Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 02-08-2024 19:10
Behavioral task: behavioral1
Sample: yolo.exe
Resource: win7-20240708-en
General
Target: yolo.exe
Size: 5.7MB
MD5: 275231b1dc6cd9a37e767687257e655d
SHA1: 433ce42bf76994b259cf95acd70ddd9a91421ce7
SHA256: 3b3fd08f825e24a763ed8abd79dcec933dfd2e3e104f21e5a2bb4a7aa3d3c244
SHA512: 5c5837ae8cd4db50d42434071ff4b01d62c276a0f350481ee2ead1f2bfc560bd1edf9cebc37a57a2cd160c65909242473b4c3d2c6cd1b99159cd8b1b2825dbb8
SSDEEP: 98304:WXzhW148Pd+Tf1mpcOldJQ3/Vxvk22SsaNYfdPBldt6+dBcjHnj5X9F:WFK4s0TfLOdo/rJ7jVX9F
Malware Config
Extracted
quasar
1.4.1
Office04
192.168.0.174:4782
1ddaef8c-bff6-41cf-ab7c-88ced4b0af76
encryption_key: D5F1E515D26F03AD6621A5237F6E935EF48F2FD8
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Quasar payload (2 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\yolo.exe | family_quasar
behavioral2/memory/1744-11-0x0000000000C90000-0x0000000000FB4000-memory.dmp | family_quasar
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)
Processes: yolo.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | yolo.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | icsys.icn.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | spoolsv.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | spoolsv.exe
Checks BIOS information in registry (2 TTPs, 12 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: yolo.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | yolo.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | icsys.icn.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | yolo.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | icsys.icn.exe
Executes dropped EXE (6 IoCs)
Processes: yolo.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process
1744 | yolo.exe
2268 | icsys.icn.exe
1188 | explorer.exe
2168 | spoolsv.exe
2364 | svchost.exe
1820 | spoolsv.exe
resource | yara_rule
behavioral2/memory/1388-0-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
C:\Windows\Resources\Themes\icsys.icn.exe | themida
C:\Windows\Resources\Themes\explorer.exe | themida
behavioral2/memory/1188-26-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
C:\Windows\Resources\spoolsv.exe | themida
behavioral2/memory/2168-35-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
C:\Windows\Resources\svchost.exe | themida
behavioral2/memory/2364-44-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
behavioral2/memory/1820-53-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
behavioral2/memory/2168-56-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
behavioral2/memory/2268-57-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
behavioral2/memory/1388-58-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
behavioral2/memory/2364-61-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
behavioral2/memory/1188-60-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
behavioral2/memory/2364-66-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
behavioral2/memory/2364-70-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
behavioral2/memory/1188-100-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Checks whether UAC is enabled
Processes: spoolsv.exe, yolo.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | yolo.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | icsys.icn.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | svchost.exe
Drops file in System32 directory (2 IoCs)
Processes: svchost.exe, explorer.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
Processes: yolo.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process
1388 | yolo.exe
2268 | icsys.icn.exe
1188 | explorer.exe
2168 | spoolsv.exe
2364 | svchost.exe
1820 | spoolsv.exe
Drops file in Windows directory (5 IoCs)
Processes: yolo.exe, icsys.icn.exe, explorer.exe, spoolsv.exe
description | ioc | process
File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | yolo.exe
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | icsys.icn.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: yolo.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yolo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icsys.icn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: chrome.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (1 IoC)
Processes: chrome.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated identical rows collapsed)
Processes: yolo.exe, icsys.icn.exe
pid | process
1388 | yolo.exe (repeated entries)
2268 | icsys.icn.exe (repeated entries)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: explorer.exe, svchost.exe
pid | process
1188 | explorer.exe
2364 | svchost.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
Processes: chrome.exe
pid | process
3248 | chrome.exe
3248 | chrome.exe
3248 | chrome.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs; repeated identical rows collapsed)
Processes: yolo.exe, chrome.exe
description | pid | process
Token: SeDebugPrivilege | 1744 | yolo.exe
Token: SeShutdownPrivilege | 3248 | chrome.exe (repeated entries, alternating with the row below)
