quasar | hxxps://gofile[.]io/d/KNKNlk

Analysis

max time kernel
70s
max time network
78s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/KNKNlk

Score

10^/10

quasar emmassub discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

EmmasSub

rath3r.xyz:4782

Mutex

7126373e-e872-4f94-bbbb-42e88d57137b

Attributes

encryption_key
4DC093FC202D016F95DCEE92AAF2874F56ACC3F2
install_name
Windows.WARP.JITService.exe
log_directory
Logs
reconnect_delay
3000
startup_key
MicrosoftUpdateTaskMachineCore
subdirectory
ice

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cdc-180.dat	family_quasar
behavioral1/memory/6084-189-0x0000000000340000-0x0000000000664000-memory.dmp	family_quasar

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
2384	emmasBackdoor.exe
4456	emmasBackdoor.tmp
6084	Client.exe
1868	Windows.WARP.JITService.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\ice	Windows.WARP.JITService.exe
File created	C:\Windows\system32\ice\Windows.WARP.JITService.exe	Client.exe
File opened for modification	C:\Windows\system32\ice\Windows.WARP.JITService.exe	Client.exe
File opened for modification	C:\Windows\system32\ice	Client.exe
File opened for modification	C:\Windows\system32\ice\Windows.WARP.JITService.exe	Windows.WARP.JITService.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\EmmasBackdoor\is-DHHAU.tmp	emmasBackdoor.tmp
File opened for modification	C:\Program Files (x86)\EmmasBackdoor\unins000.dat	emmasBackdoor.tmp
File opened for modification	C:\Program Files (x86)\EmmasBackdoor\Client.exe	emmasBackdoor.tmp
File created	C:\Program Files (x86)\EmmasBackdoor\unins000.dat	emmasBackdoor.tmp
File created	C:\Program Files (x86)\EmmasBackdoor\is-3L7IM.tmp	emmasBackdoor.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5144	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	emmasBackdoor.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	emmasBackdoor.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\EmmasBackdoorFile.myp\shell\open\command	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\shell	emmasBackdoor.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\shell\open\command\ = "\"C:\\Program Files (x86)\\EmmasBackdoor\\Client.exe\" \"%1\""	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\EmmasBackdoorFile.myp	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\EmmasBackdoorFile.myp\DefaultIcon	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\shell\open\command	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Client.exe\SupportedTypes	emmasBackdoor.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp\OpenWithProgids\EmmasBackdoorFile.myp	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\.myp\OpenWithProgids	emmasBackdoor.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\ = "EmmasBackdoor File"	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\shell\open	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Client.exe	emmasBackdoor.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Client.exe\SupportedTypes\.myp	emmasBackdoor.tmp
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp\OpenWithProgids	emmasBackdoor.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\DefaultIcon\ = "C:\\Program Files (x86)\\EmmasBackdoor\\Client.exe,0"	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\Client.exe\SupportedTypes	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp	emmasBackdoor.tmp

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 89705.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4028	schtasks.exe
5312	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4520	msedge.exe
4520	msedge.exe
2844	msedge.exe
2844	msedge.exe
3468	identity_helper.exe
3468	identity_helper.exe
432	msedge.exe
432	msedge.exe
5144	powershell.exe
5144	powershell.exe
5144	powershell.exe
4456	emmasBackdoor.tmp
4456	emmasBackdoor.tmp

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5144	powershell.exe
Token: SeDebugPrivilege	6084	Client.exe
Token: SeDebugPrivilege	1868	Windows.WARP.JITService.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
4456	emmasBackdoor.tmp

