Analysis
- max time kernel: 74s
- max time network: 80s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 03-06-2024 15:47
Behavioral task: behavioral1
- Sample: IncognitoExecutorPro.exe
- Resource: win7-20240221-en
- Errors: (none listed)
General
- Target: IncognitoExecutorPro.exe
- Size: 10.1MB
- MD5: 31bf96839daa9a6040bc08cdb08a14fb
- SHA1: 61b1b04ad917615bba369b269792df863c12658e
- SHA256: 2760a9f7cf2f6173b214a2309e2875a4ee1b6d301e2781ed1033dfbdc367e059
- SHA512: f369cdf20cb44b0824f9a9ad2ade55c2eb068074af6470700d526a24f7b738062de67e7f05ee40a0641c5f193769502d59dd5167a4cf0e8f9c6f01ebeeddf56a
- SSDEEP: 196608:y6wZYKg9Sw7sghUuE1R1R9iVTdRUo/Rf7KG0ZLK+4eCA6Pt7R:5kwDh10RsFzUURTclC5t7
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Botnet: Office04
- C2: 0.tcp.eu.ngrok.io:14456
- Mutex: 2aabc0d2-2673-4473-9d8e-30b4863e718a
- encryption_key: 91137B461EAD4C8D03DB7ED595191162855E87F2
- install_name: DRIVER32.exe
- log_directory: Logs
- reconnect_delay: 1000
- startup_key: DRIVER32
- subdirectory: SYSWOW
Signatures
- Quasar payload (3 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\INCOGNITOEXEC.EXE | family_quasar
  behavioral1/memory/2848-40-0x0000000000120000-0x0000000000444000-memory.dmp | family_quasar
  behavioral1/memory/1032-52-0x0000000000D60000-0x0000000001084000-memory.dmp | family_quasar
- Executes dropped EXE (4 IoCs)
  pid | process
  2848 | INCOGNITOEXEC.EXE
  3012 | SIGMAHACKS0.2.EXE
  2496 | test.exe
  1032 | DRIVER32.exe
- Loads dropped DLL (5 IoCs)
  pid | process
  3064 | IncognitoExecutorPro.exe
  3064 | IncognitoExecutorPro.exe
  2488 | (process name not recorded)
  3012 | SIGMAHACKS0.2.EXE
  2496 | test.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- Drops file in System32 directory (2 IoCs)
  description | ioc | process
  File created | C:\Windows\system32\SYSWOW\DRIVER32.exe | INCOGNITOEXEC.EXE
  File opened for modification | C:\Windows\system32\SYSWOW\DRIVER32.exe | INCOGNITOEXEC.EXE
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | process
  2188 | schtasks.exe
  324 | schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2848 | INCOGNITOEXEC.EXE
  Token: SeDebugPrivilege | 1032 | DRIVER32.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | process | target process
  PID 3064 wrote to memory of 2848 (4 events) | 3064 | IncognitoExecutorPro.exe | INCOGNITOEXEC.EXE
  PID 3064 wrote to memory of 3012 (4 events) | 3064 | IncognitoExecutorPro.exe | SIGMAHACKS0.2.EXE
  PID 3012 wrote to memory of 2496 (3 events) | 3012 | SIGMAHACKS0.2.EXE | test.exe
  PID 2848 wrote to memory of 2188 (3 events) | 2848 | INCOGNITOEXEC.EXE | schtasks.exe
  PID 2848 wrote to memory of 1032 (3 events) | 2848 | INCOGNITOEXEC.EXE | DRIVER32.exe
  PID 1032 wrote to memory of 324 (3 events) | 1032 | DRIVER32.exe | schtasks.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\IncognitoExecutorPro.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\IncognitoExecutorPro.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\INCOGNITOEXEC.EXE
    Command line: "C:\Users\Admin\AppData\Local\Temp\INCOGNITOEXEC.EXE"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      Command line: "schtasks" /create /tn "DRIVER32" /sc ONLOGON /tr "C:\Windows\system32\SYSWOW\DRIVER32.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
    - C:\Windows\system32\SYSWOW\DRIVER32.exe
      Command line: "C:\Windows\system32\SYSWOW\DRIVER32.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\schtasks.exe
        Command line: "schtasks" /create /tn "DRIVER32" /sc ONLOGON /tr "C:\Windows\system32\SYSWOW\DRIVER32.exe" /rl HIGHEST /f
        - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\SIGMAHACKS0.2.EXE
    Command line: "C:\Users\Admin\AppData\Local\Temp\SIGMAHACKS0.2.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\onefile_3012_133619033529946000\test.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\SIGMAHACKS0.2.EXE"
      - Executes dropped EXE
      - Loads dropped DLL
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\SIGMAHACKS0.2.EXE
  Filesize: 6.9MB
  MD5: 10bbd38c21ebf84fea97c3812d57d9c6
  SHA1: 293cec0d7f44151ffbf88dfe408265825f8bca9b
  SHA256: 83c4e5947870b7b9f06044624b420ddc9fbae6898a5c9b4420c3dbeaca508bb9
  SHA512: a00ec8ed84b806c4aca8564354a6687da64b999d255df7fea4c38e6026c8a4cee665414e96d5e28904d051f4c1a6956193a96c12e52286d6d7f58f39bae8ac31
- C:\Users\Admin\AppData\Local\Temp\onefile_3012_133619033529946000\python311.dll
  Filesize: 5.5MB
  MD5: 9a24c8c35e4ac4b1597124c1dcbebe0f
  SHA1: f59782a4923a30118b97e01a7f8db69b92d8382a
  SHA256: a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7
  SHA512: 9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b
- \Users\Admin\AppData\Local\Temp\INCOGNITOEXEC.EXE
  Filesize: 3.1MB
  MD5: 8a1bea902cd41d9d01b105daea8bc646
  SHA1: 034680adb1168f398801b02e919dc8a5a5dc39a0
  SHA256: 89ecbadbbeadf5e68d13e5ba7ab917d4829e684333e096cbb0d3550a08688418
  SHA512: e8c5fbb6caedc2cfb34a53b10509722d1b04da592993a630c878a61d0bbee7c8afe779caa6d2307eac117110d38277da6ffa7f9353b08c4fb6b81e03c62587fb
- \Users\Admin\AppData\Local\Temp\onefile_3012_133619033529946000\test.exe
  Filesize: 9.6MB
  MD5: 5244aa93f4209963f6c63e1ef9dde0b9
  SHA1: 642219eec726127fe7fbe9ceb5e223dcf46fbe46
  SHA256: aeca166d5d3da9e76957686ca8753e95b930d8508f825f3cc6b4bac28da6e142
  SHA512: e510165f98b070ad3c202734833230779fd95585d28b0a9873afbb5022f488c85e935b7f366a92b89449b42106f4ed76997cac16994386560bd45021d368e28c
- memory/1032-52-0x0000000000D60000-0x0000000001084000-memory.dmp
  Filesize: 3.1MB
- memory/2848-40-0x0000000000120000-0x0000000000444000-memory.dmp
  Filesize: 3.1MB