Malware Analysis Report

2024-08-06 11:21

Sample ID 240616-ezenhszaqc
Target svchost1.exe
SHA256 49686a0b50103315e6a2a8af78084b9b5eb485ad4767f2d63043d8969ff9bb23
Tags
quasar seroxen | v3.1.5 | spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

49686a0b50103315e6a2a8af78084b9b5eb485ad4767f2d63043d8969ff9bb23

Threat Level: Known bad

The file svchost1.exe was found to be: Known bad.

Malicious Activity Summary

quasar seroxen | v3.1.5 | spyware trojan

Quasar RAT

Quasar payload

Quasar family

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Program crash

Runs ping.exe

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Remote System Discovery
T1018
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-16 04:22

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 04:22

Reported

2024-06-16 04:27

Platform

win10v2004-20240508-en

Max time kernel

296s

Max time network

299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\svchost1.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\SCHTASKS.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1352 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\svchost1.exe C:\Windows\SysWOW64\schtasks.exe
PID 1352 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\svchost1.exe C:\Windows\SysWOW64\schtasks.exe
PID 1352 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\svchost1.exe C:\Windows\SysWOW64\schtasks.exe
PID 1352 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\svchost1.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 1352 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\svchost1.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 1352 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\svchost1.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 1352 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\svchost1.exe C:\Windows\SysWOW64\SCHTASKS.exe
PID 1352 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\svchost1.exe C:\Windows\SysWOW64\SCHTASKS.exe
PID 1352 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\svchost1.exe C:\Windows\SysWOW64\SCHTASKS.exe
PID 1524 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 1524 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 1524 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 1524 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1524 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1524 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 1388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2300 wrote to memory of 1388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2300 wrote to memory of 1388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2300 wrote to memory of 3772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2300 wrote to memory of 3772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2300 wrote to memory of 3772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2300 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 2300 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 2300 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 2732 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 2732 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 2732 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 2732 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3640 wrote to memory of 2164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3640 wrote to memory of 2164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3640 wrote to memory of 2164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3640 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3640 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3640 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3640 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 3640 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 3640 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 2464 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 2464 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 2464 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 2464 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3116 wrote to memory of 1312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3116 wrote to memory of 1312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3116 wrote to memory of 1312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3116 wrote to memory of 4020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3116 wrote to memory of 4020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3116 wrote to memory of 4020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3116 wrote to memory of 4628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 3116 wrote to memory of 4628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 3116 wrote to memory of 4628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 4628 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 4628 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 4628 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 4628 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4628 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4628 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4200 wrote to memory of 3324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4200 wrote to memory of 3324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4200 wrote to memory of 3324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4200 wrote to memory of 1416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\svchost1.exe

"C:\Users\Admin\AppData\Local\Temp\svchost1.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\svchost1.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77svchost1.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\svchost1.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QaF2iLhA1Wo3.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1524 -ip 1524

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 1916

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LlWfzOa2eyWR.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2732 -ip 2732

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 2156

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JQv71e4yyN8j.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2464 -ip 2464

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N7CssgF8toUa.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4628 -ip 4628

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 2252

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VpHNWSacL2YM.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4476 -ip 4476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1096

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\g6GCpdswt7Bc.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3988 -ip 3988

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaOzuj6gdsAB.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2748 -ip 2748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 1728

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BBz8mfOIjshq.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2140 -ip 2140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 2220

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\It4dQRilA6lb.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1648 -ip 1648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\L5BaWHHrOZFZ.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4072 -ip 4072

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 1708

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwwGXiYuOqWG.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4540 -ip 4540

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 1632

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rDv5qtqExv8V.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3440 -ip 3440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 2232

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2Utv838YV1ll.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1692 -ip 1692

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mYjmfJURsR0i.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4488 -ip 4488

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 2248

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 nexosmith1231-54169.portmap.host udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp

