Analysis
-
max time kernel
90s -
max time network
96s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system -
submitted
21-04-2024 00:25
Behavioral task
behavioral1
Sample
schvine.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
schvine.exe
Resource
win10v2004-20240412-en
General
-
Target
schvine.exe
-
Size
3.1MB
-
MD5
77c7750e215b1a45430ebeecc5973d14
-
SHA1
5bdcb97d5b0f6520d03f76fd6879c092da44b2fe
-
SHA256
9aa555e008f1af5330fc5362a4f024115185c896a8409d55559442b5d2a439af
-
SHA512
954bb9f6a52bd5ff4924fdeae991440e7b6ad51aba000be8fe1100ed44616fba87bb9ba3feda0376e82e68990fcc21063f3a7c5a29e0d3c17bf1676c1cc3ff1e
-
SSDEEP
49152:Dvkt62XlaSFNWPjljiFa2RoUYIBVuh9LoGdRdTHHB72eh2NT:Dv462XlaSFNWPjljiFXRoUYIBVuh1
Malware Config
Extracted
Family
quasar
Version
1.4.1
Botnet
SLAVE
C2
uk2.localto.net:38035
Mutex
cc0a2b76-665e-4e16-b318-5ee02270fbcd
-
encryption_key
D7F09F1F0B9CECC640BA0B3D8975FBE5CED725B5
-
install_name
UpdateHost.exe
-
log_directory
Error Logs
-
reconnect_delay
3000
-
startup_key
WOS64
-
subdirectory
Windows
Signatures
-
Quasar payload 2 IoCs
Resources:
resource                                                                       yara_rule
behavioral3/memory/2308-0-0x0000000000A40000-0x0000000000D64000-memory.dmp     family_quasar
C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe                          family_quasar
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
2720  UpdateHost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid   process
1852  schtasks.exe
2800  schtasks.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description               pid   process
Token: SeDebugPrivilege   2308  schvine.exe
Token: SeDebugPrivilege   2720  UpdateHost.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid   process
2720  UpdateHost.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
description                         pid   process         target process
PID 2308 wrote to memory of 1852    2308  schvine.exe     schtasks.exe
PID 2308 wrote to memory of 1852    2308  schvine.exe     schtasks.exe
PID 2308 wrote to memory of 2720    2308  schvine.exe     UpdateHost.exe
PID 2308 wrote to memory of 2720    2308  schvine.exe     UpdateHost.exe
PID 2720 wrote to memory of 2800    2720  UpdateHost.exe  schtasks.exe
PID 2720 wrote to memory of 2800    2720  UpdateHost.exe  schtasks.exe
PID 2720 wrote to memory of 3268    2720  UpdateHost.exe  schtasks.exe
PID 2720 wrote to memory of 3268    2720  UpdateHost.exe  schtasks.exe
PID 2720 wrote to memory of 3248    2720  UpdateHost.exe  cmd.exe
PID 2720 wrote to memory of 3248    2720  UpdateHost.exe  cmd.exe
PID 3248 wrote to memory of 240     3248  cmd.exe         chcp.com
PID 3248 wrote to memory of 240     3248  cmd.exe         chcp.com
PID 3248 wrote to memory of 3376    3248  cmd.exe         PING.EXE
PID 3248 wrote to memory of 3376    3248  cmd.exe         PING.EXE
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; [n] is the nesting depth)
-
[1] C:\Users\Admin\AppData\Local\Temp\schvine.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\schvine.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
-
    [2] C:\Windows\SYSTEM32\schtasks.exe
        command line: "schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
        - Creates scheduled task(s)
-
    [2] C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
        command line: "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
-
        [3] C:\Windows\SYSTEM32\schtasks.exe
            command line: "schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
            - Creates scheduled task(s)
-
        [3] C:\Windows\SYSTEM32\schtasks.exe
            command line: "schtasks" /delete /tn "WOS64" /f
-
        [3] C:\Windows\system32\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkgbzoyWpMo6.bat" "
            - Suspicious use of WriteProcessMemory
-
            [4] C:\Windows\system32\chcp.com
                command line: chcp 65001
-
            [4] C:\Windows\system32\PING.EXE
                command line: ping -n 10 localhost
                - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MkgbzoyWpMo6.bat
Filesize
216B
MD5
00f0a01531752f53fa070f9ec5c1addc
SHA1
68ab89adada1f39e20c5f699b8d30e8513afebd9
SHA256
2e5e0101e6311af79e39b06c86202aa2b652a9f709b1b2ded6729aeb97dd63b8
SHA512
672ef5c5224cba70618ac2a73e22cf5c105acf05f4f745ac51e31a6d75c1acc0989188b0ee5c41f37a52fc84f7ebead2e71c6818653ddfcb392eb09338297157
-
C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
Filesize
3.1MB
MD5
77c7750e215b1a45430ebeecc5973d14
SHA1
5bdcb97d5b0f6520d03f76fd6879c092da44b2fe
SHA256
9aa555e008f1af5330fc5362a4f024115185c896a8409d55559442b5d2a439af
SHA512
954bb9f6a52bd5ff4924fdeae991440e7b6ad51aba000be8fe1100ed44616fba87bb9ba3feda0376e82e68990fcc21063f3a7c5a29e0d3c17bf1676c1cc3ff1e
-
memory/2308-0-0x0000000000A40000-0x0000000000D64000-memory.dmp
Filesize
3.1MB
-
memory/2308-1-0x00007FFCAABF0000-0x00007FFCAB6B2000-memory.dmp
Filesize
10.8MB
-
memory/2308-2-0x000000001BB70000-0x000000001BB80000-memory.dmp
Filesize
64KB
-
memory/2308-9-0x00007FFCAABF0000-0x00007FFCAB6B2000-memory.dmp
Filesize
10.8MB
-
memory/2720-11-0x000000001BDA0000-0x000000001BDB0000-memory.dmp
Filesize
64KB
-
memory/2720-12-0x000000001C400000-0x000000001C450000-memory.dmp
Filesize
320KB
-
memory/2720-13-0x000000001C510000-0x000000001C5C2000-memory.dmp
Filesize
712KB
-
memory/2720-16-0x000000001C4A0000-0x000000001C4B2000-memory.dmp
Filesize
72KB
-
memory/2720-17-0x000000001D120000-0x000000001D15C000-memory.dmp
Filesize
240KB
-
memory/2720-18-0x00007FFCAABF0000-0x00007FFCAB6B2000-memory.dmp
Filesize
10.8MB
-
memory/2720-19-0x000000001BDA0000-0x000000001BDB0000-memory.dmp
Filesize
64KB
-
memory/2720-24-0x00007FFCAABF0000-0x00007FFCAB6B2000-memory.dmp
Filesize
10.8MB
-
memory/2720-10-0x00007FFCAABF0000-0x00007FFCAB6B2000-memory.dmp
Filesize
10.8MB