Analysis
max time kernel: 133s
max time network: 143s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-11-2024 19:51
Static task: static1
Behavioral task: behavioral1
Sample: d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
Resource: win7-20240903-en
General
Target: d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
Size: 797KB
MD5: 7ea9f823d613c41364ebb2d1d0a6189a
SHA1: 4f419b26a5c1c9bf6ef7bd3c2aeb753490c0bd5b
SHA256: d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1
SHA512: d9d2898c90c8420ea1d0b4b75964b0f40f3d89651be36b37f9e2918f982bd08b3ebffd4455078e69c904959705e675c40d5a57f3c0686cc79ab375ef2ac5f4de
SSDEEP: 12288:q6K0egDGMTCm4Nj9XuVIxlJY0RJFHV0ea8d1xxHiU78Ejy2QHPlvrqfmhemL11xI:qJ0eoLTCZNjQmfJpXHjHoDfW4eqhgP
Malware Config
Extracted
Family: quasar
Version: 1.3.0.0
Botnet: HTROY
C2: 87.120.116.115:61510
C2: onadeatcamsides.sytes.net:61511
Mutex: QSR_MUTEX_ZAU4jFZ758CCGtDmef
encryption_key: rK1SiSuzs11zCQEpJeMg
install_name: Updates.exe
log_directory: Logs
reconnect_delay: 30000
startup_key: NewUpdates
subdirectory: Mindow
Signatures

Processes:
d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
flow | ioc
9 | ip-api.com
12 | ip-api.com
2 | ip-api.com
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
Quasar family

Quasar payload 7 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1040-8-0x0000000000400000-0x000000000045E000-memory.dmp | family_quasar
behavioral1/memory/1040-6-0x0000000000400000-0x000000000045E000-memory.dmp | family_quasar
behavioral1/memory/1040-4-0x0000000000400000-0x000000000045E000-memory.dmp | family_quasar
behavioral1/memory/820-54-0x0000000000400000-0x000000000045E000-memory.dmp | family_quasar
behavioral1/memory/820-53-0x0000000000400000-0x000000000045E000-memory.dmp | family_quasar
behavioral1/memory/2784-76-0x0000000000400000-0x000000000045E000-memory.dmp | family_quasar
behavioral1/memory/2784-75-0x0000000000400000-0x000000000045E000-memory.dmp | family_quasar
Executes dropped EXE 12 IoCs
Processes:
pid | process
2744 | Updates.exe
2840 | Updates.exe
2776 | Updates.exe
2804 | Updates.exe
2280 | Updates.exe
2524 | Updates.exe
820 | Updates.exe
2236 | Updates.exe
1872 | Updates.exe
2784 | Updates.exe
2788 | Updates.exe
2096 | Updates.exe
Loads dropped DLL 12 IoCs
Processes:
pid | process
1040 | d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
2744 | Updates.exe
2744 | Updates.exe
2744 | Updates.exe
816 | cmd.exe
2280 | Updates.exe
2280 | Updates.exe
2280 | Updates.exe
2520 | cmd.exe
1872 | Updates.exe
1872 | Updates.exe
1872 | Updates.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
2 | ip-api.com
9 | ip-api.com
12 | ip-api.com
Suspicious use of SetThreadContext 12 IoCs
Processes:
description | pid | process | target process
PID 2500 set thread context of 1848 | 2500 | d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe | d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
PID 2500 set thread context of 1040 | 2500 | d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe | d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
PID 2500 set thread context of 2672 | 2500 | d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe | d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
PID 2744 set thread context of 2840 | 2744 | Updates.exe | Updates.exe
PID 2744 set thread context of 2776 | 2744 | Updates.exe | Updates.exe
PID 2744 set thread context of 2804 | 2744 | Updates.exe | Updates.exe
PID 2280 set thread context of 2524 | 2280 | Updates.exe | Updates.exe
PID 2280 set thread context of 820 | 2280 | Updates.exe | Updates.exe
PID 2280 set thread context of 2236 | 2280 | Updates.exe | Updates.exe
PID 1872 set thread context of 2784 | 1872 | Updates.exe | Updates.exe
PID 1872 set thread context of 2788 | 1872 | Updates.exe | Updates.exe
PID 1872 set thread context of 2096 | 1872 | Updates.exe | Updates.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Updates.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Updates.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Updates.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Updates.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Updates.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chcp.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Updates.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Updates.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Updates.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chcp.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Updates.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
pid | process
2120 | PING.EXE
1300 | PING.EXE

Runs ping.exe 1 TTPs 2 IoCs
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
1712 | schtasks.exe
2820 | schtasks.exe
3028 | schtasks.exe
1360 | schtasks.exe
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2500 | d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
Token: SeDebugPrivilege | 1040 | d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
Token: SeDebugPrivilege | 2744 | Updates.exe
Token: SeDebugPrivilege | 2776 | Updates.exe
Token: SeDebugPrivilege | 2280 | Updates.exe
Token: SeDebugPrivilege | 820 | Updates.exe
Token: SeDebugPrivilege | 1872 | Updates.exe
Token: SeDebugPrivilege | 2096 | Updates.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process | entries
PID 2500 wrote to memory of 1848 | 2500 | d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe | d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe | 9
PID 2500 wrote to memory of 1040 | 2500 | d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe | d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe | 9
PID 2500 wrote to memory of 2672 | 2500 | d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe | d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe | 9
PID 1040 wrote to memory of 2820 | 1040 | d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe | schtasks.exe | 4
PID 1040 wrote to memory of 2744 | 1040 | d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe | Updates.exe | 7
PID 2744 wrote to memory of 2840 | 2744 | Updates.exe | Updates.exe | 12
PID 2744 wrote to memory of 2776 | 2744 | Updates.exe | Updates.exe | 12
PID 2744 wrote to memory of 2804 | 2744 | Updates.exe | Updates.exe | 2
(identical rows are collapsed; the entries column gives how many times each row appears in the 64 listed IoCs)
Processes
(process tree; each entry shows image path, command line, PID and the signatures hit; child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe"
  PID: 2500
  - Quasar RAT
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
    PID: 1848

  C:\Users\Admin\AppData\Local\Temp\d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
    PID: 1040
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      cmdline: "schtasks" /create /tn "NewUpdates" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe" /rl HIGHEST /f
      PID: 2820
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

    C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe"
      PID: 2744
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
        cmdline: C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
        PID: 2840
        - Executes dropped EXE

      C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
        cmdline: C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
        PID: 2776
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\schtasks.exe
          cmdline: "schtasks" /create /tn "NewUpdates" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe" /rl HIGHEST /f
          PID: 3028
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task

        C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZqxJfyHzrnXI.bat" "
          PID: 816
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery

          C:\Windows\SysWOW64\chcp.com
            cmdline: chcp 65001
            PID: 2472
            - System Location Discovery: System Language Discovery

          C:\Windows\SysWOW64\PING.EXE
            cmdline: ping -n 10 localhost
            PID: 1300
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe

          C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
            cmdline: "C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe"
            PID: 2280
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken

            C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
              cmdline: C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
              PID: 2524
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery

            C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
              cmdline: C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
              PID: 820
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken

              C:\Windows\SysWOW64\schtasks.exe
                cmdline: "schtasks" /create /tn "NewUpdates" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe" /rl HIGHEST /f
                PID: 1360
                - System Location Discovery: System Language Discovery
                - Scheduled Task/Job: Scheduled Task

              C:\Windows\SysWOW64\cmd.exe
                cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\F2Kw3nME9xkh.bat" "
                PID: 2520
                - Loads dropped DLL
                - System Location Discovery: System Language Discovery

                C:\Windows\SysWOW64\chcp.com
                  cmdline: chcp 65001
                  PID: 2300
                  - System Location Discovery: System Language Discovery

                C:\Windows\SysWOW64\PING.EXE
                  cmdline: ping -n 10 localhost
                  PID: 2120
                  - System Location Discovery: System Language Discovery
                  - System Network Configuration Discovery: Internet Connection Discovery
                  - Runs ping.exe

                C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
                  cmdline: "C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe"
                  PID: 1872
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Suspicious use of SetThreadContext
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of AdjustPrivilegeToken

                  C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
                    cmdline: C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
                    PID: 2784
                    - Executes dropped EXE
                    - System Location Discovery: System Language Discovery

                  C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
                    cmdline: C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
                    PID: 2788
                    - Executes dropped EXE

                  C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
                    cmdline: C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
                    PID: 2096
                    - Executes dropped EXE
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of AdjustPrivilegeToken

                    C:\Windows\SysWOW64\schtasks.exe
                      cmdline: "schtasks" /create /tn "NewUpdates" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe" /rl HIGHEST /f
                      PID: 1712
                      - System Location Discovery: System Language Discovery
                      - Scheduled Task/Job: Scheduled Task

            C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
              cmdline: C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
              PID: 2236
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery

      C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
        cmdline: C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
        PID: 2804
        - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
    PID: 2672

Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 208B
MD5: 70e57fdd50a1c1d01f9823afd3c284ba
SHA1: 06ecdc8b08cfe41ed808fff0af18d848579305a8
SHA256: cfb6028cef7ba71363eccf05dcb8f83d963016d97e8bc4dbfc2a4931cb3cabfc
SHA512: e15002dab1d6bb16717dc5766a7bab22c62b18f932e9c27a3ac68dd786bd3593bc1564b7a7b7d5e77028669f2be38f1bb2daf8ec649e767e03fc0ea0b5a4d323

Filesize: 208B
MD5: ff6f2e0c33e6d51fa7a0f592c47c00da
SHA1: 43a3c4a8953b1e9dae451b81c8100f54df34fb54
SHA256: 64a7c16d11bdbf86a0b6f781766cf73045d4a61fed7251f6a04efa4a8aa7b030
SHA512: a7daaea7fc4898f4b17d1af2f84d255daa010dfc6b184a6238dffb746bcfb0655033834e0ca1d2780c7d433f177a383049ef609283a78bb7d2925ae20b6818f3

Filesize: 797KB
MD5: 7ea9f823d613c41364ebb2d1d0a6189a
SHA1: 4f419b26a5c1c9bf6ef7bd3c2aeb753490c0bd5b
SHA256: d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1
SHA512: d9d2898c90c8420ea1d0b4b75964b0f40f3d89651be36b37f9e2918f982bd08b3ebffd4455078e69c904959705e675c40d5a57f3c0686cc79ab375ef2ac5f4de