Token: SeCreatePagefilePrivilege | 3248 | chrome.exe (repeated entries)
Suspicious use of FindShellTrayWindow (27 IoCs)
Processes: yolo.exe, chrome.exe
pid | process
1744 | yolo.exe
3248 | chrome.exe (26 entries)
Suspicious use of SendNotifyMessage (25 IoCs)
Processes: yolo.exe, chrome.exe
pid | process
1744 | yolo.exe
3248 | chrome.exe (24 entries)
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: yolo.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process
1388 | yolo.exe
1388 | yolo.exe
2268 | icsys.icn.exe
2268 | icsys.icn.exe
1188 | explorer.exe
1188 | explorer.exe
2168 | spoolsv.exe
2168 | spoolsv.exe
2364 | svchost.exe
2364 | svchost.exe
1820 | spoolsv.exe
1820 | spoolsv.exe
Suspicious use of WriteProcessMemory (64 IoCs; repeated identical rows collapsed)
Processes: yolo.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, chrome.exe
description | pid | process | target process
PID 1388 wrote to memory of 1744 | 1388 | yolo.exe | yolo.exe (2 entries)
PID 1388 wrote to memory of 2268 | 1388 | yolo.exe | icsys.icn.exe (3 entries)
PID 2268 wrote to memory of 1188 | 2268 | icsys.icn.exe | explorer.exe (3 entries)
PID 1188 wrote to memory of 2168 | 1188 | explorer.exe | spoolsv.exe (3 entries)
PID 2168 wrote to memory of 2364 | 2168 | spoolsv.exe | svchost.exe (3 entries)
PID 2364 wrote to memory of 1820 | 2364 | svchost.exe | spoolsv.exe (3 entries)
PID 3248 wrote to memory of 4344 | 3248 | chrome.exe | chrome.exe (2 entries)
PID 3248 wrote to memory of 4144 | 3248 | chrome.exe | chrome.exe (repeated entries)
PID 3248 wrote to memory of 3604 | 3248 | chrome.exe | chrome.exe (2 entries)
PID 3248 wrote to memory of 3348 | 3248 | chrome.exe | chrome.exe (repeated entries)
Processes
C:\Users\Admin\AppData\Local\Temp\yolo.exe (PID 1388)
  Command line: "C:\Users\Admin\AppData\Local\Temp\yolo.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\users\admin\appdata\local\temp\yolo.exe (PID 1744)
    Command line: c:\users\admin\appdata\local\temp\yolo.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\Resources\Themes\icsys.icn.exe (PID 2268)
    Command line: C:\Windows\Resources\Themes\icsys.icn.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\resources\themes\explorer.exe (PID 1188)
      Command line: c:\windows\resources\themes\explorer.exe
      - Modifies visibility of hidden/system files in Explorer
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\resources\spoolsv.exe (PID 2168)
        Command line: c:\windows\resources\spoolsv.exe SE
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\resources\svchost.exe (PID 2364)
          Command line: c:\windows\resources\svchost.exe
          - Modifies visibility of hidden/system files in Explorer
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          \??\c:\windows\resources\spoolsv.exe (PID 1820)
            Command line: c:\windows\resources\spoolsv.exe PR
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3248)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4344)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa98aacc40,0x7ffa98aacc4c,0x7ffa98aacc58
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4144)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,6863119100921603548,2536652537248049785,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1924 /prefetch:2
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3604)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2192,i,6863119100921603548,2536652537248049785,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2256 /prefetch:3
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3348)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,6863119100921603548,2536652537248049785,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2456 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2284)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,6863119100921603548,2536652537248049785,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3200 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2548)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3440,i,6863119100921603548,2536652537248049785,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3444 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1804)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4072,i,6863119100921603548,2536652537248049785,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4560 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2504)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4820,i,6863119100921603548,2536652537248049785,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4828 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1604)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4860,i,6863119100921603548,2536652537248049785,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4852 /prefetch:8
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (PID 568)
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Windows\system32\svchost.exe (PID 2480)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (2)
  Virtualization/Sandbox Evasion (1)
Downloads

