Analysis
-
max time kernel
142s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
21-05-2024 00:47
Behavioral task
behavioral1
Sample
34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe
Resource
win10v2004-20240508-en
General
-
Target
34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe
-
Size
3.1MB
-
MD5
483d0a45f61e108b7a89c6707e138d62
-
SHA1
da16e84ef741a6a82038468da5990b25e3bf751c
-
SHA256
34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40
-
SHA512
5c6da715cdafda98a37b6eaa455d5c12148b1048f5e038f9482d0f51f5e247cf75ff1c8439d3a75b6f674daa843a8ecd21aab23663b6bdd6bc7bac0fce606492
-
SSDEEP
49152:Wvxt62XlaSFNWPjljiFa2RoUYIiyTCD8foGdIoTHHB72eh2NT:Wv762XlaSFNWPjljiFXRoUYIiyTCc
Malware Config
Extracted
quasar
1.4.1
Beamed Celex
192.168.2.102:5145
Nixon:5145
a9d8efa6-449f-415c-bad7-c7fbd83156d2
-
encryption_key
288C4AC276CDC9ADD45AEABDE642A8A88681F7BB
-
install_name
Celex.exe
-
log_directory
Logs
-
reconnect_delay
1
-
startup_key
Celex
-
subdirectory
Celex
Signatures
-
Quasar payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/952-1-0x0000000000970000-0x0000000000C94000-memory.dmp | family_quasar
C:\Users\Admin\AppData\Roaming\Celex\Celex.exe | family_quasar
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: Celex.exe, Celex.exe, Celex.exe, Celex.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | Celex.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | Celex.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | Celex.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | Celex.exe
-
Executes dropped EXE 5 IoCs
Processes: Celex.exe, Celex.exe, Celex.exe, Celex.exe, Celex.exe
pid | process
4244 | Celex.exe
2424 | Celex.exe
4372 | Celex.exe
1756 | Celex.exe
4580 | Celex.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe
pid | process
2408 | schtasks.exe
4604 | schtasks.exe
3708 | schtasks.exe
5024 | schtasks.exe
4500 | schtasks.exe
1608 | schtasks.exe
-
Runs ping.exe 1 TTPs 4 IoCs
Processes: PING.EXE, PING.EXE, PING.EXE, PING.EXE
pid | process
4420 | PING.EXE
2568 | PING.EXE
3816 | PING.EXE
1004 | PING.EXE
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: 34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe, Celex.exe, Celex.exe, Celex.exe, Celex.exe, Celex.exe
description | pid | process
Token: SeDebugPrivilege | 952 | 34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe
Token: SeDebugPrivilege | 4244 | Celex.exe
Token: SeDebugPrivilege | 2424 | Celex.exe
Token: SeDebugPrivilege | 4372 | Celex.exe
Token: SeDebugPrivilege | 1756 | Celex.exe
Token: SeDebugPrivilege | 4580 | Celex.exe
-
Suspicious use of FindShellTrayWindow 5 IoCs
Processes: Celex.exe, Celex.exe, Celex.exe, Celex.exe, Celex.exe
pid | process
4244 | Celex.exe
2424 | Celex.exe
4372 | Celex.exe
1756 | Celex.exe
4580 | Celex.exe
-
Suspicious use of SendNotifyMessage 5 IoCs
Processes: Celex.exe, Celex.exe, Celex.exe, Celex.exe, Celex.exe
pid | process
4244 | Celex.exe
2424 | Celex.exe
4372 | Celex.exe
1756 | Celex.exe
4580 | Celex.exe
-
Suspicious use of WriteProcessMemory 46 IoCs
Processes: 34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe, Celex.exe, cmd.exe, Celex.exe, cmd.exe, Celex.exe, cmd.exe, Celex.exe, cmd.exe, Celex.exe
description | pid | process | target process
PID 952 wrote to memory of 3708 | 952 | 34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe | schtasks.exe
PID 952 wrote to memory of 3708 | 952 | 34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe | schtasks.exe
