Analysis
- max time kernel: 1s
- max time network: 18s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-05-2024 23:29
Behavioral task: behavioral1
- Sample: SynapseXBootstrapper.exe
- Resource: win10v2004-20240426-en
General
- Target: SynapseXBootstrapper.exe
- Size: 3.1MB
- MD5: 9434a1822088cedbce057d280c235864
- SHA1: c09173a18e5ae2d9d38bd4d3d196adf1423f924e
- SHA256: de29011246319ec8b60774d8c4cad4e8299e27eba6dc7699cd257fbdda338336
- SHA512: 7461b706ef796abc96d7f2549091061910fdf81a77ae0f8d0c20c5de870164410f5dd3b68e3e33a5bb9b77c3ccf59fd787164530b6d2d03688d4dceccb4fb632
- SSDEEP: 49152:PvnI22SsaNYfdPBldt698dBcjHHeJ/uBx3ioGdyTHHB72eh2NT:PvI22SsaNYfdPBldt6+dBcjH4/X
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Botnet: Windows Update
- C2: skbidiooiilet-31205.portmap.host:31205
- Mutex: b2f09b33-2e5b-4ffa-afbf-3f1aaed274a6
- encryption_key: 6F721445F7E0B1CF58980D84A9D49F4458D4EFD9
- install_name: Update.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: WindowsUpdate
- subdirectory: Windows Update
Signatures
- Quasar payload (2 IoCs)
  Processes:
    resource                                                                      | yara_rule
    behavioral1/memory/3360-1-0x0000000000BD0000-0x0000000000EF4000-memory.dmp    | family_quasar
    C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe                      | family_quasar
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    pid  | process
    3548 | schtasks.exe
    4796 | schtasks.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              | pid  | process
    Token: SeDebugPrivilege  | 3360 | SynapseXBootstrapper.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
    description                   | pid  | process                  | target process
    PID 3360 wrote to memory of 3548 | 3360 | SynapseXBootstrapper.exe | schtasks.exe
    PID 3360 wrote to memory of 3548 | 3360 | SynapseXBootstrapper.exe | schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SynapseXBootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\SynapseXBootstrapper.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3360
  - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
    PID: 3548
  - C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe
    "C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe"
    PID: 2344
    - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
      PID: 4796
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.1MB
- MD5: 9434a1822088cedbce057d280c235864
- SHA1: c09173a18e5ae2d9d38bd4d3d196adf1423f924e
- SHA256: de29011246319ec8b60774d8c4cad4e8299e27eba6dc7699cd257fbdda338336
- SHA512: 7461b706ef796abc96d7f2549091061910fdf81a77ae0f8d0c20c5de870164410f5dd3b68e3e33a5bb9b77c3ccf59fd787164530b6d2d03688d4dceccb4fb632