Analysis
-
max time kernel
149s
-
max time network
153s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240412-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
21-04-2024 00:25
Behavioral task
behavioral1
Sample
schvine.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
schvine.exe
Resource
win10v2004-20240412-en
General
-
Target
schvine.exe
-
Size
3.1MB
-
MD5
77c7750e215b1a45430ebeecc5973d14
-
SHA1
5bdcb97d5b0f6520d03f76fd6879c092da44b2fe
-
SHA256
9aa555e008f1af5330fc5362a4f024115185c896a8409d55559442b5d2a439af
-
SHA512
954bb9f6a52bd5ff4924fdeae991440e7b6ad51aba000be8fe1100ed44616fba87bb9ba3feda0376e82e68990fcc21063f3a7c5a29e0d3c17bf1676c1cc3ff1e
-
SSDEEP
49152:Dvkt62XlaSFNWPjljiFa2RoUYIBVuh9LoGdRdTHHB72eh2NT:Dv462XlaSFNWPjljiFXRoUYIBVuh1
Malware Config
Extracted
Family
quasar
Version
1.4.1
Botnet (Quasar tag)
SLAVE
C2
uk2.localto.net:38035
Mutex
cc0a2b76-665e-4e16-b318-5ee02270fbcd
-
encryption_key
D7F09F1F0B9CECC640BA0B3D8975FBE5CED725B5
-
install_name
UpdateHost.exe
-
log_directory
Error Logs
-
reconnect_delay
3000
-
startup_key
WOS64
-
subdirectory
Windows
Signatures
-
Quasar payload 2 IoCs
Processes:
resource                                                                    yara_rule
behavioral2/memory/4440-0-0x0000000000C90000-0x0000000000FB4000-memory.dmp  family_quasar
C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe                       family_quasar
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                 process
Key value queried  \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation  UpdateHost.exe
Executes dropped EXE 1 IoCs
Processes:
pid   process
2208  UpdateHost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid   process
3440  schtasks.exe
3020  schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  4440  schvine.exe
Token: SeDebugPrivilege  2208  UpdateHost.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid   process
2208  UpdateHost.exe
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
description                       pid   process         target process
PID 4440 wrote to memory of 3440  4440  schvine.exe     schtasks.exe
PID 4440 wrote to memory of 3440  4440  schvine.exe     schtasks.exe
PID 4440 wrote to memory of 2208  4440  schvine.exe     UpdateHost.exe
PID 4440 wrote to memory of 2208  4440  schvine.exe     UpdateHost.exe
PID 2208 wrote to memory of 3020  2208  UpdateHost.exe  schtasks.exe
PID 2208 wrote to memory of 3020  2208  UpdateHost.exe  schtasks.exe
PID 2208 wrote to memory of 4352  2208  UpdateHost.exe  schtasks.exe
PID 2208 wrote to memory of 4352  2208  UpdateHost.exe  schtasks.exe
PID 2208 wrote to memory of 4940  2208  UpdateHost.exe  cmd.exe
PID 2208 wrote to memory of 4940  2208  UpdateHost.exe  cmd.exe
PID 4940 wrote to memory of 4312  4940  cmd.exe         chcp.com
PID 4940 wrote to memory of 4312  4940  cmd.exe         chcp.com
PID 4940 wrote to memory of 1132  4940  cmd.exe         PING.EXE
PID 4940 wrote to memory of 1132  4940  cmd.exe         PING.EXE
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Process tree (indented by depth; image path, then command line, then signatures hit)
C:\Users\Admin\AppData\Local\Temp\schvine.exe
  "C:\Users\Admin\AppData\Local\Temp\schvine.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
      "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
          - Creates scheduled task(s)
        C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /delete /tn "WOS64" /f
        C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eNAlgOS4dD5n.bat" "
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\chcp.com
              chcp 65001
            C:\Windows\system32\PING.EXE
              ping -n 10 localhost
              - Runs ping.exe
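Added example, not part of the sandbox report: a small hunting script over the process tree above. It parses each schtasks command line, scores the /create calls for the persistence pattern the tree shows (action binary under %APPDATA%, ONLOGON trigger, /rl HIGHEST, /f), checks the task name and action path against the extracted Quasar config (startup_key WOS64, subdirectory Windows, install_name UpdateHost.exe), and flags the create-then-delete of the same task by the dropped copy. The EVENTS list is constructed by hand from the tree; the user-writable directory pattern and the "two or more reasons" threshold are my assumptions, not sandbox logic.

```python
from __future__ import annotations
import re
from typing import Optional

# Directories a standard user can write to. Illustrative, not exhaustive (assumption);
# the report's UpdateHost.exe lands in %APPDATA%\Windows, i.e. the first branch.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\|\\Users\\Public\\|\\ProgramData\\",
    re.IGNORECASE,
)

# Fields from the report's extracted Quasar config that predict the install artefacts.
QUASAR_CONFIG = {"install_name": "UpdateHost.exe", "subdirectory": "Windows", "startup_key": "WOS64"}


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline: str) -> Optional[dict]:
    """Parse a schtasks command line into {'action': ..., 'opts': {...}}.
    Switches without a value (/f) map to True. Returns None for other images."""
    tokens = tokenize(cmdline)
    if len(tokens) < 2:
        return None
    image = tokens[0].rsplit("\\", 1)[-1].lower()
    if image not in ("schtasks", "schtasks.exe"):
        return None
    opts: dict[str, object] = {}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[tok[1:].lower()] = tokens[i + 1]
                i += 1  # skip the consumed value
            else:
                opts[tok[1:].lower()] = True
        i += 1
    return {"action": tokens[1].lstrip("/").lower(), "opts": opts}


def assess_task(parsed: dict) -> list[str]:
    """Reasons a schtasks /create call looks like RAT persistence (empty = nothing odd)."""
    if parsed["action"] != "create":
        return []
    opts = parsed["opts"]
    reasons = []
    if USER_WRITABLE.search(str(opts.get("tr", ""))):
        reasons.append("action binary sits in a user-writable directory")
    if str(opts.get("sc", "")).upper() in ("ONLOGON", "ONSTART"):
        reasons.append("fires at logon/boot")
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        reasons.append("asks for the highest run level")
    if opts.get("f") is True:
        reasons.append("/f overwrites any existing task of that name")
    return reasons


def matches_config(parsed: dict, cfg: dict = QUASAR_CONFIG) -> bool:
    """True when the task name and action path line up with the extracted config."""
    opts = parsed["opts"]
    tail = f"\\{cfg['subdirectory']}\\{cfg['install_name']}".lower()
    return opts.get("tn") == cfg["startup_key"] and str(opts.get("tr", "")).lower().endswith(tail)


# Constructed from the report's process tree: (pid, parent pid, command line).
EVENTS = [
    (4440, 0, '"C:\\Users\\Admin\\AppData\\Local\\Temp\\schvine.exe"'),
    (3440, 4440, '"schtasks" /create /tn "WOS64" /sc ONLOGON /tr '
                 '"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\UpdateHost.exe" /rl HIGHEST /f'),
    (2208, 4440, '"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\UpdateHost.exe"'),
    (3020, 2208, '"schtasks" /create /tn "WOS64" /sc ONLOGON /tr '
                 '"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\UpdateHost.exe" /rl HIGHEST /f'),
    (4352, 2208, '"schtasks" /delete /tn "WOS64" /f'),
    (4940, 2208, 'C:\\Windows\\system32\\cmd.exe /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\eNAlgOS4dD5n.bat" "'),
    (4312, 4940, 'chcp 65001'),
    (1132, 4940, 'ping -n 10 localhost'),
]


def hunt(events) -> list[dict]:
    """One finding per suspicious task creation (two or more reasons) and one
    per create-then-delete of the same task name under the same parent."""
    findings = []
    created = set()  # (parent pid, task name) pairs already created under that parent
    for pid, ppid, cmd in events:
        parsed = parse_schtasks(cmd)
        if parsed is None:
            continue
        name = str(parsed["opts"].get("tn", "")).upper()
        if parsed["action"] == "create":
            reasons = assess_task(parsed)
            if len(reasons) >= 2:
                findings.append({"kind": "persistence", "pid": pid, "ppid": ppid, "task": name,
                                 "config_match": matches_config(parsed), "reasons": reasons})
            created.add((ppid, name))
        elif parsed["action"] == "delete" and (ppid, name) in created:
            findings.append({"kind": "task-churn", "pid": pid, "ppid": ppid, "task": name,
                             "config_match": False,
                             "reasons": ["same parent created and then deleted this task"]})
    return findings


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

On the tree above this yields two persistence findings (the first from schvine.exe, the second from the dropped UpdateHost.exe) and one task-churn finding for the /delete under pid 2208. The dropped UpdateHost.exe carries the same MD5/SHA1/SHA256/SHA512 as the submitted schvine.exe, so the file hashes in the General section cover both copies; the batch file's contents are not shown in the report beyond the chcp and ping children it spawned, so the script makes no inference about them.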
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\eNAlgOS4dD5n.bat
Filesize
216B
MD5
ffc319e6314536c71ebfdf66bf0e6dfc
SHA1
eaacad8de54aae0c2eab60f6ed8525bc65ba44b2
SHA256
a7954dbdf9a66c364c9ebbff810471401d992fcef5d1facc8da6d9d70ce49212
SHA512
5d09a7970464f3556cddd6f579c78450b6fa6d17451603da868b2df9f1585a357679bae184a1bf3a27bb222ad0d9fd97adc35da3bc64fde69d7802ce5e9a20cb
-
C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
Filesize
3.1MB
MD5
77c7750e215b1a45430ebeecc5973d14
SHA1
5bdcb97d5b0f6520d03f76fd6879c092da44b2fe
SHA256
9aa555e008f1af5330fc5362a4f024115185c896a8409d55559442b5d2a439af
SHA512
954bb9f6a52bd5ff4924fdeae991440e7b6ad51aba000be8fe1100ed44616fba87bb9ba3feda0376e82e68990fcc21063f3a7c5a29e0d3c17bf1676c1cc3ff1e
-
Memory dumps (region, Filesize)
memory/2208-11-0x000000001BDC0000-0x000000001BDD0000-memory.dmp  64KB
memory/2208-10-0x00007FFB1F3C0000-0x00007FFB1FE81000-memory.dmp  10.8MB
memory/2208-12-0x0000000003450000-0x00000000034A0000-memory.dmp  320KB
memory/2208-13-0x000000001C580000-0x000000001C632000-memory.dmp  712KB
memory/2208-17-0x000000001CD80000-0x000000001CDBC000-memory.dmp  240KB
memory/2208-16-0x000000001C4F0000-0x000000001C502000-memory.dmp  72KB
memory/2208-18-0x00007FFB1F3C0000-0x00007FFB1FE81000-memory.dmp  10.8MB
memory/2208-23-0x00007FFB1F3C0000-0x00007FFB1FE81000-memory.dmp  10.8MB
memory/4440-2-0x000000001BD30000-0x000000001BD40000-memory.dmp   64KB
memory/4440-9-0x00007FFB1F3C0000-0x00007FFB1FE81000-memory.dmp   10.8MB
memory/4440-0-0x0000000000C90000-0x0000000000FB4000-memory.dmp   3.1MB
memory/4440-1-0x00007FFB1F3C0000-0x00007FFB1FE81000-memory.dmp   10.8MB