Analysis
-
max time kernel
43s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220718-en -
resource tags
arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system -
submitted
05-08-2022 11:13
Static task
static1
Behavioral task
behavioral1
Sample
740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe
Resource
win10v2004-20220721-en
General
-
Target
740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe
-
Size
5.9MB
-
MD5
1fb5d967f92174e0bbb15262f8cd209f
-
SHA1
76fbd5b88154976887b5099c21666ca3be2cd76e
-
SHA256
740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024
-
SHA512
a0ff48d7e219c71828d0cbde56f59af7326dff4da021789cefc68d1ea90ea467eb98b7418070a3007a63f58ad5987dc9effe79bc143a33c5ecbe1a963a708ea9
Malware Config
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/908-56-0x000000001BF70000-0x000000001C720000-memory.dmp family_quasar -
Drops file in System32 directory 2 IoCs
Processes:
740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exedescription ioc process File created C:\Windows\system32\Windows\RuntimeBroker.exe 740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe File opened for modification C:\Windows\system32\Windows\RuntimeBroker.exe 740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exedescription pid process Token: SeDebugPrivilege 908 740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exedescription pid process target process PID 908 wrote to memory of 1556 908 740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe schtasks.exe PID 908 wrote to memory of 1556 908 740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe schtasks.exe PID 908 wrote to memory of 1556 908 740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe"C:\Users\Admin\AppData\Local\Temp\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Google Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/908-54-0x0000000000380000-0x000000000096A000-memory.dmpFilesize
5.9MB
-
memory/908-55-0x000000001B950000-0x000000001BD1A000-memory.dmpFilesize
3.8MB
-
memory/908-56-0x000000001BF70000-0x000000001C720000-memory.dmpFilesize
7.7MB
-
memory/908-57-0x0000000000340000-0x0000000000362000-memory.dmpFilesize
136KB
-
memory/1556-58-0x0000000000000000-mapping.dmp