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1868	Windows.WARP.JITService.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 820	2844	msedge.exe	82
PID 2844 wrote to memory of 820	2844	msedge.exe	82
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 3388	2844	msedge.exe	83
PID 2844 wrote to memory of 4520	2844	msedge.exe	84
PID 2844 wrote to memory of 4520	2844	msedge.exe	84
PID 2844 wrote to memory of 3640	2844	msedge.exe	85
PID 2844 wrote to memory of 3640	2844	msedge.exe	85
PID 2844 wrote to memory of 3640	2844	msedge.exe	85
PID 2844 wrote to memory of 3640	2844	msedge.exe	85
PID 2844 wrote to memory of 3640	2844	msedge.exe	85
PID 2844 wrote to memory of 3640	2844	msedge.exe	85
PID 2844 wrote to memory of 3640	2844	msedge.exe	85
PID 2844 wrote to memory of 3640	2844	msedge.exe	85
PID 2844 wrote to memory of 3640	2844	msedge.exe	85
PID 2844 wrote to memory of 3640	2844	msedge.exe	85
PID 2844 wrote to memory of 3640	2844	msedge.exe	85
PID 2844 wrote to memory of 3640	2844	msedge.exe	85
PID 2844 wrote to memory of 3640	2844	msedge.exe	85
PID 2844 wrote to memory of 3640	2844	msedge.exe	85
PID 2844 wrote to memory of 3640	2844	msedge.exe	85
PID 2844 wrote to memory of 3640	2844	msedge.exe	85
PID 2844 wrote to memory of 3640	2844	msedge.exe	85
PID 2844 wrote to memory of 3640	2844	msedge.exe	85
PID 2844 wrote to memory of 3640	2844	msedge.exe	85
PID 2844 wrote to memory of 3640	2844	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/KNKNlk
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe4ce346f8,0x7ffe4ce34708,0x7ffe4ce34718
  2⤵
  PID:820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,5501640482866878600,5038361024739321382,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,5501640482866878600,5038361024739321382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2468 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,5501640482866878600,5038361024739321382,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2996 /prefetch:8
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5501640482866878600,5038361024739321382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5501640482866878600,5038361024739321382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5501640482866878600,5038361024739321382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5501640482866878600,5038361024739321382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,5501640482866878600,5038361024739321382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,5501640482866878600,5038361024739321382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5501640482866878600,5038361024739321382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,5501640482866878600,5038361024739321382,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5828 /prefetch:8
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5501640482866878600,5038361024739321382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5501640482866878600,5038361024739321382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5501640482866878600,5038361024739321382,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2068,5501640482866878600,5038361024739321382,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6636 /prefetch:8
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5501640482866878600,5038361024739321382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5501640482866878600,5038361024739321382,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,5501640482866878600,5038361024739321382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6092 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4444

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4988

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2404

C:\Users\Admin\Desktop\emmasBackdoor.exe
"C:\Users\Admin\Desktop\emmasBackdoor.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2384
- C:\Users\Admin\AppData\Local\Temp\is-DKUV1.tmp\emmasBackdoor.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-DKUV1.tmp\emmasBackdoor.tmp" /SL5="$A002C,1909968,965632,C:\Users\Admin\Desktop\emmasBackdoor.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:4456
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\is-BCOIT.tmp\disable_defender.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5144
- - C:\Program Files (x86)\EmmasBackdoor\Client.exe
    "C:\Program Files (x86)\EmmasBackdoor\Client.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:6084
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "MicrosoftUpdateTaskMachineCore" /sc ONLOGON /tr "C:\Windows\system32\ice\Windows.WARP.JITService.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4028
  - - C:\Windows\system32\ice\Windows.WARP.JITService.exe
      "C:\Windows\system32\ice\Windows.WARP.JITService.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1868
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "MicrosoftUpdateTaskMachineCore" /sc ONLOGON /tr "C:\Windows\system32\ice\Windows.WARP.JITService.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\EmmasBackdoor\Client.exe

Filesize
3.1MB

MD5
66ebe604ddf4d6ab60a183f515536528

SHA1
278782873ae0a5cac94add051edfc12e223be55c

SHA256
37e733731381c02941e4a8da30350cf968532d08012b6bb91e525241e8ee2c86

SHA512
756de51b5f6116640736f7dd37faf6172db79c8eaf8da17ba1e3d788d5c0179a01746f7d30044ca5c535c1b3d938bfde3e5d810b7fe50815030be8a5288c2bf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
1ada57e0cf2f0a16424b248f08e9790b

SHA1
342f3cfe4d45c07c1405cedd72019c92c0cbda02

SHA256
bbe9e8fc59263b3880f0ae30750ffeee193b831e73c27ad823268684b3a85bc1

SHA512
25cf21c1982c8971efb71e64fa9421f4528a2ad3be4ed4e7f238f1a99e65a71a918a0eee15905cbbc8b994f85e5624680274529d4376045a27b6770c26074f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
855B

