quasar | 244aa65cbea1df3f173fc068e3a56944516640d1cd3d3f682cce74f6b2cdd523

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

atikmdag-patcher-1.4.14/atikmdag-patcher.exe
Size

3.2MB
MD5

36e0f5e0bba981934ec616510c7bca1c
SHA1

c8887798854f8a081968ab4d68654cd2c38813d5
SHA256

fc789c6f5ae68957b419d81717f00714c1708e9025b29b4112045c667c74e138
SHA512

58975ef79f4ac2ef82e0c7e1034ace9dc0bc8df71708cde7a710ca322ee9486b1c7261d3e49b4861886ced390efcca5fd857fc902013cbdc0ba9bcb2159e9578
SSDEEP

49152:1dJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQ9333cW7:rJYVM+LtVt3P/KuG2ONG9iqLRQ9333c8

Score

10^/10

quasar redline newwwss office discovery infostealer spyware trojan

Malware Config

Extracted

Family

redline

Botnet

newwwss

94.156.67.162:26334

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

94.156.67.162:2424

Mutex

u9DoUUYRqSpnC2yFWujhfhjfhjfjhfjjhfjhfjhhfjhf

Attributes

encryption_key
GyLD0XdgIcr57WAXJ73w
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/1004-123-0x0000000001100000-0x000000000114E000-memory.dmp	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/2696-88-0x0000000001210000-0x0000000001262000-memory.dmp	family_redline

Redline family
redline

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1832 created 3360	1832	Calculate.pif	55

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	atikmdag-patcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	IssuedPartition.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	SleepingVolumes.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ScanGuardian.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ScanGuardian.url	cmd.exe

