Analysis Overview
SHA256: 5416eb9ce7028292f5810ab8acec85ab7cd55503bcdf097f3e2ce2a900577797
Threat Level: Known bad
The file SeroXenLauncher.bat was found to be: Known bad.
Malicious Activity Summary
Quasar family
Umbral
Quasar RAT
Quasar payload
Detect Umbral payload
Drops file in Drivers directory
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Suspicious use of SetWindowsHookEx
Detects videocard installed
Scheduled Task/Job: Scheduled Task
Views/modifies file attributes
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-07-02 00:58
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-07-02 00:58
Reported: 2024-07-02 01:01
Platform: win7-20240611-en
Max time kernel: 150s
Max time network: 149s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Umbral
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\0qvKpKh1rzyY.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0qvKpKh1rzyY.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8OHR20XSEmaa.bat | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SeroXenLauncher.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\SeroXenLauncher.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\SeroXenLauncher.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0qvKpKh1rzyY.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SeroXenLauncher.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0qvKpKh1rzyY.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\SeroXenLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\SeroXenLauncher.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\SeroXenLauncher.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SubDir\Client.exe
"C:\Windows\SysWOW64\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77SeroXenLauncher.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\SeroXenLauncher.exe'" /sc onlogon /rl HIGHEST
C:\Users\Admin\AppData\Local\Temp\0qvKpKh1rzyY.exe
"C:\Users\Admin\AppData\Local\Temp\0qvKpKh1rzyY.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\system32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\0qvKpKh1rzyY.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0qvKpKh1rzyY.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\system32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\0qvKpKh1rzyY.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\AppData\Local\Temp\8OHR20XSEmaa.bat
"C:\Users\Admin\AppData\Local\Temp\8OHR20XSEmaa.bat"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$778OHR20XSEmaa.bat" /tr "'C:\Users\Admin\AppData\Local\Temp\8OHR20XSEmaa.bat'" /sc onlogon /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 127.0.0.1:4782 | N/A | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | browser-julia.gl.at.ply.gg | udp |
| US | 147.185.221.20:54488 | browser-julia.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
Files
memory/2424-0-0x000000007449E000-0x000000007449F000-memory.dmp
memory/2424-1-0x0000000001380000-0x00000000013EC000-memory.dmp
memory/2424-2-0x0000000074490000-0x0000000074B7E000-memory.dmp
\Windows\SysWOW64\SubDir\Client.exe
| MD5 | 54d920888e6066870191f44fe0b27206 |
| SHA1 | 87feb8a460dd1dc736fc96fbfbe37bf67aed2c3e |
| SHA256 | 5416eb9ce7028292f5810ab8acec85ab7cd55503bcdf097f3e2ce2a900577797 |
| SHA512 | 4b23903103954c5d491eedc1c77fec1fea32552b9b863ada312b75388a9a56d38573851d2f6edaf61444fb0549196b1e9310cb6fa4e1773b9bf65291d5e2f72d |
memory/2668-9-0x0000000074490000-0x0000000074B7E000-memory.dmp
memory/2668-10-0x0000000000CE0000-0x0000000000D4C000-memory.dmp
memory/2668-11-0x0000000074490000-0x0000000074B7E000-memory.dmp
memory/2424-13-0x0000000074490000-0x0000000074B7E000-memory.dmp
memory/2668-14-0x0000000074490000-0x0000000074B7E000-memory.dmp
memory/2668-15-0x0000000074490000-0x0000000074B7E000-memory.dmp
\Users\Admin\AppData\Local\Temp\0qvKpKh1rzyY.exe
| MD5 | ba3e0c4b34603ac162dd8e405edf8e0c |
| SHA1 | 5c313bcebdf01c4f7338e60a9c45f9ec71eddc35 |
| SHA256 | 706b970e2f91391d7a3b270cefdd350c8c195afb5ee774cd74a06bda2e1e0b60 |
