quasar | e2e708e09031d7fa512f31ca4d6b10d0e48df7aff2a5b889477e792c6847a90c

Analysis

max time kernel
360s
max time network
371s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
13-09-2024 18:56

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

AuroraALPHABUILD.0-6 - Copy (2).exe
Size

231.7MB
MD5

3cda647a8948f3ac4df14abf6f1d62c1
SHA1

f4da28914a3938e7de76546bcf911f539672459a
SHA256

c905d2c1b9df641f12daab74948cef579aa92b6f07c36f97ed70146b615411c1
SHA512

77c0cd078ab2d2765237c3cc68a4872a81db653f1ad6a42122b786b27c7d48842577a65e88ad61e549e13b5be0df51e25b5f026089a19833e9da71f8c30c0cdd
SSDEEP

6144:0MNHXf500MU8zfjEm0beDmcCl/QOqNgJyCqv7cc:Rd505jwmZmcgSNgJyrv7cc

Score

10^/10

quasar gimp1 discovery persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

gimp1

193.42.33.210:4444

gimpdns.ddns.net:4444

Mutex

QSR_MUTEX_XwuUSTCgYhmnf6vJ1L

Attributes

encryption_key
lRzFKjYQKUKzh6RyUYYQ
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Signatures

Quasar RAT 3 IoCs
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Processes:

AuroraALPHABUILD.0-6 - Copy (2).exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AuroraALPHABUILD.0-6 - Copy (2).exe
1 ip-api.com
3 ip-api.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AuroraALPHABUILD.0-6 - Copy (2).exe
1	ip-api.com
3	ip-api.com

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral4/memory/5064-1-0x0000000000910000-0x000000000096E000-memory.dmp	family_quasar

Executes dropped EXE 3 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid process

4872 svchost.exe
3000 svchost.exe
3128 svchost.exe

pid	process
4872	svchost.exe
3000	svchost.exe
3128	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

AuroraALPHABUILD.0-6 - Copy (2).exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AuroraALPHABUILD.0-6 - Copy (2).exe\""	AuroraALPHABUILD.0-6 - Copy (2).exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
3 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
1	ip-api.com
3	ip-api.com

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

schtasks.exeschtasks.exeAuroraALPHABUILD.0-6 - Copy (5).exechcp.comPING.EXEsvchost.exeAuroraALPHABUILD.0-6 - Copy (2).exeAuroraALPHABUILD.0-6 - Copy (3).exeAuroraALPHABUILD.0-6 - Copy (5).exesvchost.exeAuroraALPHABUILD.0-6 - Copy (2).execmd.exesvchost.exechcp.comAuroraALPHABUILD.0-6 - Copy (3).exeAuroraALPHABUILD.0-6 - Copy (2).exeAuroraALPHABUILD.0-6 - Copy (4).exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exePING.EXEAuroraALPHABUILD.0-6 - Copy (4).execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AuroraALPHABUILD.0-6 - Copy (5).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AuroraALPHABUILD.0-6 - Copy (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AuroraALPHABUILD.0-6 - Copy (3).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AuroraALPHABUILD.0-6 - Copy (5).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AuroraALPHABUILD.0-6 - Copy (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AuroraALPHABUILD.0-6 - Copy (3).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AuroraALPHABUILD.0-6 - Copy (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AuroraALPHABUILD.0-6 - Copy (4).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AuroraALPHABUILD.0-6 - Copy (4).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXEPING.EXE

pid process

4412 PING.EXE
3652 PING.EXE
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

4412 PING.EXE
3652 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3388 schtasks.exe
480 schtasks.exe
3880 schtasks.exe
5012 schtasks.exe
3056 schtasks.exe
3724 schtasks.exe

pid	process
4412	PING.EXE
3652	PING.EXE

pid	process
4412	PING.EXE
3652	PING.EXE

pid	process
3388	schtasks.exe
480	schtasks.exe
3880	schtasks.exe
5012	schtasks.exe
3056	schtasks.exe
3724	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

