Overview

overview

10

Static

static

3

thesigma.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    35s
  • max time network
    40s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-04-2024 18:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    thesigma.exe

  • Size

    1.6MB

  • MD5

    7689437063c4eb4aab919fd25de6702d

  • SHA1

    36252a4df082fef51b2a1ab07f771e17860986d1

  • SHA256

    440271ab4c5959d7679fe00e6b223bcb8401a869e72d464cde8f880ff62f58da

  • SHA512

    13b874366ae7c25ba70f79cc3bd36af8668f3a0c750696c149a8cc15ee6cb850b002612ee519188910884b391b41667f1b072dac2d7a3a44a265f25201c22145

  • SSDEEP

    24576:0IjFRSPYlrMKgc6bN5WV63pDWWb6ohTLzeUtfjldLNvyvI:1jDaYlrM/NhLfdLNMI

Score
10/10
quasarslavespywaretrojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

C2

nugget1234-38628.portmap.host:38628

Mutex

$Sxr-AYc4tpo0KefMRW4CpM

Attributes
  • encryption_key

    O77hjXYiXiE656Wt67Lm

  • install_name

    System.exe

  • log_directory

    Logs

  • reconnect_delay

    1000

  • startup_key

    WindowsAudioHelper

  • subdirectory

    Windows

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 36 IoCs
  • Suspicious use of SendNotifyMessage 36 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\thesigma.exe
    "C:\Users\Admin\AppData\Local\Temp\thesigma.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3352
    • C:\Users\Admin\AppData\Local\SeroR0X1.exe
      "C:\Users\Admin\AppData\Local\SeroR0X1.exe"
      2⤵
      • Executes dropped EXE
      PID:3196
    • C:\Users\Admin\kysss.exe
      "C:\Users\Admin\kysss.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4628
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "WindowsAudioHelper" /sc ONLOGON /tr "C:\Users\Admin\kysss.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:4564
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3152

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\SeroR0X1.exe
    Filesize

    1.2MB

    MD5

    344e503504ab85f745091fc9b84e6da4

    SHA1

    1fdcb8c74f8b4cb9d2783446681e64b8dd0dd14a

    SHA256

    c5ded6fd8541173abf2aee16808c2444249d92ad0cb2ed832087dc5fa57e7885

    SHA512

    c20c7df32aff991a5da0b8446dc7c91f833747be147deb2f1c6e991cac9519e5f0933996c420b3402123021fdf58cf0bcfaf8f0fc4a5b6205bd63d08548aa667

    Download Submit
  • C:\Users\Admin\kysss.exe
    Filesize

    410KB

    MD5

    67bb0deed2d9593f08f90381b84d2b57

    SHA1

    452c8d9c37d77552636e643087d282dd05764fce

    SHA256

    c88480ebfa75fa6e61f2bfd801ead4d30f6e6c462d2a7331010b2fc0c935ed8a

    SHA512

    aca90ddfad451c31bb38aec9b7eefdd0d1460fc69b2dbe865d29d75eb7c7f59850634b37074bd7701e5c951f079ed72273bfb21879d3dea2e8dfa42481e1e51e

    Download Submit
  • memory/3152-67-0x00000260D2DD0000-0x00000260D2DD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3152-66-0x00000260D2DD0000-0x00000260D2DD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3152-64-0x00000260D2DD0000-0x00000260D2DD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3152-65-0x00000260D2DD0000-0x00000260D2DD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3152-63-0x00000260D2DD0000-0x00000260D2DD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3152-62-0x00000260D2DD0000-0x00000260D2DD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3152-61-0x00000260D2DD0000-0x00000260D2DD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3152-55-0x00000260D2DD0000-0x00000260D2DD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3152-56-0x00000260D2DD0000-0x00000260D2DD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3152-57-0x00000260D2DD0000-0x00000260D2DD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3196-53-0x0000020C9A480000-0x0000020C9A629000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/3196-42-0x0000020C9A160000-0x0000020C9A170000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3196-40-0x0000020CFFA20000-0x0000020CFFB5E000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/3196-54-0x00007FFB61930000-0x00007FFB623F1000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3196-41-0x00007FFB61930000-0x00007FFB623F1000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4628-48-0x00000000056D0000-0x0000000005736000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4628-47-0x0000000005640000-0x0000000005650000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4628-46-0x0000000005770000-0x0000000005802000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4628-45-0x0000000073EC0000-0x0000000074670000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4628-44-0x0000000005C80000-0x0000000006224000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4628-51-0x0000000006BC0000-0x0000000006BCA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4628-43-0x0000000000D40000-0x0000000000DAC000-memory.dmp
    Filesize

    432KB

    Download
  • memory/4628-49-0x0000000005C10000-0x0000000005C22000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4628-50-0x0000000006A10000-0x0000000006A4C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/4628-70-0x0000000073EC0000-0x0000000074670000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4628-71-0x0000000005640000-0x0000000005650000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4628-72-0x0000000073EC0000-0x0000000074670000-memory.dmp
    Filesize

    7.7MB

    Download