Analysis

max time kernel: 34s
max time network: 38s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 18/08/2023, 05:18

Static task: static1
Behavioral task: behavioral1
Sample: SkyClicker.exe
Resource: win7-20230712-en
General

Target: SkyClicker.exe
Size: 879KB
MD5: 8fd1d7bea1de60f132dc4103d48f80e9
SHA1: d202c62c782c6352b2fd0592f2fb1ffc41ec1e99
SHA256: 63e121b2616865f3031d80563fac2dbfedab31ae1b44910cbc6aa42b1ddfcb28
SHA512: 99de0315cd72ea827e801c827ed492c4b656405143e5e33909711c598e38be7b8ac443b08063493bc9d5890d8529a802a650a3acea23b7b59ac34d14ed0d56cc
SSDEEP: 12288:OfMaHoBDU8vm1gJlZ753yWJtbYKh+px8XNoMPIhc:OfMaiU83NgWJJh+px8doJW
Malware Config

Extracted
family: quasar
version: 1.3.0.0
botnet: Vasili
C2: 7.tcp.ngrok.io:26659
mutex: QSR_MUTEX_wD3LltN4UfhGLKcWXQ
encryption_key: S4LQWME0QBUBvcmHQtmO
install_name: AutoClicker.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Java Updater
subdirectory: AutoClicker
Signatures

Quasar payload (9 IoCs)
resource -> yara_rule
behavioral1/files/0x0006000000012110-63.dat -> family_quasar
behavioral1/files/0x0006000000012110-67.dat -> family_quasar
behavioral1/files/0x0006000000012110-66.dat -> family_quasar
behavioral1/memory/2304-69-0x0000000000D10000-0x0000000000DB0000-memory.dmp -> family_quasar
behavioral1/files/0x003300000001609b-76.dat -> family_quasar
behavioral1/files/0x003300000001609b-84.dat -> family_quasar
behavioral1/files/0x003300000001609b-81.dat -> family_quasar
behavioral1/files/0x003300000001609b-85.dat -> family_quasar
behavioral1/memory/2284-87-0x0000000000130000-0x00000000001D0000-memory.dmp -> family_quasar

Executes dropped EXE (3 IoCs)
pid -> process
3060 -> SkyClickerUpdate.exe
2304 -> Skys AutoClicker.exe
2284 -> AutoClicker.exe

Loads dropped DLL (3 IoCs)
pid -> process
2104 -> SkyClicker.exe
2104 -> SkyClicker.exe
2304 -> Skys AutoClicker.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow -> ioc
2 -> ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid -> process
1660 -> schtasks.exe
2704 -> schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description -> pid -> process
Token: SeDebugPrivilege -> 2304 -> Skys AutoClicker.exe
Token: SeDebugPrivilege -> 2284 -> AutoClicker.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid -> process
2284 -> AutoClicker.exe

Suspicious use of WriteProcessMemory (23 IoCs)
description (pid -> procid_target), process, target process id; repeated entries are collapsed with a count
PID 2104 wrote to memory of 3060, SkyClicker.exe, target 28 (x7)
PID 2104 wrote to memory of 2304, SkyClicker.exe, target 29 (x4)
PID 2304 wrote to memory of 2704, Skys AutoClicker.exe, target 31 (x4)
PID 2304 wrote to memory of 2284, Skys AutoClicker.exe, target 33 (x4)
PID 2284 wrote to memory of 1660, AutoClicker.exe, target 34 (x4)
Processes

C:\Users\Admin\AppData\Local\Temp\SkyClicker.exe (level 1, PID 2104)
  command line: "C:\Users\Admin\AppData\Local\Temp\SkyClicker.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\SkyClickerUpdate.exe (level 2, PID 3060)
    command line: "C:\Users\Admin\AppData\Roaming\SkyClickerUpdate.exe"
    - Executes dropped EXE

  C:\Users\Admin\AppData\Roaming\Skys AutoClicker.exe (level 2, PID 2304)
    command line: "C:\Users\Admin\AppData\Roaming\Skys AutoClicker.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (level 3, PID 2704)
      command line: "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Skys AutoClicker.exe" /rl HIGHEST /f
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Roaming\AutoClicker\AutoClicker.exe (level 3, PID 2284)
      command line: "C:\Users\Admin\AppData\Roaming\AutoClicker\AutoClicker.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe (level 4, PID 1660)
        command line: "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\AutoClicker\AutoClicker.exe" /rl HIGHEST /f
        - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads

The report lists 10 file entries; entries with identical hashes are collapsed below.

File A (listed 7 times)
Filesize: 611KB
MD5: 404ff5f5505d295755a32bcb659f822c
SHA1: cec19696a9f6b0b49fe7486a13a832306657a26d
SHA256: c60bb9619232051d996595dfc8919562b5814a5f1c3ebe06022d6c1aa21d053d
SHA512: d37de98166385eefeb064df6bbfa7457c8ebd4ae19b360cd897042a0b6079bc8038569b9fdaf4efde04f722a1a34b7e498fae82828cdc4646c342ef8963391c4

File B (listed 3 times)
Filesize: 258KB
MD5: 4cc67fd222248aef648e6fa803c918c4
SHA1: 0e614d4b57fa433f39d1fca128e19b52aaf7de02
SHA256: c8e137290f940dc4ef1b1acb2a1745cf59d335681ef3d32e199bffad639fc0f3
SHA512: 518d9f91a41fb10efc08bd02447982f11654c2f131e96527dbee8dabe0a6ff4123cf210ae20ddfaab54796d57f033be7c31afe2926e239ff0a0d218f43052fa5