| SHA512 | a62c8219ab1cf49474375b02ce7827488ac9512dac91d6d2c32112260ad33315c88fc25f62570d09e7662e2e660e37b23bef57b5d55ac1abd5d1f685e76ea695 |
memory/3016-24-0x0000000000370000-0x00000000003B0000-memory.dmp
memory/1656-29-0x000000001B4A0000-0x000000001B782000-memory.dmp
memory/1656-30-0x0000000002810000-0x0000000002818000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | b14e2d8721da545b5d5835c197c8aaa8 |
| SHA1 | 44b119a88c631a9d1f6310b193dbb930e43060a1 |
| SHA256 | 2eb6fb48fb16c0d6d5b0a4e7c4e3493bbacac3f1cdffbbd411e2c890af231860 |
| SHA512 | 516ec12918ad13e50dc2e47f693deeb3a11ddbc32d027f2895ddb4f5e63858bfcc3fa6dd33e6e5a98d1f92e0d2203adfcfdc483c6486a0a4fa97e9db3f16b747 |
memory/824-36-0x000000001B5B0000-0x000000001B892000-memory.dmp
memory/824-37-0x00000000028E0000-0x00000000028E8000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\8OHR20XSEmaa.bat
| MD5 | 0c7336131c6cab639709f528d0a918b3 |
| SHA1 | acf92382d5318d0b09192b9c16127dd45c33ab5f |
| SHA256 | d5c029dffe5e9c71677a20dc7850c0f3e9f63c26e9f1f34d6460c43b86d3ce5e |
| SHA512 | 4c608f57f79aa766b7998bdb452b8da6f6cf49c7c5eedf70b56c25f0e5a3a9d4cdc7f65776f0497c8e3be19071bc59220073ca13f3a3932e5f41eba72ac688cd |
\Users\Admin\AppData\Local\Temp\8OHR20XSEmaa.bat
| MD5 | fc51dabe5c87dd05143a263355e3886d |
| SHA1 | 1e40305ea3d0a6230ddd475e38be53d9129381c8 |
| SHA256 | f60075eaa6a46c80a5a3b6bdb669cd4a3b05ec58767bca6a5121dc4f50b178cd |
| SHA512 | c2f963b86147bb28773293709dd04b40c1e37bd014ad2f1544aec924f22b27dc1feca90d34b656afd49356f1610c1d3bd5a2116cd53b1e47a5e11e50127ee904 |
memory/2456-83-0x0000000001090000-0x00000000010FC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-07-02 00:58
Reported: 2024-07-02 01:01
Platform: win10v2004-20240611-en
Max time kernel: 135s
Max time network: 137s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\SeroXenLauncher.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\SeroXenLauncher.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SeroXenLauncher.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SeroXenLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\SeroXenLauncher.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\SeroXenLauncher.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SubDir\Client.exe
"C:\Windows\SysWOW64\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77SeroXenLauncher.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\SeroXenLauncher.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| N/A | 127.0.0.1:4782 | N/A | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | browser-julia.gl.at.ply.gg | udp |
| US | 147.185.221.20:54488 | browser-julia.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/2164-0-0x00000000749CE000-0x00000000749CF000-memory.dmp
memory/2164-1-0x0000000000460000-0x00000000004CC000-memory.dmp
memory/2164-2-0x00000000053C0000-0x0000000005964000-memory.dmp
memory/2164-3-0x0000000004EB0000-0x0000000004F42000-memory.dmp
memory/2164-4-0x00000000749C0000-0x0000000075170000-memory.dmp
memory/2164-5-0x0000000004E10000-0x0000000004E76000-memory.dmp
memory/2164-6-0x0000000005350000-0x0000000005362000-memory.dmp
memory/2164-7-0x0000000006150000-0x000000000618C000-memory.dmp
C:\Windows\SysWOW64\SubDir\Client.exe
| MD5 | 54d920888e6066870191f44fe0b27206 |
| SHA1 | 87feb8a460dd1dc736fc96fbfbe37bf67aed2c3e |
| SHA256 | 5416eb9ce7028292f5810ab8acec85ab7cd55503bcdf097f3e2ce2a900577797 |
| SHA512 | 4b23903103954c5d491eedc1c77fec1fea32552b9b863ada312b75388a9a56d38573851d2f6edaf61444fb0549196b1e9310cb6fa4e1773b9bf65291d5e2f72d |
memory/3412-12-0x00000000749C0000-0x0000000075170000-memory.dmp
memory/3412-13-0x00000000749C0000-0x0000000075170000-memory.dmp
memory/2164-15-0x00000000749C0000-0x0000000075170000-memory.dmp
memory/3412-17-0x0000000006DD0000-0x0000000006DDA000-memory.dmp
memory/3412-18-0x00000000749C0000-0x0000000075170000-memory.dmp
memory/3412-19-0x00000000749C0000-0x0000000075170000-memory.dmp