Analysis
max time kernel: 144s
max time network: 149s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 29/12/2022, 12:46
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20220812-en
General
Target: tmp.exe
Size: 502KB
MD5: bbd0db3230e57aeb7ca23e59aadf0134
SHA1: fdda0bfd08bbd74557dd878bda12f05368befb7d
SHA256: 741a3f8b91ad8ef7bf2936bafddb95200b0f3083a6933d1d82c278baaa6ec9c7
SHA512: 4393b5dcac40f0b36bf85e50f66ed299a95c298b5c8e4853aae8e5f84ab7d2cb64a989728b21135e2730afaddd60002872e517e8b67b68085f97345ff4a6baf3
SSDEEP: 6144:VTEgdc0YpXAGbgiIN2RSBuSBtPB+a9VIvyTcEi9b8F9vkDC+ROcTR32:VTEgdfYlbgRljSCN8CQOcd2
Malware Config
Extracted
Family: quasar
Version: 1.4.0
Botnet: Office04
C2: flingmodder-53370.portmap.io:53370
Mutex: c16cce68-0a86-440c-89b1-c088c1c8b4cb
encryption_key: 9BFDFBA45AE2C2C16DA4EEEA02438784B89CACC0
install_name: svchost.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: svchost
subdirectory: windows
Signatures

Quasar payload (4 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/456-54-0x0000000000A40000-0x0000000000AC4000-memory.dmp   family_quasar
  behavioral1/files/0x000a000000012300-58.dat                                  family_quasar
  behavioral1/files/0x000a000000012300-59.dat                                  family_quasar
  behavioral1/memory/1496-60-0x0000000000CE0000-0x0000000000D64000-memory.dmp  family_quasar

Executes dropped EXE (1 IoC)
  pid   Process
  1496  svchost.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1616  schtasks.exe
  280   schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  456   tmp.exe
  Token: SeDebugPrivilege  1496  svchost.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  1496  svchost.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                      pid   Process      procid_target
  PID 456 wrote to memory of 1616  456   tmp.exe      28
  PID 456 wrote to memory of 1616  456   tmp.exe      28
  PID 456 wrote to memory of 1616  456   tmp.exe      28
  PID 456 wrote to memory of 1496  456   tmp.exe      30
  PID 456 wrote to memory of 1496  456   tmp.exe      30
  PID 456 wrote to memory of 1496  456   tmp.exe      30
  PID 1496 wrote to memory of 280  1496  svchost.exe  31
  PID 1496 wrote to memory of 280  1496  svchost.exe  31
  PID 1496 wrote to memory of 280  1496  svchost.exe  31
Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  PID: 456
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\tmp.exe" /rl HIGHEST /f
    PID: 1616
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Roaming\windows\svchost.exe
    command line: "C:\Users\Admin\AppData\Roaming\windows\svchost.exe"
    PID: 1496
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
      command line: "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\svchost.exe" /rl HIGHEST /f
      PID: 280
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 502KB
MD5: bbd0db3230e57aeb7ca23e59aadf0134
SHA1: fdda0bfd08bbd74557dd878bda12f05368befb7d
SHA256: 741a3f8b91ad8ef7bf2936bafddb95200b0f3083a6933d1d82c278baaa6ec9c7
SHA512: 4393b5dcac40f0b36bf85e50f66ed299a95c298b5c8e4853aae8e5f84ab7d2cb64a989728b21135e2730afaddd60002872e517e8b67b68085f97345ff4a6baf3