Analysis
-
max time kernel
147s
-
max time network
148s
-
platform
windows7_x64
-
resource
win7-20240221-en
-
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
02-06-2024 14:09
Behavioral task
behavioral1
Sample
svchost.exe
Resource
win7-20240221-en
General
-
Target
svchost.exe
-
Size
3.1MB
-
MD5
26959ef393fbd309059d5e43041c4fb6
-
SHA1
c3ce55ccf75e8f505bc5ff0b3013a9ae54904b42
-
SHA256
900e126e8d56ee42be9bf08c083366e7b4d1ce8d4764ab70e8c45f1fa73a75cd
-
SHA512
8f87ac4586e538e7adf399eda06c7565e628baab961b23c11f5f4cf24c1439014c7d83f9725d3494910227f78074d0bc2899b9e35040f04a9f53bcc15700f03d
-
SSDEEP
49152:Ov8t62XlaSFNWPjljiFa2RoUYITUZ3larzLoGdOTHHB72eh2NT:OvA62XlaSFNWPjljiFXRoUYIK3G
Malware Config
Extracted
family
quasar
-
version
1.4.1
-
tag
Office04
-
c2
5.tcp.eu.ngrok.io:10972
-
mutex
b028487a-6e45-4b66-9e91-3d4903e32b6c
-
encryption_key
91137B461EAD4C8D03DB7ED595191162855E87F2
-
install_name
DRIVER32.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
DRIVER32
-
subdirectory
SYSWOW
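Worked example, added here and not part of the report or of the Quasar project's code: take the configuration fields above and derive the on-host and network artifacts a responder would hunt for. The install path is built under System32 because that is where the report records the drop (the dropped DRIVER32.exe carries the same hashes as the submitted svchost.exe, see Downloads below); the TUNNEL_SUFFIXES list and the RUN_KEY fallback location are assumptions for illustration.

```python
"""Turn the Quasar client configuration extracted above into hunt artifacts.

Added example; not code from the report or from the Quasar project. Field
values are copied from the report's "Malware Config" section. The base
install directory is fixed to System32 because that is where the report saw
the file dropped; TUNNEL_SUFFIXES is an illustrative assumption, not a
complete list.
"""
import ntpath

# Constructed from the report's extracted configuration.
QUASAR_CONFIG = {
    "version": "1.4.1",
    "tag": "Office04",
    "hosts": "5.tcp.eu.ngrok.io:10972",
    "mutex": "b028487a-6e45-4b66-9e91-3d4903e32b6c",
    "install_name": "DRIVER32.exe",
    "subdirectory": "SYSWOW",
    "startup_key": "DRIVER32",
    "reconnect_delay": 3000,
}

# Assumption: reverse-tunnel services that let an operator park a C2 behind a
# reputable domain; the report's ngrok endpoint is one such case.
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".trycloudflare.com")

# Where Quasar persists when it is not running elevated (assumed for illustration).
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"


def parse_hosts(hosts: str) -> list:
    """Split Quasar's 'host:port;host:port;' C2 string into (host, port) pairs.

    rpartition splits on the last colon so a bracketed IPv6 literal keeps its
    colons; anything without a numeric port is rejected rather than guessed.
    """
    endpoints = []
    for entry in hosts.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        host, sep, port = entry.rpartition(":")
        if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"malformed C2 entry: {entry!r}")
        endpoints.append((host.lower(), int(port)))
    return endpoints


def is_tunnel_host(host: str) -> bool:
    return host.lower().endswith(TUNNEL_SUFFIXES)


def build_artifacts(cfg: dict, system_dir: str = r"C:\Windows\system32") -> dict:
    """Predict what this configuration leaves on a host.

    Quasar copies itself to <base>\\<subdirectory>\\<install_name>. Running
    elevated it registers a scheduled task named startup_key (the schtasks
    lines in this report); unelevated it writes a Run value of the same name.
    """
    endpoints = parse_hosts(cfg["hosts"])
    return {
        "install_path": ntpath.join(system_dir, cfg["subdirectory"], cfg["install_name"]),
        "scheduled_task": cfg["startup_key"],
        "run_value": ntpath.join(RUN_KEY, cfg["startup_key"]),
        "mutex": cfg["mutex"],
        "c2": endpoints,
        "c2_via_tunnel": any(is_tunnel_host(h) for h, _ in endpoints),
        "reconnect_delay_s": cfg["reconnect_delay"] / 1000,
    }


def matches_observed(cfg: dict, observed_path: str) -> bool:
    """Case-insensitive check that a dropped-file path is the predicted one
    (NTFS paths are case-insensitive; the report itself spells System32 two ways)."""
    predicted = build_artifacts(cfg)["install_path"]
    return ntpath.normcase(predicted) == ntpath.normcase(observed_path)


if __name__ == "__main__":
    for key, value in build_artifacts(QUASAR_CONFIG).items():
        print(f"{key:>18}: {value}")
    print("drop path matches report:",
          matches_observed(QUASAR_CONFIG, r"C:\Windows\System32\SYSWOW\DRIVER32.exe"))
```

Both persistence artifacts are emitted because the Quasar client picks one at run time depending on whether it holds an elevated token; the process tree in this report shows the scheduled-task branch, so a host where only the Run value is present would indicate the same build running unelevated.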
Signatures
-
Quasar payload 3 IoCs
Processes:
  resource: behavioral1/memory/2168-1-0x0000000000240000-0x0000000000564000-memory.dmp  yara_rule: family_quasar
  resource: C:\Windows\System32\SYSWOW\DRIVER32.exe  yara_rule: family_quasar
  resource: behavioral1/memory/2604-8-0x0000000000BD0000-0x0000000000EF4000-memory.dmp  yara_rule: family_quasar
Executes dropped EXE 1 IoCs
Processes:
  pid: 2604  process: DRIVER32.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Drops file in System32 directory 2 IoCs
Processes:
  description: File created  ioc: C:\Windows\system32\SYSWOW\DRIVER32.exe  process: svchost.exe
  description: File opened for modification  ioc: C:\Windows\system32\SYSWOW\DRIVER32.exe  process: svchost.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid: 2516  process: schtasks.exe
  pid: 2584  process: schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description: Token: SeDebugPrivilege  pid: 2168  process: svchost.exe
  description: Token: SeDebugPrivilege  pid: 2604  process: DRIVER32.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  PID 2168 wrote to memory of 2516  process: svchost.exe  target process: schtasks.exe  (listed 3 times)
  PID 2168 wrote to memory of 2604  process: svchost.exe  target process: DRIVER32.exe  (listed 3 times)
  PID 2604 wrote to memory of 2584  process: DRIVER32.exe  target process: schtasks.exe  (listed 3 times)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "DRIVER32" /sc ONLOGON /tr "C:\Windows\system32\SYSWOW\DRIVER32.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
    C:\Windows\system32\SYSWOW\DRIVER32.exe
      "C:\Windows\system32\SYSWOW\DRIVER32.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\schtasks.exe
          "schtasks" /create /tn "DRIVER32" /sc ONLOGON /tr "C:\Windows\system32\SYSWOW\DRIVER32.exe" /rl HIGHEST /f
          - Creates scheduled task(s)
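The same schtasks command line appears twice in the tree above: once from the dropper and once from the installed copy, both registering a task named DRIVER32 that runs at logon with the highest available run level. An added example, not code from the report, of detection logic for that pattern: it parses schtasks /create command lines as an EDR or Sysmon process-creation feed would present them and scores the combination of an ONLOGON/ONSTART trigger, /rl HIGHEST, forced overwrite, and an action binary sitting in a System32 subfolder that Windows does not normally contain. The BENIGN lines and the KNOWN_SYSTEM32_DIRS allow-list are constructed for illustration.

```python
"""Score schtasks.exe command lines for the persistence pattern seen in this
report: a logon-triggered task at the highest run level whose action is a
binary in a subdirectory of System32 that Windows does not normally have.

Added example, not code from the report. OBSERVED holds the command line the
report recorded (it appears twice in the process tree); BENIGN lines are
constructed for contrast. KNOWN_SYSTEM32_DIRS is a deliberately short,
illustrative allow-list.
"""
import ntpath
import re
from typing import Optional

OBSERVED = [
    r'"schtasks" /create /tn "DRIVER32" /sc ONLOGON /tr "C:\Windows\system32\SYSWOW\DRIVER32.exe" /rl HIGHEST /f',
]
BENIGN = [  # constructed for contrast
    r'schtasks /create /tn "Backup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme\backup.exe" /f',
    r'C:\Windows\system32\schtasks.exe /query /tn "Backup"',
]

# Illustrative, not exhaustive: System32 subfolders a task may legitimately point into.
KNOWN_SYSTEM32_DIRS = {"drivers", "wbem", "windowspowershell", "spool", "tasks", "config"}

TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# schtasks /create switches that consume the following token as their value
VALUE_SWITCHES = {"/tn", "/sc", "/tr", "/rl", "/ru", "/rp", "/st", "/sd", "/ed", "/et",
                  "/mo", "/d", "/m", "/s", "/u", "/p", "/xml", "/ec", "/du", "/ri"}
SYSTEM32_SUBDIR = re.compile(r"^(?:[a-z]:\\windows|%systemroot%|%windir%)\\system32\\([^\\]+)\\", re.I)
EXE_IN_ACTION = re.compile(r"^(.+?\.(?:exe|cmd|bat|ps1|vbs|js|dll))(?:\s|$)", re.I)


def tokenize(cmdline: str) -> list:
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


def parse_schtasks_create(cmdline: str) -> Optional[dict]:
    """Return the switches of a 'schtasks /create' invocation, or None for
    anything else (other binaries, /query, /delete, ...)."""
    toks = tokenize(cmdline)
    if not toks or ntpath.splitext(ntpath.basename(toks[0]))[0].lower() != "schtasks":
        return None
    if "/create" not in {t.lower() for t in toks[1:]}:
        return None
    opts = {}
    i = 1
    while i < len(toks):
        switch = toks[i].lower()
        if switch in VALUE_SWITCHES and i + 1 < len(toks):
            opts[switch[1:]] = toks[i + 1]
            i += 2
        else:
            if switch.startswith("/"):
                opts[switch[1:]] = True  # boolean switch such as /f or /create
            i += 1
    return opts


def action_binary(tr: str) -> str:
    """Pull the executable out of a /tr value that may carry arguments or spaces."""
    m = EXE_IN_ACTION.match(tr)
    if m:
        return m.group(1)
    toks = tokenize(tr)
    return toks[0] if toks else ""


def flag_logon_task(cmdline: str) -> Optional[dict]:
    """Score one command line; three or more reasons marks it suspicious."""
    opts = parse_schtasks_create(cmdline)
    if opts is None:
        return None
    reasons = []
    trigger = str(opts.get("sc", "")).upper()
    if trigger in ("ONLOGON", "ONSTART"):
        reasons.append(f"trigger {trigger}: re-executes after reboot or logon")
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        reasons.append("/rl HIGHEST: runs with the caller's highest available token")
    binary = action_binary(str(opts.get("tr", "")))
    m = SYSTEM32_SUBDIR.match(binary)
    if m and m.group(1).lower() not in KNOWN_SYSTEM32_DIRS:
        reasons.append(f"action binary lives in unexpected System32 subfolder {m.group(1)}")
    if opts.get("f") is True:
        reasons.append("/f: silently replaces an existing task of the same name")
    return {"task": opts.get("tn"), "binary": binary, "reasons": reasons,
            "suspicious": len(reasons) >= 3}


if __name__ == "__main__":
    for line in OBSERVED + BENIGN:
        print(flag_logon_task(line))
```

The scoring is deliberately additive rather than a single string match on DRIVER32 or SYSWOW: the task name, folder name and binary name are all operator-chosen config values (compare the install_name, subdirectory and startup_key fields in the extracted config), so a rule keyed on them would miss the next build, while the ONLOGON plus HIGHEST plus unexpected-System32-subfolder combination is what the persistence routine itself produces.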
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Windows\System32\SYSWOW\DRIVER32.exe
Filesize
3.1MB
MD5
26959ef393fbd309059d5e43041c4fb6
SHA1
c3ce55ccf75e8f505bc5ff0b3013a9ae54904b42
SHA256
900e126e8d56ee42be9bf08c083366e7b4d1ce8d4764ab70e8c45f1fa73a75cd
SHA512
8f87ac4586e538e7adf399eda06c7565e628baab961b23c11f5f4cf24c1439014c7d83f9725d3494910227f78074d0bc2899b9e35040f04a9f53bcc15700f03d
-
memory/2168-0-0x000007FEF5C53000-0x000007FEF5C54000-memory.dmp
Filesize
4KB
-
memory/2168-1-0x0000000000240000-0x0000000000564000-memory.dmp
Filesize
3.1MB
-
memory/2168-2-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
Filesize
9.9MB
-
memory/2168-10-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
Filesize
9.9MB
-
memory/2604-7-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
Filesize
9.9MB
-
memory/2604-8-0x0000000000BD0000-0x0000000000EF4000-memory.dmp
Filesize
3.1MB
-
memory/2604-9-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
Filesize
9.9MB
-
memory/2604-11-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
Filesize
9.9MB
-
memory/2604-12-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
Filesize
9.9MB