quasar | hxxps://github[.]com/BPLogger/BPLogger

Analysis

max time kernel
110s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/BPLogger/BPLogger

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

wefdwef-34180.portmap.host:34180

Mutex

c4be1726-3f86-4f80-bc7c-0779b06ffeeb

Attributes

encryption_key
97BF1FDCF446A7218FA05296FD8D8F0C41A6B1E7
install_name
Bootstrapper.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Spotify
subdirectory
system32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x00040000000162a6-305.dat	family_quasar
behavioral1/memory/5896-313-0x0000000000A70000-0x0000000000D94000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Bootstrapper.exeBootstrapper.exeBootstrapper.exeBootstrapper.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe

Executes dropped EXE 5 IoCs

Processes:

BPLogger.exeBootstrapper.exeBootstrapper.exeBootstrapper.exeBootstrapper.exe

pid	Process
5896	BPLogger.exe
6068	Bootstrapper.exe
5200	Bootstrapper.exe
2268	Bootstrapper.exe
6028	Bootstrapper.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
71	raw.githubusercontent.com
72	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
4788	PING.EXE
5372	PING.EXE
372	PING.EXE
4844	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

Processes:

msedge.exe7zFM.exeOpenWith.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

notepad.exe

pid	Process
5480	notepad.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
4788	PING.EXE
5372	PING.EXE
372	PING.EXE
4844	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
6004	schtasks.exe
6112	schtasks.exe
1868	schtasks.exe
4772	schtasks.exe
6136	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe7zFM.exe

pid	Process
2612	msedge.exe
2612	msedge.exe
1704	msedge.exe
1704	msedge.exe
3888	identity_helper.exe
3888	identity_helper.exe
4972	msedge.exe
4972	msedge.exe
5144	7zFM.exe
5144	7zFM.exe
5144	7zFM.exe
5144	7zFM.exe
5144	7zFM.exe
5144	7zFM.exe
5144	7zFM.exe
5144	7zFM.exe
5144	7zFM.exe
5144	7zFM.exe
5144	7zFM.exe
5144	7zFM.exe
5144	7zFM.exe
5144	7zFM.exe
5144	7zFM.exe
5144	7zFM.exe
5144	7zFM.exe
5144	7zFM.exe
5144	7zFM.exe
5144	7zFM.exe
5144	7zFM.exe
5144	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid	Process
5144	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid	Process
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

7zFM.exeBPLogger.exeBootstrapper.exeBootstrapper.exeBootstrapper.exeBootstrapper.exe

description	pid	Process
Token: SeRestorePrivilege	5144	7zFM.exe
Token: 35	5144	7zFM.exe
Token: SeSecurityPrivilege	5144	7zFM.exe
Token: SeSecurityPrivilege	5144	7zFM.exe
Token: SeSecurityPrivilege	5144	7zFM.exe
Token: SeDebugPrivilege	5896	BPLogger.exe
Token: SeDebugPrivilege	6068	Bootstrapper.exe
Token: SeDebugPrivilege	5200	Bootstrapper.exe
Token: SeDebugPrivilege	2268	Bootstrapper.exe
Token: SeSecurityPrivilege	5144	7zFM.exe
Token: SeSecurityPrivilege	5144	7zFM.exe
Token: SeDebugPrivilege	6028	Bootstrapper.exe

Suspicious use of FindShellTrayWindow 46 IoCs

Processes:

msedge.exe7zFM.exeBootstrapper.exeBootstrapper.exeBootstrapper.exeBootstrapper.exe

pid	Process
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
5144	7zFM.exe
5144	7zFM.exe
5144	7zFM.exe
5144	7zFM.exe
5144	7zFM.exe
6068	Bootstrapper.exe
5200	Bootstrapper.exe
2268	Bootstrapper.exe
5144	7zFM.exe
5144	7zFM.exe
5144	7zFM.exe
5144	7zFM.exe
6028	Bootstrapper.exe

