quasar | d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1

General

Target

d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
Size

797KB
MD5

7ea9f823d613c41364ebb2d1d0a6189a
SHA1

4f419b26a5c1c9bf6ef7bd3c2aeb753490c0bd5b
SHA256

d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1
SHA512

d9d2898c90c8420ea1d0b4b75964b0f40f3d89651be36b37f9e2918f982bd08b3ebffd4455078e69c904959705e675c40d5a57f3c0686cc79ab375ef2ac5f4de
SSDEEP

12288:q6K0egDGMTCm4Nj9XuVIxlJY0RJFHV0ea8d1xxHiU78Ejy2QHPlvrqfmhemL11xI:qJ0eoLTCZNjQmfJpXHjHoDfW4eqhgP

Score

10^/10

quasar htroy discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

HTROY

C2

87.120.116.115:61510

onadeatcamsides.sytes.net:61511

Mutex

QSR_MUTEX_ZAU4jFZ758CCGtDmef

Attributes

encryption_key
rK1SiSuzs11zCQEpJeMg
install_name
Updates.exe
log_directory
Logs
reconnect_delay
30000
startup_key
NewUpdates
subdirectory
Mindow

Signatures

Quasar RAT 3 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

Processes:

d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe

flow	ioc
8	ip-api.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
43	ip-api.com

Quasar family
quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4604-6-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Updates.exeUpdates.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Updates.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Updates.exe

Executes dropped EXE 12 IoCs

Processes:

Updates.exeUpdates.exeUpdates.exeUpdates.exeUpdates.exeUpdates.exeUpdates.exeUpdates.exeUpdates.exeUpdates.exeUpdates.exeUpdates.exe

pid	process
3820	Updates.exe
4948	Updates.exe
1364	Updates.exe
4820	Updates.exe
512	Updates.exe
2972	Updates.exe
4776	Updates.exe
1428	Updates.exe
3540	Updates.exe
1016	Updates.exe
2552	Updates.exe
2784	Updates.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ip-api.com
43 ip-api.com

flow	ioc
8	ip-api.com
43	ip-api.com

Suspicious use of SetThreadContext 12 IoCs

Processes:

d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exeUpdates.exeUpdates.exeUpdates.exe

description	pid	process	target process
PID 2816 set thread context of 3604	2816	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
PID 2816 set thread context of 4604	2816	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
PID 2816 set thread context of 464	2816	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
PID 3820 set thread context of 4948	3820	Updates.exe	Updates.exe
PID 3820 set thread context of 1364	3820	Updates.exe	Updates.exe
PID 3820 set thread context of 4820	3820	Updates.exe	Updates.exe
PID 512 set thread context of 2972	512	Updates.exe	Updates.exe
PID 512 set thread context of 4776	512	Updates.exe	Updates.exe
PID 512 set thread context of 1428	512	Updates.exe	Updates.exe
PID 3540 set thread context of 1016	3540	Updates.exe	Updates.exe
PID 3540 set thread context of 2552	3540	Updates.exe	Updates.exe
PID 3540 set thread context of 2784	3540	Updates.exe	Updates.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2776	3604	WerFault.exe	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
4808	1364	WerFault.exe	Updates.exe
768	4820	WerFault.exe	Updates.exe
4444	2972	WerFault.exe	Updates.exe
4872	1428	WerFault.exe	Updates.exe
2320	1016	WerFault.exe	Updates.exe
3608	2552	WerFault.exe	Updates.exe
3880	2784	WerFault.exe	Updates.exe

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exeUpdates.exeUpdates.exePING.EXEUpdates.exed36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exed36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exeUpdates.exeschtasks.exePING.EXEUpdates.execmd.exechcp.comschtasks.exeschtasks.execmd.exechcp.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updates.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updates.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updates.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updates.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updates.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXEPING.EXE

pid process

3876 PING.EXE
548 PING.EXE
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

3876 PING.EXE
548 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2544 schtasks.exe
4384 schtasks.exe
3468 schtasks.exe

pid	process
3876	PING.EXE
548	PING.EXE

pid	process
3876	PING.EXE
548	PING.EXE

pid	process
2544	schtasks.exe
4384	schtasks.exe
3468	schtasks.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exed36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exeUpdates.exeUpdates.exeUpdates.exeUpdates.exeUpdates.exe

description	pid	process
Token: SeDebugPrivilege	2816	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
Token: SeDebugPrivilege	464	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
Token: SeDebugPrivilege	3820	Updates.exe
Token: SeDebugPrivilege	4948	Updates.exe
Token: SeDebugPrivilege	512	Updates.exe
Token: SeDebugPrivilege	4776	Updates.exe
Token: SeDebugPrivilege	3540	Updates.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

