da0decad034750f69ec686120391e075b7d4b3a5f8

SHA512
bbeb025c58a2ac6ab5abd6b821e73e3d3507c08ce009c8865fde18381182dbe1a3fdea4b072b2e44f4d6306d08c4af24e5e6ae40ad53231b951ea403961f0862

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
2066d8ebc4557541aef98161a4707f6b

SHA1
98f98d4dd6bc515a0cb994060ee09603bc86b753

SHA256
68820da222ea6b9c43da17153ac4772aef734598a95dab6c37b82b65adadd953

SHA512
e489b5df57cab7fc7d3ce93f9ec2065f325bd94eb9a193bee14efbc5d9cc3e868a86d21f03c8f72ebfed8a3ad0d2a81cd0d6b73596c6695143e8a4e09ab976be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
f06dd1826986aa4b29c6378dd3c3edec

SHA1
a1b08114173f1664c296fc8d0175534119abc5ff

SHA256
9d0d668794c1d7ff9c35ab6c814c81c47c3396fd413398933e7e60cbd2b9241b

SHA512
5b9ceb0844b14269f124101277a14c64ecc5506878dc2d5692894e77674d465d6d9ab6f970898ef06341120816c0ab50cd9a3f1463d667070d7caaabf0e35c6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
99240619d5545e5807b9596fd100b178

SHA1
e8e043beecb2e10fd2df2185de935eb5aedba372

SHA256
5d4fa266c27510e372cdf6c2b2d2d93fbaa56e67445d2b80d85dad38f4826c21

SHA512
6b55867211ad9010845e4555abbb726ab369536e4ea6f5d38d2ff55dfcd185295dd4c43a1f9ae0ac3311d8ac09d5d83e441a83adaad82925e694f5e546b4c0ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
f67c6e3d8024dd21b5084aead8d9e3da

SHA1
1fbcc36432080b28ac76d0043ca76d0c6457203a

SHA256
414b9f7e8f9d3e3fabc3a41e90428b536a97470653bce7b6317bcf49c3cbf970

SHA512
e4f98725d7f843158a674e88cbd60d5cc9779fe33e3f99d1b9b939e17db8674fc226a26ba45d2e4c4308f05d2edcbae8cba66b9a90da516db2f2f5a7219d7fad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
337be73d717e40906857b93161e64670

SHA1
e5b9583c9a25afe8a167222624c51a5dfeab2b9e

SHA256
ccdfc0cae790430f275dbaf0acbfc92d2d14402abc7ed5d16ba0899cd564d9d7

SHA512
73b82e7e25548a8e50ac6fecbe3932cb700f68f8d30b081da9bc5e92a75186e0bc5b6f83acd2b08d1c52ac109a76a729e35fe3077769a4aef3add66f183146a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
46170a2f6a947fc43157a50ef0be992b

SHA1
250fb1827ae73bc1e063419e3d084331aad4e659

SHA256
db3210d9b6104969c44b582653003d3f181158ca723f63cb76a3408e59031fb7

SHA512
cb50b57ef118835155b39657daefa96220c69bb1ad4269d5c51239a0212a8866983ea11aac113fd796b2a0e9f900b166f488715ed77ec45904fcfb9967cbc97b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
8dec9d50c547d6f878247e5e4676d1fd

SHA1
5f45f15cd2bc042a81c7d7f35115e2c3bec71412

SHA256
146a190b5434d36c8315e1a443032b05d3e6642b5ba27ee8587b7b53e7c8cc8d

SHA512
ab0713bbc9931aa4123b27cfa40c24d82469b2f091c4b3683e6251a148d1b36452485c8daeee4b8b0a63c60a79525e3e799cc90a7305886775694b9c3a0f3583

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
62524435d10b1711288c0b0fa2bc5182

SHA1
f80bf3530828881f72821af36152c70ae80a3e78

SHA256
cab6ab6b77d471fefa2d1649e3950ea86abe0f517f604e0184bdd468f42a1b9f

SHA512
e7a76c433e757802a7cd0f6dabd1b35c2a16d595ae47a03ed0441305435c5e37de0dc004a7e36dbbd3158ac212e5020d6a1d8b5c68ebaee1e42d4e5e86b98084

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d63f8a8accecc0d9b26ee710dd4c0ffd

SHA1
253bfd68231a930aa04d882c645977f22c7c2019

SHA256
34c35f47da8c045794510ab5a7c8e91a9cc3e4fdd787f15bc93c7c4fc7a5e5e5

SHA512
c5bfa5afc324de2dbb98a7dd4405403cbfe0e9a73e41db521de601c9bb3d0cdb892d7f8012b03746d974d0dde0f38421a01a0b4e3fd4a9e9d9b09a07174bde7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
dd3e6f25e73c556a643109f349b7ad88