Executes dropped EXE 8 IoCs

pid	Process
3592	atikmdag-patcher.exe
2732	SleepingVolumes.exe
3568	IssuedPartition.exe
2884	Recipe.pif
1832	Calculate.pif
2696	RegAsm.exe
2976	RegAsm.exe
1004	RegAsm.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
43	ip-api.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\is-HGM59.tmp	atikmdag-patcher.exe
File opened for modification	C:\Windows\SysWOW64\SleepingVolumes.exe	atikmdag-patcher.exe
File opened for modification	C:\Windows\SysWOW64\IssuedPartition.exe	atikmdag-patcher.exe
File created	C:\Windows\SysWOW64\is-PQ73T.tmp	atikmdag-patcher.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
3820	tasklist.exe
4876	tasklist.exe
3000	tasklist.exe
3068	tasklist.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\My Program\atikmdag-patcher.exe	atikmdag-patcher.exe
File created	C:\Program Files (x86)\My Program\is-F1AEG.tmp	atikmdag-patcher.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ViewsEditing	IssuedPartition.exe
File opened for modification	C:\Windows\LawAwful	IssuedPartition.exe
File opened for modification	C:\Windows\SurelyAnti	SleepingVolumes.exe
File opened for modification	C:\Windows\HaveTampa	IssuedPartition.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atikmdag-patcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IssuedPartition.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SleepingVolumes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calculate.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atikmdag-patcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atikmdag-patcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Recipe.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2732	SleepingVolumes.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
5072	atikmdag-patcher.exe
5072	atikmdag-patcher.exe
2884	Recipe.pif
2884	Recipe.pif
2884	Recipe.pif
2884	Recipe.pif
2884	Recipe.pif
2884	Recipe.pif
2884	Recipe.pif
2884	Recipe.pif
2884	Recipe.pif
2884	Recipe.pif
2884	Recipe.pif
2884	Recipe.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
2884	Recipe.pif
2884	Recipe.pif
2884	Recipe.pif
2884	Recipe.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3820	tasklist.exe
Token: SeDebugPrivilege	4876	tasklist.exe
Token: SeDebugPrivilege	3000	tasklist.exe
Token: SeDebugPrivilege	3068	tasklist.exe
Token: SeDebugPrivilege	1004	RegAsm.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
5072	atikmdag-patcher.exe
2884	Recipe.pif
2884	Recipe.pif
2884	Recipe.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2884	Recipe.pif
2884	Recipe.pif
2884	Recipe.pif
1832	Calculate.pif
1832	Calculate.pif
1832	Calculate.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1004	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 5072	1736	atikmdag-patcher.exe	84
PID 1736 wrote to memory of 5072	1736	atikmdag-patcher.exe	84
PID 1736 wrote to memory of 5072	1736	atikmdag-patcher.exe	84
PID 5072 wrote to memory of 3592	5072	atikmdag-patcher.exe	87
PID 5072 wrote to memory of 3592	5072	atikmdag-patcher.exe	87
PID 5072 wrote to memory of 3592	5072	atikmdag-patcher.exe	87
PID 5072 wrote to memory of 2732	5072	atikmdag-patcher.exe	88
PID 5072 wrote to memory of 2732	5072	atikmdag-patcher.exe	88
PID 5072 wrote to memory of 2732	5072	atikmdag-patcher.exe	88
PID 5072 wrote to memory of 3568	5072	atikmdag-patcher.exe	89
PID 5072 wrote to memory of 3568	5072	atikmdag-patcher.exe	89
PID 5072 wrote to memory of 3568	5072	atikmdag-patcher.exe	89
PID 3568 wrote to memory of 704	3568	IssuedPartition.exe	90
PID 3568 wrote to memory of 704	3568	IssuedPartition.exe	90
PID 3568 wrote to memory of 704	3568	IssuedPartition.exe	90
PID 2732 wrote to memory of 1208	2732	SleepingVolumes.exe	92
PID 2732 wrote to memory of 1208	2732	SleepingVolumes.exe	92
PID 2732 wrote to memory of 1208	2732	SleepingVolumes.exe	92
PID 1208 wrote to memory of 3820	1208	cmd.exe	95
PID 1208 wrote to memory of 3820	1208	cmd.exe	95
PID 1208 wrote to memory of 3820	1208	cmd.exe	95
PID 1208 wrote to memory of 4248	1208	cmd.exe	96
PID 1208 wrote to memory of 4248	1208	cmd.exe	96
PID 1208 wrote to memory of 4248	1208	cmd.exe	96
PID 1208 wrote to memory of 4876	1208	cmd.exe	101
PID 1208 wrote to memory of 4876	1208	cmd.exe	101
PID 1208 wrote to memory of 4876	1208	cmd.exe	101
PID 1208 wrote to memory of 4536	1208	cmd.exe	102
PID 1208 wrote to memory of 4536	1208	cmd.exe	102
PID 1208 wrote to memory of 4536	1208	cmd.exe	102
PID 1208 wrote to memory of 5116	1208	cmd.exe	103
PID 1208 wrote to memory of 5116	1208	cmd.exe	103
PID 1208 wrote to memory of 5116	1208	cmd.exe	103
PID 1208 wrote to memory of 1004	1208	cmd.exe	104
PID 1208 wrote to memory of 1004	1208	cmd.exe	104
PID 1208 wrote to memory of 1004	1208	cmd.exe	104
PID 1208 wrote to memory of 1184	1208	cmd.exe	105
PID 1208 wrote to memory of 1184	1208	cmd.exe	105
PID 1208 wrote to memory of 1184	1208	cmd.exe	105
PID 1208 wrote to memory of 2884	1208	cmd.exe	107
PID 1208 wrote to memory of 2884	1208	cmd.exe	107
PID 1208 wrote to memory of 2884	1208	cmd.exe	107
PID 1208 wrote to memory of 4504	1208	cmd.exe	108
PID 1208 wrote to memory of 4504	1208	cmd.exe	108
PID 1208 wrote to memory of 4504	1208	cmd.exe	108
PID 704 wrote to memory of 3000	704	cmd.exe	110
PID 704 wrote to memory of 3000	704	cmd.exe	110
PID 704 wrote to memory of 3000	704	cmd.exe	110
PID 704 wrote to memory of 3632	704	cmd.exe	111
PID 704 wrote to memory of 3632	704	cmd.exe	111
PID 704 wrote to memory of 3632	704	cmd.exe	111
PID 704 wrote to memory of 3068	704	cmd.exe	112
PID 704 wrote to memory of 3068	704	cmd.exe	112
PID 704 wrote to memory of 3068	704	cmd.exe	112
PID 704 wrote to memory of 184	704	cmd.exe	113
PID 704 wrote to memory of 184	704	cmd.exe	113
PID 704 wrote to memory of 184	704	cmd.exe	113
PID 704 wrote to memory of 2196	704	cmd.exe	114
PID 704 wrote to memory of 2196	704	cmd.exe	114
PID 704 wrote to memory of 2196	704	cmd.exe	114
PID 704 wrote to memory of 2852	704	cmd.exe	115
PID 704 wrote to memory of 2852	704	cmd.exe	115
PID 704 wrote to memory of 2852	704	cmd.exe	115
PID 704 wrote to memory of 1216	704	cmd.exe	116

