Analysis
max time kernel: 130s
max time network: 138s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 20-04-2024 07:39
General
Target: experimentingnew.exe
Size: 3.1MB
MD5: 399bbb3dc58bcc8cc2fe9aef9a3ebac5
SHA1: 37be03a9765a8b321c0ddf2ff00acdb106502b7b
SHA256: 821f6a7afc4b55e5b636deb590d71b6e5807ad2875cb7feca4e47e1dec7c3d98
SHA512: 98e70c54329089015535e30f32006ef8731e69dd32234590ef7f8388403cd68e86c5a4030083f8c510c46c7d0f995fe3a9a82db01a0b6fc288ea7eb5db5fa64f
SSDEEP: 49152:LvXlL26AaNeWgPhlmVqvMQ7XSKkZxNESEYk/iMLoGdHCTHHB72eh2NT:LvVL26AaNeWgPhlmVqkQ7XSKex/S3
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: 0.tcp.eu.ngrok.io:15209
Mutex: 2c47ae55-417f-4523-8ffe-361bacffde6b
encryption_key: 5921775375700E0556963615862881AFA90D9F9F
install_name: Microsoft Windows Search Indexer.exe
log_directory: Discord
reconnect_delay: 3000
startup_key: Runtime Broker
subdirectory: svchost
Signatures

Quasar payload 2 IoCs
Processes:
  resource | yara_rule
  behavioral1/memory/2900-0-0x0000000000A00000-0x0000000000D24000-memory.dmp | family_quasar
  C:\Users\Admin\AppData\Roaming\svchost\Microsoft Windows Search Indexer.exe | family_quasar
Drops file in Drivers directory 1 IoCs
Processes: Microsoft Windows Search Indexer.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\drivers\mbamtestfile.dat | Microsoft Windows Search Indexer.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: Microsoft Windows Search Indexer.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | Microsoft Windows Search Indexer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Microsoft Windows Search Indexer.exe
Executes dropped EXE 2 IoCs
Processes: Microsoft Windows Search Indexer.exe
  pid | process
  1060 | Microsoft Windows Search Indexer.exe
  2300 | Microsoft Windows Search Indexer.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
Drops file in Program Files directory 1 IoCs
Processes: Microsoft Windows Search Indexer.exe
  description | ioc | process
  File created | C:\Program Files (x86)\mbamtestfile.dat | Microsoft Windows Search Indexer.exe
Drops file in Windows directory 2 IoCs
Processes: taskmgr.exe
  description | ioc | process
  File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | taskmgr.exe
  File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | taskmgr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe
  pid | process
  4640 | schtasks.exe
  4468 | schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes: taskmgr.exe, Microsoft Windows Search Indexer.exe
  pid | process
  2440 | taskmgr.exe (29 entries)
  2300 | Microsoft Windows Search Indexer.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes: experimentingnew.exe, Microsoft Windows Search Indexer.exe, taskmgr.exe
  description | pid | process
  Token: SeDebugPrivilege | 2900 | experimentingnew.exe
  Token: SeDebugPrivilege | 1060 | Microsoft Windows Search Indexer.exe
  Token: SeDebugPrivilege | 2440 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 2440 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 2440 | taskmgr.exe
  Token: 33 | 2440 | taskmgr.exe
  Token: SeIncBasePriorityPrivilege | 2440 | taskmgr.exe
Suspicious use of FindShellTrayWindow 55 IoCs
Processes: taskmgr.exe, Microsoft Windows Search Indexer.exe
  pid | process
  2440 | taskmgr.exe (54 entries)
  2300 | Microsoft Windows Search Indexer.exe (1 entry)
Suspicious use of SendNotifyMessage 54 IoCs
Processes: taskmgr.exe
  pid | process
  2440 | taskmgr.exe (54 entries)
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: Microsoft Windows Search Indexer.exe
  pid | process
  1060 | Microsoft Windows Search Indexer.exe
Suspicious use of WriteProcessMemory 17 IoCs
Processes: experimentingnew.exe, Microsoft Windows Search Indexer.exe, cmd.exe
  description | pid | process | target process
  PID 2900 wrote to memory of 4640 | 2900 | experimentingnew.exe | schtasks.exe (2 entries)
  PID 2900 wrote to memory of 1060 | 2900 | experimentingnew.exe | Microsoft Windows Search Indexer.exe (2 entries)
  PID 1060 wrote to memory of 4468 | 1060 | Microsoft Windows Search Indexer.exe | schtasks.exe (2 entries)
  PID 1060 wrote to memory of 4084 | 1060 | Microsoft Windows Search Indexer.exe | cmd.exe (2 entries)
  PID 1060 wrote to memory of 4124 | 1060 | Microsoft Windows Search Indexer.exe | schtasks.exe (2 entries)
  PID 4084 wrote to memory of 3792 | 4084 | cmd.exe | chcp.com (2 entries)
  PID 4084 wrote to memory of 4880 | 4084 | cmd.exe | PING.EXE (2 entries)
  PID 4084 wrote to memory of 2300 | 4084 | cmd.exe | Microsoft Windows Search Indexer.exe (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indented by parent/child nesting)

C:\Users\Admin\AppData\Local\Temp\experimentingnew.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\experimentingnew.exe"
  PID: 2900
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\svchost\Microsoft Windows Search Indexer.exe" /rl HIGHEST /f
    PID: 4640
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Roaming\svchost\Microsoft Windows Search Indexer.exe
    Command line: "C:\Users\Admin\AppData\Roaming\svchost\Microsoft Windows Search Indexer.exe"
    PID: 1060
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\svchost\Microsoft Windows Search Indexer.exe" /rl HIGHEST /f
      PID: 4468
      - Creates scheduled task(s)

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ViF7BHIzsl6O.bat" "
      PID: 4084
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\chcp.com
        Command line: chcp 65001
        PID: 3792

      C:\Windows\system32\PING.EXE
        Command line: ping -n 10 localhost
        PID: 4880
        - Runs ping.exe

      C:\Users\Admin\AppData\Roaming\svchost\Microsoft Windows Search Indexer.exe
        Command line: "C:\Users\Admin\AppData\Roaming\svchost\Microsoft Windows Search Indexer.exe"
        PID: 2300
        - Drops file in Drivers directory
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow

    C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks" /delete /tn "Runtime Broker" /f
      PID: 4124

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1476

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 2440
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 466B
MD5: 9cacb3eda6512b3317c2266f3cb6bb68
SHA1: 45a29ce93dc697b97f667b4e38721a59b3c2ad15
SHA256: 86e4c8382264bdb53077a3125525b689f35a850ed0f300a90cc3174e1f6c95b6
SHA512: d8f898455cf1d16e846a8b6948bb85e764b64d4bb64dff8a12dde95344d4b072407639bc3a1ff3087e110570a5db24a9bdfdb9eb8d6cb32041c74b82006d182e

Filesize: 2.5MB
MD5: 1e885823577394ea61ea89438ffe2954
SHA1: e53e96f7374790bdad8a614949b398b055c3a27b
SHA256: 7c0b9bceed390f7f28135431c09ac51469ee8e2b8095fb36a37315d811d9ba9c
SHA512: 73f600833dad0047b6444110d722dc95237b38bb486abc7fc8e4f59b69e2154c885fb46d65f488d5139a0b6e76ebde33ea72711c7f58436650ef992fb8995627

Filesize: 3.1MB
MD5: 399bbb3dc58bcc8cc2fe9aef9a3ebac5
SHA1: 37be03a9765a8b321c0ddf2ff00acdb106502b7b
SHA256: 821f6a7afc4b55e5b636deb590d71b6e5807ad2875cb7feca4e47e1dec7c3d98
SHA512: 98e70c54329089015535e30f32006ef8731e69dd32234590ef7f8388403cd68e86c5a4030083f8c510c46c7d0f995fe3a9a82db01a0b6fc288ea7eb5db5fa64f