Suspicious use of SendNotifyMessage 28 IoCs

Processes:

msedge.exeBootstrapper.exeBootstrapper.exeBootstrapper.exeBootstrapper.exe

pid	Process
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
6068	Bootstrapper.exe
5200	Bootstrapper.exe
2268	Bootstrapper.exe
6028	Bootstrapper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid	Process
5996	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 1704 wrote to memory of 4340	1704	msedge.exe	84
PID 1704 wrote to memory of 4340	1704	msedge.exe	84
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2484	1704	msedge.exe	85
PID 1704 wrote to memory of 2612	1704	msedge.exe	86
PID 1704 wrote to memory of 2612	1704	msedge.exe	86
PID 1704 wrote to memory of 3048	1704	msedge.exe	87
PID 1704 wrote to memory of 3048	1704	msedge.exe	87
PID 1704 wrote to memory of 3048	1704	msedge.exe	87
PID 1704 wrote to memory of 3048	1704	msedge.exe	87
PID 1704 wrote to memory of 3048	1704	msedge.exe	87
PID 1704 wrote to memory of 3048	1704	msedge.exe	87
PID 1704 wrote to memory of 3048	1704	msedge.exe	87
PID 1704 wrote to memory of 3048	1704	msedge.exe	87
PID 1704 wrote to memory of 3048	1704	msedge.exe	87
PID 1704 wrote to memory of 3048	1704	msedge.exe	87
PID 1704 wrote to memory of 3048	1704	msedge.exe	87
PID 1704 wrote to memory of 3048	1704	msedge.exe	87
PID 1704 wrote to memory of 3048	1704	msedge.exe	87
PID 1704 wrote to memory of 3048	1704	msedge.exe	87
PID 1704 wrote to memory of 3048	1704	msedge.exe	87
PID 1704 wrote to memory of 3048	1704	msedge.exe	87
PID 1704 wrote to memory of 3048	1704	msedge.exe	87
PID 1704 wrote to memory of 3048	1704	msedge.exe	87
PID 1704 wrote to memory of 3048	1704	msedge.exe	87
PID 1704 wrote to memory of 3048	1704	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/BPLogger/BPLogger
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e48d46f8,0x7ff9e48d4708,0x7ff9e48d4718
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,10711288458792643270,7437198145951594401,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
  2⤵
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,10711288458792643270,7437198145951594401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,10711288458792643270,7437198145951594401,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10711288458792643270,7437198145951594401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10711288458792643270,7437198145951594401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,10711288458792643270,7437198145951594401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,10711288458792643270,7437198145951594401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10711288458792643270,7437198145951594401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10711288458792643270,7437198145951594401,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10711288458792643270,7437198145951594401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10711288458792643270,7437198145951594401,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2020,10711288458792643270,7437198145951594401,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3368 /prefetch:8
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10711288458792643270,7437198145951594401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2020,10711288458792643270,7437198145951594401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4032

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2404

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\BPLogger.rar"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5144
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\7zO814133F8\x64.dll"
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5480
- C:\Users\Admin\AppData\Local\Temp\7zO81482DB8\BPLogger.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO81482DB8\BPLogger.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5896
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:6004
- - C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
    "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:6068
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z8bGA66a0lTd.bat" "
      4⤵
      PID:2180
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3704
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4788
    - - C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5200
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1868
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6WHxXE9Svq71.bat" "
        6⤵
        
        PID:5332
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3688
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5372
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2268
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FBZKZ3qNyem8.bat" "
        8⤵
        
        PID:5432
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:5060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:372
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:6028
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mj1vafKKFsGB.bat" "
        10⤵
        
        PID:6124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:6072
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4844

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Bootstrapper.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
41517c492146f3869aa2704910a8194b

SHA1
ee1da8839cf8c9c0faf44a129d8178a54e9b4670

SHA256
d3b4739235f4e21dd0c2750971654d1dc0ca0820e5cd4990216a34e3bca019ae

SHA512
dbb774938e630683a37eab514891d3a48090a80b5c0c56d169e0a6a03ec1a96e3afd3c59e5ae20e407283b1cbd9fe0bfd3ba4514d1af910fe9dfd77e9a6fce27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
678B

