quasar | 7b652915c4539bf3c40a0700ca93c63e5fb1e56fdf0eb89567f7f0a8fb081aeb

Resubmissions

15-12-2024 23:39

241215-3ndh3svkbl 10

15-12-2024 22:49

241215-2rpj3sspaq 10

Analysis

max time kernel
248s
max time network
217s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
15-12-2024 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

85b177add44a49f07c6610191c064bbc
SHA1

7766290221b9dafd7c0d6d983070f55863ed1b26
SHA256

7b652915c4539bf3c40a0700ca93c63e5fb1e56fdf0eb89567f7f0a8fb081aeb
SHA512

0a4d7e6a5c3e2d63a92f2ae57ab68561f47e827edffea6ea83aebac8286aab886c3bd98c6e791222411d272a925e8b3e03e14dc1b1017aaa449c1b0674717798
SSDEEP

49152:TvChBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaUEGiBeHLoVd2THHB72eh2NT:Tv8t2d5aKCuVPzlEmVQ0wvwf/Gp

Score

10^/10

quasar ratted discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

ratted

localhost:4782

87.97.126.177:4782

Mutex

48887e39-00c3-4c7d-9fbd-aa9bee5b1a88

Attributes

encryption_key
CD36E224C70A801E8033FBB0E5129B1EA712AE1D
install_name
Windows Font Manager.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Font Manager
subdirectory
Fonts

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/2296-1-0x0000000000570000-0x0000000000894000-memory.dmp	family_quasar
behavioral1/files/0x001d00000002aae4-5.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2332	Windows Font Manager.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Fonts	Client-built.exe
File opened for modification	C:\Windows\system32\Fonts\Windows Font Manager.exe	Windows Font Manager.exe
File opened for modification	C:\Windows\system32\Fonts	Windows Font Manager.exe
File created	C:\Windows\system32\Fonts\Windows Font Manager.exe	Client-built.exe
File opened for modification	C:\Windows\system32\Fonts\Windows Font Manager.exe	Client-built.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\wow64_taskschedulersettings.resources_31bf3856ad364e35_10.0.22000.1_es-es_53d0afe267088a21\taskschd.msc	mmc.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Checks SCSI registry key(s) 3 TTPs 7 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Taskmgr.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
1916	taskkill.exe
2264	taskkill.exe
3040	taskkill.exe
1376	taskkill.exe

Modifies data under HKEY_USERS 62 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "65"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3332	schtasks.exe
2432	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1760	Taskmgr.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
2356	Process not Found
4964	Process not Found
2788	Process not Found
4436	Process not Found
2904	Process not Found
4484	Process not Found
2324	Process not Found
4472	Process not Found
2640	Process not Found
1308	Process not Found
2428	Process not Found
3736	Process not Found
1288	Process not Found
1500	Process not Found
1540	Process not Found
572	Process not Found
1640	Process not Found
2352	Process not Found
3484	Process not Found
1692	Process not Found
4932	Process not Found
3164	Process not Found
3984	Process not Found
1624	Process not Found
2532	Process not Found
1104	Process not Found
1988	Process not Found
564	Process not Found
464	Process not Found
3136	Process not Found
908	Process not Found
4672	Process not Found
1248	Process not Found
5004	Process not Found
4452	Process not Found
4752	Process not Found
4744	Process not Found
3720	Process not Found
3416	Process not Found
1576	Process not Found
4592	Process not Found
1908	Process not Found
936	Process not Found
2748	Process not Found
4128	Process not Found
1100	Process not Found
1976	Process not Found
2784	Process not Found
4916	Process not Found
4692	Process not Found
2432	Process not Found
4984	Process not Found
912	Process not Found
3000	Process not Found
568	Process not Found
4740	Process not Found
1564	Process not Found
1852	Process not Found
5048	Process not Found
4072	Process not Found
4328	Process not Found
2068	Process not Found
1680	Process not Found
5008	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2296	Client-built.exe
Token: SeDebugPrivilege	2332	Windows Font Manager.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe
Token: 33	488	mmc.exe
Token: SeIncBasePriorityPrivilege	488	mmc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe
1760	Taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
488	mmc.exe
488	mmc.exe
3004	LogonUI.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 3332	2296	Client-built.exe	77
PID 2296 wrote to memory of 3332	2296	Client-built.exe	77
PID 2296 wrote to memory of 2332	2296	Client-built.exe	79
PID 2296 wrote to memory of 2332	2296	Client-built.exe	79
PID 2332 wrote to memory of 2432	2332	Windows Font Manager.exe	80
PID 2332 wrote to memory of 2432	2332	Windows Font Manager.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Font Manager" /sc ONLOGON /tr "C:\Windows\system32\Fonts\Windows Font Manager.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3332
- C:\Windows\system32\Fonts\Windows Font Manager.exe
  "C:\Windows\system32\Fonts\Windows Font Manager.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows Font Manager" /sc ONLOGON /tr "C:\Windows\system32\Fonts\Windows Font Manager.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2432

