quasar | 0175d8a12d65b359733a5442daf4ca4b3160212eae7eed1679f9ae4a6b21ff0f

Analysis

max time kernel
101s
max time network
146s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
27/03/2025, 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ixeeno.exe
Size

1.5MB
MD5

2433a7e38a0a4cf473fd26fb8429aae0
SHA1

a25454de6895dfdebdc86e8e799b3578f733d28d
SHA256

0175d8a12d65b359733a5442daf4ca4b3160212eae7eed1679f9ae4a6b21ff0f
SHA512

df7d60d46fb612617a667049e8e20caca3896af9516ba05ecf5c482e0ca1e2d92df4fcabce9f5cf1b04b277c17dc3e10c53c96cbde9e4ced600ceca7c0b0dbc3
SSDEEP

24576:qlRNJAhU6S2HIPbcNE0KKzaOwIRxl2SVciNkgSMgm5Q+r3qVt:WDKEwKKzwipVcCPZyO4

Score

10^/10

quasar discovery spyware trojan

Malware Config

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/3548-1-0x000002480DD70000-0x000002480DEFA000-memory.dmp	family_quasar
behavioral1/memory/3548-2-0x000002480E3C0000-0x000002480E3DA000-memory.dmp	family_quasar
behavioral1/files/0x001900000002b074-7.dat	family_quasar

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\UMDF\usbmmIdd.dll	DrvInst.exe

Executes dropped EXE 4 IoCs

pid	Process
5012	svchost.exe
3392	deviceinstaller64.exe
3836	deviceinstaller64.exe
1556	PS9lIfsUy9kB.exe