MD5
b518a3421569335bd9029bdcdc002437

SHA1
17753daf447bb68af0a27a8b01dd15c9cf91052c

SHA256
48dbfd20edbbccf9b3c2e85c427819f67dbaf74e658b4a86fcd937fee6f1caf8

SHA512
92b564896a371880653da62524d8543bdd744a091acd6cf0ba40240021ac19f71dd68ee736ddc743e530e9789506f58a3d98c92bdfd0f4156ba182ca9c0a91f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d2674cca7bf3296883f3c426d92999e6

SHA1
cf449404883cf3b2a91f94c4ed70604976969d6c

SHA256
c68de88414b7fd8845927ff67128de55d9bc7e8fc18b15b46aaaf1079d0310b5

SHA512
900b360f202d0b1e172e3f183517acd3d0a71af98ae0e85386f7a968ceafdb13984b347adfabfe83c425e466e3269fa355931ed279e4b3365966a7da8d9703e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5d88ef9e7a48e573643d10878c199c64

SHA1
127f26c8b3865efe0551515dbf89561e29681a94

SHA256
789e2f63917729f13141cc0b13806f023e3e96a1f23ab2109e7256c2e2b84fde

SHA512
a08e14cd0af333eda47aa89e248df4237e912c2dca19ade2051809b47de59396daa25416a201d4ec814cc2edcd2f82a0315333abb11620ba8c9a24813a7ba1bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d4fe0cbfb8bd6250609f33c02a8b524e

SHA1
fe927e7553a11e7e95b36dddee405bd5aafbb003

SHA256
ad8ada0e003e5f84670dd4ce93f31ab86bc1ec094d2c7a026a03fed07556879b

SHA512
bff124d88ce163ae38cde5366de97fceae4fc68f8f12a7a8284a8eb19ed724fded980db66646fe0123779156605710030b0398e47a4ce2f620a6ab6436478af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4864ee27e9a9e2633dd99a7d1b428a84

SHA1
189e14d75fdd9ba3c0a0e2427fa96996422b52fb

SHA256
83a01df947f2f05bf34c329f4b7a41292d39c406bb446f4d879b4115f069e9e8

SHA512
1643753aabf69d9b323d3e01384b5b8929de1c152b4512d41498456bf17576d711cf13ec860ae4685b1d046e824a545359ce3d12ef8348f4d083dd1bde47a071

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5826dc.TMP

Filesize
1KB

MD5
1f1f0b070319390fa2593c5b04ca0324

SHA1
262416d41fa74810f079ade11e96d60eef2ab965

SHA256
3cb6406efe3b0ecc592ff76755e99578731851225e0fc780799328b32030d00a

SHA512
5402eeadd1328e8ffed9931dae5d44ff4a802f2c445af22d464abdcc949ecc7345bbd3e9f4cfed0dad6a1eec684b7f9ab17381ccd64f542b27ab88c1accb7ea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d393703d52760f56bf123e9f44ae8749

SHA1
f1c2658e97abf3f5ee5ad5f735fbf64243cf15ff

SHA256
185c852d39bd0130e13dea420fb15b5215fd7001aaae3f342daab1c6c7d99238

SHA512
d16506971b65126cbe64940ea8c02c03c778b80e866541e64d07d6ee6ab0712ecd16cc91226558ac8b4aa39d0dec95240a1fc434c7f65335002d7c98140759e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c574af86707e4941013255e0f6279b10

SHA1
30a29fe7214e6fa0ee1bae6884d413810050d5b9

SHA256
eb6d3e615aff9d94d0c572c527c44a2c3569f5f0fa3820a2cb6b72d67b294e62

SHA512
77fd3380693b6bb2451d2a99257751e9370d282a36e7897d9654a1ce45fa13c3aba1e0972fe5f9e10a6e7a46229ddd65b0585fc82e68bedf313dcf6c72502d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6WHxXE9Svq71.bat

