Resubmissions

28-05-2024 02:35

240528-c3cl8acg65 10

28-05-2024 02:34

240528-c2ncbsbe8y 10

Analysis

  • max time kernel
    1799s
  • max time network
    1802s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-05-2024 02:35

General

  • Target

    SynapseX.Revamped.V1.5.rar

  • Size

    6.9MB

  • MD5

    358e3fc465a47e440775cd04fe9e9650

  • SHA1

    c0dea173ba12149b325de5831c2e08d8c3ff7b21

  • SHA256

    8739b236fb674c2c3516bc43ecf4b6583ea22ca0d4b2fe417b6223d654d52011

  • SHA512

    1a8dad583487280053ec13a088f02f54177f2c14318d9edfc60121884e6bda8e06979c47fa2e9100db21ecedcb30431a1842c2a6ef3c69f20b703ea07865348f

  • SSDEEP

    196608:SGOV4gKBR19F8lsJ7WJ+ZVNXARR+n9fmYclvlcf:SB4LFXKsJ7QmVNXARkVwl9cf

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Windows Update

C2

skbidiooiilet-31205.portmap.host:31205

Mutex

b2f09b33-2e5b-4ffa-afbf-3f1aaed274a6

Attributes
  • encryption_key

    6F721445F7E0B1CF58980D84A9D49F4458D4EFD9

  • install_name

    Update.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    WindowsUpdate

  • subdirectory

    Windows Update

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 14 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\SynapseX.Revamped.V1.5.rar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SynapseX.Revamped.V1.5.rar"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Users\Admin\AppData\Local\Temp\7zOC6A74786\SynapseXBootstrapper.exe
        "C:\Users\Admin\AppData\Local\Temp\7zOC6A74786\SynapseXBootstrapper.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Windows\system32\schtasks.exe
          "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe" /rl HIGHEST /f
          4⤵
          • Creates scheduled task(s)
          PID:2560
        • C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe
          "C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2480
          • C:\Windows\system32\schtasks.exe
            "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:2500
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7zOC6A86607\1
        3⤵
        • Modifies registry class
        PID:1252
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOC6AFB068\version.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        • Suspicious use of FindShellTrayWindow
        PID:2648
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7zOC6A71398\.text
        3⤵
        • Modifies registry class
        PID:2636
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7zOC6AC1DF8\.text
        3⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:644
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOC6AC1DF8\.text
          4⤵
          PID:840

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\7zOC6A74786\SynapseXBootstrapper.exe

      Filesize

      3.1MB

      MD5

      9434a1822088cedbce057d280c235864

      SHA1

      c09173a18e5ae2d9d38bd4d3d196adf1423f924e

      SHA256

      de29011246319ec8b60774d8c4cad4e8299e27eba6dc7699cd257fbdda338336

      SHA512

      7461b706ef796abc96d7f2549091061910fdf81a77ae0f8d0c20c5de870164410f5dd3b68e3e33a5bb9b77c3ccf59fd787164530b6d2d03688d4dceccb4fb632

    • C:\Users\Admin\AppData\Local\Temp\7zOC6AC1DF8\.text

      Filesize

      3.1MB

      MD5

      9693ab4017b430693aab5ed990a8161a

      SHA1

      03d71ff31ff1b9d516ddaa77668cbaafd8f39905

      SHA256

      052a59ba9192055583d81d9e50b6a723c1f2323e0fca8e35c7af1f361ca76518

      SHA512

      02ca270ee8242196548bc1d9f1642e5e6e58792081c28c12ab7e3bac6d723f14f0dcdaaf4f5279f2077c6523f65a558185a8f2c79a5d5bd0e24d061ef785435e

    • C:\Users\Admin\AppData\Local\Temp\7zOC6AFB068\version.txt

      Filesize

      1KB

      MD5

      ab6f65c5a67f69a1f23c29373b6b6ada

      SHA1

      eb80cda039fd6ac2453402f793dc372eadf0e24f

      SHA256

      e333770e0c4c51e6c05101eae443bde40a7ab64fe4362374e4a900dc6cbe2aca

      SHA512

      d8910b4105e7925e4597d8011cf415453571e4f2ee61e39a0ad14be549ef51ce20e11502b4790536ac02724d2f12ae9717a1cadbd3eb02bfc459b8868f29fd12

    • memory/2480-41-0x0000000001010000-0x0000000001334000-memory.dmp

      Filesize

      3.1MB

    • memory/2540-35-0x00000000002A0000-0x00000000005C4000-memory.dmp

      Filesize

      3.1MB