Analysis

Max time kernel: 140s
Max time network: 150s
Platform: windows7_x64
Resource: win7-20240419-en
Resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
Submitted: 21-05-2024 00:47
Behavioral tasks

behavioral1
  Sample: 34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe
  Resource: win7-20240419-en

behavioral2
  Sample: 34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe
  Resource: win10v2004-20240508-en
General

Target: 34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe
Size: 3.1MB
MD5: 483d0a45f61e108b7a89c6707e138d62
SHA1: da16e84ef741a6a82038468da5990b25e3bf751c
SHA256: 34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40
SHA512: 5c6da715cdafda98a37b6eaa455d5c12148b1048f5e038f9482d0f51f5e247cf75ff1c8439d3a75b6f674daa843a8ecd21aab23663b6bdd6bc7bac0fce606492
SSDEEP: 49152:Wvxt62XlaSFNWPjljiFa2RoUYIiyTCD8foGdIoTHHB72eh2NT:Wv762XlaSFNWPjljiFXRoUYIiyTCc
Malware Config

Extracted configuration
  Family: quasar
  Version: 1.4.1
  Botnet: Beamed Celex
  C2: 192.168.2.102:5145, Nixon:5145
  Mutex: a9d8efa6-449f-415c-bad7-c7fbd83156d2
  encryption_key: 288C4AC276CDC9ADD45AEABDE642A8A88681F7BB
  install_name: Celex.exe
  log_directory: Logs
  reconnect_delay: 1
  startup_key: Celex
  subdirectory: Celex
Signatures

Quasar payload (6 IoCs)
  Resource | YARA rule
  behavioral1/memory/2080-7-0x0000000001120000-0x0000000001444000-memory.dmp | family_quasar
  C:\Users\Admin\AppData\Roaming\Celex\Celex.exe | family_quasar
  behavioral1/memory/2436-1-0x0000000001250000-0x0000000001574000-memory.dmp | family_quasar
  behavioral1/memory/340-33-0x0000000000120000-0x0000000000444000-memory.dmp | family_quasar
  behavioral1/memory/2872-44-0x00000000012F0000-0x0000000001614000-memory.dmp | family_quasar
  behavioral1/memory/3028-55-0x0000000000350000-0x0000000000674000-memory.dmp | family_quasar
Executes dropped EXE (5 IoCs)
  PID | Process
  2080 | Celex.exe
  2936 | Celex.exe
  340 | Celex.exe
  2872 | Celex.exe
  3028 | Celex.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 6 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID | Process
  1848 | schtasks.exe
  1504 | schtasks.exe
  2636 | schtasks.exe
  1728 | schtasks.exe
  2356 | schtasks.exe
  468 | schtasks.exe
Runs ping.exe (1 TTP, 4 IoCs)
  PID | Process
  688 | PING.EXE
  1976 | PING.EXE
  2564 | PING.EXE
  2236 | PING.EXE
Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Description | PID | Process
  Token: SeDebugPrivilege | 2436 | 34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe
  Token: SeDebugPrivilege | 2080 | Celex.exe
  Token: SeDebugPrivilege | 2936 | Celex.exe
  Token: SeDebugPrivilege | 340 | Celex.exe
  Token: SeDebugPrivilege | 2872 | Celex.exe
  Token: SeDebugPrivilege | 3028 | Celex.exe
Suspicious use of FindShellTrayWindow (5 IoCs)
  PID | Process
  2080 | Celex.exe
  2936 | Celex.exe
  340 | Celex.exe
  2872 | Celex.exe
  3028 | Celex.exe
Suspicious use of SendNotifyMessage (5 IoCs)
  PID | Process
  2080 | Celex.exe
  2936 | Celex.exe
  340 | Celex.exe
  2872 | Celex.exe
  3028 | Celex.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  Description | PID | Process | Target process | Entries
  PID 2436 wrote to memory of 1728 | 2436 | 34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe | schtasks.exe | 3
  PID 2436 wrote to memory of 2080 | 2436 | 34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe | Celex.exe | 3
  PID 2080 wrote to memory of 2636 | 2080 | Celex.exe | schtasks.exe | 3
  PID 2080 wrote to memory of 2828 | 2080 | Celex.exe | cmd.exe | 3
  PID 2828 wrote to memory of 2620 | 2828 | cmd.exe | chcp.com | 3
  PID 2828 wrote to memory of 2564 | 2828 | cmd.exe | PING.EXE | 3
  PID 2828 wrote to memory of 2936 | 2828 | cmd.exe | Celex.exe | 3
  PID 2936 wrote to memory of 2356 | 2936 | Celex.exe | schtasks.exe | 3
  PID 2936 wrote to memory of 2224 | 2936 | Celex.exe | cmd.exe | 3
  PID 2224 wrote to memory of 2232 | 2224 | cmd.exe | chcp.com | 3
  PID 2224 wrote to memory of 2236 | 2224 | cmd.exe | PING.EXE | 3
  PID 2224 wrote to memory of 340 | 2224 | cmd.exe | Celex.exe | 3
  PID 340 wrote to memory of 468 | 340 | Celex.exe | schtasks.exe | 3
  PID 340 wrote to memory of 380 | 340 | Celex.exe | cmd.exe | 3
  PID 380 wrote to memory of 1144 | 380 | cmd.exe | chcp.com | 3
  PID 380 wrote to memory of 688 | 380 | cmd.exe | PING.EXE | 3
  PID 380 wrote to memory of 2872 | 380 | cmd.exe | Celex.exe | 3
  PID 2872 wrote to memory of 1848 | 2872 | Celex.exe | schtasks.exe | 3
  PID 2872 wrote to memory of 772 | 2872 | Celex.exe | cmd.exe | 3
  PID 772 wrote to memory of 2964 | 772 | cmd.exe | chcp.com | 3
  PID 772 wrote to memory of 1976 | 772 | cmd.exe | PING.EXE | 3
  PID 772 wrote to memory of 3028 | 772 | cmd.exe | Celex.exe | 1
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation follows the parent/child level recorded by the sandbox)