Updates.exeUpdates.exe

pid process

1364 Updates.exe
1428 Updates.exe

pid	process
1364	Updates.exe
1428	Updates.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exed36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exeUpdates.exeUpdates.execmd.exe

description	pid	process	target process
PID 2816 wrote to memory of 3604	2816	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
PID 2816 wrote to memory of 3604	2816	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
PID 2816 wrote to memory of 3604	2816	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
PID 2816 wrote to memory of 3604	2816	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
PID 2816 wrote to memory of 3604	2816	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
PID 2816 wrote to memory of 3604	2816	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
PID 2816 wrote to memory of 3604	2816	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
PID 2816 wrote to memory of 3604	2816	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
PID 2816 wrote to memory of 4604	2816	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
PID 2816 wrote to memory of 4604	2816	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
PID 2816 wrote to memory of 4604	2816	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
PID 2816 wrote to memory of 4604	2816	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
PID 2816 wrote to memory of 4604	2816	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
PID 2816 wrote to memory of 4604	2816	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
PID 2816 wrote to memory of 4604	2816	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
PID 2816 wrote to memory of 4604	2816	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
PID 2816 wrote to memory of 464	2816	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
PID 2816 wrote to memory of 464	2816	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
PID 2816 wrote to memory of 464	2816	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
PID 2816 wrote to memory of 464	2816	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
PID 2816 wrote to memory of 464	2816	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
PID 2816 wrote to memory of 464	2816	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
PID 2816 wrote to memory of 464	2816	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
PID 2816 wrote to memory of 464	2816	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
PID 464 wrote to memory of 2544	464	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	schtasks.exe
PID 464 wrote to memory of 2544	464	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	schtasks.exe
PID 464 wrote to memory of 2544	464	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	schtasks.exe
PID 464 wrote to memory of 3820	464	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	Updates.exe
PID 464 wrote to memory of 3820	464	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	Updates.exe
PID 464 wrote to memory of 3820	464	d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe	Updates.exe
PID 3820 wrote to memory of 4948	3820	Updates.exe	Updates.exe
PID 3820 wrote to memory of 4948	3820	Updates.exe	Updates.exe
PID 3820 wrote to memory of 4948	3820	Updates.exe	Updates.exe
PID 3820 wrote to memory of 4948	3820	Updates.exe	Updates.exe
PID 3820 wrote to memory of 4948	3820	Updates.exe	Updates.exe
PID 3820 wrote to memory of 4948	3820	Updates.exe	Updates.exe
PID 3820 wrote to memory of 4948	3820	Updates.exe	Updates.exe
PID 3820 wrote to memory of 4948	3820	Updates.exe	Updates.exe
PID 3820 wrote to memory of 1364	3820	Updates.exe	Updates.exe
PID 3820 wrote to memory of 1364	3820	Updates.exe	Updates.exe
PID 3820 wrote to memory of 1364	3820	Updates.exe	Updates.exe
PID 3820 wrote to memory of 1364	3820	Updates.exe	Updates.exe
PID 3820 wrote to memory of 1364	3820	Updates.exe	Updates.exe
PID 3820 wrote to memory of 1364	3820	Updates.exe	Updates.exe
PID 3820 wrote to memory of 1364	3820	Updates.exe	Updates.exe
PID 3820 wrote to memory of 1364	3820	Updates.exe	Updates.exe
PID 3820 wrote to memory of 4820	3820	Updates.exe	Updates.exe
PID 3820 wrote to memory of 4820	3820	Updates.exe	Updates.exe
PID 3820 wrote to memory of 4820	3820	Updates.exe	Updates.exe
PID 3820 wrote to memory of 4820	3820	Updates.exe	Updates.exe
PID 3820 wrote to memory of 4820	3820	Updates.exe	Updates.exe
PID 3820 wrote to memory of 4820	3820	Updates.exe	Updates.exe
PID 3820 wrote to memory of 4820	3820	Updates.exe	Updates.exe
PID 3820 wrote to memory of 4820	3820	Updates.exe	Updates.exe
PID 4948 wrote to memory of 4384	4948	Updates.exe	schtasks.exe
PID 4948 wrote to memory of 4384	4948	Updates.exe	schtasks.exe
PID 4948 wrote to memory of 4384	4948	Updates.exe	schtasks.exe
PID 4948 wrote to memory of 3016	4948	Updates.exe	cmd.exe
PID 4948 wrote to memory of 3016	4948	Updates.exe	cmd.exe
PID 4948 wrote to memory of 3016	4948	Updates.exe	cmd.exe
PID 3016 wrote to memory of 2360	3016	cmd.exe	chcp.com
PID 3016 wrote to memory of 2360	3016	cmd.exe	chcp.com
PID 3016 wrote to memory of 2360	3016	cmd.exe	chcp.com
PID 3016 wrote to memory of 3876	3016	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
"C:\Users\Admin\AppData\Local\Temp\d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe"
1⤵
- Quasar RAT
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Local\Temp\d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
  C:\Users\Admin\AppData\Local\Temp\d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
  2⤵
  PID:3604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 80
    3⤵
    - Program crash
    PID:2776
- C:\Users\Admin\AppData\Local\Temp\d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
  C:\Users\Admin\AppData\Local\Temp\d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4604
- C:\Users\Admin\AppData\Local\Temp\d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
  C:\Users\Admin\AppData\Local\Temp\d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "NewUpdates" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2544
- - C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
    "C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3820
  - - C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
      C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4948
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "NewUpdates" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4384
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ivdo37YPLwWW.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3016
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2360
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3876
      - C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
        