Loads dropped DLL 3 IoCs

pid	Process
1556	PS9lIfsUy9kB.exe
1556	PS9lIfsUy9kB.exe
1556	PS9lIfsUy9kB.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\usbmmidd_v2\usbmmidd_v2\deviceinstaller.exe	svchost.exe
File created	C:\Windows\System32\DriverStore\Temp\{64135590-4308-dd4d-9c7d-14624db23068}\SETA51A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{64135590-4308-dd4d-9c7d-14624db23068}\usbmmIdd.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\SubDir\svchost.exe	ixeeno.exe
File created	C:\Windows\system32\usbmmidd_v2.zip	svchost.exe
File opened for modification	C:\Windows\system32\usbmmidd_v2\usbmmidd_v2\usbmmidd.bat	svchost.exe
File created	C:\Windows\system32\usbmmidd_v2\usbmmidd_v2\usbmmIdd.inf	svchost.exe
File opened for modification	C:\Windows\system32\SubDir	svchost.exe
File created	C:\Windows\system32\usbmmidd_v2\usbmmidd_v2\License.txt	svchost.exe
File created	C:\Windows\system32\usbmmidd_v2\usbmmidd_v2\usbmmidd.bat	svchost.exe
File opened for modification	C:\Windows\system32\usbmmidd_v2\usbmmidd_v2\Win32\usbmmIdd.dll	svchost.exe
File created	C:\Windows\System32\DriverStore\Temp\{64135590-4308-dd4d-9c7d-14624db23068}\x64\SETA519.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\usbmmidd.inf_amd64_2cb21e2b14e16bf2\usbmmidd.inf	DrvInst.exe
File opened for modification	C:\Windows\system32\SubDir	ixeeno.exe
File created	C:\Windows\system32\usbmmidd_v2\usbmmidd_v2\usbmmidd.cat	svchost.exe
File created	C:\Windows\system32\usbmmidd_v2\usbmmidd_v2\Win32\usbmmIdd.dll	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\usbmmidd.inf_amd64_2cb21e2b14e16bf2\usbmmIdd.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\system32\usbmmidd_v2\usbmmidd_v2\idd_instructions.txt	svchost.exe
File opened for modification	C:\Windows\system32\usbmmidd_v2\usbmmidd_v2\usbmmIdd.inf	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{64135590-4308-dd4d-9c7d-14624db23068}\x64\SETA519.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{64135590-4308-dd4d-9c7d-14624db23068}\SETA51A.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{64135590-4308-dd4d-9c7d-14624db23068}\SETA52B.tmp	DrvInst.exe
File created	C:\Windows\system32\SubDir\svchost.exe	ixeeno.exe
File opened for modification	C:\Windows\system32\SubDir\svchost.exe	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbmmidd.inf_amd64_2cb21e2b14e16bf2\usbmmidd.PNF	deviceinstaller64.exe
File created	C:\Windows\system32\usbmmidd_v2\usbmmidd_v2\deviceinstaller.exe	svchost.exe
File opened for modification	C:\Windows\system32\usbmmidd_v2\usbmmidd_v2\deviceinstaller64.exe	svchost.exe
File opened for modification	C:\Windows\system32\usbmmidd_v2\usbmmidd_v2\License.txt	svchost.exe
File created	C:\Windows\system32\usbmmidd_v2\usbmmidd_v2\x64\usbmmIdd.dll	svchost.exe
File opened for modification	C:\Windows\system32\usbmmidd_v2\usbmmidd_v2\x64\usbmmIdd.dll	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{64135590-4308-dd4d-9c7d-14624db23068}\SETA52B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{64135590-4308-dd4d-9c7d-14624db23068}\usbmmidd.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\usbmmidd.inf_amd64_2cb21e2b14e16bf2\x64\usbmmIdd.dll	DrvInst.exe
File created	C:\Windows\system32\usbmmidd_v2\usbmmidd_v2\deviceinstaller64.exe	svchost.exe
File created	C:\Windows\system32\usbmmidd_v2\usbmmidd_v2\idd_instructions.txt	svchost.exe
File opened for modification	C:\Windows\system32\usbmmidd_v2\usbmmidd_v2\usbmmidd.cat	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{64135590-4308-dd4d-9c7d-14624db23068}\x64\usbmmIdd.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{64135590-4308-dd4d-9c7d-14624db23068}\x64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{64135590-4308-dd4d-9c7d-14624db23068}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\usbmmidd.inf_amd64_2cb21e2b14e16bf2\x64\usbmmIdd.dll	DrvInst.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	deviceinstaller64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\c_display.PNF	deviceinstaller64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PS9lIfsUy9kB.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	deviceinstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	deviceinstaller64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	deviceinstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	deviceinstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	deviceinstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	deviceinstaller64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	deviceinstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	deviceinstaller64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	deviceinstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	deviceinstaller64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	deviceinstaller64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	deviceinstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	deviceinstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	deviceinstaller64.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5980	schtasks.exe
1888	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5012	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid
4

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3548	ixeeno.exe
Token: SeDebugPrivilege	5012	svchost.exe
Token: SeAuditPrivilege	5056	svchost.exe
Token: SeSecurityPrivilege	5056	svchost.exe
Token: SeLoadDriverPrivilege	3392	deviceinstaller64.exe
Token: SeRestorePrivilege	5540	DrvInst.exe
Token: SeBackupPrivilege	5540	DrvInst.exe
Token: SeLoadDriverPrivilege	5540	DrvInst.exe
Token: SeLoadDriverPrivilege	5540	DrvInst.exe
Token: SeLoadDriverPrivilege	5540	DrvInst.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5012	svchost.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3548 wrote to memory of 5980	3548	ixeeno.exe	82
PID 3548 wrote to memory of 5980	3548	ixeeno.exe	82
PID 3548 wrote to memory of 5012	3548	ixeeno.exe	84
PID 3548 wrote to memory of 5012	3548	ixeeno.exe	84
PID 5012 wrote to memory of 1888	5012	svchost.exe	85
PID 5012 wrote to memory of 1888	5012	svchost.exe	85
PID 5012 wrote to memory of 3392	5012	svchost.exe	88
PID 5012 wrote to memory of 3392	5012	svchost.exe	88
PID 5056 wrote to memory of 4340	5056	svchost.exe	91
PID 5056 wrote to memory of 4340	5056	svchost.exe	91
PID 5056 wrote to memory of 5540	5056	svchost.exe	92
PID 5056 wrote to memory of 5540	5056	svchost.exe	92
PID 5012 wrote to memory of 3836	5012	svchost.exe	94
PID 5012 wrote to memory of 3836	5012	svchost.exe	94
PID 5012 wrote to memory of 1556	5012	svchost.exe	96
PID 5012 wrote to memory of 1556	5012	svchost.exe	96
PID 5012 wrote to memory of 1556	5012	svchost.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ixeeno.exe
"C:\Users\Admin\AppData\Local\Temp\ixeeno.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Repair Tool" /sc ONLOGON /tr "C:\Windows\system32\SubDir\svchost.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5980
- C:\Windows\system32\SubDir\svchost.exe
  "C:\Windows\system32\SubDir\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows Repair Tool" /sc ONLOGON /tr "C:\Windows\system32\SubDir\svchost.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1888
- - C:\Windows\system32\usbmmidd_v2\usbmmidd_v2\deviceinstaller64.exe
    "C:\Windows\system32\usbmmidd_v2\usbmmidd_v2\deviceinstaller64.exe" install C:\Windows\system32\usbmmidd_v2\usbmmidd_v2\usbmmIdd.inf usbmmidd
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    PID:3392
- - C:\Windows\system32\usbmmidd_v2\usbmmidd_v2\deviceinstaller64.exe
    "C:\Windows\system32\usbmmidd_v2\usbmmidd_v2\deviceinstaller64.exe" enableidd 1
    3⤵
    - Executes dropped EXE
    PID:3836
- - C:\Users\Admin\AppData\Local\Temp\PS9lIfsUy9kB.exe
    "C:\Users\Admin\AppData\Local\Temp\PS9lIfsUy9kB.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{49788afe-8c39-2142-9307-86b5898c3622}\usbmmidd.inf" "9" "4f9666e1f" "00000000000000F0" "WinSta0\Default" "0000000000000158" "208" "c:\windows\system32\usbmmidd_v2\usbmmidd_v2"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4340
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\DISPLAY\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:d470a17d4e87d07b:MyDevice_Install:2.0.0.1:usbmmidd," "4f9666e1f" "00000000000000F0" "bdcf"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:5540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PS9lIfsUy9kB.exe

Filesize
2.3MB

MD5
1b54b70beef8eb240db31718e8f7eb5d

SHA1
da5995070737ec655824c92622333c489eb6bce4

SHA256
7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

SHA512
fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh57D1.tmp\System.dll

Filesize
22KB

MD5
a36fbe922ffac9cd85a845d7a813f391

SHA1
f656a613a723cc1b449034d73551b4fcdf0dcf1a

SHA256
fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0

SHA512
1d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh57D1.tmp\nsDialogs.dll

Filesize
20KB

MD5
4e5bc4458afa770636f2806ee0a1e999

SHA1
76dcc64af867526f776ab9225e7f4fe076487765

SHA256
91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0

SHA512
b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

Download Submit
C:\Windows\System32\SubDir\svchost.exe

Filesize
1.5MB

MD5
2433a7e38a0a4cf473fd26fb8429aae0

SHA1
a25454de6895dfdebdc86e8e799b3578f733d28d

SHA256
0175d8a12d65b359733a5442daf4ca4b3160212eae7eed1679f9ae4a6b21ff0f

SHA512
df7d60d46fb612617a667049e8e20caca3896af9516ba05ecf5c482e0ca1e2d92df4fcabce9f5cf1b04b277c17dc3e10c53c96cbde9e4ced600ceca7c0b0dbc3

Download Submit
C:\Windows\System32\usbmmidd_v2\usbmmidd_v2\deviceinstaller64.exe

Filesize
158KB

MD5
41283e1240acfc163f0e697073f07413

SHA1
a10cf33fbb23c4465921e6590c934873f3155317

SHA256
e9baa02cdae921acf0aae4d8e8c29a4cdf4057ab61f9c60862b7cc439e2753f7

SHA512
d7361a1656c8a8bf0b2bb8fa332105912285d23933bbc37ebe955b36e3fc158472216757bd87638860542cefadbbc17d36d5ef16cbd910b64fc25a2d7f42cfaf

