quasar | 00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c

Analysis

max time kernel
138s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Size

934KB
MD5

fee0d9b8fd3d7765f902463817e0db71
SHA1

a2e83ee17368cfbcaa52fa36eeb5b192e3d21c42
SHA256

00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c
SHA512

dfdf07b1c8211bb0bf3db619cbc07f7746f793bbb284247e6865d08e15dd83bccf668ea752f1431df51b508e69acb6eed291692119a4c72b3564bcc0124166fa
SSDEEP

12288:BkMv6/ZKWZFZJuugJ7PxAv1HXyg+S4ZcTAPxAGvxnnOF0T2l5sZjJ:BkMvOZJu/7Zsyg+eEP2GZEJOJ

Score

10^/10

quasar defense_evasion discovery evasion execution impact persistence ransomware spyware trojan

Malware Config

Signatures

Contains code to disable Windows Defender 5 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/2816-15-0x0000000000400000-0x000000000045C000-memory.dmp	disable_win_def
behavioral1/memory/2816-19-0x0000000000400000-0x000000000045C000-memory.dmp	disable_win_def
behavioral1/memory/2816-17-0x0000000000400000-0x000000000045C000-memory.dmp	disable_win_def
behavioral1/memory/2816-11-0x0000000000400000-0x000000000045C000-memory.dmp	disable_win_def
behavioral1/memory/2816-9-0x0000000000400000-0x000000000045C000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 9 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Vespre.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Vespre.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Vespre.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Vespre.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\Start = "4"	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	Vespre.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\Start = "4"	Vespre.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 5 IoCs

resource	yara_rule
behavioral1/memory/2816-15-0x0000000000400000-0x000000000045C000-memory.dmp	family_quasar
behavioral1/memory/2816-19-0x0000000000400000-0x000000000045C000-memory.dmp	family_quasar
behavioral1/memory/2816-17-0x0000000000400000-0x000000000045C000-memory.dmp	family_quasar
behavioral1/memory/2816-11-0x0000000000400000-0x000000000045C000-memory.dmp	family_quasar
behavioral1/memory/2816-9-0x0000000000400000-0x000000000045C000-memory.dmp	family_quasar

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Vespre.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Vespre.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Vespre.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "1"	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "1"	Vespre.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Executes dropped EXE 3 IoCs

pid	Process
1972	Vespre.exe
2668	Vespre.exe
1044	Vespre.exe

Loads dropped DLL 2 IoCs

pid	Process
2816	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
2816	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "1"	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\DisableAntiSpyware = "1"	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Vespre.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "1"	Vespre.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\DisableAntiSpyware = "1"	Vespre.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iceTelemetryLogtte = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe\""	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iceTelemetryLogtte = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe\""	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iceTelemetryLogtte = "\"C:\\Users\\Admin\\AppData\\Roaming\\GPret\\Vespre.exe\""	Vespre.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iceTelemetryLogtte = "\"C:\\Users\\Admin\\AppData\\Roaming\\GPret\\Vespre.exe\""	Vespre.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Vespre.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Vespre.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com
9	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Modifies Security services 2 TTPs 16 IoCs

Modifies the startup behavior of a security service.

defense_evasion

Modify Registry

T1112

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	Vespre.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WdNisDrv\Start = "4"	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WdBoot\Start = "4"	Vespre.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	Vespre.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WdFilter\Start = "4"	Vespre.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	Vespre.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WdNisSvc\Start = "4"	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4"	Vespre.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WdBoot\Start = "4"	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WdFilter\Start = "4"	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WdNisSvc\Start = "4"	Vespre.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4"	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WdNisDrv\Start = "4"	Vespre.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2692 set thread context of 2816	2692	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	32
PID 1972 set thread context of 1044	1972	Vespre.exe	45

