quasar | 1a4689bd6cc37dac5abf6a68afda78aa46cf114aadb276b21299d1f566e4ef58

Analysis

max time kernel
296s
max time network
315s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (100) - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral14/memory/1420-1-0x0000000000AD0000-0x0000000000B3C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 14 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
1084	Client.exe
4576	Client.exe
2984	Client.exe
4384	Client.exe
1216	Client.exe
2368	Client.exe
4724	Client.exe
3472	Client.exe
4944	Client.exe
1592	Client.exe
4692	Client.exe
5024	Client.exe
4332	Client.exe
3696	Client.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Client.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SeroXen = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe

Looks up external IP address via web service 14 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
9	api.ipify.org
21	ip-api.com
23	ip-api.com
13	ip-api.com
25	ip-api.com
11	ip-api.com
15	ip-api.com
17	ip-api.com
19	ip-api.com
29	ip-api.com
2	ip-api.com
27	ip-api.com
31	ip-api.com
33	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1016	1084	WerFault.exe	Client.exe
1148	4576	WerFault.exe	Client.exe
4120	2984	WerFault.exe	Client.exe
816	4384	WerFault.exe	Client.exe
620	1216	WerFault.exe	Client.exe
3416	2368	WerFault.exe	Client.exe
3784	4724	WerFault.exe	Client.exe
816	3472	WerFault.exe	Client.exe
1188	4944	WerFault.exe	Client.exe
3092	1592	WerFault.exe	Client.exe
4972	4692	WerFault.exe	Client.exe
2520	5024	WerFault.exe	Client.exe
1656	4332	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exe

pid	process
1328	schtasks.exe
3724	schtasks.exe
408	schtasks.exe
4860	schtasks.exe
660	schtasks.exe
4724	schtasks.exe
4100	schtasks.exe
3096	schtasks.exe
3536	schtasks.exe
1004	schtasks.exe
1304	schtasks.exe
4688	schtasks.exe
2260	SCHTASKS.exe
2736	schtasks.exe
1140	schtasks.exe

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
4828	PING.EXE
3628	PING.EXE
3344	PING.EXE
1100	PING.EXE
3784	PING.EXE
3704	PING.EXE
2912	PING.EXE
4984	PING.EXE
4572	PING.EXE
436	PING.EXE
3240	PING.EXE
2768	PING.EXE
848	PING.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

Uni - Copy (100) - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	1420	Uni - Copy (100) - Copy - Copy.exe
Token: SeDebugPrivilege	1084	Client.exe
Token: SeDebugPrivilege	4576	Client.exe
Token: SeDebugPrivilege	2984	Client.exe
Token: SeDebugPrivilege	4384	Client.exe
Token: SeDebugPrivilege	1216	Client.exe
Token: SeDebugPrivilege	2368	Client.exe
Token: SeDebugPrivilege	4724	Client.exe
Token: SeDebugPrivilege	3472	Client.exe
Token: SeDebugPrivilege	4944	Client.exe
Token: SeDebugPrivilege	1592	Client.exe
Token: SeDebugPrivilege	4692	Client.exe
Token: SeDebugPrivilege	5024	Client.exe
Token: SeDebugPrivilege	4332	Client.exe
Token: SeDebugPrivilege	3696	Client.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
1084	Client.exe
4576	Client.exe
2984	Client.exe
4384	Client.exe
1216	Client.exe
2368	Client.exe
4724	Client.exe
3472	Client.exe
4944	Client.exe
1592	Client.exe
4692	Client.exe
5024	Client.exe
4332	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (100) - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 1420 wrote to memory of 4688	1420	Uni - Copy (100) - Copy - Copy.exe	schtasks.exe
PID 1420 wrote to memory of 4688	1420	Uni - Copy (100) - Copy - Copy.exe	schtasks.exe
PID 1420 wrote to memory of 4688	1420	Uni - Copy (100) - Copy - Copy.exe	schtasks.exe
PID 1420 wrote to memory of 1084	1420	Uni - Copy (100) - Copy - Copy.exe	Client.exe
PID 1420 wrote to memory of 1084	1420	Uni - Copy (100) - Copy - Copy.exe	Client.exe
PID 1420 wrote to memory of 1084	1420	Uni - Copy (100) - Copy - Copy.exe	Client.exe
PID 1420 wrote to memory of 2260	1420	Uni - Copy (100) - Copy - Copy.exe	SCHTASKS.exe
PID 1420 wrote to memory of 2260	1420	Uni - Copy (100) - Copy - Copy.exe	SCHTASKS.exe
PID 1420 wrote to memory of 2260	1420	Uni - Copy (100) - Copy - Copy.exe	SCHTASKS.exe
PID 1084 wrote to memory of 2736	1084	Client.exe	schtasks.exe
PID 1084 wrote to memory of 2736	1084	Client.exe	schtasks.exe
PID 1084 wrote to memory of 2736	1084	Client.exe	schtasks.exe
PID 1084 wrote to memory of 1372	1084	Client.exe	cmd.exe
PID 1084 wrote to memory of 1372	1084	Client.exe	cmd.exe
PID 1084 wrote to memory of 1372	1084	Client.exe	cmd.exe
PID 1372 wrote to memory of 4632	1372	cmd.exe	chcp.com
PID 1372 wrote to memory of 4632	1372	cmd.exe	chcp.com
PID 1372 wrote to memory of 4632	1372	cmd.exe	chcp.com
PID 1372 wrote to memory of 1100	1372	cmd.exe	PING.EXE
PID 1372 wrote to memory of 1100	1372	cmd.exe	PING.EXE
PID 1372 wrote to memory of 1100	1372	cmd.exe	PING.EXE
PID 1372 wrote to memory of 4576	1372	cmd.exe	Client.exe
PID 1372 wrote to memory of 4576	1372	cmd.exe	Client.exe
PID 1372 wrote to memory of 4576	1372	cmd.exe	Client.exe
PID 4576 wrote to memory of 3096	4576	Client.exe	schtasks.exe
PID 4576 wrote to memory of 3096	4576	Client.exe	schtasks.exe
PID 4576 wrote to memory of 3096	4576	Client.exe	schtasks.exe
PID 4576 wrote to memory of 1884	4576	Client.exe	cmd.exe
PID 4576 wrote to memory of 1884	4576	Client.exe	cmd.exe
PID 4576 wrote to memory of 1884	4576	Client.exe	cmd.exe
PID 1884 wrote to memory of 3252	1884	cmd.exe	chcp.com
PID 1884 wrote to memory of 3252	1884	cmd.exe	chcp.com
PID 1884 wrote to memory of 3252	1884	cmd.exe	chcp.com
PID 1884 wrote to memory of 2912	1884	cmd.exe	PING.EXE
PID 1884 wrote to memory of 2912	1884	cmd.exe	PING.EXE
PID 1884 wrote to memory of 2912	1884	cmd.exe	PING.EXE
PID 1884 wrote to memory of 2984	1884	cmd.exe	Client.exe
PID 1884 wrote to memory of 2984	1884	cmd.exe	Client.exe
PID 1884 wrote to memory of 2984	1884	cmd.exe	Client.exe
PID 2984 wrote to memory of 1328	2984	Client.exe	schtasks.exe
PID 2984 wrote to memory of 1328	2984	Client.exe	schtasks.exe
PID 2984 wrote to memory of 1328	2984	Client.exe	schtasks.exe
PID 2984 wrote to memory of 4424	2984	Client.exe	cmd.exe
PID 2984 wrote to memory of 4424	2984	Client.exe	cmd.exe
PID 2984 wrote to memory of 4424	2984	Client.exe	cmd.exe
PID 4424 wrote to memory of 4992	4424	cmd.exe	chcp.com
PID 4424 wrote to memory of 4992	4424	cmd.exe	chcp.com
PID 4424 wrote to memory of 4992	4424	cmd.exe	chcp.com
PID 4424 wrote to memory of 3784	4424	cmd.exe	PING.EXE
PID 4424 wrote to memory of 3784	4424	cmd.exe	PING.EXE
PID 4424 wrote to memory of 3784	4424	cmd.exe	PING.EXE
PID 4424 wrote to memory of 4384	4424	cmd.exe	Client.exe
PID 4424 wrote to memory of 4384	4424	cmd.exe	Client.exe
PID 4424 wrote to memory of 4384	4424	cmd.exe	Client.exe
PID 4384 wrote to memory of 3536	4384	Client.exe	schtasks.exe
PID 4384 wrote to memory of 3536	4384	Client.exe	schtasks.exe
PID 4384 wrote to memory of 3536	4384	Client.exe	schtasks.exe
PID 4384 wrote to memory of 4952	4384	Client.exe	cmd.exe
PID 4384 wrote to memory of 4952	4384	Client.exe	cmd.exe
PID 4384 wrote to memory of 4952	4384	Client.exe	cmd.exe
PID 4952 wrote to memory of 1668	4952	cmd.exe	chcp.com
PID 4952 wrote to memory of 1668	4952	cmd.exe	chcp.com
PID 4952 wrote to memory of 1668	4952	cmd.exe	chcp.com
PID 4952 wrote to memory of 436	4952	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4688

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z6GDPrZnMG9e.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4632

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1100

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:3096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JbGXZppQQMFA.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:3252

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2912

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:1328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wXJjmGGdY3N8.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4424

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:4992

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:3784

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4384

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:3536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9lLmzzMVC31j.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:1668

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:436

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1216

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:3724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zrn75j22b5fT.bat" "
11⤵
PID:2736

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:2032

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:3240

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2368

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSPGwfKeh5C8.bat" "
13⤵
PID:3308

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:1792

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:2768

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4724

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:1140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RNdjNMbYKzdD.bat" "
15⤵
PID:3140

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:4708

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:4984

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3472

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V4uUEOliFP05.bat" "
17⤵
PID:4720

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:3964

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:848

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4944

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tbSd9BsPGvqH.bat" "
19⤵
PID:2556

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:1100

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:4572

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1592

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:1004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z6OA11HSWUXj.bat" "
21⤵
PID:3312

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:1212

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:4828

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4692

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:1304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vio2fhiO7HlJ.bat" "
23⤵
PID:452

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:4292

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:3704

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5024

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:4724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NJPBXe0zDHHy.bat" "
25⤵
PID:2480

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:4940

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:3628

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4332

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:4100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TxkBIDziEcgA.bat" "
27⤵
PID:2104

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:3800

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:3344

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 1672
27⤵
- Program crash
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 2248
25⤵
- Program crash
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 1092
23⤵
- Program crash
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 1668
21⤵
- Program crash
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 932
19⤵
- Program crash
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 1092
17⤵
- Program crash
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 2232
15⤵
- Program crash
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 1092
13⤵
- Program crash
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1720
11⤵
- Program crash
PID:620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 2248
9⤵
- Program crash
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 2252
7⤵
- Program crash
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 1640
5⤵
- Program crash
PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 1932
3⤵
- Program crash
PID:1016

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (100) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1084 -ip 1084
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4576 -ip 4576
1⤵
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2984 -ip 2984
1⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4384 -ip 4384
1⤵
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1216 -ip 1216
1⤵
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2368 -ip 2368
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4724 -ip 4724
1⤵
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3472 -ip 3472
1⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4944 -ip 4944
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1592 -ip 1592
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4692 -ip 4692
1⤵
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5024 -ip 5024
1⤵
PID:796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4332 -ip 4332
1⤵
PID:720

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9lLmzzMVC31j.bat
Filesize
207B

MD5
c7c7f2dd1d5d870f2293f742f91f710a

SHA1
d121a353cc27bcaf6b71b2074ee3409d8bc8fb22

SHA256
b684e0252e6e4b9b672b256fdb53cbbb945e0d7f730b24dcbe00e69b957baef8

SHA512
1f161b31f3d483445151c6de8024d38082cc7ea4f19f3cc38cfc5be55d75ec4b1737d20fe045cb9ae99da0ef83ded27c15c1ea910a9d889f01ed4030c2e0619b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JbGXZppQQMFA.bat
Filesize
207B

MD5
e0ae9ac29fd2ceebc5a37c277a6bd191

SHA1
9c5ac24b28bba1dc1b0be2671d9ea53b394cc715

SHA256
b3e477a983fc8851bb96bb8a6abdb543286df1762a0f063fa881c55f39a1b5c5

SHA512
639af3aa4a532228793e379d5d6e22c3c2d5efc3d6142c768270e316535cc2dc25a38f69c94050db731d4bd39d8e69a2d6f67d0816a1075b3f1a18012d4e5a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\NJPBXe0zDHHy.bat
Filesize
207B

MD5
4da537a182e4eb5c483597358e291004

SHA1
13caf834a9c4f3796acbd58a3827224fef375167

SHA256
6845b3adbe892e01f168566d5bbe7b00b235b48ab5ffc0bacb7d8a8804989c25

SHA512
77972fe94e02eee74d0b475de9f799f3408fc2104cfb1e83561de6ffcddfac4949b0e963e626fbfc89f1a4f2847c6af8c64cba575a5eae722325d97fde315ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RNdjNMbYKzdD.bat
Filesize
207B

MD5
ba924285308e2f55154e20836d899c2b

SHA1
31c94f5b4add154c6725dedf4baa4ed6edb73fcc

SHA256
98173837bf0082cb83f9ba62b2f90d0e30881b301987ee25c7eeb2f93507e8e5

SHA512
12f55b64e53438512e9413ead0a35a34ee4c8eae73aa74913d10f38cbb0925e00ca347a3e02bf845e3f68650466e2b23e39ce55f7bba02cc4afb962c55e67bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TxkBIDziEcgA.bat
Filesize
207B

MD5
e3e4eccbde3a230773958157a3a3865e

SHA1
8f97e21ba46511d50b7ba969b666c53d7eaa45b6

SHA256
a0e14be9bbc7f896079a568ac571104aee9d3a491d9d1f2c144f1582426e07f7

SHA512
601ab5036906f7d4152f57375b03d9d2917e6aa8d2760d322734f9c8cef7ecc6d4e568c001d3a1e50a469f1fe8f7b4125b7290cdf0a91a8c33230e8f6d2e3e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\V4uUEOliFP05.bat
Filesize
207B

MD5
a68d9ffa1a856eaf3a20a33159b9e7fd

SHA1
c8bd2a850ecf3de04c85653d06ade32051126f5f

SHA256
51c9d666ce886d1110339e2fcad7a96cc2bdc6701ef96529e6901b8276359d57

SHA512
dcbdffa6bb6b1ad6a10c76760bfebb532ccd0d121339d5b1992ec5b10247b80b63df77e914c404279fde5144a7fb69b0479212eca24965af2fb9de87c0b688b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vio2fhiO7HlJ.bat
Filesize
207B

MD5
0c07aab2d579520d4cc150f621b17392

SHA1
546b2cf232ca66f8369f9213beace8c0522cf56a

SHA256
45b87288415080a3a152d75d554937374b383b03f2547e4103d32f463f8fbe42

SHA512
2c2d844b3e4195fca453971abe5ff7d416fd692df4b572ba59ae8d0f984d5ec4bdb2f33a319d08405c84d1f750b4db7067c8f3797117513611482eebef4aea4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z6GDPrZnMG9e.bat
Filesize
207B

MD5
b1f5c6dd33110476f17cf17c594defd8

SHA1
19036788ae5a0c3388d7dd1d455962876b8209be

SHA256
e8c51bdbb43d345739927a144c33d21e720ffe61f0442996fd7808001f09a023

SHA512
728e962ae9e340d07715e36cdbae7bedec80f96dfe73fae794ac3a3ef57ba924902e7c26c35b95607be9b7c4407ad00c1373ee4a1d1e546047d677b87f9a6d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z6OA11HSWUXj.bat
Filesize
207B

MD5
670baeab3b7bedf15425ac64a5f43f0f

SHA1
54876d2952b9c4161c0c0694fdd3d6663dffdc29

SHA256
3dac443e1ec600c31f97da457eb646951467d53a4707dde3e9c0e125abb4e751

SHA512
4b59b1cb2eb3f4285f963bfa4e8bd07efe76737ad8284813bac271159b2ac85ef4c1cdf640a4d8046067e5b5f7ff9e207de92069901f16c0cc34854d8033efde

Download Submit
C:\Users\Admin\AppData\Local\Temp\sSPGwfKeh5C8.bat
Filesize
207B

MD5
b8f288e1449ad03077573cf4fb0ee12d

SHA1
f0cedfee5fbacfd3f1a446aafc8e1459bee564e0

SHA256
54334848d374592a584fb7068a1683e6066621adbf2860e2fce4f40d25cfcb3c

SHA512
f74c3f287f5efbca954cc8a3fa5020638686433ada48afd1fbfd125e7ab8661a1e6ddd51bcf64a9320de6f0b77e31fb858a2cfe163232bb74b108c5a67cb2912

Download Submit
C:\Users\Admin\AppData\Local\Temp\tbSd9BsPGvqH.bat
Filesize
207B

MD5
409e3793abb4cd7435599e6629f096a0

SHA1
6d121a7ee60e28cc8175e69d3cb958a9c31bbb27

SHA256
4918944c6dc4511685b233e6e6f5c608a29204058451765847ae8056d12ce971

SHA512
77f744d72f94551086d3c052ce84a8055346a3a2994e590f372fc5127d4bf50d2937dfb429777bc1942235e79dc9e7f3338533e9e926644c3e0b8189f275a7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wXJjmGGdY3N8.bat
Filesize
207B

MD5
c7f9e8567737d45fb578ad3a45c2b51e

SHA1
5dd683c13bd551171a288efd2b1323c4094857af

SHA256
0108b6f51350aba320b2928bea91b0bc0f3581f2786913877fc2ba238b415ce4

SHA512
4ce3c13d4f9c791860c88b148bfe388f871f1a20966150fba5aba966377d51666a1131e6f5ea2737e90505c136067147befcaec62c5d37fcb5a93a72907c5ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zrn75j22b5fT.bat
Filesize
207B

MD5
7e959b1d6048fabf12e5d8c7cb8bf05d

SHA1
08e2b0b9bde27c397f6a5f57ecbdf853dbcea665

SHA256
8158429643285a557d8b1988ab9218cd16a2746e5ae542000365476b04f914ea

SHA512
32c0d2bb28522dbbcc7b2c65623655e72464efc68576b91dc4e87c93451203335496d44d4f1bba708d30ae3adba8be9d479d40f481d653e702139c604a283bc4

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
a7bdfad765822cf3f98ddd05a7004d4b

SHA1
7661fb98fea801ca32430b85cf9ff7b407920583

SHA256
70b05e3b2387b68f9116a73edbc215b386a45f5bfa9a4c8ef5ba0e7d4639fc7d

SHA512
e8394ea55d49a3591931096cf870d0ea7ef2306de033d8857f21c1684c5d826e598394e9efd03a6b4e5235e6fa0152fbc7224477f293cdca37641d3991920302

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
0e29f81d904552dc1a4d693a9a9f0eab

SHA1
0520544896571b6acda5d3ccc10c278687ba4155

SHA256
1bd6c690a8b507adb577e7cbb81297d4373d102123ffc38cfd8374eb21843bc3

SHA512
11efc6b698da6202484879a90123fa0516600be3609ac294d929f2244bd8e94bdbd85ca077636a8706c5a679b965f6726bdf4b54dcf2d7d277a246dbb814d2d8

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
2c952c2b77352c4bc113c56600f85172

SHA1
61f8f6e8134a9d38226818382a603c2c8b56594d

SHA256
9774ea02fee9bf0e3f4d75d9001b9d5e6e99b7289e6414c4abeb43dd14e79efc

SHA512
454e0002050cf635f7fe9009d94e5da93fec9a588480d7390a416e6936d8b5b3461a5cec1601a83949e337023d951010667bf55215d373d697258da6d0d52d7d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
65070af4a805a2499a3a50f2a8cb8464

SHA1
623e4a166ca629d3479a70c02455e7626487a8eb

SHA256
fed85c3c62a1d6fcc2370e25be33781b08d71d86fe2ef028c24cff9b75904650

SHA512
86099727f67c9c7ef73dc5bef99170a4014b72b4087e3b1b2103a1a37b92a757ce221fcd166354cf5a566332692fa6e46e8f82772b9e74376a912095a85d5d18

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/1084-16-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/1084-24-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/1084-14-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/1084-19-0x0000000006440000-0x000000000644A000-memory.dmp

Filesize
40KB

Download
memory/1420-7-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

Filesize
4KB

Download
memory/1420-8-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/1420-0-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

Filesize
4KB

Download
memory/1420-6-0x0000000005600000-0x0000000005612000-memory.dmp

Filesize
72KB

Download
memory/1420-5-0x0000000005590000-0x00000000055F6000-memory.dmp

Filesize
408KB

Download
memory/1420-4-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/1420-17-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/1420-3-0x0000000005630000-0x00000000056C2000-memory.dmp

Filesize
584KB

Download
memory/1420-2-0x0000000005B40000-0x00000000060E4000-memory.dmp

Filesize
5.6MB

Download
memory/1420-1-0x0000000000AD0000-0x0000000000B3C000-memory.dmp

Filesize
432KB

Download