Analysis
-
max time kernel: 135s
-
max time network: 140s
-
platform: windows10-1703_x64
-
resource: win10-20240404-en
-
resource tags: arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
-
submitted: 21-04-2024 00:25
Behavioral task
behavioral1
Sample
schvine.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
schvine.exe
Resource
win10v2004-20240412-en
General
-
Target
schvine.exe
-
Size
3.1MB
-
MD5
77c7750e215b1a45430ebeecc5973d14
-
SHA1
5bdcb97d5b0f6520d03f76fd6879c092da44b2fe
-
SHA256
9aa555e008f1af5330fc5362a4f024115185c896a8409d55559442b5d2a439af
-
SHA512
954bb9f6a52bd5ff4924fdeae991440e7b6ad51aba000be8fe1100ed44616fba87bb9ba3feda0376e82e68990fcc21063f3a7c5a29e0d3c17bf1676c1cc3ff1e
-
SSDEEP
49152:Dvkt62XlaSFNWPjljiFa2RoUYIBVuh9LoGdRdTHHB72eh2NT:Dv462XlaSFNWPjljiFXRoUYIBVuh1
Malware Config
Extracted
quasar
1.4.1
SLAVE
uk2.localto.net:38035
cc0a2b76-665e-4e16-b318-5ee02270fbcd
-
encryption_key
D7F09F1F0B9CECC640BA0B3D8975FBE5CED725B5
-
install_name
UpdateHost.exe
-
log_directory
Error Logs
-
reconnect_delay
3000
-
startup_key
WOS64
-
subdirectory
Windows
Signatures
-
Quasar payload 2 IoCs
Processes:
resource: behavioral1/memory/3692-0-0x0000000000640000-0x0000000000964000-memory.dmp
yara_rule: family_quasar
resource: C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
yara_rule: family_quasar
-
Executes dropped EXE 1 IoCs
Processes:
pid 4916 UpdateHost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid 4356 schtasks.exe
pid 4696 schtasks.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Token: SeDebugPrivilege, pid 3692 schvine.exe
Token: SeDebugPrivilege, pid 4916 UpdateHost.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid 4916 UpdateHost.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes (source PID, source process, target PID, target process):
PID 3692 schvine.exe wrote to memory of 4356 schtasks.exe
PID 3692 schvine.exe wrote to memory of 4356 schtasks.exe
PID 3692 schvine.exe wrote to memory of 4916 UpdateHost.exe
PID 3692 schvine.exe wrote to memory of 4916 UpdateHost.exe
PID 4916 UpdateHost.exe wrote to memory of 4696 schtasks.exe
PID 4916 UpdateHost.exe wrote to memory of 4696 schtasks.exe
PID 4916 UpdateHost.exe wrote to memory of 2992 schtasks.exe
PID 4916 UpdateHost.exe wrote to memory of 2992 schtasks.exe
PID 4916 UpdateHost.exe wrote to memory of 520 cmd.exe
PID 4916 UpdateHost.exe wrote to memory of 520 cmd.exe
PID 520 cmd.exe wrote to memory of 2932 chcp.com
PID 520 cmd.exe wrote to memory of 2932 chcp.com
PID 520 cmd.exe wrote to memory of 1868 PING.EXE
PID 520 cmd.exe wrote to memory of 1868 PING.EXE
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indented by process-tree level)
-
(level 1) C:\Users\Admin\AppData\Local\Temp\schvine.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\schvine.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  (level 2) C:\Windows\SYSTEM32\schtasks.exe
    command line: "schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  -
  (level 2) C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
    command line: "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    -
    (level 3) C:\Windows\SYSTEM32\schtasks.exe
      command line: "schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
    -
    (level 3) C:\Windows\SYSTEM32\schtasks.exe
      command line: "schtasks" /delete /tn "WOS64" /f
    -
    (level 3) C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZLyzMrWjUif9.bat" "
      - Suspicious use of WriteProcessMemory
      -
      (level 4) C:\Windows\system32\chcp.com
        command line: chcp 65001
      -
      (level 4) C:\Windows\system32\PING.EXE
        command line: ping -n 10 localhost
        - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ZLyzMrWjUif9.bat
Filesize: 216B
MD5: 173696b3f94ef587b2f64986ebcec601
SHA1: 2b40616b1dd8927989e730bbfc03ee8ff0cf609c
SHA256: 574d7eb43d9d85f9ae765206eeb9f50157090bd8c130c036c537f88603a5aa1b
SHA512: 49c078ae4c5fb6329118b6c6f06b55498c611c6c3651491af0284a3e5b09e761a48eae25c16d6f5ba2f2a94e6739c6cdd17085c6fa236d4890809160f871b7a9
-
C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
Filesize: 3.1MB
MD5: 77c7750e215b1a45430ebeecc5973d14
SHA1: 5bdcb97d5b0f6520d03f76fd6879c092da44b2fe
SHA256: 9aa555e008f1af5330fc5362a4f024115185c896a8409d55559442b5d2a439af
SHA512: 954bb9f6a52bd5ff4924fdeae991440e7b6ad51aba000be8fe1100ed44616fba87bb9ba3feda0376e82e68990fcc21063f3a7c5a29e0d3c17bf1676c1cc3ff1e
-
memory/3692-0-0x0000000000640000-0x0000000000964000-memory.dmp
Filesize: 3.1MB
-
memory/3692-1-0x00007FFC94BD0000-0x00007FFC955BC000-memory.dmp
Filesize: 9.9MB
-
memory/3692-2-0x000000001B5B0000-0x000000001B5C0000-memory.dmp
Filesize: 64KB
-
memory/3692-9-0x00007FFC94BD0000-0x00007FFC955BC000-memory.dmp
Filesize: 9.9MB
-
memory/4916-11-0x000000001BEB0000-0x000000001BEC0000-memory.dmp
Filesize: 64KB
-
memory/4916-12-0x000000001BC90000-0x000000001BCE0000-memory.dmp
Filesize: 320KB
-
memory/4916-13-0x000000001C640000-0x000000001C6F2000-memory.dmp
Filesize: 712KB
-
memory/4916-16-0x000000001BE20000-0x000000001BE32000-memory.dmp
Filesize: 72KB
-
memory/4916-17-0x000000001C580000-0x000000001C5BE000-memory.dmp
Filesize: 248KB
-
memory/4916-18-0x00007FFC94BD0000-0x00007FFC955BC000-memory.dmp
Filesize: 9.9MB
-
memory/4916-19-0x000000001BEB0000-0x000000001BEC0000-memory.dmp
Filesize: 64KB
-
memory/4916-24-0x00007FFC94BD0000-0x00007FFC955BC000-memory.dmp
Filesize: 9.9MB
-
memory/4916-10-0x00007FFC94BD0000-0x00007FFC955BC000-memory.dmp
Filesize: 9.9MB