Analysis
max time kernel: 271s
max time network: 190s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-05-2024 23:25
Behavioral task: behavioral1
Sample: New.exe
Resource: win10v2004-20240426-en
General
Target: New.exe
Size: 409KB
MD5: cf570b21f42f0ce411b7c9961068931e
SHA1: f92aa688a1dbd64a4585ecfe80a9c2d7f408c57d
SHA256: d0c4045c70a0822806a4e56d7883821cd2c19362f1cfed3bcbdb1e1b8eb15234
SHA512: de9dce8300656cd8531569011d043373193cbda125b738e66a5bf107178b48781d6dc88eea696b2074c352a1bf56a4693cfae62e668993ac24ce18aebfdcd684
SSDEEP: 12288:jpyJcC+PgUUboV2hShYoyTyrIh9eqh6bIK+Pz9:9wd+Y2IweyA9eqkMZ
Malware Config
Extracted
Family: quasar
Version: 3.1.5
Botnet: Video (field name inferred; the report lists this value without a label)
C2: runderscore00-25501.portmap.host:25501
Mutex: $Sxr-oWTh3ZS9htfe80iIl5 (field name inferred; the report lists this value without a label)
encryption_key: zK8u0rpHf4TJzGf65Flt
install_name: Win11.exe
log_directory: $sxr-Logs
reconnect_delay: 3000
startup_key: Windows 11 Boot
subdirectory: Win11

Notes on the extracted config: the C2 is a subdomain of portmap.host, a port-forwarding service, so the hostname and port are the durable indicator rather than whatever IP it resolved to during the run. The 3.1.5 version string is not a stock Quasar release (the official project's release line is 1.4.x), and the $Sxr prefix on the mutex and log directory points the same way: treat this as a modified Quasar build and do not assume stock Quasar network or config encryption behaviour without confirming it. install_name, subdirectory and startup_key describe where the client is configured to install itself; nothing elsewhere in this report shows that install path actually being written during the run.
Signatures
Quasar payload (1 IoC)
  resource: behavioral1/memory/432-1-0x0000000000030000-0x000000000009C000-memory.dmp
  yara_rule: family_quasar
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  process: New.exe
  ioc: key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation
  (This value is the current user's GeoID; reading it is cheap and offline, which is why it is a common first gate before any network activity.)
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 7: ip-api.com
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
  schtasks is often used by malware for persistence or to perform post-infection execution.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  New.exe (PID 432): Token SeDebugPrivilege
Suspicious use of SetWindowsHookEx (1 IoC)
  New.exe (PID 432)
Suspicious use of WriteProcessMemory (12 IoCs)
  The report logs each parent-to-child write three times; the unique pairs are:
  PID 432 New.exe -> PID 952 cmd.exe (x3)
  PID 952 cmd.exe -> PID 3444 chcp.com (x3)
  PID 952 cmd.exe -> PID 5012 PING.EXE (x3)
  PID 432 New.exe -> PID 1980 SCHTASKS.exe (x3)
  Every target is a child the writer itself created, so these entries reflect process creation, not injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\New.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\New.exe"
  PID: 432
  signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  +-- C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3XyKTWJLX4Bg.bat" "
      PID: 952
      signatures: Suspicious use of WriteProcessMemory
      +-- C:\Windows\SysWOW64\chcp.com
          command line: chcp 65001
          PID: 3444
      +-- C:\Windows\SysWOW64\PING.EXE
          command line: ping -n 10 localhost
          PID: 5012
          signatures: Runs ping.exe
  +-- C:\Windows\SysWOW64\SCHTASKS.exe
      command line: "SCHTASKS.exe" /create /tn "$77New.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\New.exe'" /sc onlogon /rl HIGHEST
      PID: 1980
      signatures: Creates scheduled task(s)

Reading the tree: the children resolve to SysWOW64 even though the command lines name system32, which is file-system redirection for a 32-bit process on x64 (consistent with the arch:x86 tag and the 0x30000 image base). The batch file has a random name in Temp; its contents are not shown in this report, so only its behaviour is known: chcp 65001 switches the console to UTF-8 and ping -n 10 localhost is the usual batch-file sleep of roughly nine seconds. The persistence is a logon-triggered scheduled task at the highest run level whose action is the original Temp path, not the configured Win11\Win11.exe install location. The $77 prefix on the task name is the naming convention the r77 user-mode rootkit uses to hide files, processes and tasks; nothing else in this report shows r77 present, so treat the prefix as a lead to check for, not a finding.
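The execution chain above is the part of this report that turns into detection logic most directly. The following is an added example, not code from the sandbox or from the sample: it runs two rules over constructed Sysmon-style process-creation events that mirror the tree (same PIDs, images and command lines; the parent PIDs of New.exe and of the benign control event are assumed) and ties each hit back to the root process in the set.

```python
"""Detection logic for the execution chain captured in this report.

Added example: constructed process-creation events that mirror the report's
process tree (PIDs, images and command lines as reported; the ppid of the
sample and the benign control event are assumed), not code from the sandbox.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int        # process that triggered the rule
    root: int       # top-most ancestor present in the event set
    rule: str
    detail: str


# Constructed events; the last one is a benign control that must not fire.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(432, 4000, r"C:\Users\Admin\AppData\Local\Temp\New.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\New.exe"'),
    ProcEvent(952, 432, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3XyKTWJLX4Bg.bat" "'),
    ProcEvent(3444, 952, r"C:\Windows\SysWOW64\chcp.com", "chcp 65001"),
    ProcEvent(5012, 952, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 10 localhost"),
    ProcEvent(1980, 432, r"C:\Windows\SysWOW64\SCHTASKS.exe",
              r'''"SCHTASKS.exe" /create /tn "$77New.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\New.exe'" /sc onlogon /rl HIGHEST'''),
    ProcEvent(6000, 5999, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn Backup /tr "C:\Program Files\Backup\run.exe" /sc daily'),
]

USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.I)
TR_ARG = re.compile(r"""/tr\s+["']*([^"']+)""", re.I)      # task action path
TN_ARG = re.compile(r'/tn\s+"?([^"\s]+)', re.I)            # task name
BAT_ARG = re.compile(r'/c\s+"*([^"]+\.bat)', re.I)         # batch run by cmd /c
PING_COUNT = re.compile(r"-n\s+(\d+)", re.I)
LOOPBACK = re.compile(r"\b(localhost|127\.0\.0\.1|::1)\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def root_of(pid: int, by_pid: Dict[int, ProcEvent]) -> int:
    """Walk the parent chain until the parent is outside the event set."""
    seen = set()
    while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def check_schtasks(ev: ProcEvent) -> List[str]:
    """Reasons a schtasks /create looks like malware persistence (empty = clean)."""
    cl = ev.cmdline.lower()
    if basename(ev.image) != "schtasks.exe" or "/create" not in cl:
        return []
    tr = TR_ARG.search(ev.cmdline)
    target = tr.group(1).strip() if tr else ""
    if not USER_WRITABLE.search(target):
        return []                      # action lives in a protected path: not flagged
    reasons = ["task action in user-writable path: " + target]
    tn = TN_ARG.search(ev.cmdline)
    if tn and tn.group(1).startswith("$77"):
        reasons.append("task name uses the $77 prefix")
    if "/sc onlogon" in cl:
        reasons.append("logon trigger")
    if "/rl highest" in cl:
        reasons.append("runs with highest privileges")
    return reasons


def check_batch_sleep(ev: ProcEvent, children: List[ProcEvent]) -> List[str]:
    """cmd.exe running a .bat from a user-writable path that sleeps via ping."""
    if basename(ev.image) != "cmd.exe":
        return []
    bat = BAT_ARG.search(ev.cmdline)
    if not bat or not USER_WRITABLE.search(bat.group(1)):
        return []
    for child in children:
        if basename(child.image) == "ping.exe":
            n = PING_COUNT.search(child.cmdline)
            if n and int(n.group(1)) >= 3 and LOOPBACK.search(child.cmdline):
                return ["batch %s sleeps via ping -n %s to loopback (pid %d)"
                        % (bat.group(1), n.group(1), child.pid)]
    return []


def detect(events: List[ProcEvent]) -> List[Finding]:
    by_pid = {e.pid: e for e in events}
    children: Dict[int, List[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings: List[Finding] = []
    for e in events:
        for rule, reasons in (("persistence_schtasks", check_schtasks(e)),
                              ("batch_sleep_from_temp", check_batch_sleep(e, children.get(e.pid, [])))):
            if reasons:
                findings.append(Finding(e.pid, root_of(e.pid, by_pid), rule, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid {f.pid} (root {f.root}) {f.rule}: {f.detail}")
```

Both hits resolve to root PID 432, which is what lets an analyst treat the task creation and the batch-driven delay as one incident rather than two alerts; the benign daily task pointing into Program Files is left alone because the action path, not the use of schtasks itself, is what the rule keys on.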
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1 (unnamed in the report)
  Filesize: 260B
  MD5: ce89cf6bd96820c008122f12ae7c9f82
  SHA1: f5f593666c2d191f5dba7f0f1d5b3ad1b6116038
  SHA256: c89ab7b82dfc29ad9ded2494f6e33c35270917d607fd0540d3fc9cecb7ed8348
  SHA512: 02b5b0957200a1ca9a6a15072d4f607db06c42c12acde30d8698e1d7055fdd1131a2591e47b3ce0e9d9c6718c4f08178d49043c40e0e67282ba8090d3b9a613f
File 2 (unnamed in the report)
  Filesize: 224B
  MD5: dfcbdef06c720514af8e8b63c2e48878
  SHA1: 7ee7489cdc298005b41d29c12f337c0e1444a662
  SHA256: ef2a64128a7d97ed575b2a2647092292286bcefb4d87cee822792e30b623af88
  SHA512: 376056467e26d47b02d7b20f9472f617eea4d69a44d639aaf4de47fa413e352b5501368ad0eaf0bb9123bdd60b8d23e9f86d1fab3dda0872b77274c1c438b393