AuroraALPHABUILD.0-6 - Copy (2).exesvchost.exeAuroraALPHABUILD.0-6 - Copy (2).exeAuroraALPHABUILD.0-6 - Copy (4).exesvchost.exeAuroraALPHABUILD.0-6 - Copy (5).exe

description	pid	process
Token: SeDebugPrivilege	5064	AuroraALPHABUILD.0-6 - Copy (2).exe
Token: SeDebugPrivilege	4872	svchost.exe
Token: SeDebugPrivilege	4044	AuroraALPHABUILD.0-6 - Copy (2).exe
Token: SeDebugPrivilege	1244	AuroraALPHABUILD.0-6 - Copy (4).exe
Token: SeDebugPrivilege	3128	svchost.exe
Token: SeDebugPrivilege	3344	AuroraALPHABUILD.0-6 - Copy (5).exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

4872 svchost.exe
3128 svchost.exe

pid	process
4872	svchost.exe
3128	svchost.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

AuroraALPHABUILD.0-6 - Copy (2).exesvchost.execmd.exeAuroraALPHABUILD.0-6 - Copy (2).exeAuroraALPHABUILD.0-6 - Copy (4).exesvchost.execmd.exeAuroraALPHABUILD.0-6 - Copy (5).exe

description	pid	process	target process
PID 5064 wrote to memory of 3388	5064	AuroraALPHABUILD.0-6 - Copy (2).exe	schtasks.exe
PID 5064 wrote to memory of 3388	5064	AuroraALPHABUILD.0-6 - Copy (2).exe	schtasks.exe
PID 5064 wrote to memory of 3388	5064	AuroraALPHABUILD.0-6 - Copy (2).exe	schtasks.exe
PID 5064 wrote to memory of 4872	5064	AuroraALPHABUILD.0-6 - Copy (2).exe	svchost.exe
PID 5064 wrote to memory of 4872	5064	AuroraALPHABUILD.0-6 - Copy (2).exe	svchost.exe
PID 5064 wrote to memory of 4872	5064	AuroraALPHABUILD.0-6 - Copy (2).exe	svchost.exe
PID 4872 wrote to memory of 480	4872	svchost.exe	schtasks.exe
PID 4872 wrote to memory of 480	4872	svchost.exe	schtasks.exe
PID 4872 wrote to memory of 480	4872	svchost.exe	schtasks.exe
PID 4872 wrote to memory of 1164	4872	svchost.exe	schtasks.exe
PID 4872 wrote to memory of 1164	4872	svchost.exe	schtasks.exe
PID 4872 wrote to memory of 1164	4872	svchost.exe	schtasks.exe
PID 4872 wrote to memory of 4332	4872	svchost.exe	cmd.exe
PID 4872 wrote to memory of 4332	4872	svchost.exe	cmd.exe
PID 4872 wrote to memory of 4332	4872	svchost.exe	cmd.exe
PID 4332 wrote to memory of 1804	4332	cmd.exe	chcp.com
PID 4332 wrote to memory of 1804	4332	cmd.exe	chcp.com
PID 4332 wrote to memory of 1804	4332	cmd.exe	chcp.com
PID 4332 wrote to memory of 4412	4332	cmd.exe	PING.EXE
PID 4332 wrote to memory of 4412	4332	cmd.exe	PING.EXE
PID 4332 wrote to memory of 4412	4332	cmd.exe	PING.EXE
PID 4044 wrote to memory of 3880	4044	AuroraALPHABUILD.0-6 - Copy (2).exe	schtasks.exe
PID 4044 wrote to memory of 3880	4044	AuroraALPHABUILD.0-6 - Copy (2).exe	schtasks.exe
PID 4044 wrote to memory of 3880	4044	AuroraALPHABUILD.0-6 - Copy (2).exe	schtasks.exe
PID 4044 wrote to memory of 3000	4044	AuroraALPHABUILD.0-6 - Copy (2).exe	svchost.exe
PID 4044 wrote to memory of 3000	4044	AuroraALPHABUILD.0-6 - Copy (2).exe	svchost.exe
PID 4044 wrote to memory of 3000	4044	AuroraALPHABUILD.0-6 - Copy (2).exe	svchost.exe
PID 1244 wrote to memory of 5012	1244	AuroraALPHABUILD.0-6 - Copy (4).exe	schtasks.exe
PID 1244 wrote to memory of 5012	1244	AuroraALPHABUILD.0-6 - Copy (4).exe	schtasks.exe
PID 1244 wrote to memory of 5012	1244	AuroraALPHABUILD.0-6 - Copy (4).exe	schtasks.exe
PID 1244 wrote to memory of 3128	1244	AuroraALPHABUILD.0-6 - Copy (4).exe	svchost.exe
PID 1244 wrote to memory of 3128	1244	AuroraALPHABUILD.0-6 - Copy (4).exe	svchost.exe
PID 1244 wrote to memory of 3128	1244	AuroraALPHABUILD.0-6 - Copy (4).exe	svchost.exe
PID 3128 wrote to memory of 3056	3128	svchost.exe	schtasks.exe
PID 3128 wrote to memory of 3056	3128	svchost.exe	schtasks.exe
PID 3128 wrote to memory of 3056	3128	svchost.exe	schtasks.exe
PID 3128 wrote to memory of 2480	3128	svchost.exe	schtasks.exe
PID 3128 wrote to memory of 2480	3128	svchost.exe	schtasks.exe
PID 3128 wrote to memory of 2480	3128	svchost.exe	schtasks.exe
PID 3128 wrote to memory of 1864	3128	svchost.exe	cmd.exe
PID 3128 wrote to memory of 1864	3128	svchost.exe	cmd.exe
PID 3128 wrote to memory of 1864	3128	svchost.exe	cmd.exe
PID 1864 wrote to memory of 1044	1864	cmd.exe	chcp.com
PID 1864 wrote to memory of 1044	1864	cmd.exe	chcp.com
PID 1864 wrote to memory of 1044	1864	cmd.exe	chcp.com
PID 1864 wrote to memory of 3652	1864	cmd.exe	PING.EXE
PID 1864 wrote to memory of 3652	1864	cmd.exe	PING.EXE
PID 1864 wrote to memory of 3652	1864	cmd.exe	PING.EXE
PID 3344 wrote to memory of 3724	3344	AuroraALPHABUILD.0-6 - Copy (5).exe	schtasks.exe
PID 3344 wrote to memory of 3724	3344	AuroraALPHABUILD.0-6 - Copy (5).exe	schtasks.exe
PID 3344 wrote to memory of 3724	3344	AuroraALPHABUILD.0-6 - Copy (5).exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (2).exe
"C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (2).exe"
1⤵
- Quasar RAT
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (2).exe" /rl HIGHEST /f
2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3388

