Analysis
-
max time kernel
298s -
max time network
301s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system -
submitted
19-05-2024 22:28
Behavioral task
behavioral1
Sample
ZebraObfuscator.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
ZebraObfuscator.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
ZebraObfuscator.exe
Resource
win11-20240508-en
General
-
Target
ZebraObfuscator.exe
-
Size
3.1MB
-
MD5
a98be80edea7fa660fc36b2702ad262b
-
SHA1
b18b3cada82a61bfbb1ed5d56550223ce0d10fe2
-
SHA256
2acce0fae72f9e23576cc9826106695c4d168cb010927ec45fd404af32db9d0a
-
SHA512
82d7090d044f4bfc2f0993b4fec70b11d0a16364d8c1a764418d95845ae7f67647a800040ea2e8405d0b836eab62f2fe171a420ebafd548d52decec4cae42c4a
-
SSDEEP
49152:TvEI22SsaNYfdPBldt698dBcjHi0iUuBeYuocdkhRoTHHB72eh2NT:Tvp22SsaNYfdPBldt6+dBcjHi5UzG
Malware Config
Extracted
family: quasar
version: 1.4.1
tag (botnet name): Obfuscator
c2: even-lemon.gl.at.ply.gg:33587 (a *.ply.gg hostname is a playit.gg tunnel endpoint, so the operator's real host sits behind the relay and is not visible here)
mutex: 1272508c-0529-4a9c-ae6e-b9fe2c597a25
-
encryption_key
2695178836BA12133DD75A122E23A754EAD78C5F
-
install_name
$sxr-powershell.exe
-
log_directory
Windows
-
reconnect_delay
3000
-
startup_key
Powershell
-
subdirectory
$sxr-seroxen2
Signatures
-
Quasar payload 2 IoCs
Processes:
resource                                                                     yara_rule
behavioral3/memory/1120-1-0x0000000000250000-0x0000000000574000-memory.dmp   family_quasar
C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe             family_quasar
-
Executes dropped EXE 1 IoCs
Processes:
pid    process
2992   $sxr-powershell.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the same task "Powershell" (trigger ONLOGON, run level HIGHEST, action pointing at the dropped copy under %APPDATA%\$sxr-seroxen2) is registered twice: once by the original sample (PID 1120 spawning 2504) and again by the dropped copy (PID 2992 spawning 3928), which is why two schtasks.exe processes appear below.
Processes:
pid    process
3928   schtasks.exe
2504   schtasks.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description               pid    process
Token: SeDebugPrivilege   1120   ZebraObfuscator.exe
Token: SeDebugPrivilege   2992   $sxr-powershell.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid    process
2992   $sxr-powershell.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description                    pid    process               target process
PID 1120 wrote to memory of 2504   1120   ZebraObfuscator.exe   schtasks.exe
PID 1120 wrote to memory of 2504   1120   ZebraObfuscator.exe   schtasks.exe
PID 1120 wrote to memory of 2992   1120   ZebraObfuscator.exe   $sxr-powershell.exe
PID 1120 wrote to memory of 2992   1120   ZebraObfuscator.exe   $sxr-powershell.exe
PID 2992 wrote to memory of 3928   2992   $sxr-powershell.exe   schtasks.exe
PID 2992 wrote to memory of 3928   2992   $sxr-powershell.exe   schtasks.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ZebraObfuscator.exe  (depth 1)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\ZebraObfuscator.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1120
  -
  C:\Windows\SYSTEM32\schtasks.exe  (depth 2, spawned by PID 1120)
    cmdline: "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
    PID:2504
  -
  C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe  (depth 2, spawned by PID 1120)
    cmdline: "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2992
    -
    C:\Windows\SYSTEM32\schtasks.exe  (depth 3, spawned by PID 2992)
      cmdline: "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
      PID:3928
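The two schtasks command lines in the process tree are the whole persistence mechanism of this sample: a logon-triggered task named "Powershell" that launches the dropped copy from %APPDATA% with the highest run level, registered first by the original sample and again by the dropped copy. The Python below is an added example, not part of the sandbox report or of any of its signatures: it parses schtasks invocations out of process-creation records and scores them on the traits a defender would alert on. The three records are constructed from the process tree on this page plus one invented benign control; the weights, the threshold of 3 and the look-alike name list are assumptions to tune for your own estate.

```python
"""Score schtasks /create command lines for persistence indicators.

Added example, not part of the sandbox report or its signatures. SAMPLES is
constructed from the process tree on this page plus one invented benign record;
the weights, the >= 3 threshold and LOOKALIKE_NAMES are tuning assumptions.
"""
import re

# Directories a standard user can write to without elevation (lower-cased and
# wrapped in backslashes so "\appdata\" cannot match a longer name).
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")

# Task names that borrow a well-known Windows tool name (assumption: a short
# illustrative list; extend it for your environment).
LOOKALIKE_NAMES = {"powershell", "cmd", "svchost", "explorer", "windows update"}

# Constructed process-creation records (Sysmon event 1 style). The first two
# mirror the schtasks.exe launches in this report (PIDs 2504 and 3928); the
# third is an invented benign control that does not appear on the page.
SCHTASKS_CMD = (r'"schtasks" /create /tn "Powershell" /sc ONLOGON '
                r'/tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" '
                r'/rl HIGHEST /f')
SAMPLES = [
    {"pid": 2504, "ppid": 1120, "cmdline": SCHTASKS_CMD,
     "parent": r"C:\Users\Admin\AppData\Local\Temp\ZebraObfuscator.exe"},
    {"pid": 3928, "ppid": 2992, "cmdline": SCHTASKS_CMD,
     "parent": r"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"},
    {"pid": 4100, "ppid": 800,
     "cmdline": r'"schtasks" /create /tn "Backup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"',
     "parent": r"C:\Windows\System32\svchost.exe"},
]


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans whole,
    and strip the surrounding quotes from each token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline):
    """Return (image, {switch: value}) for a schtasks invocation. Switch names
    are lower-cased without the slash; bare switches such as /create and /f
    map to True; stray positional tokens are skipped."""
    toks = tokenize(cmdline)
    if not toks:
        return "", {}
    image, args, i = toks[0], {}, 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            name = tok[1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                args[name] = toks[i + 1]
                i += 2
            else:
                args[name] = True
                i += 1
        else:
            i += 1
    return image, args


def analyze(record):
    """Score one process-creation record and return the parsed task fields,
    the reasons that fired and a verdict (score >= 3 is an assumption)."""
    image, args = parse_schtasks(record["cmdline"])
    result = {"pid": record["pid"], "task_name": args.get("tn"), "trigger": args.get("sc"),
              "run_level": args.get("rl"), "target": args.get("tr"),
              "reasons": [], "score": 0, "suspicious": False}
    if "create" not in args or "schtasks" not in image.lower():
        return result
    score, reasons = 0, result["reasons"]
    trigger = str(args.get("sc", "")).lower()
    if trigger in ("onlogon", "onstart"):
        score += 1; reasons.append(f"trigger {trigger.upper()} re-arms at every logon/boot")
    if str(args.get("rl", "")).lower() == "highest":
        score += 1; reasons.append("requests the highest run level (/rl HIGHEST)")
    if any(loc in str(args.get("tr", "")).lower() for loc in USER_WRITABLE):
        score += 2; reasons.append("task action lives in a user-writable directory")
    if str(args.get("tn", "")).lower() in LOOKALIKE_NAMES:
        score += 1; reasons.append("task name imitates a Windows tool")
    if args.get("f") is True:
        score += 1; reasons.append("/f silently replaces an existing task of that name")
    if any(loc in record["parent"].lower() for loc in USER_WRITABLE):
        score += 1; reasons.append("parent process runs from a user-writable directory")
    result["score"], result["suspicious"] = score, score >= 3
    return result


def flagged(records):
    """Return the analysis results for every record judged suspicious."""
    return [r for r in (analyze(rec) for rec in records) if r["suspicious"]]


if __name__ == "__main__":
    for hit in flagged(SAMPLES):
        print(f"PID {hit['pid']}: task {hit['task_name']!r} -> {hit['target']} "
              f"(score {hit['score']}): " + "; ".join(hit["reasons"]))
```

Run against the constructed records it reports PIDs 2504 and 3928 and stays silent on the benign daily backup task. The heaviest weight deliberately sits on the action path: a logon task whose executable lives under AppData, ProgramData or Temp is the single most reliable trait here, because a legitimately installed product keeps its binaries under Program Files where a standard user cannot replace them.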
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
Filesize 3.1MB
MD5 a98be80edea7fa660fc36b2702ad262b
SHA1 b18b3cada82a61bfbb1ed5d56550223ce0d10fe2
SHA256 2acce0fae72f9e23576cc9826106695c4d168cb010927ec45fd404af32db9d0a
SHA512 82d7090d044f4bfc2f0993b4fec70b11d0a16364d8c1a764418d95845ae7f67647a800040ea2e8405d0b836eab62f2fe171a420ebafd548d52decec4cae42c4a
(All four hashes match the submitted ZebraObfuscator.exe: the dropped file is a byte-for-byte self-copy, so the hash set above covers both the original and the persisted artefact.)
-
memory/1120-0-0x00007FFD97EF3000-0x00007FFD97EF5000-memory.dmp
Filesize 8KB
-
memory/1120-1-0x0000000000250000-0x0000000000574000-memory.dmp
Filesize 3.1MB
-
memory/1120-2-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp
Filesize 10.8MB
-
memory/1120-10-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp
Filesize 10.8MB
-
memory/2992-9-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp
Filesize 10.8MB
-
memory/2992-11-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp
Filesize 10.8MB
-
memory/2992-12-0x000000001BF00000-0x000000001BF50000-memory.dmp
Filesize 320KB
-
memory/2992-13-0x000000001C840000-0x000000001C8F2000-memory.dmp
Filesize 712KB
-
memory/2992-14-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp
Filesize 10.8MB