Analysis
- max time kernel: 26s
- max time network: 27s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 19-05-2024 20:58
Behavioral task: behavioral1
- Sample: python-3.12.3-amd64_protected.exe
- Resource: win10-20240404-en
Behavioral task: behavioral2
- Sample: python-3.12.3-amd64_protected.exe
- Resource: win10v2004-20240508-en
Errors
General
- Target: python-3.12.3-amd64_protected.exe
- Size: 8.6MB
- MD5: 328626049b23e7d5fbe12f9503853d53
- SHA1: 402ca69107944196f421a16ce3be363a0f4e991c
- SHA256: 96eb67eaf4d600885d149701f7b720f004a1646775a179e77e8706762405e921
- SHA512: 5425ef358018a66977e711bfa2a794c725bd153df5989cae52419115c981ce94cc15b6ae826c42d786aa3363151d9c051ae53407ab5e07fcc7365ef054b03c91
- SSDEEP: 196608:VGjSZs4BJq1Ey1FJrMwM/RAWOY+3uWjNyWte7c:VXZsI0F5MYYjWjM7c
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Botnet: Python
- C2: 5.39.43.50:1488
- Mutex: 393fbc9d-531f-4025-b3f0-bed4d56f6ed3
- encryption_key: 1E01F0D74E189002EDB2FABC8EC064751C9D7A63
- install_name: Python.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Python3
- subdirectory: Python3
Signatures

Quasar payload 6 IoCs
Processes (resource, yara rule):
- behavioral1/memory/1640-11-0x0000000000400000-0x0000000001A14000-memory.dmp: family_quasar
- behavioral1/memory/1640-12-0x0000000000400000-0x0000000001A14000-memory.dmp: family_quasar
- behavioral1/memory/1640-24-0x0000000000400000-0x0000000001A14000-memory.dmp: family_quasar
- behavioral1/memory/4192-27-0x0000000000400000-0x0000000001A14000-memory.dmp: family_quasar
- behavioral1/memory/4192-28-0x0000000000400000-0x0000000001A14000-memory.dmp: family_quasar
- behavioral1/memory/4192-41-0x0000000000400000-0x0000000001A14000-memory.dmp: family_quasar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes (description, ioc, process):
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (python-3.12.3-amd64_protected.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Python.exe)

Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (python-3.12.3-amd64_protected.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (python-3.12.3-amd64_protected.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Python.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Python.exe)

Executes dropped EXE 1 IoCs
Processes (pid, process):
- 4192 Python.exe

Themida packer 7 IoCs
Processes (resource, yara rule):
- behavioral1/memory/1640-11-0x0000000000400000-0x0000000001A14000-memory.dmp: themida
- behavioral1/memory/1640-12-0x0000000000400000-0x0000000001A14000-memory.dmp: themida
- C:\Users\Admin\AppData\Roaming\Python3\Python.exe: themida
- behavioral1/memory/1640-24-0x0000000000400000-0x0000000001A14000-memory.dmp: themida
- behavioral1/memory/4192-27-0x0000000000400000-0x0000000001A14000-memory.dmp: themida
- behavioral1/memory/4192-28-0x0000000000400000-0x0000000001A14000-memory.dmp: themida
- behavioral1/memory/4192-41-0x0000000000400000-0x0000000001A14000-memory.dmp: themida

Checks whether UAC is enabled 2 IoCs
Processes (description, ioc, process):
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (python-3.12.3-amd64_protected.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Python.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes (pid, process):
- 1640 python-3.12.3-amd64_protected.exe
- 4192 Python.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
- 3472 schtasks.exe
- 876 schtasks.exe

Modifies data under HKEY_USERS 15 IoCs
Processes (description, ioc, process):
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" (LogonUI.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" (LogonUI.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" (LogonUI.exe)
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" (LogonUI.exe)

Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes (pid, process):
- 1640 python-3.12.3-amd64_protected.exe
- 1640 python-3.12.3-amd64_protected.exe
- 4192 Python.exe
- 4192 Python.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1640 python-3.12.3-amd64_protected.exe
- Token: SeDebugPrivilege, 4192 Python.exe
- Token: SeShutdownPrivilege, 3452 shutdown.exe
- Token: SeRemoteShutdownPrivilege, 3452 shutdown.exe

Suspicious use of SetWindowsHookEx 2 IoCs
Processes (pid, process):
- 4192 Python.exe
- 1612 LogonUI.exe

Suspicious use of WriteProcessMemory 12 IoCs
Processes (description, pid, process, target process):
- PID 1640 wrote to memory of 3472: python-3.12.3-amd64_protected.exe -> schtasks.exe
- PID 1640 wrote to memory of 3472: python-3.12.3-amd64_protected.exe -> schtasks.exe
- PID 1640 wrote to memory of 3472: python-3.12.3-amd64_protected.exe -> schtasks.exe
- PID 1640 wrote to memory of 4192: python-3.12.3-amd64_protected.exe -> Python.exe
- PID 1640 wrote to memory of 4192: python-3.12.3-amd64_protected.exe -> Python.exe
- PID 1640 wrote to memory of 4192: python-3.12.3-amd64_protected.exe -> Python.exe
- PID 4192 wrote to memory of 876: Python.exe -> schtasks.exe
- PID 4192 wrote to memory of 876: Python.exe -> schtasks.exe
- PID 4192 wrote to memory of 876: Python.exe -> schtasks.exe
- PID 4192 wrote to memory of 3452: Python.exe -> shutdown.exe
- PID 4192 wrote to memory of 3452: Python.exe -> shutdown.exe
- PID 4192 wrote to memory of 3452: Python.exe -> shutdown.exe
Processes (process tree; nesting shows parent/child depth)

- [1] C:\Users\Admin\AppData\Local\Temp\python-3.12.3-amd64_protected.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\python-3.12.3-amd64_protected.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks" /create /tn "Python3" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Python3\Python.exe" /rl HIGHEST /f
    - Creates scheduled task(s)

  - [2] C:\Users\Admin\AppData\Roaming\Python3\Python.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Python3\Python.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "Python3" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Python3\Python.exe" /rl HIGHEST /f
      - Creates scheduled task(s)

    - [3] C:\Windows\SysWOW64\shutdown.exe
      Command line: "C:\Windows\System32\shutdown.exe" /s /t 0
      - Suspicious use of AdjustPrivilegeToken

- [1] C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3aed055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Python3\Python.exe
  - Filesize: 8.6MB
  - MD5: 328626049b23e7d5fbe12f9503853d53
  - SHA1: 402ca69107944196f421a16ce3be363a0f4e991c
  - SHA256: 96eb67eaf4d600885d149701f7b720f004a1646775a179e77e8706762405e921
  - SHA512: 5425ef358018a66977e711bfa2a794c725bd153df5989cae52419115c981ce94cc15b6ae826c42d786aa3363151d9c051ae53407ab5e07fcc7365ef054b03c91
- memory/1640-15-0x0000000006680000-0x000000000668A000-memory.dmp (Filesize: 40KB)
- memory/1640-11-0x0000000000400000-0x0000000001A14000-memory.dmp (Filesize: 22.1MB)
- memory/1640-14-0x0000000006080000-0x0000000006112000-memory.dmp (Filesize: 584KB)
- memory/1640-6-0x0000000077000000-0x00000000770D0000-memory.dmp (Filesize: 832KB)
- memory/1640-5-0x0000000077000000-0x00000000770D0000-memory.dmp (Filesize: 832KB)
- memory/1640-4-0x0000000077000000-0x00000000770D0000-memory.dmp (Filesize: 832KB)
- memory/1640-7-0x0000000077000000-0x00000000770D0000-memory.dmp (Filesize: 832KB)
- memory/1640-8-0x0000000077000000-0x00000000770D0000-memory.dmp (Filesize: 832KB)
- memory/1640-10-0x0000000077000000-0x00000000770D0000-memory.dmp (Filesize: 832KB)
- memory/1640-1-0x0000000077016000-0x0000000077017000-memory.dmp (Filesize: 4KB)
- memory/1640-12-0x0000000000400000-0x0000000001A14000-memory.dmp (Filesize: 22.1MB)
- memory/1640-13-0x0000000006140000-0x000000000663E000-memory.dmp (Filesize: 5.0MB)
- memory/1640-3-0x0000000077000000-0x00000000770D0000-memory.dmp (Filesize: 832KB)
- memory/1640-0-0x0000000000400000-0x0000000001A14000-memory.dmp (Filesize: 22.1MB)
- memory/1640-2-0x0000000077000000-0x00000000770D0000-memory.dmp (Filesize: 832KB)
- memory/1640-22-0x0000000077000000-0x00000000770D0000-memory.dmp (Filesize: 832KB)
- memory/1640-24-0x0000000000400000-0x0000000001A14000-memory.dmp (Filesize: 22.1MB)
- memory/4192-41-0x0000000000400000-0x0000000001A14000-memory.dmp (Filesize: 22.1MB)
- memory/4192-27-0x0000000000400000-0x0000000001A14000-memory.dmp (Filesize: 22.1MB)
- memory/4192-28-0x0000000000400000-0x0000000001A14000-memory.dmp (Filesize: 22.1MB)
- memory/4192-29-0x0000000006CC0000-0x00000000072C6000-memory.dmp (Filesize: 6.0MB)
- memory/4192-23-0x0000000000400000-0x0000000001A14000-memory.dmp (Filesize: 22.1MB)
- memory/4192-31-0x0000000007630000-0x00000000076E2000-memory.dmp (Filesize: 712KB)
- memory/4192-35-0x0000000008170000-0x00000000081AE000-memory.dmp (Filesize: 248KB)
- memory/4192-36-0x00000000081E0000-0x0000000008246000-memory.dmp (Filesize: 408KB)
- memory/4192-34-0x0000000007EC0000-0x0000000007ED2000-memory.dmp (Filesize: 72KB)
- memory/4192-30-0x0000000007440000-0x0000000007490000-memory.dmp (Filesize: 320KB)