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vespre.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vespre.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1992	vssadmin.exe
560	vssadmin.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3032	schtasks.exe
2984	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2692	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
2692	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
1900	powershell.exe
1972	Vespre.exe
1972	Vespre.exe
2832	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Token: SeDebugPrivilege	2816	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Token: SeBackupPrivilege	2432	vssvc.exe
Token: SeRestorePrivilege	2432	vssvc.exe
Token: SeAuditPrivilege	2432	vssvc.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	1972	Vespre.exe
Token: SeDebugPrivilege	1044	Vespre.exe
Token: SeDebugPrivilege	2832	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1044	Vespre.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2800	2692	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	31
PID 2692 wrote to memory of 2800	2692	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	31
PID 2692 wrote to memory of 2800	2692	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	31
PID 2692 wrote to memory of 2800	2692	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	31
PID 2692 wrote to memory of 2816	2692	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	32
PID 2692 wrote to memory of 2816	2692	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	32
PID 2692 wrote to memory of 2816	2692	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	32
PID 2692 wrote to memory of 2816	2692	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	32
PID 2692 wrote to memory of 2816	2692	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	32
PID 2692 wrote to memory of 2816	2692	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	32
PID 2692 wrote to memory of 2816	2692	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	32
PID 2692 wrote to memory of 2816	2692	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	32
PID 2692 wrote to memory of 2816	2692	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	32
PID 2816 wrote to memory of 3032	2816	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	34
PID 2816 wrote to memory of 3032	2816	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	34
PID 2816 wrote to memory of 3032	2816	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	34
PID 2816 wrote to memory of 3032	2816	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	34
PID 2816 wrote to memory of 2500	2816	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	36
PID 2816 wrote to memory of 2500	2816	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	36
PID 2816 wrote to memory of 2500	2816	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	36
PID 2816 wrote to memory of 2500	2816	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	36
PID 2816 wrote to memory of 1992	2816	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	38
PID 2816 wrote to memory of 1992	2816	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	38
PID 2816 wrote to memory of 1992	2816	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	38
PID 2816 wrote to memory of 1992	2816	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	38
PID 2816 wrote to memory of 1900	2816	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	41
PID 2816 wrote to memory of 1900	2816	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	41
PID 2816 wrote to memory of 1900	2816	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	41
PID 2816 wrote to memory of 1900	2816	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	41
PID 2816 wrote to memory of 1972	2816	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	43
PID 2816 wrote to memory of 1972	2816	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	43
PID 2816 wrote to memory of 1972	2816	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	43
PID 2816 wrote to memory of 1972	2816	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe	43
PID 1972 wrote to memory of 2668	1972	Vespre.exe	44
PID 1972 wrote to memory of 2668	1972	Vespre.exe	44
PID 1972 wrote to memory of 2668	1972	Vespre.exe	44
PID 1972 wrote to memory of 2668	1972	Vespre.exe	44
PID 1972 wrote to memory of 1044	1972	Vespre.exe	45
PID 1972 wrote to memory of 1044	1972	Vespre.exe	45
PID 1972 wrote to memory of 1044	1972	Vespre.exe	45
PID 1972 wrote to memory of 1044	1972	Vespre.exe	45
PID 1972 wrote to memory of 1044	1972	Vespre.exe	45
PID 1972 wrote to memory of 1044	1972	Vespre.exe	45
PID 1972 wrote to memory of 1044	1972	Vespre.exe	45
PID 1972 wrote to memory of 1044	1972	Vespre.exe	45
PID 1972 wrote to memory of 1044	1972	Vespre.exe	45
PID 1044 wrote to memory of 2984	1044	Vespre.exe	46
PID 1044 wrote to memory of 2984	1044	Vespre.exe	46
PID 1044 wrote to memory of 2984	1044	Vespre.exe	46
PID 1044 wrote to memory of 2984	1044	Vespre.exe	46
PID 1044 wrote to memory of 672	1044	Vespre.exe	48
PID 1044 wrote to memory of 672	1044	Vespre.exe	48
PID 1044 wrote to memory of 672	1044	Vespre.exe	48
PID 1044 wrote to memory of 672	1044	Vespre.exe	48
PID 1044 wrote to memory of 560	1044	Vespre.exe	50
PID 1044 wrote to memory of 560	1044	Vespre.exe	50
PID 1044 wrote to memory of 560	1044	Vespre.exe	50
PID 1044 wrote to memory of 560	1044	Vespre.exe	50
PID 1044 wrote to memory of 2832	1044	Vespre.exe	52
PID 1044 wrote to memory of 2832	1044	Vespre.exe	52
PID 1044 wrote to memory of 2832	1044	Vespre.exe	52
PID 1044 wrote to memory of 2832	1044	Vespre.exe	52

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Vespre.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Vespre.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Vespre.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
"C:\Users\Admin\AppData\Local\Temp\00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Local\Temp\00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
  "C:\Users\Admin\AppData\Local\Temp\00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe"
  2⤵
  PID:2800
- C:\Users\Admin\AppData\Local\Temp\00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe
  "C:\Users\Admin\AppData\Local\Temp\00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Modifies security service
  - UAC bypass
  - Windows security bypass
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Modifies Security services
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2816
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "\Microsoft\Windows\System\Dev34\Files\iceTelemetryLogtte" /SC MINUTE /MO 3 /RL HIGHEST /tr "C:\Users\Admin\AppData\Local\Temp\00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3032
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /delete /tn "iceTelemetryLogtte" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2500
- - C:\Windows\SysWOW64\vssadmin.exe
    "vssadmin" delete shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1992
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1900
- - C:\Users\Admin\AppData\Roaming\GPret\Vespre.exe
    "C:\Users\Admin\AppData\Roaming\GPret\Vespre.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Users\Admin\AppData\Roaming\GPret\Vespre.exe
      "C:\Users\Admin\AppData\Roaming\GPret\Vespre.exe"
      4⤵
      Executes dropped EXE
      PID:2668
  - - C:\Users\Admin\AppData\Roaming\GPret\Vespre.exe
      "C:\Users\Admin\AppData\Roaming\GPret\Vespre.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Modifies security service
      UAC bypass
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks whether UAC is enabled
      Modifies Security services
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1044
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "\Microsoft\Windows\System\Dev34\Files\iceTelemetryLogtte" /SC MINUTE /MO 3 /RL HIGHEST /tr "C:\Users\Admin\AppData\Roaming\GPret\Vespre.exe" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2984
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /delete /tn "iceTelemetryLogtte" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:672
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        "vssadmin" delete shadows /all /quiet
        5⤵
        System Location Discovery: System Language Discovery
        Interacts with shadow copies
        
        PID:560
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\GPret\settings.xml

Filesize
137B

MD5
5e2fed2afe7d007c0ab27b308afed971

SHA1
61a28c39e779581188313be2259998eb897cf4aa

SHA256
5b3b07df23c2b320bfb878662e8f812c96e3b8dbda668adb173a3aa236c98f52

SHA512
f6e593810403313382c69cf41b97536c63b348e8e9648d3e65675297a47c2ef5d9be302acee4999b3225f01f3fafd6a7735932e7b6f1e81f7b85d5523b730382

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
bb6f7d496c55a7ca16270be9d3924249

SHA1
fc1f40cd3e147a3df38f24ec6a3b07f639c5f436

SHA256
f58254c98322bef0fb3fcaa847d894f7ce19991373ef69c4edce8c27db0588e7

SHA512
afa8229e19adca4624ca75ec14779e18f966b622ddbcaf4e731a3a1a2f11514aee87c2209b952ff9107a28441026bcadb546c503b9fdc0a7a637b755858feb74

Download Submit
\Users\Admin\AppData\Roaming\GPret\Vespre.exe

Filesize
934KB

MD5
fee0d9b8fd3d7765f902463817e0db71

SHA1
a2e83ee17368cfbcaa52fa36eeb5b192e3d21c42

SHA256
00752a2889e0712000b18846f8a060434d23d6fcae5e98e3cb8d39f70376366c

SHA512
dfdf07b1c8211bb0bf3db619cbc07f7746f793bbb284247e6865d08e15dd83bccf668ea752f1431df51b508e69acb6eed291692119a4c72b3564bcc0124166fa

Download Submit
memory/1044-53-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1972-43-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/1972-42-0x0000000000E90000-0x0000000000F7E000-memory.dmp

Filesize
952KB

Download
memory/2692-6-0x0000000005360000-0x0000000005400000-memory.dmp

Filesize
640KB

Download
memory/2692-21-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2692-1-0x0000000001270000-0x000000000135E000-memory.dmp

Filesize
952KB

Download
memory/2692-2-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2692-3-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/2692-4-0x000000007408E000-0x000000007408F000-memory.dmp

Filesize
4KB

Download
memory/2692-5-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2692-0-0x000000007408E000-0x000000007408F000-memory.dmp

Filesize
4KB

Download
memory/2816-7-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2816-8-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2816-9-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2816-22-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2816-11-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2816-41-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2816-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2816-17-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2816-20-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2816-19-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2816-15-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download