MD5
240a42e345be7c2ff5ac0651ac7a8403

SHA1
b1b27402c00de533eaf3adb2f0bc13eccfdafe4c

SHA256
0cec653b1900b577b781dca9564124efd68296fe8c42802ec436ada07a74214a

SHA512
ff8a691b4686a86a7a45de3fc998f5a534e1c80af64c1ab1a8917e84fb02437ea26c4b99e5da98c2bb53966fec2661274e702e19842ee240187ec562b0927552

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4e339f7be04fecc7a17b534c1689cd74

SHA1
911518e14932cb22345022fcfbeeff8cc6421d5a

SHA256
888ca0dde30ddb90911fbdcf6aaaeec42b77e99920c2a749dda125640b2e6d8a

SHA512
9b307b22424564e3c7dc3ce20f2b0a961b5756d6e3aed2a230c830c1a8ad250f546e968c8e3fe218cd54421a35f7428ce091d344c5fbd30196059fcb65ee3a8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8f44d46f826910f3aed10146f157b38a

SHA1
808377c8084a179bcbd6ed6f6e44e6f9616fcd3f

SHA256
f0ed6451d29621419229f2b383844dd1128baa72c5f27ae80f8d62ac4d78e589

SHA512
34ea50878d622a41a63541f848ca0d587a158c704bfc8fcf22f1e1ad7e403a8c6a3aa8b82c848b2fb02d8deb69631f36a0d1264ccbd1a40b80c8707a620670d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8217a4dc19e8e7bc1779b6f8e1b2f7b8

SHA1
0731da12024a2f285ca603ac45fca4f91d030fed

SHA256
1f0eb8bd0506c9f289b4a94afc5d3631ad97a24b1911ee52ef241303bd485444

SHA512
fce7c65cf45c1f2fc486b59bf72d69c1d7f0c1d718d7a8c2a6d41fce09f1d736593b07dd9a88baa0093007f24833273eb35af8487360b5bc2053830d69e3001d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5cd9efa455ad2e8f3262ed1a892e2b18

SHA1
d1ec963ba170d1f2a39d49f27431cf8ae1ab1d7c

SHA256
2a44ce88869c98aaafbde30e8541c4cd159e4e5da40c5548df1765832c876d6a

SHA512
ffe462be8ead19d2a040b2cd931eca6e38554cbdbaaa7f9a35048e404e3d6cf64acb025663d6c2fe74b9a99c92b707863507c9646fc12c23165a5b647dc4680f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
dc6e7941b8660d3c37f826376d464312

SHA1
0654399ea32456e07991e5b424a849151de72959

SHA256
b5fb250561f8ab18f4c58551216078a06e5011a1f5af6aa0f91b5e55bc547e75

SHA512
aa648da431587e87c73832422f561c7f4bc1b7e9be9b402a3dcd3e7ee3bca670fa7f270375216bf913777c812320fd64ccd567e16bd8faa3695f2b53d4b44ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zzsu3fjh.yto.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BCOIT.tmp\disable_defender.ps1

Filesize
544B

MD5
3568227fbb730d48fa31d13e87f9a370

SHA1
83ac8fbb2b9c35337f372977fe3323f63060c5ff

SHA256
a06e1c77a4ab2a13f90dc2f86bbb4cb662f2bd10b1f805b1b7745af4c2ad3698

SHA512
2b8863dbdc4c980eac867e600ca008261d046a99bf40cfc02a350ec45a04e3a7b958b21219ad0a26b339336f779ba167aa84c45dbe4d9d9ada004c4515ba6d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DKUV1.tmp\emmasBackdoor.tmp

Filesize
3.3MB

MD5
95c49a50069cf27284ac7b186df5aae0

SHA1
4120193848e7726aac277f9ea6e4b3670342ed03

SHA256
9f62b6f4c234ded050162b55a9c6de0c604578dee34462b96615e48169a485bb

SHA512
f6d3fd7454943aac838cd81e17c35787747185e0736823424453ffbf375da1e921dba0a5ce88a05f7a71e2ac367d47ee8fbabbd529f48997b99f1a3afa5370cd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 89705.crdownload

