Analysis
-
max time kernel
141s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
16-04-2024 15:27
Behavioral task
behavioral1
Sample
2024-04-16_bc03059f709594662ca9f9f0e33bc7bd_icedid_xrat.exe
Resource
win7-20240221-en
General
-
Target
2024-04-16_bc03059f709594662ca9f9f0e33bc7bd_icedid_xrat.exe
-
Size
4.7MB
-
MD5
bc03059f709594662ca9f9f0e33bc7bd
-
SHA1
b7dc7b3175d7d99714280629c232788f7a7b8e18
-
SHA256
5855aec848037736bc17bb493f326b5354022bba6c3767755dc8a415adc34e2d
-
SHA512
60e44dd84172edb91e0d17b9cdd6feadc81502667c0316c7c5bd760d425e667cf2b05e648f7d68aead2911cd4dd28775866cea7e96101fd1514bb183f8514dac
-
SSDEEP
98304:yCu0aTxAvr22SsaNYfdPBldt6+dBcjHtKRJ6BrIbzZ6IbzZR:TaN+M7jGI0Hj
Malware Config
Extracted
quasar
1.4.1
Office04
mx5.deitie.asia:4495
ebbf737a-dddd-43dd-9b0a-74831302455d
-
encryption_key
F8516D89A1DFD78BD8FF575BBC3AE828B47FF0E1
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe family_quasar behavioral2/memory/2532-4-0x0000000000D20000-0x0000000001044000-memory.dmp family_quasar -
Detects Windows executables referencing non-Windows User-Agents 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA behavioral2/memory/2532-4-0x0000000000D20000-0x0000000001044000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA -
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe INDICATOR_SUSPICIOUS_Binary_References_Browsers behavioral2/memory/2532-4-0x0000000000D20000-0x0000000001044000-memory.dmp INDICATOR_SUSPICIOUS_Binary_References_Browsers -
Detects executables containing common artifacts observed in infostealers 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe INDICATOR_SUSPICIOUS_GENInfoStealer behavioral2/memory/2532-4-0x0000000000D20000-0x0000000001044000-memory.dmp INDICATOR_SUSPICIOUS_GENInfoStealer -
Drops startup file 1 IoCs
Processes:
2024-04-16_bc03059f709594662ca9f9f0e33bc7bd_icedid_xrat.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe 2024-04-16_bc03059f709594662ca9f9f0e33bc7bd_icedid_xrat.exe -
Executes dropped EXE 2 IoCs
Processes:
sign.exeClient.exepid process 2532 sign.exe 2300 Client.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 3480 schtasks.exe 3652 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
2024-04-16_bc03059f709594662ca9f9f0e33bc7bd_icedid_xrat.exepid process 3108 2024-04-16_bc03059f709594662ca9f9f0e33bc7bd_icedid_xrat.exe 3108 2024-04-16_bc03059f709594662ca9f9f0e33bc7bd_icedid_xrat.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
sign.exeClient.exedescription pid process Token: SeDebugPrivilege 2532 sign.exe Token: SeDebugPrivilege 2300 Client.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
2024-04-16_bc03059f709594662ca9f9f0e33bc7bd_icedid_xrat.exepid process 3108 2024-04-16_bc03059f709594662ca9f9f0e33bc7bd_icedid_xrat.exe 3108 2024-04-16_bc03059f709594662ca9f9f0e33bc7bd_icedid_xrat.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
2024-04-16_bc03059f709594662ca9f9f0e33bc7bd_icedid_xrat.exesign.exeClient.exedescription pid process target process PID 3108 wrote to memory of 2532 3108 2024-04-16_bc03059f709594662ca9f9f0e33bc7bd_icedid_xrat.exe sign.exe PID 3108 wrote to memory of 2532 3108 2024-04-16_bc03059f709594662ca9f9f0e33bc7bd_icedid_xrat.exe sign.exe PID 2532 wrote to memory of 3480 2532 sign.exe schtasks.exe PID 2532 wrote to memory of 3480 2532 sign.exe schtasks.exe PID 2532 wrote to memory of 2300 2532 sign.exe Client.exe PID 2532 wrote to memory of 2300 2532 sign.exe Client.exe PID 2300 wrote to memory of 3652 2300 Client.exe schtasks.exe PID 2300 wrote to memory of 3652 2300 Client.exe schtasks.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-16_bc03059f709594662ca9f9f0e33bc7bd_icedid_xrat.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-16_bc03059f709594662ca9f9f0e33bc7bd_icedid_xrat.exe"1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3108 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\sign.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
PID:3480 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
PID:3652
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:81⤵PID:1244
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD57498d554976744dfbd271ba755c6c192
SHA1ec733d01e776518e387d2f51d1a6559b81f03b1e
SHA25644089202623b9671051aa5bba5e72f81f68ce818c3054dde57726aaa6dcb9ff7
SHA512d4e987d0e6235001fac4ae3a634e8fe98c6830e26a6a6876fbc36262842688d3ec301cff75003d2af695cdfd357ac50919946695b7d5d3293ebcba97153e1030