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3360
- C:\Users\Admin\AppData\Local\Temp\atikmdag-patcher-1.4.14\atikmdag-patcher.exe
  "C:\Users\Admin\AppData\Local\Temp\atikmdag-patcher-1.4.14\atikmdag-patcher.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\AppData\Local\Temp\atikmdag-patcher-1.4.14\atikmdag-patcher.exe
    "C:\Users\Admin\AppData\Local\Temp\atikmdag-patcher-1.4.14\atikmdag-patcher.exe" /VERYSILENT
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Program Files (x86)\My Program\atikmdag-patcher.exe
      "C:\Program Files (x86)\My Program\atikmdag-patcher.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3592
  - - C:\Windows\SysWOW64\SleepingVolumes.exe
      "C:\Windows\SysWOW64\SleepingVolumes.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k move Superb Superb.bat & Superb.bat & exit
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1208
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3820
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4248
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4536
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 300019
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5116
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "neattitudesmailedpopulations" Peoples
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1004
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Establishment + ..\Cabinets + ..\Finish + ..\Feel + ..\Permanent + ..\Terrorist + ..\Stem V
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1184
      - C:\Users\Admin\AppData\Local\Temp\300019\Recipe.pif
        
        Recipe.pif V
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\300019\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\300019\RegAsm.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        
        PID:2696
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4504
  - - C:\Windows\SysWOW64\IssuedPartition.exe
      "C:\Windows\SysWOW64\IssuedPartition.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3568
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k move Countries Countries.bat & Countries.bat & exit
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:704
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3632
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:184
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 591324
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "vanadsllicensednotes" Report
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Shoppers + ..\Oxford + ..\Render + ..\Leone + ..\Gasoline + ..\Luke + ..\Solaris + ..\Zu s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1216
      - C:\Users\Admin\AppData\Local\Temp\591324\Calculate.pif
        
        Calculate.pif s
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\591324\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\591324\RegAsm.exe
        7⤵
        Executes dropped EXE
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\591324\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\591324\RegAsm.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1004
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ScanGuardian.url" & echo URL="C:\Users\Admin\AppData\Local\ThreatGuard Dynamics\ScanGuardian.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ScanGuardian.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\My Program\atikmdag-patcher.exe

Filesize
90KB

MD5
ce53dcf26c43eb08e70e220bb69419f6

SHA1
fda92e8cbd1b37c9ed277190d70153ff73c6bc05

SHA256
575df9c65e0251572372226e6323068e2c17adbbcba91bb5adc22f2f653db7ba

SHA512
88f96ed7ed056aa49103ae331a928023463aa6e8f4548f8df2f9e4c7610a9f6d3cf12c5ccedc0ddd8c57e4a386e7236081c4b83d41702cfeebfc65ece286c47e

Download Submit
C:\Users\Admin\AppData\Local\Temp\300019\Recipe.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Admin\AppData\Local\Temp\300019\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\300019\V

Filesize
535KB

MD5
6eeccad0b3675bac0e1b8f55bd0c772d

SHA1
97f9bff72f577fe41525b968e1f55c8068b0c6ba

SHA256
0db60962a90f707be80c33be235b35b1e68e3375fb2b91838a0ea9643ed9697d

SHA512
aa4edcaaff2412a0ce34eead041b23a73c29d496571ff805a1798cb51a4445b98d2c9322e1c8e157948b8d3cf230c96670ea8c342f27b706bc9c749da8e3b315

Download Submit
C:\Users\Admin\AppData\Local\Temp\591324\s

Filesize
600KB

MD5
3e0872ae6a8a7fe9a91a91d05d3d12aa

SHA1
a2dd3836a034755373893451a87210f5e76a328a

SHA256
07c8122686c2ec81d9c08dff1a83ee6239e07fc273f15644dab7505772456356

SHA512
57744b18ddb077f6bcbefa785d48bcc39b6bff5dc499163a4a8c5e39d68a4d4edab6dde51152ca04b9d641a2ec349a505cacdb3f1a7bc94a0664e7aaaa80f89b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bg

Filesize
872KB

MD5
6b3bde94f6395656dc82ebb2a9c120ad

SHA1
00f4b4872d385c6068203aab313c0aec98e87ddc

SHA256
8f64a1d7da43035bd5a0718105797a9bcd01d9267274d01ebb8c6bb211505b1c

SHA512
7e3fcdf021de2706fba4836cda7d153b775df5f5b3f95c0a485bb355e7d9ab394b191be7011140a1cf4ae94dc8514d7a341e9ba1f85a4a77f41b85777e87426e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cabinets

Filesize
90KB

MD5
6d289be013c36877cae8238ee66c8cb8

SHA1
4980f2f0b62d6be79d2cf8dc3ab313860091d8c1

SHA256
75542700a57b2f0a3872f78f3fd9537b1785b0638a0325ae380677ea0e5eacaf

SHA512
ca92ffddaec58ff496bf49bf74aa190edb1eb5717c156924049a9b7fb4d13c16a785c4de638876bd995a540af5887f683b926724940afa03b5ba02e59f2dec7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Controversy

Filesize
872KB

MD5
55f6e4af92f4f13df5616a4eaee74ff9

SHA1
95b4b0a32ba7c68c1128a8e5c8f7f52a1b943de4

SHA256
8b00c1ccabfce0ac126a8893b3bbef939e1567c5315861d9657345df25e3368d

SHA512
669ba46fbf71d73c1e6faaec3cf2cae2ea66d4f2dd3e443d339685bbf58104494dd66d3c5ed4d2ecea49f83daabf1a34674d5e3f0c868e47a24a3bd58853fa52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Countries

Filesize
23KB

MD5
9ddd963443718abe977c9357fab86a94

SHA1
259024311afca7687b7a2d82154759ad6cdbb2a4

SHA256
a27d7b521852e960c5ae5bf3bf0e169099c0a065b4f803848bb9f7733f052b5f

SHA512
f0b9787cc8d9351080b593cea643b3806603d2b88b392fc61a39a86edd66f16d764625f4ed392dd638133e9e85869192002c7a4bfda09a2365fb9143c0ba1c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\Establishment

Filesize
86KB

MD5
e2ec1bf9c6f830aa140aac0a8ee93597

SHA1
4f1b70e58da27a05879083418c544dcad5ff4348

SHA256
baef4430197c8be6d0ea8f377b6d73a47af7af429250f08cfacd8ae142891228

SHA512
42b5c31c4529dcb9b6c843ca9d59a1fa6c148c2a67e0a3bc43559a3234f573b1b9063dc94b12e4e6054f36d8c6c8d9ffcddd854b665a65d06aaa6f19860bb033

Download Submit
C:\Users\Admin\AppData\Local\Temp\Feel

Filesize
77KB

MD5
c6d37fea6926e587a1ee735140af9653

SHA1
d66f77081a6f7d8807525310ce9cecf18c7741c2

SHA256
505756be76a34d73dbd825fdbdddcd65e676c1cd316ebfe382e13c059627526a

SHA512
cb5a683b65db2fb0ddc540e905222ac2704acc82dada4c2c2ab71e13bd4310344d415437e2f2443a3aded3b4323301962a13c3325729a5a8ee0bfa9e0e88067b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Finish

Filesize
88KB

MD5
1f44cadeb98fd8e0901fdaeb1679f231

SHA1
c3cc046bfababe9f18ae7ad3a15d85ff321f85f1

SHA256
dbd53609f5cb1219a9487f0b2a666ea831856ca719c12756910f6416c6076bf3

SHA512
1b8ab923d69e6080f0a99b833453508319cf26d2c67f3d588403d4e92027e693320d6b62a4e5aab272bd1020575cbbc4c17894ac26e0472c37032036ac6bfdf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gasoline

Filesize
68KB

MD5
a04219dcad1119ab06f46c978a53174a

SHA1
090808b7b925a19aa6b1d5fd2d11e41330acaa3f

SHA256
6bc1e3d022cb4a53d84a4512b00b66c58d0ea497e0b441ca6b40f70eb3cefecf

SHA512
180af0df48e2890ecf495d833a463a514d1eda3c6903b0b1b3d5bb907b2f476ea4bc3a6c5d8aa2dade7a1c9732175dc8f6d32b664f8c08da02292b44fad582d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Leone

Filesize
77KB

MD5
5a603362e316258ff20bc0d60837a601

SHA1
d2d924b2aa432589c2907f06aeff3ab0525d3ae7

SHA256
58a3c985176fc752c8690eae06d08e8c7f037585f40a14c747218d8611b73258

SHA512
c85eb52f718afad206526e0b2dbd04210060876d08b5bb4d3b744d125b18edaa5a004c581bd9fcb95faad4a0d20b3fb43496d57ca6a5f26495421790e011580a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Luke

Filesize
54KB

MD5
f103b7d8e33c010ae8899209e2df2f52

SHA1
14b6dff68ce6af9abf64c788c2ec0ea8cc4e2c06

SHA256
395ab65ac592affd560d4916aeb8a52b6cbe9d565f97137ab3c2ddfac93bd32d

SHA512
c2d2573de98194f32f096eca0a1a1837d7b3fdab83e91932a8f41c27c14ad53f86458c9aa2a859e49b9b5bfbdd3acf7ea771891aef908a2363cf2cc616a5552b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oxford

Filesize
94KB

MD5
9d6f4097b50570c5b92c66d2c71de11d

SHA1
22c5d131b148cab569fd803c560316b18b7f9760

SHA256
2cef318ae0fb95403b7b5b741c7c8ec48cbd40b87d82ed838a0707b864ebc2c7

SHA512
ec4211f6bf2bfc41939cf8f585e6723829409e4698957f8dbaabfc403e66eb121a351a921b9ce9a0295c775ed0a6fa0077c9524c098bd2816cebd8629c098c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Peoples

Filesize
648B

MD5
19c25dffef22892968a862ba6a7624bf

SHA1
cc966cf971bb623342393231a3b1122e68b31ea2

SHA256
3b805582e150bbeecbc9328c7b700f1729741d2bc878d61aa952a9ccdae752ce

SHA512
fb0f44dcb21fc0cbbba2bba391145c62820d3bfbd685f1aa4ebbbb1f8cecde5b321b4e3fd88a8a3ae4b80173bd551c2554044a0ae1a9f62dde82097408349853

Download Submit
C:\Users\Admin\AppData\Local\Temp\Permanent

Filesize
60KB

MD5
64ef442247c4f4fa586a2df61d2d557b

SHA1
5c4379cd39b7d39a2becae94ff1d61ddeaaa2701

SHA256
fc459c274ee2eed363d1bca47a3938d5e6fb31e58ff38e51688f4f6632252a73

SHA512
b1f7856d944f192d1adba121433311b9e8ec57942ec792e816e99a1d82d8bc0066b0d97d61ccd3d223f2336cf5bbad37956c7591008aa194cf1640445d69b5a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Render

Filesize
90KB

MD5
963b0e20d96de80bc37efc0d74f0f6c6

SHA1
34c813c9381dcbba295ed8d7c8900fac287ddc4b

SHA256
89de49e36f35173e38e0328462815fe6bac4b3f27130e9d0feb0a37d3b703b3b

SHA512
967bc929e6ffc8a99253419d9c7a67ad04b8e76ceb90a1115f9265d888134216e11911f20a8010e8ebef373a9110cda8fc53279dd65de035cbbd817bb3108837

Download Submit
C:\Users\Admin\AppData\Local\Temp\Report

Filesize
512B

MD5
019b576f05e7104f1598fe6fafdc09e5

SHA1
927ada74cff28105f90ec58bfdfc0752f7eae6ce

SHA256
be6a03d4367a2c4a862edbe2501fa29cc1498a57f4966d79c2b389eb2d197c3e

SHA512
66abbbb9b02fcffadcd4beef6c0f47632445076254e676e8740bd41528ec80577de556391d38250d42768d859d9547c5ed7a2dc72a7d8691d44d1d8af200d29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shoppers

Filesize
74KB

MD5
0febae5c31c84cc1c9f87d241151d3ba

SHA1
daf09419665da6585bce511ac4dfbf4cc9d70722

SHA256
e394388e1c7870e24704ad4eed6122ca3ca573c7a5424067fd06d18db9059525

SHA512
ea385a101ba41137543df8782230ed23211ff6fd6b7064e004fff2b8975bcaeca7ef88275906b7cf36a5cc4f55e74842128170f0da43912999d4b7a72dbe9d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solaris

Filesize
93KB

MD5
8f7576029044042f2e1538283319b8ba

SHA1
e4ebd180ca6c366ece0c509735d017214137c895

SHA256
3da0981ed15267d09d174f5077497a7e31d99c07ee6376f0329db6b12dc7af19

SHA512
629da688551ea1a23e33c354ac7bc8ff06bb8c115b6c2ad48321b0d3ee26498bce72525d86acf81712ce02d87dd91ed8e645fa15011020ddda6cd6340a3fec77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stem

Filesize
57KB

MD5
c832b3403c4fa3ff6a73485e93cf20d4

SHA1
4223d69e848c60f3b9bc704462e1914258a5e2c6

SHA256
c12e1781b67a62b0be9e868a965ab41cce79c95b4d3197e153c0bc12cbba4c03

SHA512
1dccf1753f14ac7f0afc4a72f09136355f92b38614b16e65889e3829b6803e443d4fa8ce8b4e0409fb758e5c9851ae045a03bd5b77c6a42612f03d2c5d4e6a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\Superb

Filesize
6KB

MD5
ad2d4526b7415a9f8f1cace80a765c54

SHA1
d4c3e2101c24720ef0691c754b48faeda9f31118

SHA256
05147d654defda287523f6ffe898079e06281f80bad23b9cc8363f4577315c54

SHA512
fe33e3c17b0643f632d1a233fa143d962542957f2b3af9e6011daf84545f0ebf8bc2ca00688988b393735d6a70efbb580cb5ba2db62e371c4974584f095b0884