Level 1: C:\Users\Admin\AppData\Local\Temp\34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
    - Creates scheduled task(s)

  Level 2: C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\system32\schtasks.exe
      Command line: "schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
      - Creates scheduled task(s)

    Level 3: C:\Windows\system32\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\s72nFzzHhQz3.bat" "
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\system32\chcp.com
        Command line: chcp 65001

      Level 4: C:\Windows\system32\PING.EXE
        Command line: ping -n 10 localhost
        - Runs ping.exe

      Level 4: C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Windows\system32\schtasks.exe
          Command line: "schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
          - Creates scheduled task(s)

        Level 5: C:\Windows\system32\cmd.exe
          Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\C6cmR5QcZR7A.bat" "
          - Suspicious use of WriteProcessMemory

          Level 6: C:\Windows\system32\chcp.com
            Command line: chcp 65001

          Level 6: C:\Windows\system32\PING.EXE
            Command line: ping -n 10 localhost
            - Runs ping.exe

          Level 6: C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory

            Level 7: C:\Windows\system32\schtasks.exe
              Command line: "schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
              - Creates scheduled task(s)

            Level 7: C:\Windows\system32\cmd.exe
              Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\44K55chyoz1Q.bat" "
              - Suspicious use of WriteProcessMemory

              Level 8: C:\Windows\system32\chcp.com
                Command line: chcp 65001

              Level 8: C:\Windows\system32\PING.EXE
                Command line: ping -n 10 localhost
                - Runs ping.exe

              Level 8: C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
                Command line: "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage
                - Suspicious use of WriteProcessMemory

                Level 9: C:\Windows\system32\schtasks.exe
                  Command line: "schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
                  - Creates scheduled task(s)

                Level 9: C:\Windows\system32\cmd.exe
                  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\2BBnuJqRgXKZ.bat" "
                  - Suspicious use of WriteProcessMemory

                  Level 10: C:\Windows\system32\chcp.com
                    Command line: chcp 65001

                  Level 10: C:\Windows\system32\PING.EXE
                    Command line: ping -n 10 localhost
                    - Runs ping.exe

                  Level 10: C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
                    Command line: "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
                    - Executes dropped EXE
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of FindShellTrayWindow
                    - Suspicious use of SendNotifyMessage

                    Level 11: C:\Windows\system32\schtasks.exe
                      Command line: "schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
                      - Creates scheduled task(s)
Downloads

C:\Users\Admin\AppData\Local\Temp\2BBnuJqRgXKZ.bat
  Filesize: 205B
  MD5: a8a40785e947cbd4654ac01e1881455e
  SHA1: ba3f8805233e3cc7d03c70e4b53f49aab46e8874
  SHA256: d8740d79469e0ea584dbfca1d775a02c1c6f2ae7b58638cf3e8dffdb9edf559d
  SHA512: d49a3e26adcf053719070a6c1b6305149aa01fb02eae17bcfe8e391f053e89f5b77bf95c4515fe28c983675757be9fe1cde890d047d1b444b4c3a3810a82bd40

C:\Users\Admin\AppData\Local\Temp\44K55chyoz1Q.bat
  Filesize: 205B
  MD5: efd5c6839e7dc868e9191ae1b6f7a526
  SHA1: 2f77aa7b86fa67d8edf14b738fd7170df43c7fd9
  SHA256: 9afd6bfa6727b03f64c86aa345b34e8194a57dbcf96956364b1a8cbbdd26b574
  SHA512: 7c2cbf200e33bc185d9f8dc9cf420e8423810894f479a1a4a374716d83d46bb6a0524c681ea932dc3c35415d5851e13cb0fce8a18898f99f4627e4084bb3e1a2

C:\Users\Admin\AppData\Local\Temp\C6cmR5QcZR7A.bat
  Filesize: 205B
  MD5: 102d56b1eede5ee3b82dc5b347b6b5bc
  SHA1: f5b1e03bcc6f01c601de743b89d665b49332af18
  SHA256: 8a176c2ef61749b3f703ff2ad6f5046913e29e4092ec0bb5cde9e7461f6c2ef1
  SHA512: 1d4fe819f960609c7a48accef359ccfb7b93e896e7fa31f1f8c3a5175004476967d225cac983d3778236d2bbf954cf1994cf5a60106711a37341ab47fe467972

C:\Users\Admin\AppData\Local\Temp\s72nFzzHhQz3.bat
  Filesize: 205B
  MD5: 2c0615443f674595076afee6bd6a0188
  SHA1: d3f7f12531079290d7fcadc7dba6b2511a527add
  SHA256: 1a2d5dfcc78298da47fb99157d9a2127a2b0199e2f17d8af19d3c6647675075a
  SHA512: 30ac097b4e0415ea8db03847141dda52b76911c410c7aa8bc360998866dc69b3d96535f096b2a411cedb5df66571b22a7f66f4a4967b4c495269c85e288dbf1b

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
  Filesize: 3.1MB
  MD5: 483d0a45f61e108b7a89c6707e138d62
  SHA1: da16e84ef741a6a82038468da5990b25e3bf751c
  SHA256: 34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40
  SHA512: 5c6da715cdafda98a37b6eaa455d5c12148b1048f5e038f9482d0f51f5e247cf75ff1c8439d3a75b6f674daa843a8ecd21aab23663b6bdd6bc7bac0fce606492
Memory dumps (file | size)
  memory/340-33-0x0000000000120000-0x0000000000444000-memory.dmp | 3.1MB
  memory/2080-11-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp | 9.9MB
  memory/2080-20-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp | 9.9MB
  memory/2080-7-0x0000000001120000-0x0000000001444000-memory.dmp | 3.1MB
  memory/2080-10-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp | 9.9MB
  memory/2080-9-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp | 9.9MB
  memory/2436-1-0x0000000001250000-0x0000000001574000-memory.dmp | 3.1MB
  memory/2436-0-0x000007FEF5713000-0x000007FEF5714000-memory.dmp | 4KB
  memory/2436-2-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp | 9.9MB
  memory/2436-8-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp | 9.9MB
  memory/2872-44-0x00000000012F0000-0x0000000001614000-memory.dmp | 3.1MB
  memory/3028-55-0x0000000000350000-0x0000000000674000-memory.dmp | 3.1MB