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\WinSxS\wow64_taskschedulersettings.resources_31bf3856ad364e35_10.0.22000.1_es-es_53d0afe267088a21\taskschd.msc"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:488

C:\Windows\WinSxS\wow64_microsoft-windows-taskkill_31bf3856ad364e35_10.0.22000.1_none_861646fd953a616a\taskkill.exe
"C:\Windows\WinSxS\wow64_microsoft-windows-taskkill_31bf3856ad364e35_10.0.22000.1_none_861646fd953a616a\taskkill.exe"
1⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:2264

C:\Windows\WinSxS\wow64_microsoft-windows-taskkill_31bf3856ad364e35_10.0.22000.1_none_861646fd953a616a\taskkill.exe
"C:\Windows\WinSxS\wow64_microsoft-windows-taskkill_31bf3856ad364e35_10.0.22000.1_none_861646fd953a616a\taskkill.exe"
1⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:3040

C:\Windows\WinSxS\wow64_microsoft-windows-taskkill_31bf3856ad364e35_10.0.22000.1_none_861646fd953a616a\taskkill.exe
"C:\Windows\WinSxS\wow64_microsoft-windows-taskkill_31bf3856ad364e35_10.0.22000.1_none_861646fd953a616a\taskkill.exe"
1⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:1376

C:\Windows\WinSxS\wow64_microsoft-windows-taskkill_31bf3856ad364e35_10.0.22000.1_none_861646fd953a616a\taskkill.exe
"C:\Windows\WinSxS\wow64_microsoft-windows-taskkill_31bf3856ad364e35_10.0.22000.1_none_861646fd953a616a\taskkill.exe"
1⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:1916

C:\Windows\WinSxS\wow64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.22000.65_none_9b4fcb543bd21a13\Taskmgr.exe
"C:\Windows\WinSxS\wow64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.22000.65_none_9b4fcb543bd21a13\Taskmgr.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1308

C:\Windows\WinSxS\wow64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.22000.65_none_9b4fcb543bd21a13\Taskmgr.exe
"C:\Windows\WinSxS\wow64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.22000.65_none_9b4fcb543bd21a13\Taskmgr.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2540

C:\Windows\WinSxS\wow64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.22000.65_none_9b4fcb543bd21a13\Taskmgr.exe
"C:\Windows\WinSxS\wow64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.22000.65_none_9b4fcb543bd21a13\Taskmgr.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2852

C:\Windows\SysWOW64\Taskmgr.exe
"C:\Windows\SysWOW64\Taskmgr.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1760

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
PID:2668

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
PID:3212

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
PID:2768

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
PID:3724

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
PID:4772

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
PID:4660

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
PID:2220

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1176

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004DC
1⤵
PID:1120

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39d2055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:4252

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\Fonts\Windows Font Manager.exe

Filesize
3.1MB

MD5
85b177add44a49f07c6610191c064bbc

SHA1
7766290221b9dafd7c0d6d983070f55863ed1b26

SHA256
7b652915c4539bf3c40a0700ca93c63e5fb1e56fdf0eb89567f7f0a8fb081aeb

SHA512
0a4d7e6a5c3e2d63a92f2ae57ab68561f47e827edffea6ea83aebac8286aab886c3bd98c6e791222411d272a925e8b3e03e14dc1b1017aaa449c1b0674717798

Download Submit
memory/1760-28-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/1760-25-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/1760-23-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/1760-17-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/1760-27-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/1760-29-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/1760-26-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/1760-19-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/1760-18-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/1760-24-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/2296-2-0x00007FFC89230000-0x00007FFC89CF2000-memory.dmp

Filesize
10.8MB

Download
memory/2296-0-0x00007FFC89233000-0x00007FFC89235000-memory.dmp

Filesize
8KB

Download
memory/2296-10-0x00007FFC89230000-0x00007FFC89CF2000-memory.dmp

Filesize
10.8MB

Download
memory/2296-1-0x0000000000570000-0x0000000000894000-memory.dmp

Filesize
3.1MB

Download
memory/2332-13-0x000000001C8D0000-0x000000001C982000-memory.dmp

Filesize
712KB

Download
memory/2332-30-0x00007FFC89230000-0x00007FFC89CF2000-memory.dmp

Filesize
10.8MB

Download
memory/2332-12-0x000000001BCB0000-0x000000001BD00000-memory.dmp

Filesize
320KB

Download
memory/2332-11-0x00007FFC89230000-0x00007FFC89CF2000-memory.dmp

Filesize
10.8MB

Download
memory/2332-9-0x00007FFC89230000-0x00007FFC89CF2000-memory.dmp

Filesize
10.8MB

Download
memory/2332-14-0x00007FFC89230000-0x00007FFC89CF2000-memory.dmp

Filesize
10.8MB

Download