Download Submit
C:\Windows\system32\usbmmidd_v2\usbmmidd_v2\usbmmIdd.inf

Filesize
5KB

MD5
0a09dab1c9a7f2e685cd7f8b5bd43ec0

SHA1
14b5fae8397fbda873dcc9ffd5cc189f14490c28

SHA256
a8750ca15a86742f3012886c9932bb974158cd2d9779cf891c730d976a47726a

SHA512
f6cc96686f06f1871ae95ddbe9e553bbff506765965e4c846ee02328c6566730a9f4df493c36ab2104565d41dbd7ea67d054984163e45bc414a8f1efba293368

Download Submit
\??\c:\windows\system32\USBMMI~1\USBMMI~1\x64\usbmmIdd.dll

Filesize
69KB

MD5
ee848c427145609d998725a38e7ad9af

SHA1
6b97d9ab1c3978cdc2d6735c227adca8f0aabddb

SHA256
dc135d675127113915a7e5aa9fe57c84edad6be41d0890b265ef124ab26ea9e3

SHA512
5bd0eca69d16a6fe32856978047967e44f0d49c59cd611b02e9d24ca59c0d862ad5f8a4d50c6bed816fa11e2f4fee6fabbe3d6d735224084f47161693eee8007

Download Submit
\??\c:\windows\system32\usbmmidd_v2\usbmmidd_v2\usbmmIdd.cat

Filesize
11KB

MD5
e5f60b2f3a491983eac00dc7dc7c408b

SHA1
2566bf2ddc9e58f5262a2b11dda0c451d5ec9468

SHA256
470149c4cf9970ba59070aa7c9409c9f63a15727de99bab53e7e51f55310779f

SHA512
55b31a4da61b837891be7977bdf7b96457e5b54c5216e867bb1aca4580a84145f885896b13fcb72e937d3f424fec1105b4f9c0a9706dfabbec95fb53c7a302f5

Download Submit
memory/3548-3-0x00007FFAB13A0000-0x00007FFAB1E62000-memory.dmp

Filesize
10.8MB

Download
memory/3548-11-0x00007FFAB13A0000-0x00007FFAB1E62000-memory.dmp

Filesize
10.8MB

Download
memory/3548-0-0x00007FFAB13A3000-0x00007FFAB13A5000-memory.dmp

Filesize
8KB

Download
memory/3548-2-0x000002480E3C0000-0x000002480E3DA000-memory.dmp

Filesize
104KB

Download
memory/3548-1-0x000002480DD70000-0x000002480DEFA000-memory.dmp

Filesize
1.5MB

Download
memory/5012-15-0x00000204CC400000-0x00000204CC44E000-memory.dmp

Filesize
312KB

Download
memory/5012-21-0x00000204CC780000-0x00000204CC78A000-memory.dmp

Filesize
40KB

Download
memory/5012-23-0x00000204CCD50000-0x00000204CCD62000-memory.dmp

Filesize
72KB

Download
memory/5012-20-0x00007FFAB13A0000-0x00007FFAB1E62000-memory.dmp

Filesize
10.8MB

Download
memory/5012-19-0x00000204CC7B0000-0x00000204CC7EC000-memory.dmp

Filesize
240KB

Download
memory/5012-18-0x00000204CC510000-0x00000204CC522000-memory.dmp

Filesize
72KB

Download
memory/5012-14-0x00000204CC560000-0x00000204CC612000-memory.dmp

Filesize
712KB

Download
memory/5012-13-0x00000204CC450000-0x00000204CC4A0000-memory.dmp

Filesize
320KB

Download
memory/5012-12-0x00000204CAFE0000-0x00000204CAFF2000-memory.dmp

Filesize
72KB

Download
memory/5012-10-0x00007FFAB13A0000-0x00007FFAB1E62000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads