Analysis
max time kernel: 103s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-06-2024 18:53
Behavioral task: behavioral1
Sample: svchost.exe
Resource: win10v2004-20240508-en
General
Target: svchost.exe
Size: 409KB
MD5: 499ab44b3be0e431ee482c016f423b2f
SHA1: 8f3fc11724012b202a6e78211a7bf4e323edb53f
SHA256: 6f9865911d6878366ce10e06b5e5a6b04897df18c1c3ebfb73de573467720fb7
SHA512: 54b2612624b4310d8e0c1f571a7b7a10fb2948eed9929b7fed50a8b10155ef10c541e1239c59a75e179c0705b9d27a770f5d37b8c254b00c659f1af3c5d55309
SSDEEP: 6144:xMs9p1kREG60olUijSoNDu3MH6FFIUk6SsFbP7UIYQkG19asz6+MQ6M:dpiREGJHijSomjIoft7UIYxGHdmQ6M
Malware Config
Extracted
family: quasar
version: 3.1.5
botnet: SeroXen | v3.1.5 |
C2: dating-mpegs.gl.at.ply.gg:6566
mutex: $Sxr-jy6vh8CtEJL5ceZuIb
encryption_key: Nj2uU7r8zbApMgWfD7rz
install_name: $sxr-powershell.exe
log_directory: $sxr-Logs
reconnect_delay: 3000
startup_key: Powershell
subdirectory: $sxr-seroxen2
Signatures
Quasar payload (2 IoCs)
resource: behavioral1/memory/4848-1-0x0000000000500000-0x000000000056C000-memory.dmp, yara_rule: family_quasar
resource: C:\Windows\SysWOW64\$sxr-seroxen2\$sxr-powershell.exe, yara_rule: family_quasar
Executes dropped EXE (1 IoC)
pid 4852: $sxr-powershell.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 22: ip-api.com
Drops file in System32 directory (4 IoCs)
File created: C:\Windows\SysWOW64\$sxr-seroxen2\$sxr-powershell.exe (process: svchost.exe)
File opened for modification: C:\Windows\SysWOW64\$sxr-seroxen2\$sxr-powershell.exe (process: svchost.exe)
File opened for modification: C:\Windows\SysWOW64\$sxr-seroxen2\$sxr-powershell.exe (process: $sxr-powershell.exe)
File opened for modification: C:\Windows\SysWOW64\$sxr-seroxen2 (process: $sxr-powershell.exe)
Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid 2928: schtasks.exe
pid 2592: SCHTASKS.exe
pid 4144: schtasks.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege, pid 4848: svchost.exe
Token: SeDebugPrivilege, pid 4852: $sxr-powershell.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid 4852: $sxr-powershell.exe
Suspicious use of WriteProcessMemory (12 IoCs)
PID 4848 (svchost.exe) wrote to memory of 2928 (schtasks.exe), 3 events
PID 4848 (svchost.exe) wrote to memory of 4852 ($sxr-powershell.exe), 3 events
PID 4848 (svchost.exe) wrote to memory of 2592 (SCHTASKS.exe), 3 events
PID 4852 ($sxr-powershell.exe) wrote to memory of 4144 (schtasks.exe), 3 events
Processes
C:\Users\Admin\AppData\Local\Temp\svchost.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe
    command line: "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  C:\Windows\SysWOW64\$sxr-seroxen2\$sxr-powershell.exe
    command line: "C:\Windows\SysWOW64\$sxr-seroxen2\$sxr-powershell.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Windows\SysWOW64\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
  C:\Windows\SysWOW64\SCHTASKS.exe
    command line: "SCHTASKS.exe" /create /tn "$77svchost.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\svchost.exe'" /sc onlogon /rl HIGHEST
    - Creates scheduled task(s)
Downloads
C:\Windows\SysWOW64\$sxr-seroxen2\$sxr-powershell.exe (same hashes as the submitted sample)
Filesize: 409KB
MD5: 499ab44b3be0e431ee482c016f423b2f
SHA1: 8f3fc11724012b202a6e78211a7bf4e323edb53f
SHA256: 6f9865911d6878366ce10e06b5e5a6b04897df18c1c3ebfb73de573467720fb7
SHA512: 54b2612624b4310d8e0c1f571a7b7a10fb2948eed9929b7fed50a8b10155ef10c541e1239c59a75e179c0705b9d27a770f5d37b8c254b00c659f1af3c5d55309

Memory dumps (filesize):
memory/4848-6-0x00000000067D0000-0x000000000680C000-memory.dmp: 240KB
memory/4848-2-0x0000000005BB0000-0x0000000006154000-memory.dmp: 5.6MB
memory/4848-3-0x00000000056B0000-0x0000000005742000-memory.dmp: 584KB
memory/4848-4-0x0000000005750000-0x00000000057B6000-memory.dmp: 408KB
memory/4848-5-0x00000000063B0000-0x00000000063C2000-memory.dmp: 72KB
memory/4848-0-0x0000000074E3E000-0x0000000074E3F000-memory.dmp: 4KB
memory/4848-1-0x0000000000500000-0x000000000056C000-memory.dmp: 432KB
memory/4852-12-0x0000000074E30000-0x00000000755E0000-memory.dmp: 7.7MB
memory/4852-13-0x0000000074E30000-0x00000000755E0000-memory.dmp: 7.7MB
memory/4852-16-0x0000000006560000-0x000000000656A000-memory.dmp: 40KB
memory/4852-19-0x0000000074E30000-0x00000000755E0000-memory.dmp: 7.7MB
memory/4852-20-0x0000000074E30000-0x00000000755E0000-memory.dmp: 7.7MB