Files

memory/1352-0-0x00000000746EE000-0x00000000746EF000-memory.dmp

memory/1352-1-0x0000000000C80000-0x0000000000CEC000-memory.dmp

memory/1352-2-0x0000000005C10000-0x00000000061B4000-memory.dmp

memory/1352-3-0x00000000055B0000-0x0000000005642000-memory.dmp

memory/1352-4-0x00000000746E0000-0x0000000074E90000-memory.dmp

memory/1352-5-0x00000000056D0000-0x0000000005736000-memory.dmp

memory/1352-6-0x00000000062E0000-0x00000000062F2000-memory.dmp

memory/1352-7-0x00000000746EE000-0x00000000746EF000-memory.dmp

memory/1352-8-0x00000000746E0000-0x0000000074E90000-memory.dmp

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

MD5 b80b8c569a390b124cb7aaae003c8a82
SHA1 c38fc46e835ccbb538f4df122e501d07562553c4
SHA256 49686a0b50103315e6a2a8af78084b9b5eb485ad4767f2d63043d8969ff9bb23
SHA512 75148f5e619eea0b6f44b3e6ecc0d4e6a97775fee2456209d90c002f8baacfa9109b2be90da6afdf0282c7704a9542bb01c6566d383d4a0b587508e4f6fdfb47

memory/1524-15-0x00000000746E0000-0x0000000074E90000-memory.dmp

memory/1352-16-0x00000000746E0000-0x0000000074E90000-memory.dmp

memory/1524-17-0x00000000746E0000-0x0000000074E90000-memory.dmp

memory/1524-19-0x0000000005EF0000-0x0000000005EFA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QaF2iLhA1Wo3.bat

MD5 236e4d46918d26257c689b2fc1918956
SHA1 9d1cee0822a138aaff4bd01dd3234abee29507c9
SHA256 08851c55ae6f0485848df798a34e51c9a563a20229185bc581b17e407c6e11b9
SHA512 55d8a9f7a2f449659687d07b43c923094c88217421f9fd4550a2d8915afe35115e7389dadeee7fdf347f80af71f366df1e421c1c49a010fa2892a68f23364e66

memory/1524-24-0x00000000746E0000-0x0000000074E90000-memory.dmp

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024

MD5 b07ab7573d4295bba8b1ee4aa5484bda
SHA1 66f86c07ff0c61d214c5ea8d1f6cf09a6c167073
SHA256 db9f841b86fc64d26caca276bcc862b1cc2f708d6cd95780507d03e94ef650a0
SHA512 503c3d7e08566e3b18ade15a7217438e544b1345ed522719c342a6d58a81df3109e3210ec2dcefa7ff3aba39b7eca329ae6dbf6a0ad7c03cc956158e8cc43788

C:\Users\Admin\AppData\Local\Temp\LlWfzOa2eyWR.bat

MD5 1cdb37916a33008a4d183440a7059a71
SHA1 ba0fcddb009c5a270d6110ef40517c53f75212de
SHA256 05a6813858aa04caeb31c340facd37f8e935356dbef990748e841bdc5d84f2ab
SHA512 c6cc3033de8327082046cc613e3bef28a979201238d8c49177242673ddc5d0fd97efef07fb3d19829d8bc4d73290569568a979b009af3b1c3f2fcfcc6318847f

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024

MD5 e8589fba5e3cce2aa84da18783d62d23
SHA1 fddca99dd73e4437dd293ccfa2badf190eb3c10c
SHA256 ff64078fcd73a919df48025da6a8d60ea0a81100121a0c39161ab5de5cd62cc0
SHA512 75a3c37f5965d5179ecab1c9974f770f0c5e5a7ec513402e85456505cd05dd6773a27d98da00efef1e1cf26391d987ebb13bc44f914528caa254ed313ab97e3a

C:\Users\Admin\AppData\Local\Temp\JQv71e4yyN8j.bat

MD5 fc3046d5aab7a3a46fa6f1bf53cdd4aa
SHA1 bbe5e8dfd10c3525b24c99dd1c7ee084a2fa02ef
SHA256 e36157b14d2fa3c4d92790603cefb722002a0193e1f28e86fa8441179e3434da
SHA512 c9df8c8950f11f32431e8f709730a7f362fe5f71e975a872a92f8c84a530de00777133d097c83bff4703c2bb98ffa71b8351f7868705af297467699b55c1b166

