Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-12-2023 16:50
- Static task: static1
- Behavioral task: behavioral1
- Sample: 61d8551b55b55b3d929e2281362b9513.exe
- Resource: win7-20231215-en
General
- Target: 61d8551b55b55b3d929e2281362b9513.exe
- Size: 1.3MB
- MD5: 61d8551b55b55b3d929e2281362b9513
- SHA1: 3e140d3c4e8e261bd5ff3308bbf0d03cb288f278
- SHA256: 61ac9f591b1d67f0c954049d2e6d15cebf213055d6ed6ee0cada7a1f295b1b96
- SHA512: c093444f4dcc78db595e42322e463747d980b2dbd6a51a88ac620d9728e4c457e9656777a624302a123fafd473a3b374d5d9cfe3b0f0e755695fb9ffc95e731c
- SSDEEP: 24576:q9cIUWY2lnQrwrAXnKGc0tCaZWgz9L1jFo9teFGLIEQ9YmChH5YvdVaCUmNz5:5dvAwdnKutCaZWgzVJa9t6GkEAW9KaC
Malware Config
Extracted (family: quasar)
- 1.3.0.0
- Office04
- 0.tcp.ngrok.io:14530
- QSR_MUTEX_w8Mfgcdxl7hldMH2pY
- encryption_key: zYcujUQPEU4C2FHrr1HG
- install_name: Diciple Cheats Loader-Protected.exe
- log_directory: Key Strokes
- reconnect_delay: 3000
- startup_key: svhost.exe
- subdirectory: SubDir
Signatures

Quasar payload (4 IoCs)
  resource | yara_rule
  behavioral2/memory/4932-1-0x0000000001000000-0x0000000001400000-memory.dmp | family_quasar
  behavioral2/memory/4932-17-0x0000000001000000-0x0000000001400000-memory.dmp | family_quasar
  behavioral2/memory/3100-18-0x0000000000BB0000-0x0000000000FB0000-memory.dmp | family_quasar
  behavioral2/memory/3100-20-0x0000000000BB0000-0x0000000000FB0000-memory.dmp | family_quasar

Executes dropped EXE (1 IoCs)
  pid | Process
  3100 | Diciple Cheats Loader-Protected.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  28 | ip-api.com

Drops file in System32 directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\SubDir\Diciple Cheats Loader-Protected.exe | 61d8551b55b55b3d929e2281362b9513.exe
  File opened for modification | C:\Windows\SysWOW64\SubDir\Diciple Cheats Loader-Protected.exe | 61d8551b55b55b3d929e2281362b9513.exe
  File opened for modification | C:\Windows\SysWOW64\SubDir\Diciple Cheats Loader-Protected.exe | Diciple Cheats Loader-Protected.exe
  File opened for modification | C:\Windows\SysWOW64\SubDir | Diciple Cheats Loader-Protected.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (41 IoCs)
  pid | Process
  4932 | 61d8551b55b55b3d929e2281362b9513.exe (2 entries)
  3100 | Diciple Cheats Loader-Protected.exe (all remaining entries)

Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  880 | schtasks.exe
  4064 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4932 | 61d8551b55b55b3d929e2281362b9513.exe
  Token: SeDebugPrivilege | 3100 | Diciple Cheats Loader-Protected.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  4932 | 61d8551b55b55b3d929e2281362b9513.exe
  3100 | Diciple Cheats Loader-Protected.exe
  3100 | Diciple Cheats Loader-Protected.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 4932 wrote to memory of 880 | 4932 | 61d8551b55b55b3d929e2281362b9513.exe | 93
  PID 4932 wrote to memory of 880 | 4932 | 61d8551b55b55b3d929e2281362b9513.exe | 93
  PID 4932 wrote to memory of 880 | 4932 | 61d8551b55b55b3d929e2281362b9513.exe | 93
  PID 4932 wrote to memory of 3100 | 4932 | 61d8551b55b55b3d929e2281362b9513.exe | 95
  PID 4932 wrote to memory of 3100 | 4932 | 61d8551b55b55b3d929e2281362b9513.exe | 95
  PID 4932 wrote to memory of 3100 | 4932 | 61d8551b55b55b3d929e2281362b9513.exe | 95
  PID 3100 wrote to memory of 4064 | 3100 | Diciple Cheats Loader-Protected.exe | 96
  PID 3100 wrote to memory of 4064 | 3100 | Diciple Cheats Loader-Protected.exe | 96
  PID 3100 wrote to memory of 4064 | 3100 | Diciple Cheats Loader-Protected.exe | 96
Processes

[1] C:\Users\Admin\AppData\Local\Temp\61d8551b55b55b3d929e2281362b9513.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\61d8551b55b55b3d929e2281362b9513.exe"
    PID: 4932
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\schtasks.exe
        Command line: "schtasks" /create /tn "svhost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\61d8551b55b55b3d929e2281362b9513.exe" /rl HIGHEST /f
        PID: 880
        - Creates scheduled task(s)

    [2] C:\Windows\SysWOW64\SubDir\Diciple Cheats Loader-Protected.exe
        Command line: "C:\Windows\SysWOW64\SubDir\Diciple Cheats Loader-Protected.exe"
        PID: 3100
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: "schtasks" /create /tn "svhost.exe" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Diciple Cheats Loader-Protected.exe" /rl HIGHEST /f
            PID: 4064
            - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.3MB
- MD5: 61d8551b55b55b3d929e2281362b9513
- SHA1: 3e140d3c4e8e261bd5ff3308bbf0d03cb288f278
- SHA256: 61ac9f591b1d67f0c954049d2e6d15cebf213055d6ed6ee0cada7a1f295b1b96
- SHA512: c093444f4dcc78db595e42322e463747d980b2dbd6a51a88ac620d9728e4c457e9656777a624302a123fafd473a3b374d5d9cfe3b0f0e755695fb9ffc95e731c