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:480

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /delete /tn "svchost" /f
3⤵
- System Location Discovery: System Language Discovery
PID:1164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWU0zW6K2FgE.bat" "
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4332

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
- System Location Discovery: System Language Discovery
PID:1804

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4412

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (2).exe
"C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (2).exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (2).exe" /rl HIGHEST /f
2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3880

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3000

C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (3).exe
"C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (3).exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4556

C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (4).exe
"C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (4).exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (4).exe" /rl HIGHEST /f
2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /delete /tn "svchost" /f
3⤵
- System Location Discovery: System Language Discovery
PID:2480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HaVjGoTf4mDs.bat" "
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
- System Location Discovery: System Language Discovery
PID:1044

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3652

C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (5).exe
"C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (5).exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2688

C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (4).exe
"C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (4).exe"
1⤵
- System Location Discovery: System Language Discovery
PID:224

C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (5).exe
"C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (5).exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3344

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (5).exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:3724

C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (2).exe
"C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (2).exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4320

C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (3).exe
"C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (3).exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1884

C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (4).exe
"C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (4).exe"
1⤵
PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AuroraALPHABUILD.0-6 - Copy (2).exe.log

Filesize
1KB

MD5
0d57fc33826cdd8ab7f1fd188829748d

SHA1
40fab51cd74493d07e0c37af6bfee896e9d0cef6

SHA256
4ff6a3eca1a0964fa036fcc54b2fa2137de9ade61e8140cee7e3136352445c41

SHA512
dd02119b787943e580156d89ea75ad38eff863bf560d4ec33fa4e52202f0b6252e928322f73e3a3e11685fb0cff204af4d67c6818bdf9812d7b458c362965aaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AuroraALPHABUILD.0-6 - Copy (4).exe.log

Filesize
701B

MD5
a0c99cab2d0348a3d06a8ed2ac281be9

SHA1
abe85b62a3e758c71585a0be2ca133f4928d8242

SHA256
ed6940279bac21a6da297553ce2fc88d123c45428326418531c922d3c8bd4959

SHA512
19d2d3004fba1debe3ef7df8c7705fe50ef7174f64d1899464005b34840c95f1a9d02b8de3cf7f0a3ee8a303182a1b4a0186e69252c6a133ba7c355235ecd46b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