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024

MD5 2202420e062a372980eee3fa80768b94
SHA1 5f4de0343a49760820e753fdb5c5f8edbec65771
SHA256 6e41d8fb35ed28c19a6d3b4009ae91b75fa7643f4fde67145e3870afe2914156
SHA512 3c7164e4df7d512cb571169c83e6d1ece0d91b62f9fb22d716c582357e40aec1cf28e7906c43f3616d3783a6748ad97ee58dd79b68598ca1b5704d4f8162c848

C:\Users\Admin\AppData\Local\Temp\N7CssgF8toUa.bat

MD5 98678d8a91eeb7fefd8566e49c7e88f9
SHA1 6f05ef8218068231374bb371aef1c4746a86438b
SHA256 e608551f4025c445431dc17b50dfdbe7efd25ad75137bd8d20756549ee70c026
SHA512 a82df09394fa353bc208951dce012b34b44a08b6e875051067e054608922c19175667741deee0ceae011551b61f84041ff2de3083c553c6035fbc194a099fc06

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024

MD5 cae1934fa65fc3800b7ef35279817bc3
SHA1 ec3b88f5ebff31d307ce0da9bddb49417ac034bb
SHA256 06c4ec3e3991cf2bfe7a22b1a39b7d4723eb49ef1c12f73b4e380956b34e7157
SHA512 e1df230ce6f371097615b77c35c529e7352de1c1d5f1241dbfd48641ca256120a41d68252252f3f8e4eb4bf88ccfb109bd8fbe8e02921badc69eff0d2301f920

C:\Users\Admin\AppData\Local\Temp\VpHNWSacL2YM.bat

MD5 180be726b9205bfe7683365d8c6f513b
SHA1 3030a05bd4617ee042c46fb6efccebad10651fdf
SHA256 b558e33bc8e0b4e412a07bf70920b107be2d7532538661fc5dfaf0eb7d80eb0a
SHA512 0284dcde08d12f3a31c6739117e982391d69c60e5e5a5b6f129c32ce5d00a8b8a985b71ca4a3cadc58188b3b51ddfad74ad5c4cb9fa21d3035bc52a8510e6596

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\g6GCpdswt7Bc.bat

MD5 35b23680dd3b466436a38dfa914fe6a9
SHA1 beb355904e2129f96ee86b2e06167d5c2a4c3631
SHA256 a43c81cbeff37a2ab3e79091b9a74697cf44721d47432f337119534ef3f12e7f
SHA512 dc4003788a6eec1cb17278eaddd4d7d602885c28db0f9ca79f5f1ee7e4265316e7c34e6ed7ae38842b222a59cba11b8d4a7ffeb2dab4548143f8f2c4c2f5d571

C:\Users\Admin\AppData\Local\Temp\JaOzuj6gdsAB.bat

MD5 ac82440ab2e9a27df7b3d83dadc24192
SHA1 eeaa564ffb68549e8fafac498f8bc476c49a0794
SHA256 ed49d8dface059853fb90761f32cc32cfe2acb8e152e4b79e003ab442bcb07d1
SHA512 ee92cb0d1ec8a76135bdf9da4afef8040130bc8403a7aed1420dc5e08ba1c888010705ad12a1a61d62d8727b2ae362cf40beed7ed3bf2ec8d0ee43c7921c6c1f

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024

MD5 1b003b277d9b133f2d442bd93e4fe5dd
SHA1 f020744ecd4d1506ac3277cf556529268312c2e2
SHA256 28108a2a4facbb9af9c1a6a93c69ebe4ddbb9d442ffe81fe86c8cb6bd02a5989
SHA512 9f023c20c81844fdb567910a6e9998edd77a7c8fe5bd89bf378250b18efbfcf32172034a104fe81f6df38ea951a38c0e43ead3c2e8ee9d6549caa735964666d9

