Analysis
max time kernel: 68s
max time network: 68s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 30-05-2024 12:59
Behavioral task: behavioral1
Sample: Beta.exe
Resource: win7-20240221-en
Errors: none
Errors
General
-
Target
Beta.exe
-
Size
3.1MB
-
MD5
bb26a2979d9a61725f910422403ed4dd
-
SHA1
b46d4a3a7f7253e1d7268c060702d301ebb36dd6
-
SHA256
fb80d28a129184b6a273bd893aeee80765b6ec3eb617d90c6d32d0738bcbbfef
-
SHA512
dfa1d068282cae728f6adf890065c0dcecbf9215646f50313d995afd209f52c07f3fd8e1e414c8712af1e2b5306ef453a9b6419f1c574dbd445acbc276426200
-
SSDEEP
49152:ivEt62XlaSFNWPjljiFa2RoUYI9ihqKhHvJQMoGd9THHB72eh2NT:ivY62XlaSFNWPjljiFXRoUYImh5
Malware Config
Extracted family: quasar
Version: 1.4.1
Tag: Astro-1
C2: arthurus36.duckdns.org:5555
Mutex: ad7cd985-5e2e-45a3-9246-b82449c7c4d8
encryption_key: 6314C8C60AA1035CEB920FD38F0342E398BAF5D0
install_name: cmdprmpt.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: systemdex
Signatures

Quasar payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/2032-1-0x0000000000DA0000-0x00000000010C4000-memory.dmp | family_quasar
  C:\Windows\System32\cmdprmpt.exe | family_quasar
  behavioral1/memory/2116-8-0x0000000000F30000-0x0000000001254000-memory.dmp | family_quasar

Executes dropped EXE (1 IoC)
  pid | process
  2116 | cmdprmpt.exe

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | process
  File opened (read-only) | \??\B: | mstsc.exe
  File opened (read-only) | \??\E: | mstsc.exe
  File opened (read-only) | \??\K: | mstsc.exe
  File opened (read-only) | \??\L: | mstsc.exe
  File opened (read-only) | \??\P: | mstsc.exe
  File opened (read-only) | \??\U: | mstsc.exe
  File opened (read-only) | \??\R: | mstsc.exe
  File opened (read-only) | \??\X: | mstsc.exe
  File opened (read-only) | \??\Y: | mstsc.exe
  File opened (read-only) | \??\A: | mstsc.exe
  File opened (read-only) | \??\I: | mstsc.exe
  File opened (read-only) | \??\J: | mstsc.exe
  File opened (read-only) | \??\M: | mstsc.exe
  File opened (read-only) | \??\N: | mstsc.exe
  File opened (read-only) | \??\Q: | mstsc.exe
  File opened (read-only) | \??\Z: | mstsc.exe
  File opened (read-only) | \??\G: | mstsc.exe
  File opened (read-only) | \??\H: | mstsc.exe
  File opened (read-only) | \??\O: | mstsc.exe
  File opened (read-only) | \??\S: | mstsc.exe
  File opened (read-only) | \??\T: | mstsc.exe
  File opened (read-only) | \??\V: | mstsc.exe
  File opened (read-only) | \??\W: | mstsc.exe

Drops file in System32 directory (3 IoCs)
  description | ioc | process
  File created | C:\Windows\system32\cmdprmpt.exe | Beta.exe
  File opened for modification | C:\Windows\system32\cmdprmpt.exe | Beta.exe
  File opened for modification | C:\Windows\system32\cmdprmpt.exe | cmdprmpt.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | process
  2720 | schtasks.exe
  2080 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2032 | Beta.exe
  Token: SeDebugPrivilege | 2116 | cmdprmpt.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | target process
  PID 2032 wrote to memory of 2080 | 2032 | Beta.exe | schtasks.exe
  PID 2032 wrote to memory of 2080 | 2032 | Beta.exe | schtasks.exe
  PID 2032 wrote to memory of 2080 | 2032 | Beta.exe | schtasks.exe
  PID 2032 wrote to memory of 2116 | 2032 | Beta.exe | cmdprmpt.exe
  PID 2032 wrote to memory of 2116 | 2032 | Beta.exe | cmdprmpt.exe
  PID 2032 wrote to memory of 2116 | 2032 | Beta.exe | cmdprmpt.exe
  PID 2116 wrote to memory of 2720 | 2116 | cmdprmpt.exe | schtasks.exe
  PID 2116 wrote to memory of 2720 | 2116 | cmdprmpt.exe | schtasks.exe
  PID 2116 wrote to memory of 2720 | 2116 | cmdprmpt.exe | schtasks.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Beta.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Beta.exe"
  PID: 2032
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "systemdex" /sc ONLOGON /tr "C:\Windows\system32\cmdprmpt.exe" /rl HIGHEST /f
    PID: 2080
    - Creates scheduled task(s)

  C:\Windows\system32\cmdprmpt.exe
    Command line: "C:\Windows\system32\cmdprmpt.exe"
    PID: 2116
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
      Command line: "schtasks" /create /tn "systemdex" /sc ONLOGON /tr "C:\Windows\system32\cmdprmpt.exe" /rl HIGHEST /f
      PID: 2720
      - Creates scheduled task(s)

C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 2880

C:\Windows\system32\mstsc.exe
  Command line: "C:\Windows\system32\mstsc.exe"
  PID: 2796
  - Enumerates connected drives

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID: 1520

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID: 2784
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.1MB
MD5: bb26a2979d9a61725f910422403ed4dd
SHA1: b46d4a3a7f7253e1d7268c060702d301ebb36dd6
SHA256: fb80d28a129184b6a273bd893aeee80765b6ec3eb617d90c6d32d0738bcbbfef
SHA512: dfa1d068282cae728f6adf890065c0dcecbf9215646f50313d995afd209f52c07f3fd8e1e414c8712af1e2b5306ef453a9b6419f1c574dbd445acbc276426200