Analysis
-
max time kernel
212s -
max time network
300s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system -
submitted
27-05-2024 23:25
Behavioral task
behavioral1
Sample
New.exe
Resource
win10v2004-20240426-en
General
-
Target
New.exe
-
Size
409KB
-
MD5
cf570b21f42f0ce411b7c9961068931e
-
SHA1
f92aa688a1dbd64a4585ecfe80a9c2d7f408c57d
-
SHA256
d0c4045c70a0822806a4e56d7883821cd2c19362f1cfed3bcbdb1e1b8eb15234
-
SHA512
de9dce8300656cd8531569011d043373193cbda125b738e66a5bf107178b48781d6dc88eea696b2074c352a1bf56a4693cfae62e668993ac24ce18aebfdcd684
-
SSDEEP
12288:jpyJcC+PgUUboV2hShYoyTyrIh9eqh6bIK+Pz9:9wd+Y2IweyA9eqkMZ
Malware Config
Extracted
quasar
3.1.5
Video
runderscore00-25501.portmap.host:25501
$Sxr-oWTh3ZS9htfe80iIl5
-
encryption_key
zK8u0rpHf4TJzGf65Flt
-
install_name
Win11.exe
-
log_directory
$sxr-Logs
-
reconnect_delay
3000
-
startup_key
Windows 11 Boot
-
subdirectory
Win11
Signatures
-
Quasar payload 1 IoCs
Processes:
resource: behavioral2/memory/2740-1-0x0000000000C50000-0x0000000000CBC000-memory.dmp
yara_rule: family_quasar -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow: 1
ioc: ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
New.exe
description: Token: SeDebugPrivilege
pid: 2740
process: New.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
New.exe
pid: 2740
process: New.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
New.exe, cmd.exe
description | pid | process | target process
PID 2740 wrote to memory of 3556 | 2740 | New.exe | cmd.exe
PID 2740 wrote to memory of 3556 | 2740 | New.exe | cmd.exe
PID 2740 wrote to memory of 3556 | 2740 | New.exe | cmd.exe
PID 3556 wrote to memory of 4720 | 3556 | cmd.exe | chcp.com
PID 3556 wrote to memory of 4720 | 3556 | cmd.exe | chcp.com
PID 3556 wrote to memory of 4720 | 3556 | cmd.exe | chcp.com
PID 3556 wrote to memory of 3992 | 3556 | cmd.exe | PING.EXE
PID 3556 wrote to memory of 3992 | 3556 | cmd.exe | PING.EXE
PID 3556 wrote to memory of 3992 | 3556 | cmd.exe | PING.EXE
PID 2740 wrote to memory of 4648 | 2740 | New.exe | SCHTASKS.exe
PID 2740 wrote to memory of 4648 | 2740 | New.exe | SCHTASKS.exe
PID 2740 wrote to memory of 4648 | 2740 | New.exe | SCHTASKS.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\New.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\New.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2740
  C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1Pu4kK0nZ1GL.bat" "
    - Suspicious use of WriteProcessMemory
    PID:3556
    C:\Windows\SysWOW64\chcp.com (level 3)
      Command line: chcp 65001
      PID:4720
    C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping -n 10 localhost
      - Runs ping.exe
      PID:3992
  C:\Windows\SysWOW64\SCHTASKS.exe (level 2)
    Command line: "SCHTASKS.exe" /create /tn "$77New.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\New.exe'" /sc onlogon /rl HIGHEST
    - Creates scheduled task(s)
    PID:4648
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
260B
MD5 2dedd42362a90a721d4700553de023ed
SHA1 e3974c125cdbe411a0110207b40723854bbd0c90
SHA256 df2b5669f1f564df5f4929c415c5ee5d9eb4c09a474b44230a8bd3ce5b712445
SHA512 cb46389bf7a7faa19a362f62fe99e670118a4898a303f3eb8ee8f3602e7a73e41ffc22476a9f979fcf3ce55ef6594a95d0e059902f597f23482d6225765ff948
-
Filesize
224B
MD5 c906612cf0067cbc9d22ea083cac6bae
SHA1 44df01af9e4b23396c6c7a224f24834a34bcf69a
SHA256 d83e7c884a32ef8cdc29692d253f196201a430caaa3407b4a296c02bc5a9a66e
SHA512 266e2c5aa2b041c45d91cd91f2bcc008059275a39949c5dbb15c4142a7153ae84e548d6cf988818252fb5d5e7fd374b4e57fc1a0c5e5b94d765360b2867b99c0