Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/03/2024, 02:02
Behavioral task: behavioral1
Sample: Hunters Cheeto.exe
Resource: win7-20240221-en
General
Target: Hunters Cheeto.exe
Size: 3.1MB
MD5: 7564f035316f6099b1ef442c007fb351
SHA1: 6f4530ab0c6d42632a6be94d1d670e0ae5da4f1d
SHA256: f26e49e9ee43830c241200161ca59ddec1ac840745ce73a3d9163c190f41824c
SHA512: 23d74bdaab5a8916a7d7f5dd3a95b92774a93897f3be6d7021be92974400cd1c2bea90de3ff258bc9fbef4e6ef261bf79de6cde795f1f86a871c00c5b034f1e9
SSDEEP: 49152:rvrI22SsaNYfdPBldt698dBcjHc4mGmzwLoGdhTHHB72eh2NT:rvU22SsaNYfdPBldt6+dBcjHc4mS
Malware Config
Extracted:
  quasar
  1.4.1
  spoofer
  192.168.1.9:4782
  47.13.251.179:4782
  a3394281-6ed5-43a7-afb3-ef307491a25e
  encryption_key: 1D21D2117C53149BFE9297D912388D2A8EE0417B
  install_name: Graphics.exe
  log_directory: l
  reconnect_delay: 3000
  startup_key: AMD
  subdirectory: AMD
Signatures

Quasar payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/5004-0-0x0000000000940000-0x0000000000C64000-memory.dmp | family_quasar
  behavioral2/files/0x000700000002320f-6.dat | family_quasar

Executes dropped EXE (1 IoC)
  pid | Process
  4876 | Graphics.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2868 | schtasks.exe
  2016 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 5004 | Hunters Cheeto.exe
  Token: SeDebugPrivilege | 4876 | Graphics.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  4876 | Graphics.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 5004 wrote to memory of 2868 | 5004 | Hunters Cheeto.exe | 88
  PID 5004 wrote to memory of 2868 | 5004 | Hunters Cheeto.exe | 88
  PID 5004 wrote to memory of 4876 | 5004 | Hunters Cheeto.exe | 90
  PID 5004 wrote to memory of 4876 | 5004 | Hunters Cheeto.exe | 90
  PID 4876 wrote to memory of 2016 | 4876 | Graphics.exe | 93
  PID 4876 wrote to memory of 2016 | 4876 | Graphics.exe | 93

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

1. C:\Users\Admin\AppData\Local\Temp\Hunters Cheeto.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Hunters Cheeto.exe"
   PID: 5004
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks" /create /tn "AMD" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\AMD\Graphics.exe" /rl HIGHEST /f
      PID: 2868
      - Creates scheduled task(s)

   2. C:\Users\Admin\AppData\Roaming\AMD\Graphics.exe
      Command line: "C:\Users\Admin\AppData\Roaming\AMD\Graphics.exe"
      PID: 4876
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SYSTEM32\schtasks.exe
         Command line: "schtasks" /create /tn "AMD" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\AMD\Graphics.exe" /rl HIGHEST /f
         PID: 2016
         - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.1MB
MD5: 7564f035316f6099b1ef442c007fb351
SHA1: 6f4530ab0c6d42632a6be94d1d670e0ae5da4f1d
SHA256: f26e49e9ee43830c241200161ca59ddec1ac840745ce73a3d9163c190f41824c
SHA512: 23d74bdaab5a8916a7d7f5dd3a95b92774a93897f3be6d7021be92974400cd1c2bea90de3ff258bc9fbef4e6ef261bf79de6cde795f1f86a871c00c5b034f1e9