        "C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:512
        
        C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
        
        C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
        7⤵
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 80
        8⤵
        Program crash
        
        PID:4444
        
        C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
        
        C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4776
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "NewUpdates" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe" /rl HIGHEST /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3kUdi4VqFcf3.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:548
        
        C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
        
        "C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3540
        
        C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
        
        C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
        10⤵
        Executes dropped EXE
        
        PID:1016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 80
        11⤵
        Program crash
        
        PID:2320
        
        C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
        
        C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
        10⤵
        Executes dropped EXE
        
        PID:2552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 80
        11⤵
        Program crash
        
        PID:3608
        
        C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
        
        C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
        10⤵
        Executes dropped EXE
        
        PID:2784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 80
        11⤵
        Program crash
        
        PID:3880
        
        C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
        
        C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
        7⤵
        Executes dropped EXE
        Suspicious use of UnmapMainImage
        
        PID:1428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 12
        8⤵
        Program crash
        
        PID:4872
  - - C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
      C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
      4⤵
      Executes dropped EXE
      Suspicious use of UnmapMainImage
      PID:1364
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 12
        5⤵
        Program crash
        
        PID:4808
  - - C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
      C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe
      4⤵
      Executes dropped EXE
      PID:4820
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 80
        5⤵
        Program crash
        
        PID:768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3604 -ip 3604
1⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1364 -ip 1364
1⤵
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4820 -ip 4820
1⤵
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2972 -ip 2972
1⤵
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1428 -ip 1428
1⤵
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1016 -ip 1016
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2552 -ip 2552
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2784 -ip 2784
1⤵
PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe.log

Filesize
522B

MD5
0f39d6b9afc039d81ff31f65cbf76826

SHA1
8356d04fe7bba2695d59b6caf5c59f58f3e1a6d8

SHA256
ea16b63ffd431ebf658b903710b6b3a9b8a2eb6814eee3a53b707a342780315d

SHA512
5bad54adb2e32717ef6275f49e2f101dd7e2011c9be14a32e5c29051e8a3f608cbd0b44ac4855ab21e790cb7a5d84c5f69de087074fd01b35259d34d07f5aaf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3kUdi4VqFcf3.bat

Filesize
208B

MD5
fae185e2082d5557fd7d7a95a54b9ec8

SHA1
c3541842e9a07538e778f9f8865c1cc74dede0d8

SHA256
4248ed167268c26b65161744068f826ef611825d2df9494ce71ca99aedf6c0a6

SHA512
d5f807c63b08d87c5d6cf3af5b8c21236f66ed383b40812446b5f749b64292f858371e8f1ec34a26ed2881060e7abdad8d665e9c16b3b9615e3e85c9e21a869a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ivdo37YPLwWW.bat

Filesize
208B

MD5
066f9cd86dd363532c0fc77ca4254a18

SHA1
68b573beff8765c87a7583bbe2217b94a291206f

SHA256
1c2aa87f5ddf982ff0a7a315643ee6b855a6c529dc5bfebb27fcf3fbef3e4687

SHA512
663bb908d20a709acf2924c00f92884ed98d9287433eaaa77ac0721f511e541354fe6fcfa5a7e91f2a6e688fe8be547eb5cbdbf6eefebf8fe2281fc769118e9f

Download Submit
C:\Users\Admin\AppData\Roaming\Mindow\Updates.exe

Filesize
797KB

MD5
7ea9f823d613c41364ebb2d1d0a6189a

SHA1
4f419b26a5c1c9bf6ef7bd3c2aeb753490c0bd5b

SHA256
d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1

SHA512
d9d2898c90c8420ea1d0b4b75964b0f40f3d89651be36b37f9e2918f982bd08b3ebffd4455078e69c904959705e675c40d5a57f3c0686cc79ab375ef2ac5f4de

Download Submit
memory/464-18-0x00000000065B0000-0x00000000065C2000-memory.dmp

Filesize
72KB

Download
memory/464-17-0x0000000005760000-0x00000000057C6000-memory.dmp

Filesize
408KB

Download
memory/464-16-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/464-20-0x0000000006C30000-0x0000000006C6C000-memory.dmp

Filesize
240KB

Download
memory/464-25-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/464-14-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/2816-4-0x0000000005900000-0x000000000599C000-memory.dmp

Filesize
624KB

Download
memory/2816-12-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/2816-0-0x000000007462E000-0x000000007462F000-memory.dmp

Filesize
4KB

Download
memory/2816-3-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/2816-2-0x00000000056B0000-0x000000000579E000-memory.dmp

Filesize
952KB

Download
memory/2816-1-0x0000000000CB0000-0x0000000000D82000-memory.dmp

Filesize
840KB

Download
memory/4604-6-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4604-19-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/4604-15-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/4604-11-0x0000000005BD0000-0x0000000006174000-memory.dmp

Filesize
5.6MB

Download
memory/4604-13-0x00000000056E0000-0x0000000005772000-memory.dmp

Filesize
584KB

Download
memory/4604-10-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/4948-34-0x0000000006F00000-0x0000000006F0A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads