Analysis
max time kernel: 147s
max time network: 150s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 25-09-2022 04:26
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20220812-en
General
Target: tmp.exe
Size: 2.8MB
MD5: c41aa4383be3c790c15b89ac0b52a046
SHA1: 0544bd37de62b386fa2ad5d3511e30b6c62c7f97
SHA256: 84f65ea0570ad0cb113671be14dfa4a7d0f04ebfa773d4f53103e401c39511d1
SHA512: b80fa1c3f88795762e6957b9ad639fc60778f5f00dbf0d8b9d8f038abd6dd5f68a8f558fcc64cde27a286884390ee9c7676b2aa7fa6f9e6a2bcfd96607aec5fc
SSDEEP: 49152:3AA1/64VAI5jOkaEiJFc5+DOyUfnEza32ehyfTbBDm:3Aq/64VAI5ixEiJFbmIBa
Malware Config
Extracted family: quasar
Version: 1.4.0
Botnet: Cheats
C2: anubisgod.duckdns.org:1338
Mutex: 6f2a7175-754c-4ce5-a610-2f8866732c05
encryption_key: 0411D8B9B23547F86733347B0634010F112E158F
install_name: dlscord.exe
log_directory: dlscordLogs
reconnect_delay: 3000
startup_key: dlscord
subdirectory: dlscord
Signatures

Quasar payload (4 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1092-54-0x0000000000990000-0x0000000000C5A000-memory.dmp   family_quasar
  C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe                            family_quasar
  C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe                            family_quasar
  behavioral1/memory/1896-60-0x00000000010E0000-0x00000000013AA000-memory.dmp   family_quasar

Executes dropped EXE (1 IoC)
  pid    process
  1896   dlscord.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    process
  1144   schtasks.exe
  1320   schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid    process
  Token: SeDebugPrivilege   1092   tmp.exe
  Token: SeDebugPrivilege   1896   dlscord.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid    process
  1896   dlscord.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                         pid    process       target process
  PID 1092 wrote to memory of 1144    1092   tmp.exe       schtasks.exe
  PID 1092 wrote to memory of 1144    1092   tmp.exe       schtasks.exe
  PID 1092 wrote to memory of 1144    1092   tmp.exe       schtasks.exe
  PID 1092 wrote to memory of 1896    1092   tmp.exe       dlscord.exe
  PID 1092 wrote to memory of 1896    1092   tmp.exe       dlscord.exe
  PID 1092 wrote to memory of 1896    1092   tmp.exe       dlscord.exe
  PID 1896 wrote to memory of 1320    1896   dlscord.exe   schtasks.exe
  PID 1896 wrote to memory of 1320    1896   dlscord.exe   schtasks.exe
  PID 1896 wrote to memory of 1320    1896   dlscord.exe   schtasks.exe
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\tmp.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
      command line: "schtasks" /create /tn "dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\tmp.exe" /rl HIGHEST /f
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe
      command line: "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\schtasks.exe
          command line: "schtasks" /create /tn "dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe" /rl HIGHEST /f
          - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe
  Filesize: 2.8MB
  MD5: c41aa4383be3c790c15b89ac0b52a046
  SHA1: 0544bd37de62b386fa2ad5d3511e30b6c62c7f97
  SHA256: 84f65ea0570ad0cb113671be14dfa4a7d0f04ebfa773d4f53103e401c39511d1
  SHA512: b80fa1c3f88795762e6957b9ad639fc60778f5f00dbf0d8b9d8f038abd6dd5f68a8f558fcc64cde27a286884390ee9c7676b2aa7fa6f9e6a2bcfd96607aec5fc
memory/1092-54-0x0000000000990000-0x0000000000C5A000-memory.dmp
  Filesize: 2.8MB

memory/1092-55-0x000007FEFB761000-0x000007FEFB763000-memory.dmp
  Filesize: 8KB

memory/1144-56-0x0000000000000000-mapping.dmp

memory/1320-62-0x0000000000000000-mapping.dmp

memory/1896-57-0x0000000000000000-mapping.dmp

memory/1896-60-0x00000000010E0000-0x00000000013AA000-memory.dmp
  Filesize: 2.8MB