Overview

overview

10

Static

static

10

713e742f73...4b.exe

windows7-x64

10

713e742f73...4b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    11-08-2024 06:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    713e742f7314ca8d684137f996540b4b.exe

  • Size

    6.7MB

  • MD5

    713e742f7314ca8d684137f996540b4b

  • SHA1

    1d88ed5170efab2d32d83341be56e1b9f6720d7c

  • SHA256

    41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5

  • SHA512

    df373f00d609666811494d31c48f030e15155ddd4c3ccd4f0ef734a0eb4bee074244e8bb73263f06edca3cef60db37f7f603e98b7c040b6741dbcf8270fa90e4

  • SSDEEP

    98304:tbqknnTC8vHM8aKN+3v4FOjfU2TNe7vWL26AaNeWgPhlmVqkQ7XSKUR83B:tzO8vH04FmMnG4S03B

Score
10/10
asyncratdcratquasarxwormdefaultoffice04discoveryevasionexecutioninfostealerpersistenceratspywaretrojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

thing-wine.gl.at.ply.gg:55280

Mutex

EFhpy3TPM7sR

Attributes
  • delay

    3

  • install

    true

  • install_file

    Ass.exe

  • install_folder

    %Temp%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

businesses-eric.gl.at.ply.gg:55282

Mutex

ebfbd873-38ee-4f7b-bfe9-2b77cdff1c45

Attributes
  • encryption_key

    361A99FCBAEDCD5C706B5E52C37C90BFB4E13FB2

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    1000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

xworm

C2

projects-pf.gl.at.ply.gg:55284

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    USB.exe

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Detect Xworm Payload 3 IoCs
  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
    persistence
  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Async RAT payload 1 IoCs
    rat
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Disables Task Manager via registry modification
    evasion
  • Drops startup file 2 IoCs
  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 10 IoCs
  • Adds Run key to start application 2 TTPs 25 IoCs
    persistence
  • Drops file in System32 directory 8 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 40 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 47 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\713e742f7314ca8d684137f996540b4b.exe
    "C:\Users\Admin\AppData\Local\Temp\713e742f7314ca8d684137f996540b4b.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Users\Admin\AppData\Local\Temp\AsyncStub.exe
      "C:\Users\Admin\AppData\Local\Temp\AsyncStub.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2324
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Ass" /tr '"C:\Users\Admin\AppData\Local\Temp\Ass.exe"' & exit
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2752
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "Ass" /tr '"C:\Users\Admin\AppData\Local\Temp\Ass.exe"'
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2600
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpEF6E.tmp.bat""
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2708
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:2724
        • C:\Users\Admin\AppData\Local\Temp\Ass.exe
          "C:\Users\Admin\AppData\Local\Temp\Ass.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2296
    • C:\Users\Admin\AppData\Local\Temp\DCRatStub.exe
      "C:\Users\Admin\AppData\Local\Temp\DCRatStub.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1224
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ChainPortsessionbroker\QV4mcYA2Sc8KOpCoQlEXh.vbe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\ChainPortsessionbroker\G0RgA51UzNSlvJ.bat" "
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2764
          • C:\ChainPortsessionbroker\Fontsession.exe
            "C:\ChainPortsessionbroker\Fontsession.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2364
            • C:\Program Files (x86)\Windows Photo Viewer\lsass.exe
              "C:\Program Files (x86)\Windows Photo Viewer\lsass.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:904
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2372
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ChainPortsessionbroker\file.vbs"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2748
    • C:\Users\Admin\AppData\Local\Temp\OrcusStub.exe
      "C:\Users\Admin\AppData\Local\Temp\OrcusStub.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Windows\SysWOW64\WindowsInput.exe
        "C:\Windows\SysWOW64\WindowsInput.exe" --install
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        PID:2584
      • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2880
    • C:\Users\Admin\AppData\Local\Temp\QuasarStub.exe
      "C:\Users\Admin\AppData\Local\Temp\QuasarStub.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1976
      • C:\Windows\system32\SubDir\Client.exe
        "C:\Windows\system32\SubDir\Client.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1440
        • C:\Windows\system32\schtasks.exe
          "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1772
    • C:\Users\Admin\AppData\Local\Temp\WizWormStub.exe
      "C:\Users\Admin\AppData\Local\Temp\WizWormStub.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WizWormStub.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1708
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizWormStub.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2076
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WizWormStub.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1376
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizWormStub" /tr "C:\ProgramData\WizWormStub.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\uninstall\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1776
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2504
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\uninstall\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1072
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1452
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1588
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3024
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1424
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2328
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2648
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2732
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1832
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2500
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\ChainPortsessionbroker\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\ChainPortsessionbroker\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2672
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\ChainPortsessionbroker\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\ChainPortsessionbroker\WMIADAP.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1436
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\ChainPortsessionbroker\WMIADAP.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\ChainPortsessionbroker\WMIADAP.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\wscript.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2888
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\wscript.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2568
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 9 /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\wscript.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "ClientC" /sc MINUTE /mo 8 /tr "'C:\Windows\Branding\Basebrd\en-US\Client.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Client" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\en-US\Client.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2944
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "ClientC" /sc MINUTE /mo 10 /tr "'C:\Windows\Branding\Basebrd\en-US\Client.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2960
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2952
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:912
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1276
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\en-US\wscript.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\wscript.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2116
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\en-US\wscript.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1684
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {56389878-05C9-4DA9-9A69-7F547A0A5B77} S-1-5-21-3450744190-3404161390-554719085-1000:PDIZKVQX\Admin:Interactive:[1]
    1⤵
      PID:2612
      • C:\ProgramData\WizWormStub.exe
        C:\ProgramData\WizWormStub.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2448
      • C:\ProgramData\WizWormStub.exe
        C:\ProgramData\WizWormStub.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:880

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ChainPortsessionbroker\Fontsession.exe
      Filesize

      2.3MB

      MD5

      e68c730d5e9eea130b20f99f8380e644

      SHA1

      d5387728b7aa9724e5f49d9ebe871c4bcc447c01

      SHA256

      44a30d53788ccbbef510a68b894c40a093ecc4a934b6a7c91037d3180987bf71

      SHA512

      4389361097a762576b0ed8da4ebec4d4189af80decbe0b4e2e7c12a6b2f206107ad0597be557690cac73f0e5875057e48a7338a52403288527329e276cbc6041

      Download Submit

    • C:\ChainPortsessionbroker\G0RgA51UzNSlvJ.bat
      Filesize

      166B

      MD5

      eff3710eb6f094ac204ff6b4d7d7107e

      SHA1

      2ec3eebb2037ee862dfd7984101bbec687c7ad7b

      SHA256

      5a27f828660d67faae0e0c7c9d201c543f9e16db4ef1cb5f0883899b86e321d7

      SHA512

      19becb062d3cf759b820fb45170e9aab11e6179475c0090f9306ca2e722f24b74274263fbb4783096ceb10d311dc8f1f3261ef9f44ee0235a70aa0f004cb508c

      Download Submit

    • C:\ChainPortsessionbroker\QV4mcYA2Sc8KOpCoQlEXh.vbe
      Filesize

      224B

      MD5

      55733945e00baace8cd6236206f9acf6

      SHA1

      61a590cb6acb3e6bfaac1fc5752162fc60647ce5

      SHA256

      d7f4a58ae89de59a45958e9a78eb6d3e83ff45d9843747850fc4f4974f24e3e3

      SHA512

      58ac06c815cc508dc6281cae24a78ac98fce1bd310809f0311a4613adf2f103e92ccd65e073787ef682d9a37adc3ef6fd1c81f7eebdc5f7a0f7b28636caa76c8

      Download Submit

    • C:\ChainPortsessionbroker\file.vbs
      Filesize

      34B

      MD5

      677cc4360477c72cb0ce00406a949c61

      SHA1

      b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

      SHA256

      f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

      SHA512

      7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.InstallLog
      Filesize

      596B

      MD5

      cb1bafcb3fb3195881c7c67e4261f503

      SHA1

      e7246d89642cd7205a745e55062123dd67a85394

      SHA256

      6440aac0367e1bae8944a650f73ca775ed4a0f3810576adce09d6c4f6d10f6ae

      SHA512

      2da4d8bf1142ccd20fa3190fd7670d67f1b48bfbbfe55a71fc8cb1570cc69f3128892bb2b02309fc0353d0b928168f3810d0b2938bd08f6b01b31910929dacf7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\OrcusStub.exe
      Filesize

      841KB

      MD5

      3de8bb77473e360e1b15d2f80f489248

      SHA1

      507f0223797e077f25775908d911dbbdc64e04a9

      SHA256

      be6c566ca9e0f0c620ccbd0581b48ba0cdf616135195dc4f5b9236f985b3172f

      SHA512

      4addcce355f43e392b30b78195372ae8618fdf42f976a6bc88c369708efa3ce2c1222f7f1e20cc49491cc475c970c687445062c51c026d0bf7ecdea3fb26017c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpEF6E.tmp.bat
      Filesize

      150B

      MD5

      105e15e9f9218f8dd3de02cff29cb44e

      SHA1

      1695cf1ffde4da9356748046f1270b1c2cd44543

      SHA256

      f6a7c4f218faaa9add00a01cf07ce1c22138f9a5c459fd8579bf11fb9b837794

      SHA512

      3d574aecad5a78b25e118f6cacc66e6d42cbdc599be5ab9d1fc235b71c1dfe796a6b6213be3145d1b4227d2741f1e0083abeb24606341e750725dbb8a8eca74d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      5e6b4ac3280c815811d2b44d8d5ffd8e

      SHA1

      49354e4f5330d29d188c96cf1c662cd13bfab6cb

      SHA256

      dc4ae0ec682871e953c392d36b0a85cbb9d646d1a47a0e388d3e0bb167530d8a

      SHA512

      435c49e285527bcdc14676d989bf1e71d4b69d9348a020cf74c4bbb788e8e4a038c9a793782e3265cc1f26d79ad8fb3ef1bad8b712f44ff9a247f35bdc5f8bb2

      Download Submit

    • C:\Windows\SysWOW64\WindowsInput.InstallLog
      Filesize

      224B

      MD5

      e469dda91ae810a1f94c96060f3f8a65

      SHA1

      0b4b3b0f6f937016b1e045ce5313ee2a65a38630

      SHA256

      d42fee8db8eb0e047ca53ad59b1c9bc69fe04993be36fec502e3532371908842

      SHA512

      2eb4037361c03e195c642a53f55a3182a6df19903db503060e366f2394750e64ae04fdaace61ef5a6dba649defc88322d78edd2928bc53ebd1ce11d68cc88dac

      Download Submit

    • C:\Windows\SysWOW64\WindowsInput.InstallLog
      Filesize

      597B

      MD5

      c2291863df7c2d3038ce3c22fa276506

      SHA1

      7b7d2bc07a6c35523807342c747c9b6a19f3184e

      SHA256

      14504199bede3f46129969dbd2b7680f2e5b7fcd73a3e427ce1bb6217a6d13da

      SHA512

      00bf40174a67e3e663d18a887c5b461a1e5ead0b27f0a139d87969158c58f4ca72cfa5a731dda239356192ca4cb5ac6ae2b0e37401d534e686cabacd3cbee8fa

      Download Submit

    • C:\Windows\SysWOW64\WindowsInput.exe
      Filesize

      21KB

      MD5

      e854a4636afc652b320e12e50ba4080e

      SHA1

      8a4ac6ecc22ee5f3a8ec846d38b41ff18c641fdc

      SHA256

      94b9c78c6fa2bf61fba20a08ad4563f7dd2f5668c28eff227965ce0a2032d5d5

      SHA512

      30aabd5079b6ed0948eb70fd18e9166096e4ba5d1d47fc35b7270f931d19bbe6cd929b6010f70297bf5272dc5a79e2523721354d211c4080d68ad8d17e316118

      Download Submit

    • \Users\Admin\AppData\Local\Temp\AsyncStub.exe
      Filesize

      47KB

      MD5

      2498d43b33fdf705d23a044d0704271b

      SHA1

      79b2ee6e706d561533936cde87a46830fbfeec9b

      SHA256

      d1ba8885bb27b8b53e8754181b474f47d0afc57ce406ca4c18edf111cbb63226

      SHA512

      79b0ff8be1762e31c20ae5b5440958bbe652b11f219a5542d9cd2fa789c90dd5898b14be2245ae03f49c5ada54db0547df5eacc7d143f9c0ea608fb4600b4690

      Download Submit

    • \Users\Admin\AppData\Local\Temp\DCRatStub.exe
      Filesize

      2.6MB

      MD5

      9d479998ab307798514e77b13fa5a38a

      SHA1

      2cdd52a5496e45d74a8acce3b19456ef5241130b

      SHA256

      b83e03ed28f61bcfa07e3a06b73d7e0a3b6e8469fe8d8137549cc12ae3911b08

      SHA512

      122bf95d3e56c366db4e1a1af4c2c44d980a54a7a2dca3ef7376587d8e5bcf32d0e06b2bf6465f164763c5f8954302704ead062a9de0729aa4e6e6161051a6f4

      Download Submit

    • \Users\Admin\AppData\Local\Temp\QuasarStub.exe
      Filesize

      3.1MB

      MD5

      6940c38a8661b0b8713afd4c63b12456

      SHA1

      cc78ac6b4974bb3352890b8e89d038ddc4c4eae4

      SHA256

      42a913fedb31db5ba0cf28abd0fe6afc3b9807aac7045a1c02579c2b3282a3b1

      SHA512

      df2e75e842f22802a43e155c0667147933d17f8902df880d3738d29a5bcaae5ae199c759642bf2414c10a1eca4721966b3d7759e06ddeca5b69c698689e71b05

      Download Submit

    • \Users\Admin\AppData\Local\Temp\WizWormStub.exe
      Filesize

      81KB

      MD5

      cdff2cee70c00c73f066e1c9a7515a95

      SHA1

      f8bfe41193a917830dc13450c2665d862fea08d1

      SHA256

      f52798a690f661a2b30e2fb3a3689a0aa09fcc0f7ea4efe669e265670742254e

      SHA512

      747a63e7bc184d7fd09f842c176090bc37c88166155b4429faf430760cd8af182c853cc173c62a25ce3c94ccd74b66106b145f80bf5bb151e6b9bb865f23a939

      Download Submit

    • memory/904-176-0x00000000009E0000-0x0000000000C32000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/904-178-0x00000000003E0000-0x00000000003F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/904-177-0x00000000005D0000-0x0000000000626000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1440-103-0x0000000000860000-0x0000000000B84000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1708-129-0x0000000001E50000-0x0000000001E58000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1708-128-0x000000001B6A0000-0x000000001B982000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2076-136-0x0000000001E60000-0x0000000001E68000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2076-135-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2216-88-0x0000000001230000-0x000000000127E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/2216-23-0x0000000001290000-0x0000000001368000-memory.dmp

      Filesize

      864KB

      Download

    • memory/2216-49-0x00000000002F0000-0x00000000002FA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2216-52-0x0000000000360000-0x00000000003AC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2216-54-0x0000000000440000-0x000000000044C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2216-53-0x0000000000340000-0x0000000000348000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2296-184-0x00000000008D0000-0x00000000008E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2324-14-0x0000000000B10000-0x0000000000B22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2352-46-0x0000000000400000-0x0000000000AB3000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2364-112-0x00000000001A0000-0x00000000001AE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2364-113-0x0000000000440000-0x0000000000448000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2364-114-0x0000000000630000-0x0000000000638000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2364-111-0x0000000000160000-0x0000000000172000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2364-110-0x00000000005D0000-0x0000000000626000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2364-109-0x0000000000180000-0x0000000000196000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2364-108-0x0000000000140000-0x000000000015C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2364-94-0x0000000000E20000-0x0000000001072000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/2448-194-0x0000000001250000-0x000000000126A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2736-51-0x0000000000E10000-0x0000000001134000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2756-50-0x0000000001030000-0x000000000104A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2880-117-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2880-107-0x0000000000CC0000-0x0000000000D98000-memory.dmp

      Filesize

      864KB

      Download