Filesize
215B

MD5
d8bc2289f3acd4ffb21b84e72aee235c

SHA1
bea299a88b3ab8abc36533b914e2d1b4dd90d11f

SHA256
4e1cd7d41e15698c99e590300a407a53e8eba73752d6d6247b135db18db02c83

SHA512
c1f56c0953e5093849d18d56d6b6c96b8151366f149881748fc7d1e69699b37665e06eaeb5fbf71dc273b07cabe4359d885113256c0a1cd4f2c55d7f2b392892

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO814133F8\x64.dll

Filesize
490KB

MD5
35a353e99e306e9c0f46209a91d29518

SHA1
f94a0ee734645eb655e886af7424a2642dbd7fe9

SHA256
5c51c9116bcb31a5c59c55504947abeba1c4ad40e55a138a8fa27a2fc0a16fc2

SHA512
6a1b0ff58f06a54d4d1582905f1335de01680b5a7bb5434f841cb42096f61de0efda371db3645375fb464e15f1894e66c39e187949b9ebaf5ce5310bdbf0105e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO81482DB8\BPLogger.exe

Filesize
3.1MB

MD5
14b871855a9046ef9aedeec80f9c2d86

SHA1
32c0ad34f524748b76c090fc881b75b928341e7e

SHA256
b14b916cd2f188ea09035489056e0bff9f8cb8e4a30eff50172f86319fabc940

SHA512
7ada8280b9a5a4dcb427da5f7634335c191645614148ed550dbbbacfaed72e1e99202caedddc02f48dc73d96bf0ecd4d35c2ed2d6206e9b25efba4f29dcc8e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBZKZ3qNyem8.bat

Filesize
215B

MD5
08821c536f36908aecf844739c77b128

SHA1
ef8e8485272b00325761f7efdcde33443a84f545

SHA256
7c1d984c58513b455c23a5992caa5a0f75c504d76a25ee800a6713243610cf8c

SHA512
160bf2ca7f4e8eb7ac546ecc7f2a6b5183f11b87a760a0a2c7d67ae1de57b15ce93661fb79bd68f677639ab7caa15c77189e617d0fc682b32f58fcae0675e41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z8bGA66a0lTd.bat

Filesize
215B

MD5
3339ed4004b033cdeee7093167614210

SHA1
64548e3673d496ca7563220bff260c83e0de2b6a

SHA256
782f7855d9e34352e2736727165200e0ab6252e606c311eebdaa983c5dd815fd

SHA512
150644fe39878b0e6c88b6772c60c6bb2fb94e1fbebad3a4ab2db40e20dea986ebce2890a4d12251f00a899f65c0671007e281140e8e84c0a0649dbe17145f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\mj1vafKKFsGB.bat

Filesize
215B

MD5
a02d96a94ff8f83672010a79e59dd3e7

SHA1
f6374cf1affe592a87ad4653737fc156a9a21587

SHA256
b474128c6a66f1156be53824a071d5156f0818e3985d0bc2e87ab45b4ede592d

SHA512
af3738ee81e1f56421787988f522bb1df6aa217f5effb26e65af765697a06b3385fb2051476e3d60ca7e499d05021be8a3d9cff60afe2b0b88720f380d63a149

Download Submit
C:\Users\Admin\Downloads\BPLogger.rar

Filesize
1.2MB

MD5
02f7e1af9b8e6814a2ef3ebdd35dd908

SHA1
2b34deb211e851aad0e4978e6311b01a79a7a9be

SHA256
03894b7e34b167b23dbde4b660087d3bc0aef490097c8fe8dda1e7e5903d70f8

SHA512
a2ac2d110a36c99d790c4b54d7282e62e51a799a059716972022b5f59efb0f461f3c6e0ff5b8cc48a4ffc238577020248a22a35460f7218bbc046e431440b93c

Download Submit
\??\pipe\LOCAL\crashpad_1704_FDACMUFRBOBWWLZI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5896-313-0x0000000000A70000-0x0000000000D94000-memory.dmp

Filesize
3.1MB

Download
memory/6068-319-0x000000001C830000-0x000000001C880000-memory.dmp

Filesize
320KB

Download
memory/6068-320-0x000000001C940000-0x000000001C9F2000-memory.dmp

Filesize
712KB

Download