Analysis
max time kernel: 146s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 01-06-2024 19:29
Behavioral tasks
- behavioral1: sample cool.exe, resource win10v2004-20240426-en
- behavioral2: sample cool.exe, resource win11-20240508-en
General
Target: cool.exe
Size: 409KB
MD5: 8981944139c803c067c3a1fe11dc0d88
SHA1: dcc102fba961eaea31a2c218b1f6e4ae2a00c91b
SHA256: db5769a8780e6b398f48b33209ba18deb0eefeb0b6df143bb016c1defa718ac5
SHA512: 668cfa950624ee38e5e0470379b784e14675df4c0f8e75009d28161a88789d3d778a79924d379ab43896d028e94814d582a1c882c5d2918053a320a8e1cc38f5
SSDEEP: 6144:rMs9p1kREG60ol2tjSujSyfhQkHwKkcY2b+5oydLJF6qty9fHg5a:jpiREGJBtjSujS1k8hoyM/9fHg5a
Malware Config
Extracted
Family: quasar
Version: 3.1.5
Botnet: SeroXen | v3.1.5 |
C2: adult-mai.gl.at.ply.gg:51745
Mutex: $Sxr-jy6vh8CtEJL5ceZuIb
encryption_key: 72dhc0vkceueKRBldQr9
install_name: $sxr-powershell.exe
log_directory: $sxr-Logs
reconnect_delay: 3000
startup_key: Powershell
subdirectory: $sxr-seroxen2
Signatures

Quasar payload (2 IoCs)
Resource | YARA rule
behavioral2/memory/1280-1-0x00000000005B0000-0x000000000061C000-memory.dmp | family_quasar
C:\Windows\SysWOW64\$sxr-seroxen2\$sxr-powershell.exe | family_quasar

Executes dropped EXE (1 IoC)
PID | Process
2732 | $sxr-powershell.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flow | IOC
1 | ip-api.com

Drops file in System32 directory (4 IoCs)
Description | IOC | Process
File opened for modification | C:\Windows\SysWOW64\$sxr-seroxen2\$sxr-powershell.exe | cool.exe
File opened for modification | C:\Windows\SysWOW64\$sxr-seroxen2\$sxr-powershell.exe | $sxr-powershell.exe
File opened for modification | C:\Windows\SysWOW64\$sxr-seroxen2 | $sxr-powershell.exe
File created | C:\Windows\SysWOW64\$sxr-seroxen2\$sxr-powershell.exe | cool.exe

Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID | Process
4804 | schtasks.exe
3516 | SCHTASKS.exe
1164 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Description | PID | Process
Token: SeDebugPrivilege | 1280 | cool.exe
Token: SeDebugPrivilege | 2732 | $sxr-powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
PID | Process
2732 | $sxr-powershell.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Description | PID | Process | Target process
PID 1280 wrote to memory of 4804 | 1280 | cool.exe | schtasks.exe
PID 1280 wrote to memory of 4804 | 1280 | cool.exe | schtasks.exe
PID 1280 wrote to memory of 4804 | 1280 | cool.exe | schtasks.exe
PID 1280 wrote to memory of 2732 | 1280 | cool.exe | $sxr-powershell.exe
PID 1280 wrote to memory of 2732 | 1280 | cool.exe | $sxr-powershell.exe
PID 1280 wrote to memory of 2732 | 1280 | cool.exe | $sxr-powershell.exe
PID 1280 wrote to memory of 3516 | 1280 | cool.exe | SCHTASKS.exe
PID 1280 wrote to memory of 3516 | 1280 | cool.exe | SCHTASKS.exe
PID 1280 wrote to memory of 3516 | 1280 | cool.exe | SCHTASKS.exe
PID 2732 wrote to memory of 1164 | 2732 | $sxr-powershell.exe | schtasks.exe
PID 2732 wrote to memory of 1164 | 2732 | $sxr-powershell.exe | schtasks.exe
PID 2732 wrote to memory of 1164 | 2732 | $sxr-powershell.exe | schtasks.exe
Processes (tree; depth shown by indentation)

- C:\Users\Admin\AppData\Local\Temp\cool.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cool.exe"
  Signatures: Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\cool.exe" /rl HIGHEST /f
    Signatures: Creates scheduled task(s)
  - C:\Windows\SysWOW64\$sxr-seroxen2\$sxr-powershell.exe
    Command line: "C:\Windows\SysWOW64\$sxr-seroxen2\$sxr-powershell.exe"
    Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Windows\SysWOW64\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
      Signatures: Creates scheduled task(s)
  - C:\Windows\SysWOW64\SCHTASKS.exe
    Command line: "SCHTASKS.exe" /create /tn "$77cool.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\cool.exe'" /sc onlogon /rl HIGHEST
    Signatures: Creates scheduled task(s)
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Windows\SysWOW64\$sxr-seroxen2\$sxr-powershell.exe
Filesize: 409KB
MD5: 8981944139c803c067c3a1fe11dc0d88
SHA1: dcc102fba961eaea31a2c218b1f6e4ae2a00c91b
SHA256: db5769a8780e6b398f48b33209ba18deb0eefeb0b6df143bb016c1defa718ac5
SHA512: 668cfa950624ee38e5e0470379b784e14675df4c0f8e75009d28161a88789d3d778a79924d379ab43896d028e94814d582a1c882c5d2918053a320a8e1cc38f5

Memory dumps
Dump | Filesize
memory/1280-6-0x0000000005DF0000-0x0000000005E02000-memory.dmp | 72KB
memory/1280-1-0x00000000005B0000-0x000000000061C000-memory.dmp | 432KB
memory/1280-3-0x0000000005110000-0x00000000051A2000-memory.dmp | 584KB
memory/1280-4-0x0000000074CA0000-0x0000000075451000-memory.dmp | 7.7MB
memory/1280-5-0x00000000051B0000-0x0000000005216000-memory.dmp | 408KB
memory/1280-0-0x0000000074CAE000-0x0000000074CAF000-memory.dmp | 4KB
memory/1280-7-0x0000000006340000-0x000000000637C000-memory.dmp | 240KB
memory/1280-2-0x0000000005620000-0x0000000005BC6000-memory.dmp | 5.6MB
memory/1280-16-0x0000000074CA0000-0x0000000075451000-memory.dmp | 7.7MB
memory/2732-14-0x0000000074CA0000-0x0000000075451000-memory.dmp | 7.7MB
memory/2732-13-0x0000000074CA0000-0x0000000075451000-memory.dmp | 7.7MB
memory/2732-18-0x00000000068B0000-0x00000000068BA000-memory.dmp | 40KB
memory/2732-19-0x0000000074CA0000-0x0000000075451000-memory.dmp | 7.7MB
memory/2732-20-0x0000000074CA0000-0x0000000075451000-memory.dmp | 7.7MB