SHA1
4a63fc0dfc2a681cfe0dedb9146280f193697ca6

SHA256
c6002b0da2940d399f190caf601c1d4dfe59caf99c49688efca14111a070dcef

SHA512
99d51e46c7d5914f2644dcc2c6f5fb0c732fabba56ab39a6aeb60100d4a5f0bc1637b8f3531564d511c06b993b3f3e8459441635a5158fc708393bf9ec4129a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
4076f789eb4a31f39ce9bad1ed36dbfb

SHA1
c32f2759e063dfac8edcff3ce7acf52121f4e89c

SHA256
102dd522baac2956d6c03ee81d6c80098800819f768d4b698673daf10c71e277

SHA512
f0d8d332a93eac0b10b9c9141d2d179603dc65e1d103f8759d5d34638df3c077c3fe733d00693b90886f15adfee3f92f1a7220f668e1b12e0c3cc37e830ba38d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
6eaaf6cd05ae3e9dd3b9d953b7e361b8

SHA1
6490b917e4ab10a63387182064aa3b86adcb7e00

SHA256
bb1939aac45f5f3d2e123b73006faf399da85593e03fe3d3b9bbdd6c321aaa56

SHA512
9a468f60b61902a6a6a07242b34f712671ebfb48f2120f45b61bb3e907cad5aa37ceaddeddc2366ee1bbc7eb3b33e4b6dc7f3982c54e7c61b06819ae751a9773

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
e9dc6d1f3ca20d1c6f2095d5b6536fd5

SHA1
ccf6e75bc71a388e51adfebb75ff959399c0372a

SHA256
d82d1322b720be20c890d762428f3f0b8b021840e6b8511b3fa5f8c98abb249d

SHA512
8f9cfbd5b1872d9a1d733bc1b4dce0cfc64aa72c7bba7d7ee9b658dcd9bed23171902d9a4aef46048800c94583cdb0a1a6cd88c5242c68b2e457497609377ba3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
27fe035809c421452e0330d7116d9ce4

SHA1
7b986ef1f7323539a22ceceefa9fbfc601226fa3

SHA256
eafc92d373f6c707fec80683cc4cb53ee2e09f954434638a893ffc774d556619

SHA512
7bfdcd989cee7d1bbcc40aaf6a1baf363eeb93cc5cde94ac26b4a886493e4ff8a5a39968612af7c4e89dc8d8be8420361b0d065e65b86d34b2736728f9817cb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d46ce6e6779decfa55bfdc65f661d21c

SHA1
9166df9f1e331fc17f88f8d56385745455db04ff

SHA256
16e5a5d7568e9c18e53313cff47ad9fce271042a652bcbf669b1bee3ce444852

SHA512
39a0e6490465065e4cbbd85ea4c93912ccf13862607d36fa8165565d819690249a49679cce2e0762fe836bb677bffe557e8c39df2fb02565e7455ac6be096dc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SVBQZB4R\C__Users_Admin_Desktop_ReceiveTrace[1]
Filesize
303KB

MD5
a5bffe8c31340882cdcd974f0c0ca315

SHA1
a99d627f4009359db516f782903c326c7b86338b

SHA256
e5cfcf75f81a34357c4333a2e824cbb48f2e9917e599bd624b6c390334d9cad0

SHA512
94ffaf3370f5cb2357e736e1f002f498c56e5b9f2b659168ef3420516f2c264d11d77ac678d27f6b8870f4f423f0858a64908ce67d7b84b1a43b0bed2656d58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBB28.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBBD8.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgQRGAT6Tja5.exe
Filesize
277KB

MD5
dac0c5b2380cbdd93b46763427c9f8df

SHA1
038089e1a0ac8375be797fc3ce7ae719abc72834

SHA256
d02538788fb57f568ece292f5fc20e9775c86d504de67f57e22534f84adc73c6

SHA512
05cc1f6bf25a6545a06c735ae7a4a7fc25489bdb9fbc8d5797be623982662c4a93cba2d20bfe14313ef1548eaaa691e55fabdd8e3d3e45de9ab42dc62f9a7023

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/1796-0-0x0000000074C6E000-0x0000000074C6F000-memory.dmp

Filesize
4KB

Download
memory/1796-13-0x0000000074C60000-0x000000007534E000-memory.dmp

Filesize
6.9MB

Download
memory/1796-2-0x0000000074C60000-0x000000007534E000-memory.dmp

Filesize
6.9MB

Download
memory/1796-1-0x0000000000BD0000-0x0000000000C3C000-memory.dmp

Filesize
432KB

Download
memory/2724-15-0x0000000074C60000-0x000000007534E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-506-0x0000000074C60000-0x000000007534E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-16-0x0000000074C60000-0x000000007534E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-12-0x0000000074C60000-0x000000007534E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-11-0x0000000074C60000-0x000000007534E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-10-0x0000000000CD0000-0x0000000000D3C000-memory.dmp

Filesize
432KB

Download