quasar | 1a4689bd6cc37dac5abf6a68afda78aa46cf114aadb276b21299d1f566e4ef58

Analysis

max time kernel
296s
max time network
311s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (10) - Copy - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral4/memory/4788-1-0x0000000000FC0000-0x000000000102C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 14 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
2908	Client.exe
3720	Client.exe
2920	Client.exe
5104	Client.exe
2656	Client.exe
3240	Client.exe
376	Client.exe
656	Client.exe
1692	Client.exe
4072	Client.exe
1836	Client.exe
3680	Client.exe
1320	Client.exe
3148	Client.exe

Looks up external IP address via web service 14 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
18	ip-api.com
26	ip-api.com
30	ip-api.com
34	ip-api.com
36	ip-api.com
32	ip-api.com
11	api.ipify.org
14	ip-api.com
16	ip-api.com
20	ip-api.com
24	ip-api.com
3	ip-api.com
22	ip-api.com
28	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2988	2908	WerFault.exe	Client.exe
4796	3720	WerFault.exe	Client.exe
3936	2920	WerFault.exe	Client.exe
2700	5104	WerFault.exe	Client.exe
1084	2656	WerFault.exe	Client.exe
5056	3240	WerFault.exe	Client.exe
1800	376	WerFault.exe	Client.exe
1580	656	WerFault.exe	Client.exe
1448	1692	WerFault.exe	Client.exe
224	4072	WerFault.exe	Client.exe
3392	1836	WerFault.exe	Client.exe
5088	3680	WerFault.exe	Client.exe
604	1320	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2264	schtasks.exe
4576	schtasks.exe
1864	schtasks.exe
5060	schtasks.exe
1860	schtasks.exe
4932	SCHTASKS.exe
4440	schtasks.exe
5044	schtasks.exe
2992	schtasks.exe
232	schtasks.exe
2136	schtasks.exe
3340	schtasks.exe
4368	schtasks.exe
2848	schtasks.exe
3396	schtasks.exe

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
4608	PING.EXE
2980	PING.EXE
3196	PING.EXE
2700	PING.EXE
2208	PING.EXE
1592	PING.EXE
540	PING.EXE
4544	PING.EXE
4572	PING.EXE
4400	PING.EXE
1948	PING.EXE
1496	PING.EXE
4636	PING.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

Uni - Copy (10) - Copy - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	4788	Uni - Copy (10) - Copy - Copy - Copy.exe
Token: SeDebugPrivilege	2908	Client.exe
Token: SeDebugPrivilege	3720	Client.exe
Token: SeDebugPrivilege	2920	Client.exe
Token: SeDebugPrivilege	5104	Client.exe
Token: SeDebugPrivilege	2656	Client.exe
Token: SeDebugPrivilege	3240	Client.exe
Token: SeDebugPrivilege	376	Client.exe
Token: SeDebugPrivilege	656	Client.exe
Token: SeDebugPrivilege	1692	Client.exe
Token: SeDebugPrivilege	4072	Client.exe
Token: SeDebugPrivilege	1836	Client.exe
Token: SeDebugPrivilege	3680	Client.exe
Token: SeDebugPrivilege	1320	Client.exe
Token: SeDebugPrivilege	3148	Client.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
2908	Client.exe
3720	Client.exe
2920	Client.exe
5104	Client.exe
2656	Client.exe
3240	Client.exe
376	Client.exe
656	Client.exe
1692	Client.exe
4072	Client.exe
1836	Client.exe
3680	Client.exe
1320	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (10) - Copy - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 4788 wrote to memory of 1860	4788	Uni - Copy (10) - Copy - Copy - Copy.exe	schtasks.exe
PID 4788 wrote to memory of 1860	4788	Uni - Copy (10) - Copy - Copy - Copy.exe	schtasks.exe
PID 4788 wrote to memory of 1860	4788	Uni - Copy (10) - Copy - Copy - Copy.exe	schtasks.exe
PID 4788 wrote to memory of 2908	4788	Uni - Copy (10) - Copy - Copy - Copy.exe	Client.exe
PID 4788 wrote to memory of 2908	4788	Uni - Copy (10) - Copy - Copy - Copy.exe	Client.exe
PID 4788 wrote to memory of 2908	4788	Uni - Copy (10) - Copy - Copy - Copy.exe	Client.exe
PID 4788 wrote to memory of 4932	4788	Uni - Copy (10) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 4788 wrote to memory of 4932	4788	Uni - Copy (10) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 4788 wrote to memory of 4932	4788	Uni - Copy (10) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 2908 wrote to memory of 2264	2908	Client.exe	schtasks.exe
PID 2908 wrote to memory of 2264	2908	Client.exe	schtasks.exe
PID 2908 wrote to memory of 2264	2908	Client.exe	schtasks.exe
PID 2908 wrote to memory of 4324	2908	Client.exe	cmd.exe
PID 2908 wrote to memory of 4324	2908	Client.exe	cmd.exe
PID 2908 wrote to memory of 4324	2908	Client.exe	cmd.exe
PID 4324 wrote to memory of 4264	4324	cmd.exe	chcp.com
PID 4324 wrote to memory of 4264	4324	cmd.exe	chcp.com
PID 4324 wrote to memory of 4264	4324	cmd.exe	chcp.com
PID 4324 wrote to memory of 1948	4324	cmd.exe	PING.EXE
PID 4324 wrote to memory of 1948	4324	cmd.exe	PING.EXE
PID 4324 wrote to memory of 1948	4324	cmd.exe	PING.EXE
PID 4324 wrote to memory of 3720	4324	cmd.exe	Client.exe
PID 4324 wrote to memory of 3720	4324	cmd.exe	Client.exe
PID 4324 wrote to memory of 3720	4324	cmd.exe	Client.exe
PID 3720 wrote to memory of 3340	3720	Client.exe	schtasks.exe
PID 3720 wrote to memory of 3340	3720	Client.exe	schtasks.exe
PID 3720 wrote to memory of 3340	3720	Client.exe	schtasks.exe
PID 3720 wrote to memory of 3900	3720	Client.exe	cmd.exe
PID 3720 wrote to memory of 3900	3720	Client.exe	cmd.exe
PID 3720 wrote to memory of 3900	3720	Client.exe	cmd.exe
PID 3900 wrote to memory of 1564	3900	cmd.exe	chcp.com
PID 3900 wrote to memory of 1564	3900	cmd.exe	chcp.com
PID 3900 wrote to memory of 1564	3900	cmd.exe	chcp.com
PID 3900 wrote to memory of 4544	3900	cmd.exe	PING.EXE
PID 3900 wrote to memory of 4544	3900	cmd.exe	PING.EXE
PID 3900 wrote to memory of 4544	3900	cmd.exe	PING.EXE
PID 3900 wrote to memory of 2920	3900	cmd.exe	Client.exe
PID 3900 wrote to memory of 2920	3900	cmd.exe	Client.exe
PID 3900 wrote to memory of 2920	3900	cmd.exe	Client.exe
PID 2920 wrote to memory of 4368	2920	Client.exe	schtasks.exe
PID 2920 wrote to memory of 4368	2920	Client.exe	schtasks.exe
PID 2920 wrote to memory of 4368	2920	Client.exe	schtasks.exe
PID 2920 wrote to memory of 4812	2920	Client.exe	cmd.exe
PID 2920 wrote to memory of 4812	2920	Client.exe	cmd.exe
PID 2920 wrote to memory of 4812	2920	Client.exe	cmd.exe
PID 4812 wrote to memory of 1660	4812	cmd.exe	chcp.com
PID 4812 wrote to memory of 1660	4812	cmd.exe	chcp.com
PID 4812 wrote to memory of 1660	4812	cmd.exe	chcp.com
PID 4812 wrote to memory of 2208	4812	cmd.exe	PING.EXE
PID 4812 wrote to memory of 2208	4812	cmd.exe	PING.EXE
PID 4812 wrote to memory of 2208	4812	cmd.exe	PING.EXE
PID 4812 wrote to memory of 5104	4812	cmd.exe	Client.exe
PID 4812 wrote to memory of 5104	4812	cmd.exe	Client.exe
PID 4812 wrote to memory of 5104	4812	cmd.exe	Client.exe
PID 5104 wrote to memory of 4576	5104	Client.exe	schtasks.exe
PID 5104 wrote to memory of 4576	5104	Client.exe	schtasks.exe
PID 5104 wrote to memory of 4576	5104	Client.exe	schtasks.exe
PID 5104 wrote to memory of 2600	5104	Client.exe	cmd.exe
PID 5104 wrote to memory of 2600	5104	Client.exe	cmd.exe
PID 5104 wrote to memory of 2600	5104	Client.exe	cmd.exe
PID 2600 wrote to memory of 2892	2600	cmd.exe	chcp.com
PID 2600 wrote to memory of 2892	2600	cmd.exe	chcp.com
PID 2600 wrote to memory of 2892	2600	cmd.exe	chcp.com
PID 2600 wrote to memory of 4608	2600	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4788

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1860

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2908

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9YG6EniSkgZG.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4324

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4264

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1948

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:3340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cSdFpiJ8lZEl.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:1564

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:4544

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAikTUecDnIX.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4812

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:1660

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:2208

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:4576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G48T7SlCKt2h.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:2892

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:4608

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2656

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dthKY39Y7MdZ.bat" "
11⤵
PID:4680

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:2880

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:1592

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3240

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:2992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7IxEQoe3XUUq.bat" "
13⤵
PID:2168

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:852

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:2980

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:376

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:2848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ztZNIkwfcU1V.bat" "
15⤵
PID:216

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:1672

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:4572

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:656

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qQQ1HUsVIasb.bat" "
17⤵
PID:4640

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:2988

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:3196

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1692

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pbjEaZHH0Fee.bat" "
19⤵
PID:3908

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:1260

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:540

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4072

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:3396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dBWdelOZaQUP.bat" "
21⤵
PID:4108

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:4408

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:1496

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1836

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:1864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgSAWcncqzBs.bat" "
23⤵
PID:4420

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:2872

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:4636

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3680

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k4uLbc8okJKE.bat" "
25⤵
PID:2884

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:2036

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:2700

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1320

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:2136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MY29gjMYU4Kn.bat" "
27⤵
PID:3276

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:528

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:4400

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 2240
27⤵
- Program crash
PID:604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 1096
25⤵
- Program crash
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1092
23⤵
- Program crash
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 2220
21⤵
- Program crash
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 1092
19⤵
- Program crash
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 1096
17⤵
- Program crash
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 2224
15⤵
- Program crash
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 1672
13⤵
- Program crash
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 1092
11⤵
- Program crash
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 2224
9⤵
- Program crash
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 1088
7⤵
- Program crash
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 1648
5⤵
- Program crash
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 1452
3⤵
- Program crash
PID:2988

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2908 -ip 2908
1⤵
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3720 -ip 3720
1⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2920 -ip 2920
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5104 -ip 5104
1⤵
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2656 -ip 2656
1⤵
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3240 -ip 3240
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 376 -ip 376
1⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 656 -ip 656
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1692 -ip 1692
1⤵
PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4072 -ip 4072
1⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1836 -ip 1836
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3680 -ip 3680
1⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1320 -ip 1320
1⤵
PID:2104

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7IxEQoe3XUUq.bat
Filesize
207B

MD5
4090355629511d111213c605eaf5057a

SHA1
eb44431192743689d3de8a92d3b03fe1d6d57236

SHA256
b36a4f22fe6457a47701ee679b08ceabf44a840231067e19c0bef72664703b0b

SHA512
a3c58d20e83eb33ac8814025fbcde8cb144e6286622a5675aa4de2d7c23a014e9a8fddb4fb62d73654905cece900cdb466a7f5a5c0bf3c03cbd1ee4a5d67b8b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\9YG6EniSkgZG.bat
Filesize
207B

MD5
4143ce56e9f7cce71596c335b7b117f9

SHA1
015931310ee44823bbba6a20969cfed6b084e5da

SHA256
3de92ca8cca4172f773ae8c07869f149000682c6e03a2458403be1534764f98e

SHA512
074607339cca6f43e29511e0fd75780840147d7b4b6b23c0d0de25a0c54eb09d3e9521144c167dab12f8f52e0669a4d5d5c6604fc927dd15706eb0ae168106fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\G48T7SlCKt2h.bat
Filesize
207B

MD5
8135509423c1e13ee6fa0fac2781dca9

SHA1
c0e2f7e11de727570b5bc2d042ce8f041c900007

SHA256
60b48be2af95f98b4c24863e98b1d1e666fae2a1e85821d8c73d74309ee81f5e

SHA512
150b107142c6f8972a0bea71d25ae2afbc376c6f1f6a905a44d084ad1ddcb3e0715c25276c451866962dab336acb3da2729ab843d73760c7001a62c9312d51f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\JgSAWcncqzBs.bat
Filesize
207B

MD5
3e006c765c1c75a975298b28c9e52936

SHA1
ed7db0713374b3629e12d95395c48b85d31fceda

SHA256
991eefb1be4bd32fa9d2beec6015fc70fc6099cd567c751f9ab0f6c6e41bf603

SHA512
ea2cc9fc445853d3d7d1f0d0de39ea72b1d7a6b54d27b38958556715e9a26c5aeef0d626aba6acaef3c3f60c634f45d3e41532f944b0d1e1eeb3e074df355498

Download Submit
C:\Users\Admin\AppData\Local\Temp\MY29gjMYU4Kn.bat
Filesize
207B

MD5
4369ca9bdbf2188c7297f1c66cebc8ee

SHA1
0da259d0b8caaff402e9901cd61193ade79c47fb

SHA256
8bc3e1f8fbe3d25462fd963fbccf1cbe7f1ef057f70a053d224afbadee77a654

SHA512
07e90dadaf206f746a9202c3612dc5ddab0f2a8b45bf27ddd43cf46c6130b1e1ef831859c1c64dd810d2ef0d23e6769d92e166652d25a2d633e3765bc658db6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cSdFpiJ8lZEl.bat
Filesize
207B

MD5
76cdc415210cd74890f9105f7c36a418

SHA1
b21578be8d1abfb0b1e42deff7768af3fc4677d4

SHA256
700ea86cf4d7f974f7b987acdb3c0360df7738d2a11186f46475064312778eac

SHA512
86d9ff15bc13d750fc14c9d1141b3cbbd21ef446d0da2ac1e67cf59ae963a524fa79add69d3452701f15143e938a563c946f54512efbd834f8b86efd774c6ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\dBWdelOZaQUP.bat
Filesize
207B

MD5
1cc927975ba8838921e0af30f3a3ed8e

SHA1
77c94500c8f60dda900d84641f8aa28271eec473

SHA256
f0502a29970fa9b91a310c257799779b5acce7d136d56bd66c63868cbb4a4441

SHA512
3ca5dc50ee509429860f426a7d0eecd4b6255a17b464d4ecc7f819f0f9c21480634dd6a0b8e72586ce9276abb52999edc0065171c7f28f0a9cb8f8445a927cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dthKY39Y7MdZ.bat
Filesize
207B

MD5
6aec1fe43659b0a242cb46cb4b07096f

SHA1
60aa63358933e3d2d26970917c7ad66b750ea86e

SHA256
6610c0e6b6f73285741d5b1b9221f24ccfde7efcddf103a8025968299f1a5836

SHA512
1ebe6fe635ee75ddad664aa5bd15ebcfef75a1f954c861df73409eaeda043b8cc408f6e302e5d75fd72022ac86f8e32e7ec3e422420d13a4c7f9168ba79a43c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\k4uLbc8okJKE.bat
Filesize
207B

MD5
0f1f9875bc329f4c17a6634f93f38de7

SHA1
7dfae9e9a6ddff4b185fb746be20e5a79fab379a

SHA256
cc28bbb08c54852cd1e6de6d061720c97e576fcd2e3d866869576bde57f35676

SHA512
a105b6991b8b2950ef4c9176ecef697a28dd62b1a4044f46b4aefbfa70684e82f1efc47ac1429d60cb39a01484284b4e2de8d6b901ceb7e4886fea44b6fa16b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAikTUecDnIX.bat
Filesize
207B

MD5
5af7dace40a5a8d93ceab1bca292cd22

SHA1
ebc6c34dc49d833dba81a58b85f0a1c1b1d0aeb9

SHA256
abecebc8de93689be5d98aabf4dda79c9e53a0ac37c394bcea3ca4d2358cbb0a

SHA512
79207077c8f2c4609c00f12b1efa14fa37e321cc3f261fa8aadceaa97a191a493a68028b48cac8a49c334e76d68091377efcbd228c3f6a7c3eb0b7b1c3372d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\pbjEaZHH0Fee.bat
Filesize
207B

MD5
7904005b55d0103b10c6dcb9344aa4cb

SHA1
1a4e81da28c9ae6373a5591678e69b5d64ba94fb

SHA256
b7fac4474933133814a7578518728d4558404427d3ed872aada72cb4ae812f5d

SHA512
cc1493748464ff63131b0acdefee205371b6012241f300b0155507441fc8dc192b9cc00b7c4f9e178939e572372bbd53ca1f4b84da6b5a88780080882c7639db

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQQ1HUsVIasb.bat
Filesize
207B

MD5
f4543a84cc1d1456e3b218d6b60d71a2

SHA1
e359efc5fb5f7289d0ef39faf00f3141e4eef3bf

SHA256
a88caf92fce47bd660af949fb696415a1ef18a88ecacb7a8439938cfd2fa16f9

SHA512
bddb19df1eb92813a4fc02faeae0624cde60cbdd5b94067767f88ac31caddb9b6a98b7fd396568e27c4126cd054809a9c64a62e4f0253f46831fd70af78a3ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ztZNIkwfcU1V.bat
Filesize
207B

MD5
6930812ec4c23ad1f180c4f983e059b4

SHA1
fe4b27790c8262889707db8416c09ad827a0907e

SHA256
1f2cb70f0739abe61037eb65a0caa7d562676032b2fdc15415a62c4f514a01eb

SHA512
7f6fb967933ce5bcf9a3db957f5b37f785a92e3d1206ea81edd480eccb4f4adbe34c8ed06bf6935ec0cd2d5346c404068f0af0dd2872c6e60697f5b7573fd13f

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
171671f3f3d762be0c11b7ec7b8e26a0

SHA1
8f7a3d3a55af21ac63f8d608b39645a29c75f0b9

SHA256
3742a07083b16e52d7135fe9a7eca3fd1de89f799cd6c1f609f603f29ab94979

SHA512
6c16e8bc865b02b9604a7364158a01a27ae393fcfef29b395479b893aac9073baa6c0c6c59fc9cdf7116587e6907b5dd40213230352c8605a2ec4d1ba1733889

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
1897267d9cca018881fe158125f18e07

SHA1
97b46b754217c51ffd024040b58add260251acac

SHA256
3f30b51ba8adab932c5fdd0b5dc40c96ea3e2ec5a6b1ab7dc82d4d48a5349746

SHA512
2cda87bb5de7205d4d22ec1902c7cda79233fd2e04e1ce8c7ea497d0edcbd2ccb3bc83cbb5d7b1d322a439f43dfc3eced0c4d069cd4ab518c7f1da1839499fa2

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
bcd14e6f4f1fd586c4bc0fc18fe74406

SHA1
95fa0a334cfed3b37fe690b5344859647cb2b98b

SHA256
7a427e3b175024231c59f7d94dca1f2efc707fa5fd8ccd1bf1153a1609050bef

SHA512
b8d24735f30d88f8f893537b76266cf7bcf56623ede3570dd4970c59dc297b52b421d48824a647bce091689d65df81dfa11e559c83edbbe7f80d15293204ecf7

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/2908-19-0x0000000005F10000-0x0000000005F1A000-memory.dmp

Filesize
40KB

Download
memory/2908-16-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/2908-24-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/2908-15-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/4788-7-0x0000000074D2E000-0x0000000074D2F000-memory.dmp

Filesize
4KB

Download
memory/4788-8-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/4788-17-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/4788-6-0x0000000006750000-0x0000000006762000-memory.dmp

Filesize
72KB

Download
memory/4788-5-0x0000000005B00000-0x0000000005B66000-memory.dmp

Filesize
408KB

Download
memory/4788-4-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/4788-3-0x0000000005A60000-0x0000000005AF2000-memory.dmp

Filesize
584KB

Download
memory/4788-0-0x0000000074D2E000-0x0000000074D2F000-memory.dmp

Filesize
4KB

Download
memory/4788-2-0x0000000005F00000-0x00000000064A4000-memory.dmp

Filesize
5.6MB

Download
memory/4788-1-0x0000000000FC0000-0x000000000102C000-memory.dmp

Filesize
432KB

Download