Analysis
max time kernel: 156s
max time network: 167s
platform: windows11-21h2_x64
resource: win11-20231128-en
resource tags: arch:x64, arch:x86, image:win11-20231128-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 01-12-2023 05:13
General
Target: loldestroyer.exe
Size: 3.1MB
MD5: fd19dff19426de33ff1b16ea4ba48b55
SHA1: 45200a4b3f66eca4374e7efe40ae08775b1716b6
SHA256: 48c104cd33329e1faf768c90d9dbd6dee4e820ee61c647ab1597941cdae5a476
SHA512: 260a1a3058216e91e687f630d3bdf12cb55e506b2caa53ab7a6518cb1437405e6e00fee10bb5988b40fb84cf714817a68ab81678a36b889a72e9720c770d6241
SSDEEP: 49152:ivBt62XlaSFNWPjljiFa2RoUYIUpw2bR00LoGdQTHHB72eh2NT:ivr62XlaSFNWPjljiFXRoUYIUpwh6
Malware Config
Extracted
quasar
1.4.1
Office04
2.tcp.us-cal-1.ngrok.io:11792
831d9989-b01a-4dcf-bf1b-dfc5c9ff4d48
encryption_key: EB1C9E3AFC9D36808D51DFE00497AE60B97F0817
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: epic
subdirectory: SubDir
Signatures
Quasar payload (3 IoCs)
resource / yara_rule:
- behavioral1/memory/1716-0-0x0000000000690000-0x00000000009B4000-memory.dmp | family_quasar
- behavioral1/files/0x000300000002a7ed-6.dat | family_quasar
- behavioral1/files/0x000300000002a7ed-8.dat | family_quasar
Executes dropped EXE (1 IoC)
pid / Process:
- 2972 | Client.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Drops file in System32 directory (5 IoCs)
description / ioc / Process:
- File opened for modification | C:\Windows\system32\SubDir | loldestroyer.exe
- File opened for modification | C:\Windows\system32\SubDir\Client.exe | Client.exe
- File opened for modification | C:\Windows\system32\SubDir | Client.exe
- File created | C:\Windows\system32\SubDir\Client.exe | loldestroyer.exe
- File opened for modification | C:\Windows\system32\SubDir\Client.exe | loldestroyer.exe
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process:
- 5080 | schtasks.exe
- 3672 | schtasks.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege | 1716 | loldestroyer.exe
- Token: SeDebugPrivilege | 2972 | Client.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid / Process:
- 2972 | Client.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description / pid / Process / procid_target:
- PID 1716 wrote to memory of 5080 | 1716 | loldestroyer.exe | 81
- PID 1716 wrote to memory of 5080 | 1716 | loldestroyer.exe | 81
- PID 1716 wrote to memory of 2972 | 1716 | loldestroyer.exe | 83
- PID 1716 wrote to memory of 2972 | 1716 | loldestroyer.exe | 83
- PID 2972 wrote to memory of 3672 | 2972 | Client.exe | 84
- PID 2972 wrote to memory of 3672 | 2972 | Client.exe | 84
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\loldestroyer.exe "C:\Users\Admin\AppData\Local\Temp\loldestroyer.exe" (PID:1716)
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\schtasks.exe "schtasks" /create /tn "epic" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f (PID:5080)
    - Creates scheduled task(s)
  - C:\Windows\system32\SubDir\Client.exe "C:\Windows\system32\SubDir\Client.exe" (PID:2972)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\schtasks.exe "schtasks" /create /tn "epic" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f (PID:3672)
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.1MB
MD5: fd19dff19426de33ff1b16ea4ba48b55
SHA1: 45200a4b3f66eca4374e7efe40ae08775b1716b6
SHA256: 48c104cd33329e1faf768c90d9dbd6dee4e820ee61c647ab1597941cdae5a476
SHA512: 260a1a3058216e91e687f630d3bdf12cb55e506b2caa53ab7a6518cb1437405e6e00fee10bb5988b40fb84cf714817a68ab81678a36b889a72e9720c770d6241