Filesize
2.9MB

MD5
0266f80fe6efd3e3e4bd0363d17bcbde

SHA1
b144914eb53d2e35e410be64d2db052d06d680df

SHA256
6cffbcd23aeb7ea8c813cda4dad413b9c24d983c0fa6da03931b690b04502411

SHA512
21174624b988b26d16ba96c57b65a0dd0c0fa02d5396ca29c5cc11851f7546a528e1343f3216b224f3deebb1e749ac1dfd02fc5485bf4a0dd5b6d0983c496ac8

Download Submit
memory/1868-200-0x000000001BB80000-0x000000001BC32000-memory.dmp

Filesize
712KB

Download
memory/1868-199-0x000000001B1C0000-0x000000001B210000-memory.dmp

Filesize
320KB

Download
memory/2384-198-0x0000000000390000-0x000000000048A000-memory.dmp

Filesize
1000KB

Download
memory/2384-169-0x0000000000390000-0x000000000048A000-memory.dmp

Filesize
1000KB

Download
memory/2384-94-0x0000000000390000-0x000000000048A000-memory.dmp

Filesize
1000KB

Download
memory/4456-197-0x00000000005B0000-0x0000000000909000-memory.dmp

Filesize
3.3MB

Download
memory/4456-185-0x00000000005B0000-0x0000000000909000-memory.dmp

Filesize
3.3MB

Download
memory/4456-170-0x00000000005B0000-0x0000000000909000-memory.dmp

Filesize
3.3MB

Download
memory/5144-136-0x00000000069D0000-0x00000000069EE000-memory.dmp

Filesize
120KB

Download
memory/5144-156-0x0000000007A70000-0x0000000007A92000-memory.dmp

Filesize
136KB

Download
memory/5144-147-0x0000000007D20000-0x000000000839A000-memory.dmp

Filesize
6.5MB

Download
memory/5144-148-0x0000000007700000-0x000000000771A000-memory.dmp

Filesize
104KB

Download
memory/5144-149-0x0000000007740000-0x000000000774A000-memory.dmp

Filesize
40KB

Download
memory/5144-150-0x0000000007970000-0x0000000007A06000-memory.dmp

Filesize
600KB

Download
memory/5144-151-0x00000000078E0000-0x00000000078F1000-memory.dmp

Filesize
68KB

Download
memory/5144-152-0x0000000007910000-0x000000000791E000-memory.dmp

Filesize
56KB

Download
memory/5144-153-0x0000000007920000-0x0000000007934000-memory.dmp

Filesize
80KB

Download
memory/5144-154-0x0000000007A30000-0x0000000007A4A000-memory.dmp

Filesize
104KB

Download
memory/5144-155-0x0000000007960000-0x0000000007968000-memory.dmp

Filesize
32KB

Download
memory/5144-146-0x00000000075B0000-0x0000000007653000-memory.dmp

Filesize
652KB

Download
memory/5144-157-0x0000000008950000-0x0000000008EF4000-memory.dmp

Filesize
5.6MB

Download
memory/5144-126-0x0000000070800000-0x000000007084C000-memory.dmp

Filesize
304KB

Download
memory/5144-125-0x0000000006990000-0x00000000069C2000-memory.dmp

Filesize
200KB

Download
memory/5144-123-0x00000000063F0000-0x000000000643C000-memory.dmp

Filesize
304KB

Download
memory/5144-122-0x00000000063A0000-0x00000000063BE000-memory.dmp

Filesize
120KB

Download
memory/5144-121-0x0000000005EE0000-0x0000000006234000-memory.dmp

Filesize
3.3MB

Download
memory/5144-107-0x0000000002A90000-0x0000000002AC6000-memory.dmp

Filesize
216KB

Download
memory/5144-111-0x00000000056C0000-0x0000000005726000-memory.dmp

Filesize
408KB

Download
memory/5144-110-0x00000000055A0000-0x0000000005606000-memory.dmp

Filesize
408KB

Download
memory/5144-109-0x0000000005500000-0x0000000005522000-memory.dmp

Filesize
136KB

Download
memory/5144-108-0x0000000005770000-0x0000000005D98000-memory.dmp

Filesize
6.2MB

Download
memory/6084-189-0x0000000000340000-0x0000000000664000-memory.dmp

Filesize
3.1MB

Download