Filesize
1KB

MD5
d5cf39e4865acb8cd1af44027be63ecd

SHA1
bef4b1ab9975adb9624ab2a988079c05f8c83307

SHA256
978d60c61bf59758166a44a3720eef108221b3243e88b1d9cdf4f5c79452578b

SHA512
8736ea1515b8958251f6b91971d0bb4f88a83e233e2c192164924d75eb6015519ca0223f971e2336371445b117ba3858ba88b8bb132617dae1f7c8b13c36ccad

Download Submit
C:\Users\Admin\AppData\Local\Temp\HaVjGoTf4mDs.bat

Filesize
263B

MD5
173dc19daf4009d06ad045a91325467d

SHA1
7603bf06b004e23d451b2387ce553563dc22cad3

SHA256
d8e000cdcfa4c2be286483cf28988b78e0f6772d22661be3e86814cca657b4cb

SHA512
d4ab1f02526122f5578a60bcc1d9ac13381d5495161708f5ef3f7334808e7767bfb8cb9ca2fde7e92ac00da7d8eeecf4f8c94f2a4715b7020fa3d7277d51e157

Download Submit
C:\Users\Admin\AppData\Local\Temp\tWU0zW6K2FgE.bat

Filesize
263B

MD5
eecb2431db0504b174ce7ee5f044cdea

SHA1
8077fd1dfb76e7f9b7d07ef2f67df007705173ba

SHA256
c07a31b4cb69567958ee69355cbe140e99d95b88bb5963b47ff2490538bb4f72

SHA512
dab3727264f32792f04f3e69e2b1170361c7c31c769caac5529eeb02122c3aa1eea0d85a9ca863193e01af842ffe3cb1942e9877bbe28ca35e89b69f72b8f5da

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\09-13-~1

Filesize
224B

MD5
f5f0e4d3877c2592f37c27e1bd7c10af

SHA1
71e89750dc7a38e9998bf5cf7d6e4d3ab4cdeb56

SHA256
87d5e45248743d7e5d582c11fc0e7d139868f55f60fa9203b4dbc85c3b474e1b

SHA512
2212fd2b42948572873310f189aeb6db1d660d92d8fd47fae956b73584aa207925de880f0f76464ce5bcf1ec7bf0db1d8878838316d3a87a2be415ec89020b3f

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\09-13-~1

Filesize
224B

MD5
9240377831cf50e9c24f233a623df76e

SHA1
d1c845ae07b3f0c206f57700af08aeed49c8d18e

SHA256
96411d37a775f92dd1838ecda76a2903334d20b86caadc1e3d0de33db4d2662b

SHA512
9130d70d1c0d3115de3c3a02db7dc6394999ca9afb3c370bb2aa473d0a0a69fad2d20bf24cf4ead9fe08f1043113244e93306e0d49a5a8596a6e7f178b356b52

Download Submit
memory/4872-17-0x0000000007150000-0x000000000715A000-memory.dmp

Filesize
40KB

Download
memory/4872-14-0x0000000074BE0000-0x0000000075391000-memory.dmp

Filesize
7.7MB

Download
memory/4872-18-0x0000000074BE0000-0x0000000075391000-memory.dmp

Filesize
7.7MB

Download
memory/4872-24-0x0000000074BE0000-0x0000000075391000-memory.dmp

Filesize
7.7MB

Download
memory/5064-15-0x0000000074BE0000-0x0000000075391000-memory.dmp

Filesize
7.7MB

Download
memory/5064-0-0x0000000074BEE000-0x0000000074BEF000-memory.dmp

Filesize
4KB

Download
memory/5064-7-0x00000000067C0000-0x00000000067FC000-memory.dmp

Filesize
240KB

Download
memory/5064-6-0x0000000006290000-0x00000000062A2000-memory.dmp

Filesize
72KB

Download
memory/5064-5-0x0000000005420000-0x0000000005486000-memory.dmp

Filesize
408KB

Download
memory/5064-4-0x0000000074BE0000-0x0000000075391000-memory.dmp

Filesize
7.7MB

Download
memory/5064-3-0x00000000054B0000-0x0000000005542000-memory.dmp

Filesize
584KB

Download
memory/5064-2-0x0000000005A60000-0x0000000006006000-memory.dmp

Filesize
5.6MB

Download
memory/5064-1-0x0000000000910000-0x000000000096E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads