Analysis
- max time kernel: 130s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 30/03/2024, 02:02
Behavioral task: behavioral1
- Sample: Hunters Cheeto.exe
- Resource: win7-20240221-en
General
- Target: Hunters Cheeto.exe
- Size: 3.1MB
- MD5: 7564f035316f6099b1ef442c007fb351
- SHA1: 6f4530ab0c6d42632a6be94d1d670e0ae5da4f1d
- SHA256: f26e49e9ee43830c241200161ca59ddec1ac840745ce73a3d9163c190f41824c
- SHA512: 23d74bdaab5a8916a7d7f5dd3a95b92774a93897f3be6d7021be92974400cd1c2bea90de3ff258bc9fbef4e6ef261bf79de6cde795f1f86a871c00c5b034f1e9
- SSDEEP: 49152:rvrI22SsaNYfdPBldt698dBcjHc4mGmzwLoGdhTHHB72eh2NT:rvU22SsaNYfdPBldt6+dBcjHc4mS
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- spoofer
- 192.168.1.9:4782
- 47.13.251.179:4782
- a3394281-6ed5-43a7-afb3-ef307491a25e
- encryption_key: 1D21D2117C53149BFE9297D912388D2A8EE0417B
- install_name: Graphics.exe
- log_directory: l
- reconnect_delay: 3000
- startup_key: AMD
- subdirectory: AMD
Signatures
- Quasar payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/2484-0-0x0000000000290000-0x00000000005B4000-memory.dmp | family_quasar
  behavioral1/files/0x000c0000000132c6-6.dat | family_quasar
  behavioral1/memory/2552-9-0x0000000001340000-0x0000000001664000-memory.dmp | family_quasar
- Executes dropped EXE (1 IoC)
  pid 2552 Graphics.exe
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2496 schtasks.exe
  pid 2632 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid 2476 taskmgr.exe (16 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token SeDebugPrivilege: pid 2484 Hunters Cheeto.exe
  Token SeDebugPrivilege: pid 2552 Graphics.exe
  Token SeDebugPrivilege: pid 2476 taskmgr.exe
- Suspicious use of FindShellTrayWindow (42 IoCs)
  pid 2476 taskmgr.exe (42 occurrences)
- Suspicious use of SendNotifyMessage (42 IoCs)
  pid 2476 taskmgr.exe (42 occurrences)
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 2552 Graphics.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2484 (Hunters Cheeto.exe) wrote to memory of 2496, procid_target 28 (3 occurrences)
  PID 2484 (Hunters Cheeto.exe) wrote to memory of 2552, procid_target 30 (3 occurrences)
  PID 2552 (Graphics.exe) wrote to memory of 2632, procid_target 31 (3 occurrences)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Hunters Cheeto.exe (depth 1, PID 2484)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Hunters Cheeto.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\schtasks.exe (depth 2, PID 2496)
    Command line: "schtasks" /create /tn "AMD" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\AMD\Graphics.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Roaming\AMD\Graphics.exe (depth 2, PID 2552)
    Command line: "C:\Users\Admin\AppData\Roaming\AMD\Graphics.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (depth 3, PID 2632)
      Command line: "schtasks" /create /tn "AMD" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\AMD\Graphics.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
- C:\Windows\system32\taskmgr.exe (depth 1, PID 2476)
  Command line: "C:\Windows\system32\taskmgr.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15