Filesize: 1KB
MD5: 14382329fd76b49b0dd6c10fc68023d1
SHA1: 31bd90c3dfe6fac305ea3e772d97b5e36d51041a
SHA256: c58075677410d03436c53bae9d7d21534e5649a7afb325869f7e802835586b88
SHA512: 8d5f9095a2dc8a66551f4600d207243e7c5e04a0d4ce00010f487a5ece476652ae32fc33a7116901d3f724ea567d8145087bdd16e0455680d90aa9c4a1e07c6d

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 356B
MD5: 838f7bcd9abec9b6a458f3812d1ea7ec
SHA1: 336b2347b50c4855d3c07ab2c5acfd414519259e
SHA256: 2f0508462cf72b6c5fa299f82ee088477964d40657253d315c5184da1172914b
SHA512: 7a7df954bd8f5fe5ff8832192488ff7ee513270e1c0f28178d4cb73384289bc1e14f4a8fd411be426a81c547907acfc3ccce3f1c83c3e2272c94842490165b7e

Filesize: 7KB
MD5: 1cb1803f41fecaf7a70eb54f8d7679d1
SHA1: 2003a9402baa30c851e868c05956cc704cd54a70
SHA256: db3d3a2bad5eeaa79f7a0667e7c2e3d24e8f85d0c72a05fb0b5ce652e1fb3451
SHA512: c102a91b92268655bc886b829edf18d8870466cef17922bf37017bd14b21731658e1514a4c1e77a6470cbd8811af3809e93685d977cbeefb6a9a13adc43ff0a4

Filesize: 8KB
MD5: 4cf045735ba29afdd1b7f2f1f165a689
SHA1: b88d495b659eabd1d4a1df79a69b49a73fa5f7b7
SHA256: ba79ec650f0d923019941b9b575331126412d1b9e5f6d7e79b143dfaa26fcd69
SHA512: 7845b97b9c170eca511a9d0567a836c458ad53391dc20bfd52266782b231497524467db887c49e0754f8799d973feb7c39324a9bd66d120a2d154ef65c419ae1

Filesize: 7KB
MD5: 12e292951d5df4abcb5a3fb4d5ed5e28
SHA1: d91e7655404a43dc65cda78928f10953d7573e4e
SHA256: 4c304bf6176f211ab4486e7de3545013c8acd6a277a6c67ab6aeb643757530d8
SHA512: 3df6b5976643a5aba76e0b36e0813d7a55708b571950724730220a6c53ccde42fc61638a462d5df73fa69aeacb57b84b441aea5ea63823efebd55becb8fdea3d

Filesize: 8KB
MD5: d74f544d58664e6f2e2aefd5d6666ec5
SHA1: 893ec8be76a881836e3c9b729ab37dbb24e8878c
SHA256: def880417759a09d48242ed045bd2b6dd5863a80adafe5e559614bf840182a5c
SHA512: d8b59eb553bef3d50f5381668efe5c4b8b3f4a575f4d564690610502feccd15ee84be663d7468a59851f9eb241becddfcfe2530f22d7f893747472426bc2ed66

Filesize: 8KB
MD5: 96d6c22494f9eef7c113b5934c14f34f
SHA1: 45d44736200d4883240a1ed1c18be5abbe5ae64a
SHA256: f2be7a8c5e8a85fccd112bb1712dfac0ab795f0bf0df1df840f87b1bc7e73cd4
SHA512: 25ee769671b8ede91e94a92612acb06875b2d51a8365775cd0368dcfc1d127e7c53426a02bfc0d4dbe546d9b1f0250f9c8aeafef3308e72d3aeedda5479f5c38

Filesize: 8KB
MD5: a58fd5a6319d2c977aa3e146310bd87c
SHA1: 2b6e48cec1e6d278c3d5877c5c813a22e65da904
SHA256: 6ceae124070ce194aaeedf3d8f92fa8c698b1b584253bed9db519fc61b03e24f
SHA512: aa055e337d6cab1dc5771db11931e0a193b1c519fbcd1284b31d781cdeffc3b124cc8c3fdad7e150b617398a2818b8c490d7a1204a03e115f9c65eeba8eca5cd

Filesize: 195KB
MD5: b85352abe7b424011c08dfa705cadcef
SHA1: e4daef152648303fdf1699da8418bf65e9bf0af6
SHA256: 74f297391e3ff787ecc458db64701cda46794d705bf45b11bdd38b0b7c53ad9c
SHA512: 0d1eeb8988c4d205abe7d1e1e9488bf430b2f0de02841191b80c1b7271543d7683529a49498c0d9af99a465997ba556d4f9dd5ad7c0cb8c7397d23e0e2449640

Filesize: 195KB
MD5: d6239009c5e4939ae0777d467901d265
SHA1: c692a980f34e6363ef282309b0efcf78d40e792b
SHA256: aad4c6390a4fddc507fbd7eaf231de32a357ded69e24739c40702c34b799256d
SHA512: b5fd2cd7bcc1466debe578f4267fb006851c6118033ed88427cc7ccff158e7e7cc5fca05ded557d930d626d2b20532db7731ad1e232faac51a94a2c92b4281ca

Filesize: 3.1MB
MD5: e3029e333df0359a166560a9fe160b9b
SHA1: 230e9d6e0fc7545f486af1cb1e4843b3ab75ef54
SHA256: 490d0fa62c63a60a0ff149623221126351a547933c8a2b3d61cbf9dcdff14dee
SHA512: 28f0647106a63a61a9f8edb84336512a684c994aedd5f74c028aa4a5b87d0842f720976459cb3ba1e1a8130a41bb363ca65aaee1fca1a3b776433547f2c8f4c7

Filesize: 2.6MB
MD5: 709ef6da8ce9aecdaa03ea68ce52ef8f
SHA1: 1784bfdf620eebc5b88f9048c9fb513cdefe433d
SHA256: ab88476e35b80bb351530437b3059230f44e4f90c0adfee07fa090655f2d7064
SHA512: c52f8d2807da102dd906f6c0cd6683afe429c1e21045c5e04da942185e9e0c204c247ac166f914554887b26d8bf214b06acd94c8d5902cd01a212d7256d7459c

Filesize: 2.6MB
MD5: 5fc67792e22f5258314ff634bfe90657
SHA1: 6f50438d45a3923f3cf7a7bbc1c73ded443a2aa3
SHA256: 0080690a22eb34bd46d9e6ae9acdf9edf46e1a2c77fc838b9647bd8fcc20aa84
SHA512: a0539c823ed16c96560cec21281bcdb11dc733f541bc97472bf5044a26303fa7d4714e1c75998112fafb94142ba97dcb7e05b4472972513e5786575d12ce7e33

Filesize: 2.6MB
MD5: 800c707b475b2dfdcc145cce81a1a101
SHA1: d12b5cfb2c1bb4d21bfce4ee10ff69e28ba48ca9
SHA256: 49b371cedbb4fb19ca2b0bc4612f3d1c06572bc4c2c3486b93cb85023440ea6b
SHA512: a12703f639955f683042173671b9c9cdf8e4cfd54c4192e5682fd58b59578fca581dffd00699c5353d6ee17e2a1cd262d04efa04c67c841d14225bbcd75e3fb1

Filesize: 2.6MB
MD5: 9549d70365cf6ead7ef4d741a714fe35
SHA1: cc8979ff5ddb366174cc5f6b7e0defacd34718ba
SHA256: f6b9b08731f137d3beb1bad363108ce81afe51e58646c921cd1ac8a00581ea8f
SHA512: 2bc8ad84ba06075a58dd01766a1fc4105b3b5e5161a31b7eae038c29c7cc77c1df62f57247b25a71ef5696ae79595432c5ba8936796db40155778c1d5a784dc8

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e