da3d1081146490256d4f9a915346aacd2798ceb25bbfac7fb0712633d01df614

General

Target

autodist_proproctor_M2.zip
Size

12.7MB
MD5

79e16be058aebef738d903f58c47d15a
SHA1

c525be68407f85dc8bc81dfe5e9127fc57d33efc
SHA256

da3d1081146490256d4f9a915346aacd2798ceb25bbfac7fb0712633d01df614
SHA512

bad71405fe43d05ef966f19e45d05ec38123f99e2680acc713a8711e9506ccc9339e19b80c6bab29e6b67c99a74dcfc644ceb4e1c76a566f4ce183ebb79b83e8
SSDEEP

393216:OEy8XJ+hbq//9eM2m5ojIYxavz7s7mdTSi65Y:Ny8XwqteM2m5oj1+3EgTn65Y

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Quasar.vmp.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Quasar.vmp.exe

Executes dropped EXE 1 IoCs

Processes:

Quasar.vmp.exe

pid	Process
3704	Quasar.vmp.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Quasar.vmp.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Quasar.vmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Quasar.vmp.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Quasar.vmp.exe

pid	Process
3704	Quasar.vmp.exe
3704	Quasar.vmp.exe

Modifies registry class 1 IoCs

Processes:

7zFM.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid	Process
4512	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7zFM.exe

description	pid	Process
Token: SeRestorePrivilege	4512	7zFM.exe
Token: 35	4512	7zFM.exe
Token: SeSecurityPrivilege	4512	7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7zFM.exeQuasar.vmp.exe

pid	Process
4512	7zFM.exe
4512	7zFM.exe
3704	Quasar.vmp.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Quasar.vmp.exe

pid	Process
3704	Quasar.vmp.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

Quasar.vmp.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Quasar.vmp.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\autodist_proproctor_M2.zip"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4512

C:\Users\Admin\Desktop\Quasar.vmp.exe
"C:\Users\Admin\Desktop\Quasar.vmp.exe"
1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- System policy modification
PID:3704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Mono.Cecil.dll

Filesize
277KB

MD5
8df4d6b5dc1629fcefcdc20210a88eac

SHA1
16c661757ad90eb84228aa3487db11a2eac6fe64

SHA256
3e4288b32006fe8499b43a7f605bb7337931847a0aa79a33217a1d6d1a6c397e

SHA512
874b4987865588efb806a283b0e785fd24e8b1562026edd43050e150bce6c883134f3c8ad0f8c107b0fb1b26fce6ddcc7e344a5f55c3788dac35035b13d15174

Download Submit
C:\Users\Admin\Desktop\Mono.Nat.dll

Filesize
45KB

MD5
e3986207ac534dcc31265bbfbd2ccc79

SHA1
3f1139ed1a4e2332507765a60ed2bf4dc0d6c29e

SHA256
89bf6331396dcf10a4d779059105f61a50b4d2fbbe7bf89cdd5dc3102296415f

SHA512
ede1e4bd5763cbeee3b20b53c8678c2a73cd50ca6963235cfab5a7795fc8cc47b42a4e9e0b16b4b68d0b39590bd61fc0e63a9667ead2414e7d1bb2c5e7d95cbb

Download Submit
C:\Users\Admin\Desktop\Quasar.vmp.exe

Filesize
2.1MB

MD5
a0dace1b704c623aba724810af79fb01

SHA1
39ccaaa4ed9840a2f8492f0bda615ae9f8e8b8dd

SHA256
ef857f86022cd05c7916f9422ea9f731277b33a4c21efd2e2a475d95d6739f6d

SHA512
b6ccc516c7b506d4ad8094474c9b558f79a189e0790344aac54f240a9124f13dff7d485fdbcc05d83ea7330ce673f88bd4a51c7c09668cf5a006ca09304054dc

Download Submit
C:\Users\Admin\Desktop\Vestris.ResourceLib.dll

Filesize
76KB

MD5
64e9cb25aeefeeba3bb579fb1a5559bc

SHA1
e719f80fcbd952609475f3d4a42aa578b2034624

SHA256
34cab594ce9c9af8e12a6923fc16468f5b87e168777db4be2f04db883c1db993

SHA512
b21cd93f010b345b09b771d24b2e5eeed3b73a82fc16badafea7f0324e39477b0d7033623923313d2de5513cb778428ae10161ae7fc0d6b00e446f8d89cf0f8c

Download Submit
C:\Users\Admin\Desktop\settings.xml

Filesize
410B

MD5
12251926fa9dcba8e4804f6a4b916738

SHA1
e05acba7468274ad42d42f3074e26e46e2ae5474

SHA256
4146117a7634ca0298529582217756dd06d19370d6806325ce0ab07878bb0c57

SHA512
d9bb8b63ae15195e652412a5cfa81b863675a5405e8945dee8679b96ed65eac58ffe2af411981058ddc51640d7316a6535ccbaa9591d763df7f43380bc8ad104

Download Submit
memory/3704-25-0x000002508FEE0000-0x000002508FEE1000-memory.dmp

Filesize
4KB

Download
memory/3704-22-0x00007FFCF99D3000-0x00007FFCF99D5000-memory.dmp

Filesize
8KB

Download
memory/3704-24-0x00007FFCF99D0000-0x00007FFCFA492000-memory.dmp

Filesize
10.8MB

Download
memory/3704-29-0x000002508FF10000-0x000002508FF22000-memory.dmp

Filesize
72KB

Download
memory/3704-23-0x000002508DF40000-0x000002508E394000-memory.dmp

Filesize
4.3MB

Download
memory/3704-31-0x000002508FF30000-0x000002508FF4A000-memory.dmp

Filesize
104KB

Download
memory/3704-32-0x00007FFCF99D0000-0x00007FFCFA492000-memory.dmp

Filesize
10.8MB

Download
memory/3704-27-0x000002508FF80000-0x000002508FFCC000-memory.dmp

Filesize
304KB

Download
memory/3704-34-0x00007FFCF99D0000-0x00007FFCFA492000-memory.dmp

Filesize
10.8MB

Download
memory/3704-35-0x00007FFCF99D0000-0x00007FFCFA492000-memory.dmp

Filesize
10.8MB

Download
memory/3704-36-0x00007FFCF99D0000-0x00007FFCFA492000-memory.dmp

Filesize
10.8MB

Download
memory/3704-37-0x00000250AB620000-0x00000250AB644000-memory.dmp

Filesize
144KB

Download
memory/3704-38-0x00000250900D0000-0x00000250900E2000-memory.dmp

Filesize
72KB

Download
memory/3704-39-0x00007FFCF99D0000-0x00007FFCFA492000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads