Overview

overview

10

Static

static

10

ArgonOSINT.exe

windows10-2004-x64

10

Resubmissions

04-05-2024 05:10

240504-ft619aea3y 10

04-05-2024 05:06

240504-frlbrsdh81 10

Analysis

  • max time kernel
    39s
  • max time network
    37s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-05-2024 05:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ArgonOSINT.exe

  • Size

    409KB

  • MD5

    c4f70954d48c8653fde31fc63c619fc8

  • SHA1

    c2fe0bc4eab66f6cbf19ab3a80817eba8084982e

  • SHA256

    dbc30b002dad39a45fdd36c509d854dc931662235886f01ec149cd8cf904ddb5

  • SHA512

    1a0db425192d25f1e96ac43a5ae18ff530ef11e2f1526fd6677f4b82b04e212679c347f5647be0d72665e2f587c2824b19d2104c48546eb049ae27fb7470defc

  • SSDEEP

    12288:UpyJcC+x6AoV5l+6KprKF/UV6u4W0pDs:kwd+mDsV6u4g

Score
10/10
quasarslavespywaretrojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

C2

even-lemon.gl.at.ply.gg:33587

Mutex

$Sxr-3vDee7FzoJnhqjuE3n

Attributes
  • encryption_key

    BfQu2aop09VkjugTkmuc

  • install_name

    $sxr-powershell.exe

  • log_directory

    Logs

  • reconnect_delay

    1000

  • startup_key

    $sxr-powershell

  • subdirectory

    Windows

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 40 IoCs
  • Suspicious use of SendNotifyMessage 40 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ArgonOSINT.exe
    "C:\Users\Admin\AppData\Local\Temp\ArgonOSINT.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4900
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\ArgonOSINT.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:4908
    • C:\Users\Admin\AppData\Roaming\Windows\$sxr-powershell.exe
      "C:\Users\Admin\AppData\Roaming\Windows\$sxr-powershell.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\$sxr-powershell.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2420
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YDcHpYbtowEk.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4276
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
            PID:1572
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 10 localhost
            4⤵
            • Runs ping.exe
            PID:4436
          • C:\Users\Admin\AppData\Roaming\Windows\$sxr-powershell.exe
            "C:\Users\Admin\AppData\Roaming\Windows\$sxr-powershell.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:5072
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\$sxr-powershell.exe" /rl HIGHEST /f
              5⤵
              • Creates scheduled task(s)
              PID:3324
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dveCQIQTAyDq.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4612
              • C:\Windows\SysWOW64\chcp.com
                chcp 65001
                6⤵
                  PID:5092
                • C:\Windows\SysWOW64\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • Runs ping.exe
                  PID:396
        • C:\Windows\SysWOW64\SCHTASKS.exe
          "SCHTASKS.exe" /create /tn "$77ArgonOSINT.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\ArgonOSINT.exe'" /sc onlogon /rl HIGHEST
          2⤵
          • Creates scheduled task(s)
          PID:1832
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:448

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Persistence

      Scheduled Task/Job

      1
      T1053

      Privilege Escalation

      Scheduled Task/Job

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      3
      T1082

      Peripheral Device Discovery

      1
      T1120

      Remote System Discovery

      1
      T1018

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\$sxr-powershell.exe.log
        Filesize

        1KB

        MD5

        8013ca45a4b68a281377f2c7b517ac8a

        SHA1

        aff79b7c8f408e5ae6f00cf9d83e2fd95d9affc3

        SHA256

        234381ea204c431d0936c4141a38381629938e4f5d40dd0ef01de6a282abbae7

        SHA512

        428305df713c12d2165303a9b0433c83a0e3f3088a9551deb6403e9351814c38c2377e7c22ede57bcd23ca764e02fce431c52aba6bf4b998b89a518129fda2d6

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\YDcHpYbtowEk.bat
        Filesize

        217B

        MD5

        0208e6dff30ca940adb424746cddd27b

        SHA1

        a8fa94cbcfbd35187f18eb6e1535d0a7d477e54c

        SHA256

        c6094641e8430a83779fe951bcb69f063ed1bac59f504604fd04387f9e151e6f

        SHA512

        68b71a7a89a9e20d22491a287eefc81ee29e8e8fcb748d5b22e0394fbc4f1451f4082fa68c12b35eab2f2615e3f0f4fed67f2d3ff89719ba302f884eef2dbe68

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\dveCQIQTAyDq.bat
        Filesize

        217B

        MD5

        2fe648ed7242d601150f9a487876a9b3

        SHA1

        9f72a3e059738327ed923a58b9a63bd342ddeb56

        SHA256

        5a5a54e44810cda839b2d14238a5146352c59eda39a81d02253acf8f843018a3

        SHA512

        92422adbbfa0002575b913c6cb6fa5ed066c4c00f4453232f0ed36f18989894cc3deab044edd6c3483ec8e00673be68a79b55a3b333bff0d85ef0b3c17140ab8

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Windows\$sxr-powershell.exe
        Filesize

        409KB

        MD5

        c4f70954d48c8653fde31fc63c619fc8

        SHA1

        c2fe0bc4eab66f6cbf19ab3a80817eba8084982e

        SHA256

        dbc30b002dad39a45fdd36c509d854dc931662235886f01ec149cd8cf904ddb5

        SHA512

        1a0db425192d25f1e96ac43a5ae18ff530ef11e2f1526fd6677f4b82b04e212679c347f5647be0d72665e2f587c2824b19d2104c48546eb049ae27fb7470defc

        Download Submit
      • memory/448-15-0x000001678C9C0000-0x000001678C9C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/448-14-0x000001678C9C0000-0x000001678C9C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/448-16-0x000001678C9C0000-0x000001678C9C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/448-7-0x000001678C9C0000-0x000001678C9C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/448-8-0x000001678C9C0000-0x000001678C9C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/448-9-0x000001678C9C0000-0x000001678C9C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/448-13-0x000001678C9C0000-0x000001678C9C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/448-19-0x000001678C9C0000-0x000001678C9C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/448-18-0x000001678C9C0000-0x000001678C9C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/448-17-0x000001678C9C0000-0x000001678C9C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4900-6-0x0000000005450000-0x0000000005462000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4900-0-0x00000000753EE000-0x00000000753EF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4900-5-0x0000000004FB0000-0x0000000005016000-memory.dmp
        Filesize

        408KB

        Download
      • memory/4900-20-0x00000000753EE000-0x00000000753EF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4900-21-0x00000000753E0000-0x0000000075B90000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4900-4-0x00000000753E0000-0x0000000075B90000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4900-28-0x00000000753E0000-0x0000000075B90000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4900-3-0x0000000004F10000-0x0000000004FA2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/4900-2-0x00000000054C0000-0x0000000005A64000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4900-1-0x0000000000470000-0x00000000004DC000-memory.dmp
        Filesize

        432KB

        Download