Analysis
max time kernel: 131s
max time network: 146s
platform: windows7_x64
resource: win7-20220414-en
submitted: 20-05-2022 23:47

Static task: static1
Behavioral task: behavioral1
Sample: 3976b6d82c6f6c735054205550437992189c4495b04afcabcf4f841639957f1a.exe
Resource: win7-20220414-en
General
Target: 3976b6d82c6f6c735054205550437992189c4495b04afcabcf4f841639957f1a.exe
Size: 3.1MB
MD5: bee78b7c6bf3e0794fd5351b5a4ebeea
SHA1: 19744fe4bb1a73c803f5c8e3f8c715f2e08ada9b
SHA256: 3976b6d82c6f6c735054205550437992189c4495b04afcabcf4f841639957f1a
SHA512: 041cf0f734d316d34b5a7ec39eff1246a783c1864820af43df1ad8c5766af2fbbcaf816af48ef81e0924449159282751b385b2eeb3f3c404b5da6c4f674974d9
Malware Config
Extracted
family: quasar
version: 1.3.0.0
botnet: Power
c2: 5.45.67.165:2874
mutex: QSR_MUTEX_lCaExbOzxDAtqtYVRp
encryption_key: d5QxWp96Drx5Tu8vGyyl
install_name: gottem.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Windows Frengate
subdirectory: SubDir
Signatures

Quasar Payload (3 IoCs)
  resource: behavioral1/memory/2036-58-0x0000000000B00000-0x0000000000E50000-memory.dmp  yara_rule: family_quasar
  resource: behavioral1/memory/1256-66-0x0000000000FF0000-0x0000000001340000-memory.dmp  yara_rule: family_quasar
  resource: behavioral1/memory/1256-67-0x00000000776E0000-0x0000000077860000-memory.dmp  yara_rule: family_quasar
  suricata: ET MALWARE Common RAT Connectivity Check Observed
  suricata: ET MALWARE Common RAT Connectivity Check Observed

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Executes dropped EXE (1 IoC)
  pid: 1256  process: gottem.exe
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  3976b6d82c6f6c735054205550437992189c4495b04afcabcf4f841639957f1a.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  3976b6d82c6f6c735054205550437992189c4495b04afcabcf4f841639957f1a.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  gottem.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  gottem.exe

Loads dropped DLL (1 IoC)
  pid: 2036  process: 3976b6d82c6f6c735054205550437992189c4495b04afcabcf4f841639957f1a.exe
Themida packer detected (yara rule: themida, 5 IoCs)
  resource: behavioral1/memory/2036-58-0x0000000000B00000-0x0000000000E50000-memory.dmp  yara_rule: themida
  resource: C:\Users\Admin\AppData\Roaming\SubDir\gottem.exe  yara_rule: themida
  resource: \Users\Admin\AppData\Roaming\SubDir\gottem.exe  yara_rule: themida
  resource: behavioral1/memory/1256-66-0x0000000000FF0000-0x0000000001340000-memory.dmp  yara_rule: themida
  resource: behavioral1/memory/1256-67-0x00000000776E0000-0x0000000077860000-memory.dmp  yara_rule: themida

Checks whether UAC is enabled (2 IoCs)
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  3976b6d82c6f6c735054205550437992189c4495b04afcabcf4f841639957f1a.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  gottem.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 1  ioc: ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid: 2036  process: 3976b6d82c6f6c735054205550437992189c4495b04afcabcf4f841639957f1a.exe
  pid: 1256  process: gottem.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 1608  process: schtasks.exe
  pid: 1472  process: schtasks.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid: 2036  process: 3976b6d82c6f6c735054205550437992189c4495b04afcabcf4f841639957f1a.exe
  Token: SeDebugPrivilege  pid: 1256  process: gottem.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 1256  process: gottem.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2036 (3976b6d82c6f6c735054205550437992189c4495b04afcabcf4f841639957f1a.exe) wrote to memory of PID 1608 (schtasks.exe)  [4 entries]
  PID 2036 (3976b6d82c6f6c735054205550437992189c4495b04afcabcf4f841639957f1a.exe) wrote to memory of PID 1256 (gottem.exe)  [4 entries]
  PID 1256 (gottem.exe) wrote to memory of PID 1472 (schtasks.exe)  [4 entries]
Processes

C:\Users\Admin\AppData\Local\Temp\3976b6d82c6f6c735054205550437992189c4495b04afcabcf4f841639957f1a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3976b6d82c6f6c735054205550437992189c4495b04afcabcf4f841639957f1a.exe"
  PID: 2036
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    command line: "schtasks" /create /tn "Windows Frengate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\3976b6d82c6f6c735054205550437992189c4495b04afcabcf4f841639957f1a.exe" /rl HIGHEST /f
    PID: 1608
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Roaming\SubDir\gottem.exe
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\gottem.exe"
    PID: 1256
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks" /create /tn "Windows Frengate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\gottem.exe" /rl HIGHEST /f
      PID: 1472
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Roaming\SubDir\gottem.exe
  Filesize: 3.1MB
  MD5: bee78b7c6bf3e0794fd5351b5a4ebeea
  SHA1: 19744fe4bb1a73c803f5c8e3f8c715f2e08ada9b
  SHA256: 3976b6d82c6f6c735054205550437992189c4495b04afcabcf4f841639957f1a
  SHA512: 041cf0f734d316d34b5a7ec39eff1246a783c1864820af43df1ad8c5766af2fbbcaf816af48ef81e0924449159282751b385b2eeb3f3c404b5da6c4f674974d9

\Users\Admin\AppData\Roaming\SubDir\gottem.exe
  Filesize: 3.1MB
  MD5: bee78b7c6bf3e0794fd5351b5a4ebeea
  SHA1: 19744fe4bb1a73c803f5c8e3f8c715f2e08ada9b
  SHA256: 3976b6d82c6f6c735054205550437992189c4495b04afcabcf4f841639957f1a
  SHA512: 041cf0f734d316d34b5a7ec39eff1246a783c1864820af43df1ad8c5766af2fbbcaf816af48ef81e0924449159282751b385b2eeb3f3c404b5da6c4f674974d9

memory/1256-61-0x0000000000000000-mapping.dmp

memory/1256-66-0x0000000000FF0000-0x0000000001340000-memory.dmp
  Filesize: 3.3MB

memory/1256-67-0x00000000776E0000-0x0000000077860000-memory.dmp
  Filesize: 1.5MB

memory/1472-68-0x0000000000000000-mapping.dmp

memory/1608-59-0x0000000000000000-mapping.dmp

memory/2036-54-0x0000000075C01000-0x0000000075C03000-memory.dmp
  Filesize: 8KB

memory/2036-57-0x00000000776E0000-0x0000000077860000-memory.dmp
  Filesize: 1.5MB

memory/2036-58-0x0000000000B00000-0x0000000000E50000-memory.dmp
  Filesize: 3.3MB