C:\Users\Admin\AppData\Local\Temp\BBz8mfOIjshq.bat

MD5 fa05bbc25b524b825f4bee29fe51185c
SHA1 2e7e7bad3ec8464329a800550767906c6a5c5261
SHA256 b13cf615488859041763f8b4c2faeb96209f0fed7c612337957051e6bd5de0d5
SHA512 4afa9aba4bd839cf732f0be0e8050f421430e871d7f0e689c0b2f5d8b9d6b6665b9bfc0d0fe05c9075ad544e8e7e9ac5e7308469a3337b29aa8308a1ab0c281c

C:\Users\Admin\AppData\Local\Temp\It4dQRilA6lb.bat

MD5 d656257addd91061a4f8e62151230324
SHA1 6a871a47db26029b6bc11c877d9d5251370fc963
SHA256 63abbeabc667a6c8e6a5d3010f59ea42a5d9260cec90dbfbab98dee3be00048b
SHA512 6f772f899da884a99071585b7b5e0e9d0c3cefe5fcbab7c4ae28ff6d6b5bbe0bcb0bd70628b21824cb4381094f64b18d935605c8b8d802626c71429813ff1d36

C:\Users\Admin\AppData\Local\Temp\L5BaWHHrOZFZ.bat

MD5 7ab17a0eb651524bb33d1e965a8d6797
SHA1 62aeeb91d2ac8baecab8c06aad0471d82ca08213
SHA256 3d5c793ea2d8d51d1d3579f1fc5afa94de56bd44472eefdbad646e5186712a8a
SHA512 71563bae695feb4ba4ec2a4675780c9e0a76bcc5eae0d95220a818761839cdc7eb52ea024e8ffe45eda5e599cb60ba129a29728bcfa1da16685d0ef0d82a01f7

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024

MD5 09f9512b965b7286a006fd3236f0ab98
SHA1 b55b4bb249fcd68222d5d890e303312e1b39ab97
SHA256 5fef0872f2ee165a0e4921946b3738d7178c35898ab610f57ff108e6287718b8
SHA512 ef64d03984a9414e227110b9b563e8cbcaee65f21c4240f25449687cf4b1cc63e73bc5bf26a29889219d6b6398708794fd807ebdb5956c0440eb4bda1bf5321c

C:\Users\Admin\AppData\Local\Temp\hwwGXiYuOqWG.bat

MD5 85546b9585e83be7f9e390d9e4ef3d85
SHA1 09788e6d1ddcc2bd246536bc021dabb96c0da089
SHA256 76e2d7504410f332f387cf17e3c0890c46db879349b4a02dd5d6b4f0cd1393d1
SHA512 caef300ac556137993ff1fb3994ffc5f17ba41e4128118bb6f59e36f432307395b093032f90a833f70e059c752ae920b34d7d8bd2cc0f01a571faf6c9def0306

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024

MD5 35d69b506f6a4fe3981d40946f5543c4
SHA1 cabfdf4a876015cb43b7a13efa21bd08750e303f
SHA256 67d1782772e76f01683d8d0140121947b7a40629d70694ee2e5595575ea0e615
SHA512 8c49aada8dcda3ebe876fefd63b9d04229fe3d2af7f3a66d4d6e90b848489433b9a4e1ebbfca20fcdb8ea947e18050d86f10b1d4bbc2db408c2d31a6453333cc

C:\Users\Admin\AppData\Local\Temp\rDv5qtqExv8V.bat

MD5 b82bdc70ea44592b31edd80d23fa1a91
SHA1 a02fa34f5b8e33278a89e4d1a7c60e0ecd941281
SHA256 2f5346dd88118976cc443f489adf9287a73b43a503dc9b584d6d426aa7dd009d
SHA512 7c9d843581e9c6322078247f5076032bcc22752a444702a4532b9e4014b16d3d4b52d41bd439ad42aafd65fdc787d0ff02ae6beb3b62d11932742931c4750dc1

C:\Users\Admin\AppData\Local\Temp\2Utv838YV1ll.bat

MD5 a340467eb75a98cfd0ed0777a07c2538
SHA1 98a2ab36cd63f541f9858fbed44165fd03931482
SHA256 a4128e52e8b9de14e270e3e3c47d01fde078e67033b067987d563fb4558d254b
SHA512 97221791e80a738f360b0944b0cbe483d538acbd2d721d706649310ff1a049dcc49050947f5b0d19c8c205508330cac9f9c2eda925d371c5482156cda411e028

C:\Users\Admin\AppData\Local\Temp\mYjmfJURsR0i.bat

MD5 e33fbb43c8e1097175ff901dc271e815
SHA1 17174bec2de14906def12b578b2983ea313c5a34
SHA256 e60d5acc21863ccdf950d7f7128f58aad194d9bc43550f9beffaa6d307d044d4
SHA512 392bf5ff3ad1f19412b340c4160a190cef24fdaf7aeef5c7fe6fd3495419127218316a40988d361813376669e1d41d8cf7544a15385fee3756322678c65f73c0

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 04:22

Reported

2024-06-16 04:27

Platform

win7-20240220-en

Max time kernel

295s

Max time network

297s

Command Line

"C:\Users\Admin\AppData\Local\Temp\svchost1.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost1.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\SCHTASKS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2040 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\svchost1.exe C:\Windows\SysWOW64\schtasks.exe
PID 2040 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\svchost1.exe C:\Windows\SysWOW64\schtasks.exe
PID 2040 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\svchost1.exe C:\Windows\SysWOW64\schtasks.exe
PID 2040 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\svchost1.exe C:\Windows\SysWOW64\schtasks.exe
PID 2040 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\svchost1.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 2040 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\svchost1.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 2040 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\svchost1.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 2040 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\svchost1.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 3008 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 3008 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 3008 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 3008 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 2040 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\svchost1.exe C:\Windows\SysWOW64\SCHTASKS.exe
PID 2040 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\svchost1.exe C:\Windows\SysWOW64\SCHTASKS.exe
PID 2040 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\svchost1.exe C:\Windows\SysWOW64\SCHTASKS.exe
PID 2040 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\svchost1.exe C:\Windows\SysWOW64\SCHTASKS.exe

Processes

C:\Users\Admin\AppData\Local\Temp\svchost1.exe

"C:\Users\Admin\AppData\Local\Temp\svchost1.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\svchost1.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77svchost1.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\svchost1.exe'" /sc onlogon /rl HIGHEST

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 nexosmith1231-54169.portmap.host udp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp
DE 193.161.193.99:4782 nexosmith1231-54169.portmap.host tcp

Files

memory/2040-0-0x000000007492E000-0x000000007492F000-memory.dmp

memory/2040-1-0x0000000000120000-0x000000000018C000-memory.dmp

memory/2040-2-0x0000000074920000-0x000000007500E000-memory.dmp

\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

MD5 b80b8c569a390b124cb7aaae003c8a82
SHA1 c38fc46e835ccbb538f4df122e501d07562553c4
SHA256 49686a0b50103315e6a2a8af78084b9b5eb485ad4767f2d63043d8969ff9bb23
SHA512 75148f5e619eea0b6f44b3e6ecc0d4e6a97775fee2456209d90c002f8baacfa9109b2be90da6afdf0282c7704a9542bb01c6566d383d4a0b587508e4f6fdfb47

memory/3008-10-0x0000000074920000-0x000000007500E000-memory.dmp

memory/3008-11-0x00000000010F0000-0x000000000115C000-memory.dmp

memory/3008-12-0x0000000074920000-0x000000007500E000-memory.dmp

memory/2040-14-0x0000000074920000-0x000000007500E000-memory.dmp

memory/3008-15-0x0000000074920000-0x000000007500E000-memory.dmp