Analysis
- max time kernel: 35s
- max time network: 41s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/08/2023, 05:18

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: SkyClicker.exe
- Resource: win7-20230712-en
General
- Target: SkyClicker.exe
- Size: 879KB
- MD5: 8fd1d7bea1de60f132dc4103d48f80e9
- SHA1: d202c62c782c6352b2fd0592f2fb1ffc41ec1e99
- SHA256: 63e121b2616865f3031d80563fac2dbfedab31ae1b44910cbc6aa42b1ddfcb28
- SHA512: 99de0315cd72ea827e801c827ed492c4b656405143e5e33909711c598e38be7b8ac443b08063493bc9d5890d8529a802a650a3acea23b7b59ac34d14ed0d56cc
- SSDEEP: 12288:OfMaHoBDU8vm1gJlZ753yWJtbYKh+px8XNoMPIhc:OfMaiU83NgWJJh+px8doJW
Malware Config
Extracted (Quasar client configuration)
- Family: quasar
- Version: 1.3.0.0
- Botnet (tag): Vasili
- C2: 7.tcp.ngrok.io:26659 (an ngrok TCP tunnel, so the real operator host is hidden behind the ngrok edge; the port, not the hostname, identifies the tunnel)
- Mutex: QSR_MUTEX_wD3LltN4UfhGLKcWXQ
- encryption_key: S4LQWME0QBUBvcmHQtmO
- install_name: AutoClicker.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Java Updater
- subdirectory: AutoClicker

The install_name, subdirectory and startup_key values recur verbatim in the behaviour below: the final dropped copy is %AppData%\AutoClicker\AutoClicker.exe and the persistence task is named "Java Updater".
Signatures
- Quasar payload (6 IoCs)
  resource: yara_rule
  behavioral2/files/0x0006000000023268-147.dat: family_quasar
  behavioral2/files/0x0006000000023268-153.dat: family_quasar
  behavioral2/files/0x0006000000023268-154.dat: family_quasar
  behavioral2/memory/4824-158-0x00000000007A0000-0x0000000000840000-memory.dmp: family_quasar
  behavioral2/files/0x000600000002326a-174.dat: family_quasar
  behavioral2/files/0x000600000002326a-173.dat: family_quasar
- Executes dropped EXE (3 IoCs)
  pid 756: SkyClickerUpdate.exe
  pid 4824: Skys AutoClicker.exe
  pid 392: AutoClicker.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
  The configured C2 endpoint 7.tcp.ngrok.io:26659 is an ngrok TCP tunnel.
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP; Quasar's client performs this lookup itself to fill in the victim's geolocation.
  flow 14: ip-api.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Both invocations here register the same task name, "Java Updater" (the startup_key from the extracted config), with an ONLOGON trigger and /rl HIGHEST. Because both pass /f, the second overwrites the first, so the task that survives on the host points at C:\Users\Admin\AppData\Roaming\AutoClicker\AutoClicker.exe, i.e. the config's subdirectory and install_name.
  pid 5064: schtasks.exe
  pid 3276: schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 4824: Skys AutoClicker.exe
  Token: SeDebugPrivilege, pid 392: AutoClicker.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid 392: AutoClicker.exe (consistent with Quasar's keylogger, which installs a keyboard hook)
- Suspicious use of WriteProcessMemory (15 IoCs; each parent/child pair below was recorded three times)
  PID 3056 (SkyClicker.exe) wrote to memory of PID 756 (procid_target 80)
  PID 3056 (SkyClicker.exe) wrote to memory of PID 4824 (procid_target 81)
  PID 4824 (Skys AutoClicker.exe) wrote to memory of PID 5064 (procid_target 84)
  PID 4824 (Skys AutoClicker.exe) wrote to memory of PID 392 (procid_target 88)
  PID 392 (AutoClicker.exe) wrote to memory of PID 3276 (procid_target 90)
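The WriteProcessMemory signature above carries 15 IoCs for only five distinct parent/child pairs, and every pair, including the two plain schtasks.exe launches, shows exactly three writes; that is what the sandbox records for an ordinary child-process start, so these rows establish process lineage, not code injection. The Python below is an added example, not part of the Triage report: it parses the table's rows (copied from the report, split one per line) into unique edges with event counts and renders the implied tree, which should agree with the Processes section. The PID-to-image map is assembled from the "Executes dropped EXE" and "Creates scheduled task(s)" tables and the submitted sample.

```python
import re
from collections import Counter, defaultdict

# The fifteen rows of the "Suspicious use of WriteProcessMemory" table,
# split one per line (values are the report's; only the layout is ours).
ROWS = """\
PID 3056 wrote to memory of 756 3056 SkyClicker.exe 80
PID 3056 wrote to memory of 756 3056 SkyClicker.exe 80
PID 3056 wrote to memory of 756 3056 SkyClicker.exe 80
PID 3056 wrote to memory of 4824 3056 SkyClicker.exe 81
PID 3056 wrote to memory of 4824 3056 SkyClicker.exe 81
PID 3056 wrote to memory of 4824 3056 SkyClicker.exe 81
PID 4824 wrote to memory of 5064 4824 Skys AutoClicker.exe 84
PID 4824 wrote to memory of 5064 4824 Skys AutoClicker.exe 84
PID 4824 wrote to memory of 5064 4824 Skys AutoClicker.exe 84
PID 4824 wrote to memory of 392 4824 Skys AutoClicker.exe 88
PID 4824 wrote to memory of 392 4824 Skys AutoClicker.exe 88
PID 4824 wrote to memory of 392 4824 Skys AutoClicker.exe 88
PID 392 wrote to memory of 3276 392 AutoClicker.exe 90
PID 392 wrote to memory of 3276 392 AutoClicker.exe 90
PID 392 wrote to memory of 3276 392 AutoClicker.exe 90
"""

# Image name per PID, taken from the "Executes dropped EXE" and
# "Creates scheduled task(s)" tables plus the submitted sample.
NAMES = {
    3056: "SkyClicker.exe",
    756: "SkyClickerUpdate.exe",
    4824: "Skys AutoClicker.exe",
    392: "AutoClicker.exe",
    5064: "schtasks.exe",
    3276: "schtasks.exe",
}

# Columns: description | pid | Process | procid_target. procid_target is the
# sandbox's own process index for the target, not its Windows PID.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (.+?) (\d+)$")


def parse_rows(text):
    """Yield (writer_pid, target_pid, writer_image, procid_target) per row."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        writer, target, pid_col, image, procid = m.groups()
        if writer != pid_col:  # description and pid column must agree
            raise ValueError(f"inconsistent row: {line!r}")
        yield int(writer), int(target), image, int(procid)


def edge_counts(text):
    """Distinct (writer, target) pairs with the number of events for each."""
    return Counter((w, t) for w, t, _, _ in parse_rows(text))


def build_tree(text):
    """Return ({parent: [children in first-seen order]}, [root pids])."""
    children = defaultdict(list)
    for w, t, _, _ in parse_rows(text):
        if t not in children[w]:
            children[w].append(t)
    targets = {t for kids in children.values() for t in kids}
    roots = [p for p in children if p not in targets]
    return dict(children), roots


def render(text, names=NAMES):
    """Indented one-line-per-process view of the tree."""
    children, roots = build_tree(text)
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{pid} {names.get(pid, '?')}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    for (w, t), n in edge_counts(ROWS).items():
        print(f"{w} -> {t}: {n} events")
    print("\n".join(render(ROWS)))
```

When triaging a report with a large WriteProcessMemory table, look for pairs whose count or target is not explained by a CreateProcess edge in the process tree; those are the candidates for real injection.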
Processes
The submitted sample drops two executables into %AppData%, and the Quasar client re-installs itself into the config's AutoClicker subdirectory before registering the logon task a second time. schtasks.exe runs from SysWOW64, which means the 32-bit client is being redirected by WoW64 on this x64 image.

C:\Users\Admin\AppData\Local\Temp\SkyClicker.exe (PID 3056)
  command line: "C:\Users\Admin\AppData\Local\Temp\SkyClicker.exe"
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\SkyClickerUpdate.exe (PID 756)
      command line: "C:\Users\Admin\AppData\Roaming\SkyClickerUpdate.exe"
      - Executes dropped EXE
    C:\Users\Admin\AppData\Roaming\Skys AutoClicker.exe (PID 4824)
      command line: "C:\Users\Admin\AppData\Roaming\Skys AutoClicker.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\schtasks.exe (PID 5064)
          command line: "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Skys AutoClicker.exe" /rl HIGHEST /f
          - Creates scheduled task(s)
        C:\Users\Admin\AppData\Roaming\AutoClicker\AutoClicker.exe (PID 392)
          command line: "C:\Users\Admin\AppData\Roaming\AutoClicker\AutoClicker.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\schtasks.exe (PID 3276)
              command line: "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\AutoClicker\AutoClicker.exe" /rl HIGHEST /f
              - Creates scheduled task(s)
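The two schtasks lines in the tree are the usual Quasar persistence shape: a logon trigger, /rl HIGHEST, /f, a task name borrowed from a real vendor ("Java Updater", the config's startup_key) and a target under %AppData%. The Python below is an added example, not anything from the report: it parses schtasks command lines out of process-creation events and scores them on those traits. The events are constructed; the two malicious command lines are copied from the tree above with the report's PIDs, and the benign Google Update task is invented as a control. The vendor word list, directory lists and the threshold of three traits are our own choices.

```python
import re

# Constructed process-creation events. The first two command lines are the
# ones from the process tree above (PIDs as in the report); the third is a
# made-up benign updater task used as a control.
EVENTS = [
    {"pid": 5064, "ppid": 4824, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Skys AutoClicker.exe" /rl HIGHEST /f'},
    {"pid": 3276, "ppid": 392, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\AutoClicker\AutoClicker.exe" /rl HIGHEST /f'},
    {"pid": 6100, "ppid": 1200, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "GoogleUpdateTaskMachineUA" /sc DAILY /st 12:00 /tr "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua"'},
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Heuristic lists chosen for this example; tune them for your estate.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows\\")
VENDOR_WORDS = ("java", "adobe", "google", "microsoft", "windows", "chrome", "office")


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted runs together
    and stripping the quotes (enough for schtasks; not a full CommandLineToArgv)."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


def parse_schtasks(cmdline):
    """Return {switch: value} for a schtasks command line, or None if the
    program is not schtasks. Switch names are lower-cased without the slash;
    switches that take no value map to True."""
    toks = tokenize(cmdline)
    if not toks or toks[0].rsplit("\\", 1)[-1].lower() not in ("schtasks", "schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            has_value = i + 1 < len(toks) and not toks[i + 1].startswith("/")
            opts[key] = toks[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            i += 1
    return opts


def findings(cmdline):
    """Traits of a 'schtasks /create' that point at RAT-style persistence."""
    opts = parse_schtasks(cmdline)
    if not opts or "create" not in opts:
        return []
    target = opts.get("tr") if isinstance(opts.get("tr"), str) else ""
    name = opts.get("tn") if isinstance(opts.get("tn"), str) else ""
    target_l, name_l = target.lower(), name.lower()
    out = []
    if any(d in target_l for d in USER_WRITABLE):
        out.append("target lives in a user-writable directory")
    if str(opts.get("sc", "")).upper() in ("ONLOGON", "ONSTART"):
        out.append("logon/boot trigger")
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        out.append("runs with highest available privileges")
    if any(v in name_l for v in VENDOR_WORDS) and not target_l.startswith(TRUSTED_ROOTS):
        out.append("vendor-style task name but target outside Program Files/Windows")
    if opts.get("f") is True:
        out.append("/f: silently overwrites an existing task of the same name")
    return out


def scan(events, threshold=3):
    """pid -> (suspicious, findings); suspicious when at least `threshold` traits hit."""
    results = {}
    for ev in events:
        hits = findings(ev["cmdline"])
        results[ev["pid"]] = (len(hits) >= threshold, hits)
    return results


if __name__ == "__main__":
    for pid, (suspicious, hits) in scan(EVENTS).items():
        print(pid, "SUSPICIOUS" if suspicious else "ok", hits)
```

/f and a vendor-style name are common in legitimate installers, which is why the verdict needs several traits together; a target under %AppData% combined with ONLOGON and /rl HIGHEST is the combination worth alerting on. The same logic ports directly to a SIEM rule over Sysmon event 1 or Security event 4688 command lines.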
Network
MITRE ATT&CK Enterprise v15
Downloads
Two distinct files appear in the downloads list; the original page repeats the 611KB entry five times and the 258KB entry three times with identical hashes, so each is listed once here.
- Filesize: 611KB
  MD5: 404ff5f5505d295755a32bcb659f822c
  SHA1: cec19696a9f6b0b49fe7486a13a832306657a26d
  SHA256: c60bb9619232051d996595dfc8919562b5814a5f1c3ebe06022d6c1aa21d053d
  SHA512: d37de98166385eefeb064df6bbfa7457c8ebd4ae19b360cd897042a0b6079bc8038569b9fdaf4efde04f722a1a34b7e498fae82828cdc4646c342ef8963391c4
- Filesize: 258KB
  MD5: 4cc67fd222248aef648e6fa803c918c4
  SHA1: 0e614d4b57fa433f39d1fca128e19b52aaf7de02
  SHA256: c8e137290f940dc4ef1b1acb2a1745cf59d335681ef3d32e199bffad639fc0f3
  SHA512: 518d9f91a41fb10efc08bd02447982f11654c2f131e96527dbee8dabe0a6ff4123cf210ae20ddfaab54796d57f033be7c31afe2926e239ff0a0d218f43052fa5