Analysis
- max time kernel: 277s
- max time network: 300s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 19-05-2024 22:28
Behavioral tasks
- behavioral1: Sample ZebraObfuscator.exe, Resource win10-20240404-en
- behavioral2: Sample ZebraObfuscator.exe, Resource win10v2004-20240508-en
- behavioral3: Sample ZebraObfuscator.exe, Resource win11-20240508-en
General
- Target: ZebraObfuscator.exe
- Size: 3.1MB
- MD5: a98be80edea7fa660fc36b2702ad262b
- SHA1: b18b3cada82a61bfbb1ed5d56550223ce0d10fe2
- SHA256: 2acce0fae72f9e23576cc9826106695c4d168cb010927ec45fd404af32db9d0a
- SHA512: 82d7090d044f4bfc2f0993b4fec70b11d0a16364d8c1a764418d95845ae7f67647a800040ea2e8405d0b836eab62f2fe171a420ebafd548d52decec4cae42c4a
- SSDEEP: 49152:TvEI22SsaNYfdPBldt698dBcjHi0iUuBeYuocdkhRoTHHB72eh2NT:Tvp22SsaNYfdPBldt6+dBcjHi5UzG
Malware Config
Extracted: quasar 1.4.1
- Obfuscator
- even-lemon.gl.at.ply.gg:33587
- 1272508c-0529-4a9c-ae6e-b9fe2c597a25
- encryption_key: 2695178836BA12133DD75A122E23A754EAD78C5F
- install_name: $sxr-powershell.exe
- log_directory: Windows
- reconnect_delay: 3000
- startup_key: Powershell
- subdirectory: $sxr-seroxen2
Signatures
- Quasar payload (2 IoCs)
  resource / yara_rule:
  - behavioral1/memory/4512-1-0x0000000000FF0000-0x0000000001314000-memory.dmp: family_quasar
  - C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe: family_quasar
- Executes dropped EXE (1 IoC)
  pid / process:
  - 3368 $sxr-powershell.exe
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / process:
  - 832 schtasks.exe
  - 1492 schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / process:
  - Token: SeDebugPrivilege, 4512 ZebraObfuscator.exe
  - Token: SeDebugPrivilege, 3368 $sxr-powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid / process:
  - 3368 $sxr-powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description / pid / process / target process:
  - PID 4512 wrote to memory of 832: ZebraObfuscator.exe -> schtasks.exe
  - PID 4512 wrote to memory of 832: ZebraObfuscator.exe -> schtasks.exe
  - PID 4512 wrote to memory of 3368: ZebraObfuscator.exe -> $sxr-powershell.exe
  - PID 4512 wrote to memory of 3368: ZebraObfuscator.exe -> $sxr-powershell.exe
  - PID 3368 wrote to memory of 1492: $sxr-powershell.exe -> schtasks.exe
  - PID 3368 wrote to memory of 1492: $sxr-powershell.exe -> schtasks.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\ZebraObfuscator.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ZebraObfuscator.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
    Command line: "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
  Filesize: 3.1MB
  MD5: a98be80edea7fa660fc36b2702ad262b
  SHA1: b18b3cada82a61bfbb1ed5d56550223ce0d10fe2
  SHA256: 2acce0fae72f9e23576cc9826106695c4d168cb010927ec45fd404af32db9d0a
  SHA512: 82d7090d044f4bfc2f0993b4fec70b11d0a16364d8c1a764418d95845ae7f67647a800040ea2e8405d0b836eab62f2fe171a420ebafd548d52decec4cae42c4a
- memory/3368-10-0x00007FFE96330000-0x00007FFE96D1C000-memory.dmp
  Filesize: 9.9MB
- memory/3368-11-0x00007FFE96330000-0x00007FFE96D1C000-memory.dmp
  Filesize: 9.9MB
- memory/3368-12-0x000000001C1E0000-0x000000001C230000-memory.dmp
  Filesize: 320KB
- memory/3368-13-0x000000001C2F0000-0x000000001C3A2000-memory.dmp
  Filesize: 712KB
- memory/3368-14-0x00007FFE96330000-0x00007FFE96D1C000-memory.dmp
  Filesize: 9.9MB
- memory/3368-15-0x00007FFE96330000-0x00007FFE96D1C000-memory.dmp
  Filesize: 9.9MB
- memory/4512-0-0x00007FFE96333000-0x00007FFE96334000-memory.dmp
  Filesize: 4KB
- memory/4512-1-0x0000000000FF0000-0x0000000001314000-memory.dmp
  Filesize: 3.1MB
- memory/4512-2-0x00007FFE96330000-0x00007FFE96D1C000-memory.dmp
  Filesize: 9.9MB
- memory/4512-9-0x00007FFE96330000-0x00007FFE96D1C000-memory.dmp
  Filesize: 9.9MB