Download Submit
C:\Users\Admin\AppData\Local\Temp\Terrorist

Filesize
77KB

MD5
299871a25e8ba0595dbee52dda3b434b

SHA1
2ffeee7fd8ea69d26a6f5a60481fbc233824a2bc

SHA256
695bcee60171c4351b051f5e38241a0f514a2855a5f51ad83d5bdba29248b0eb

SHA512
3fda6ccbdb8ca5e1293812658c45397a5164a46604f02bc1269560decf9e3af630be9c3279b608275beb7febee55ba0f36fc1435775bae499823cdf864899d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp20B2.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zu

Filesize
50KB

MD5
6690ba0c15e7f192d9c21ba112ac8d6d

SHA1
8e76bda517ff496cd30a6863d534910850dc81f7

SHA256
e89f359d8492008ee0898d8750c71c174f468c59d32b38178226cca833a34c52

SHA512
2707b2c8f9a66ccf13cead5e61854b0bd4deb1c53a2076f879ec1c94267f4715d644bf975562428015dca96e3f699a852ba4d8a67bd5265cd0d3afb4eac0e085

Download Submit
C:\Windows\SysWOW64\IssuedPartition.exe

Filesize
1.2MB

MD5
b6adfc8b1f0bec7f82e9b2c3361fb6c4

SHA1
b5d9d8707b5c9343c9c602f2ad028e5c2dad6075

SHA256
6c82cf75c41224cef94f1a0399d50d8258febb75f5d919a72f0b4ea3cd042db6

SHA512
cc15df7fc35dd3850c006256f4678224db76214b0e15375032f5e5393d6534109c1c2a66f20d2545ea924d481b4ac3512da1c5e53b6de6823db0c39c4e632feb

Download Submit
C:\Windows\SysWOW64\SleepingVolumes.exe

Filesize
1.4MB

MD5
0f125aa38abf18809545399ce7a427ca

SHA1
78e4642fe95ac209cc521a130e7012af5f1d9458

SHA256
21b5f418f961dd7d1ba24453e837ee9ff1598a2c7af0f27ffbe2a8e3775fcdbc

SHA512
2faf7fef61378ac2486cbc8d6418df5e1b21951e12a29234b008f0a9ca41c110414a2dfed09e15b15eb878d33eef9204df0cba1713019a3c2080e4fd93a6122e

Download Submit
memory/1004-126-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/1004-123-0x0000000001100000-0x000000000114E000-memory.dmp

Filesize
312KB

Download
memory/1736-0-0x00000000015F0000-0x00000000015F1000-memory.dmp

Filesize
4KB

Download
memory/1736-4-0x0000000000060000-0x0000000000399000-memory.dmp

Filesize
3.2MB

Download
memory/2696-91-0x0000000005C20000-0x00000000061C4000-memory.dmp

Filesize
5.6MB

Download
memory/2696-94-0x0000000005770000-0x0000000005802000-memory.dmp

Filesize
584KB

Download
memory/2696-97-0x0000000005830000-0x000000000583A000-memory.dmp

Filesize
40KB

Download
memory/2696-114-0x0000000006390000-0x0000000006406000-memory.dmp

Filesize
472KB

Download
memory/2696-115-0x0000000006A80000-0x0000000006A9E000-memory.dmp

Filesize
120KB

Download
memory/2696-118-0x00000000071C0000-0x00000000077D8000-memory.dmp

Filesize
6.1MB

Download
memory/2696-119-0x0000000006D10000-0x0000000006E1A000-memory.dmp

Filesize
1.0MB

Download
memory/2696-120-0x0000000006C50000-0x0000000006C62000-memory.dmp

Filesize
72KB

Download
memory/2696-121-0x0000000006CB0000-0x0000000006CEC000-memory.dmp

Filesize
240KB

Download
memory/2696-122-0x0000000006E20000-0x0000000006E6C000-memory.dmp

Filesize
304KB

Download
memory/2696-88-0x0000000001210000-0x0000000001262000-memory.dmp

Filesize
328KB

Download
memory/5072-3-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/5072-29-0x0000000000060000-0x0000000000399000-memory.dmp

Filesize
3.2MB

Download