PID 952 wrote to memory of 4244 | 952 | 34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe | Celex.exe
PID 952 wrote to memory of 4244 | 952 | 34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe | Celex.exe
PID 4244 wrote to memory of 5024 | 4244 | Celex.exe | schtasks.exe
PID 4244 wrote to memory of 5024 | 4244 | Celex.exe | schtasks.exe
PID 4244 wrote to memory of 1272 | 4244 | Celex.exe | cmd.exe
PID 4244 wrote to memory of 1272 | 4244 | Celex.exe | cmd.exe
PID 1272 wrote to memory of 3828 | 1272 | cmd.exe | chcp.com
PID 1272 wrote to memory of 3828 | 1272 | cmd.exe | chcp.com
PID 1272 wrote to memory of 4420 | 1272 | cmd.exe | PING.EXE
PID 1272 wrote to memory of 4420 | 1272 | cmd.exe | PING.EXE
PID 1272 wrote to memory of 2424 | 1272 | cmd.exe | Celex.exe
PID 1272 wrote to memory of 2424 | 1272 | cmd.exe | Celex.exe
PID 2424 wrote to memory of 4500 | 2424 | Celex.exe | schtasks.exe
PID 2424 wrote to memory of 4500 | 2424 | Celex.exe | schtasks.exe
PID 2424 wrote to memory of 1996 | 2424 | Celex.exe | cmd.exe
PID 2424 wrote to memory of 1996 | 2424 | Celex.exe | cmd.exe
PID 1996 wrote to memory of 2272 | 1996 | cmd.exe | chcp.com
PID 1996 wrote to memory of 2272 | 1996 | cmd.exe | chcp.com
PID 1996 wrote to memory of 2568 | 1996 | cmd.exe | PING.EXE
PID 1996 wrote to memory of 2568 | 1996 | cmd.exe | PING.EXE
PID 1996 wrote to memory of 4372 | 1996 | cmd.exe | Celex.exe
PID 1996 wrote to memory of 4372 | 1996 | cmd.exe | Celex.exe
PID 4372 wrote to memory of 1608 | 4372 | Celex.exe | schtasks.exe
PID 4372 wrote to memory of 1608 | 4372 | Celex.exe | schtasks.exe
PID 4372 wrote to memory of 4052 | 4372 | Celex.exe | cmd.exe
PID 4372 wrote to memory of 4052 | 4372 | Celex.exe | cmd.exe
PID 4052 wrote to memory of 4304 | 4052 | cmd.exe | chcp.com
PID 4052 wrote to memory of 4304 | 4052 | cmd.exe | chcp.com
PID 4052 wrote to memory of 3816 | 4052 | cmd.exe | PING.EXE
PID 4052 wrote to memory of 3816 | 4052 | cmd.exe | PING.EXE
PID 4052 wrote to memory of 1756 | 4052 | cmd.exe | Celex.exe
PID 4052 wrote to memory of 1756 | 4052 | cmd.exe | Celex.exe
PID 1756 wrote to memory of 2408 | 1756 | Celex.exe | schtasks.exe
PID 1756 wrote to memory of 2408 | 1756 | Celex.exe | schtasks.exe
PID 1756 wrote to memory of 4208 | 1756 | Celex.exe | cmd.exe
PID 1756 wrote to memory of 4208 | 1756 | Celex.exe | cmd.exe
PID 4208 wrote to memory of 1588 | 4208 | cmd.exe | chcp.com
PID 4208 wrote to memory of 1588 | 4208 | cmd.exe | chcp.com
PID 4208 wrote to memory of 1004 | 4208 | cmd.exe | PING.EXE
PID 4208 wrote to memory of 1004 | 4208 | cmd.exe | PING.EXE
PID 4208 wrote to memory of 4580 | 4208 | cmd.exe | Celex.exe
PID 4208 wrote to memory of 4580 | 4208 | cmd.exe | Celex.exe
PID 4580 wrote to memory of 4604 | 4580 | Celex.exe | schtasks.exe
PID 4580 wrote to memory of 4604 | 4580 | Celex.exe | schtasks.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[level 1] C:\Users\Admin\AppData\Local\Temp\34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe
  command: "C:\Users\Admin\AppData\Local\Temp\34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 952
-
  [level 2] C:\Windows\SYSTEM32\schtasks.exe
    command: "schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
    PID: 3708
-
  [level 2] C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
    command: "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 4244
-
    [level 3] C:\Windows\SYSTEM32\schtasks.exe
      command: "schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
      PID: 5024
-
    [level 3] C:\Windows\system32\cmd.exe
      command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Y8CQis3wSVyx.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 1272
-
      [level 4] C:\Windows\system32\chcp.com
        command: chcp 65001
        PID: 3828
-
      [level 4] C:\Windows\system32\PING.EXE
        command: ping -n 10 localhost
        - Runs ping.exe
        PID: 4420
-
      [level 4] C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
        command: "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        PID: 2424
-
        [level 5] C:\Windows\SYSTEM32\schtasks.exe
          command: "schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
          - Creates scheduled task(s)
          PID: 4500
-
        [level 5] C:\Windows\system32\cmd.exe
          command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9dnPl84w36B9.bat" "
          - Suspicious use of WriteProcessMemory
          PID: 1996
-
          [level 6] C:\Windows\system32\chcp.com
            command: chcp 65001
            PID: 2272
-
          [level 6] C:\Windows\system32\PING.EXE
            command: ping -n 10 localhost
            - Runs ping.exe
            PID: 2568
-
          [level 6] C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
            command: "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
            PID: 4372
-
            [level 7] C:\Windows\SYSTEM32\schtasks.exe
              command: "schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
              - Creates scheduled task(s)
              PID: 1608
-
            [level 7] C:\Windows\system32\cmd.exe
              command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\miXjyljK3KEk.bat" "
              - Suspicious use of WriteProcessMemory
              PID: 4052
-
              [level 8] C:\Windows\system32\chcp.com
                command: chcp 65001
                PID: 4304
-
              [level 8] C:\Windows\system32\PING.EXE
                command: ping -n 10 localhost
                - Runs ping.exe
                PID: 3816
-
              [level 8] C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
                command: "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
                - Checks computer location settings
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage
                - Suspicious use of WriteProcessMemory
                PID: 1756
-
                [level 9] C:\Windows\SYSTEM32\schtasks.exe
                  command: "schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
                  - Creates scheduled task(s)
                  PID: 2408
-
                [level 9] C:\Windows\system32\cmd.exe
                  command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pbEtdbodxnkO.bat" "
                  - Suspicious use of WriteProcessMemory
                  PID: 4208
-
                  [level 10] C:\Windows\system32\chcp.com
                    command: chcp 65001
                    PID: 1588
-
                  [level 10] C:\Windows\system32\PING.EXE
                    command: ping -n 10 localhost
                    - Runs ping.exe
                    PID: 1004
-
                  [level 10] C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
                    command: "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
                    - Executes dropped EXE
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of FindShellTrayWindow
                    - Suspicious use of SendNotifyMessage
                    - Suspicious use of WriteProcessMemory
                    PID: 4580
-
                    [level 11] C:\Windows\SYSTEM32\schtasks.exe
                      command: "schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
                      - Creates scheduled task(s)
                      PID: 4604
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Celex.exe.log
Filesize 2KB
MD5 8f0271a63446aef01cf2bfc7b7c7976b
SHA1 b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256 da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5
-
C:\Users\Admin\AppData\Local\Temp\9dnPl84w36B9.bat
Filesize 205B
MD5 7899430c6f6b10f84c891b62dd754a3a
SHA1 7a471a89a4ff53dbeee46cb8a43f29cb8c44a360
SHA256 93ebfe5362b68c9d6637d4cca57169c42dd7cc9c793fdf935676ac04ff2e4433
SHA512 8e56fa8732ba7615d8af8ccd5271f57949885e5824b43538496eaa01580eb493b83b256a2fb8595609796e29a6d0382f071a2e6a773513f301b20ff36c88f94c
-
C:\Users\Admin\AppData\Local\Temp\Y8CQis3wSVyx.bat
Filesize 205B
MD5 607ca8f3a9a2b08f9d883ce486d87e9a
SHA1 1b4291606eb6121758017e877f5b9ae87b36f253
SHA256 033815ad10777b7b068156312799a2702e16986cac934c1e07396bc2a1e0a466
SHA512 a2165f5060d3fdf1c57fe3bf7ad2047b481dcf5baed5fe77865ff81403422239c668cfc52e2f99a54eef58d33f19c28d286b5ecc84fdd189460c73eea43c0b04
-
C:\Users\Admin\AppData\Local\Temp\miXjyljK3KEk.bat
Filesize 205B
MD5 0bedfe26ea41c97a17bb488d0de39d98
SHA1 12d414e06d56d3bb1303a9181aa2ef690569d672
SHA256 a7d0e8f03b57d0627433011a139227f8574b37ed658bb24dd064529a3db36514
SHA512 828bc7f0de22ba056496efdaa7ea92f0d55d9d682934caf7bfaad04a72b621fd61ab47e9119f66d5b5e820701597a574146a06c02eb8be14445be4fa2a503a8c
-
C:\Users\Admin\AppData\Local\Temp\pbEtdbodxnkO.bat
Filesize 205B
MD5 3489e6ecfef6e91ee1a8ce4fe9c28765
SHA1 d466bdaf73bc9dea5e2f9a3b003027fa1f0c65d9
SHA256 456e0dc54c67802accd1d02ec790f2d34f1228d4441bacbf87da56613b5a11ce
SHA512 11817625b6e1e2f4f97a46e4589157e2092deef5aa83faafc519fa4bebbead47d98c8ba5dba3257c6585465aa27f6a4fd442252035d7bdf5dfa74d63460172ee
-
C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
Filesize 3.1MB
MD5 483d0a45f61e108b7a89c6707e138d62
SHA1 da16e84ef741a6a82038468da5990b25e3bf751c
SHA256 34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40
SHA512 5c6da715cdafda98a37b6eaa455d5c12148b1048f5e038f9482d0f51f5e247cf75ff1c8439d3a75b6f674daa843a8ecd21aab23663b6bdd6bc7bac0fce606492
-
memory/952-1-0x0000000000970000-0x0000000000C94000-memory.dmp
Filesize 3.1MB
-
memory/952-2-0x00007FF816410000-0x00007FF816ED1000-memory.dmp
Filesize 10.8MB
-
memory/952-0-0x00007FF816413000-0x00007FF816415000-memory.dmp
Filesize 8KB
-
memory/952-8-0x00007FF816410000-0x00007FF816ED1000-memory.dmp
Filesize 10.8MB
-
memory/4244-9-0x00007FF816410000-0x00007FF816ED1000-memory.dmp
Filesize 10.8MB
-
memory/4244-19-0x00007FF816410000-0x00007FF816ED1000-memory.dmp
Filesize 10.8MB
-
memory/4244-13-0x00007FF816410000-0x00007FF816ED1000-memory.dmp
Filesize 10.8MB
-
memory/4244-12-0x000000001BF70000-0x000000001C022000-memory.dmp
Filesize 712KB
-
memory/4244-11-0x000000001BE60000-0x000000001BEB0000-memory.dmp
Filesize 320KB
-
memory/4244-10-0x00007FF816410000-0x00007FF816ED1000-memory.dmp
Filesize 10.8MB