Analysis
-
max time kernel
46s -
max time network
57s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
27-06-2024 22:08
Static task
static1
General
-
Target
index.exe
-
Size
36.2MB
-
MD5
aa55396d7df072973d0ea88ec505579d
-
SHA1
8a9b057a859cee6ca3053dc0ef05089bbf2ac4ab
-
SHA256
375f99f85beb8bc69029429b3c5317543957ffa7ba559da6fd4b930ce48bfc7c
-
SHA512
969b634ed5aa5075b9b48ebabcf0e9093c530578ec292e67582db16f84437f4a2823130e354b0054f909ec361b145dc4236b57a9991d4974738924f44e06a2ff
-
SSDEEP
393216:f1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYfG:fMguj8Q4VfvvqFTrYmi
Malware Config
Extracted
quasar
3.1.5
SeroXen
147.185.221.20:47638
$Sxr-GV6wZsGZZMeZ3qfenc
-
encryption_key
pCYwpdVg3UP8ZY0FIEl9
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Defender Anti-Malware Disable Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\89435a09aea852638faa0bf902e7b347.bat family_quasar -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 2576 powershell.exe 2576 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
powershell.exeAUDIODG.EXEdescription pid process Token: SeDebugPrivilege 2576 powershell.exe Token: 33 4984 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 4984 AUDIODG.EXE -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
index.execmd.exepowershell.execsc.exedescription pid process target process PID 1392 wrote to memory of 4408 1392 index.exe cmd.exe PID 1392 wrote to memory of 4408 1392 index.exe cmd.exe PID 1392 wrote to memory of 2672 1392 index.exe cmd.exe PID 1392 wrote to memory of 2672 1392 index.exe cmd.exe PID 4408 wrote to memory of 2576 4408 cmd.exe powershell.exe PID 4408 wrote to memory of 2576 4408 cmd.exe powershell.exe PID 2576 wrote to memory of 4788 2576 powershell.exe csc.exe PID 2576 wrote to memory of 4788 2576 powershell.exe csc.exe PID 4788 wrote to memory of 1864 4788 csc.exe cvtres.exe PID 4788 wrote to memory of 1864 4788 csc.exe cvtres.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\index.exe"C:\Users\Admin\AppData\Local\Temp\index.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\system32\cmd.execmd.exe /C call powershell -E QQBkAGQALQBUAHkAcABlACAAQAAiAAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AAoAIAAgACAAIABwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzACAAewAKACAAIAAgACAAIAAgACAAIABbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAACgAgACAAIAAgACAAIAAgACAAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AFAAYQByAGUAbgB0ACgASQBuAHQAUAB0AHIAIABoAFcAbgBkACkAOwAKAAoAIAAgACAAIAAgACAAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0ACgAgACAAIAAgACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAYgBvAG8AbAAgAFMAaABvAHcAVwBpAG4AZABvAHcAKABJAG4AdABQAHQAcgAgAGgAVwBuAGQALAAgAGkAbgB0ACAAbgBDAG0AZABTAGgAbwB3ACkAOwAKACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABHAGUAdABUAGEAcgBnAGUAdABXAGkAbgBkAG8AdwAoACkAIAB7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAASQBuAHQAUAB0AHIAIABjAG8AbgBzAG8AbABlAFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdABQAHQAcgAgAHAAYQByAGUAbgB0AFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AFAAYQByAGUAbgB0ACgAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAIAA9AD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AKQAgAHsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwA7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAOwAKACAAIAAgACAAIAAgACAAIAB9AAoAIAAgACAAIAB9AAoAIgBAAAoACgBbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AFMAaABvAHcAVwBpAG4AZABvAHcAKABbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AEcAZQB0AFQAYQByAGcAZQB0AFcAaQBuAGQAbwB3ACgAKQAsACAAMAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=2⤵
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -E QQBkAGQALQBUAHkAcABlACAAQAAiAAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AAoAIAAgACAAIABwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzACAAewAKACAAIAAgACAAIAAgACAAIABbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAACgAgACAAIAAgACAAIAAgACAAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AFAAYQByAGUAbgB0ACgASQBuAHQAUAB0AHIAIABoAFcAbgBkACkAOwAKAAoAIAAgACAAIAAgACAAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0ACgAgACAAIAAgACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAYgBvAG8AbAAgAFMAaABvAHcAVwBpAG4AZABvAHcAKABJAG4AdABQAHQAcgAgAGgAVwBuAGQALAAgAGkAbgB0ACAAbgBDAG0AZABTAGgAbwB3ACkAOwAKACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABHAGUAdABUAGEAcgBnAGUAdABXAGkAbgBkAG8AdwAoACkAIAB7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAASQBuAHQAUAB0AHIAIABjAG8AbgBzAG8AbABlAFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdABQAHQAcgAgAHAAYQByAGUAbgB0AFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AFAAYQByAGUAbgB0ACgAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAIAA9AD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AKQAgAHsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwA7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAOwAKACAAIAAgACAAIAAgACAAIAB9AAoAIAAgACAAIAB9AAoAIgBAAAoACgBbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AFMAaABvAHcAVwBpAG4AZABvAHcAKABbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AEcAZQB0AFQAYQByAGcAZQB0AFcAaQBuAGQAbwB3ACgAKQAsACAAMAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w5ernzza\w5ernzza.cmdline"4⤵
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5488.tmp" "c:\Users\Admin\AppData\Local\Temp\w5ernzza\CSC808AADA0C2A643ABAD93D3BE1FCE7556.TMP"5⤵PID:1864
-
C:\Windows\system32\cmd.execmd.exe /C call C:\Users\Admin\AppData\Local\Temp\89435a09aea852638faa0bf902e7b347.bat2⤵PID:2672
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3f4 0x4081⤵
- Suspicious use of AdjustPrivilegeToken
PID:4984
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
409KB
MD5ef652484dc356b0bc87741f24f2ade24
SHA1f988ef8700c1ed15fa42f9a5756471d6bc18c9c8
SHA256e5e973ff9fe9b009638fc6f8e3b10ca9acad76d2c6cf887f82b018e5a39aa225
SHA512fae5a830fc64a0599686368ca0d3826e4ada1ec383f6faae19054d61bee285442b7471c8f18faf4d378ea025128cab974c50a0cd8f8daf892c6107d812662fec
-
Filesize
1KB
MD5e8fbce5cb3f452f9bdad29785f4af75d
SHA11d734d8d725a7fddaf8abbcb3ed2af0e7338e123
SHA25695f96635012f4e4c66df86351487b7b455e52cb9f18089724fdf42fdb7fb0911
SHA51215c89c8bcae74bb7d4a484e2989097bacb01e72efc8cf07bd8409ebb38098eb487012574168f83fa8e77caa3d94018dd25ea733f7bd7aba4a89ee7e0b8a4ac76
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD59d73fd69910e61f5a779c7e45127c2be
SHA15c748cc20b59529d48c78623f0c70b42d606a0b4
SHA256ff7ecf4fffcbc7aaf5dfa298848133c8ddbc466ac94e29092a67492d3a8a5fa3
SHA5120ca26d35814bc55122e7b49fd9169c5a19f4c62bb02168c14ff0ab59b7496f6c40324b3335a8069548c2fb4cacc5cde9e9183cb38e4fe2dc86fdccac8ace5abb
-
Filesize
652B
MD5fc092f455f3420295b86406a80f31cb4
SHA19bc85b9df1492a34d832574075f6db29db5457d1
SHA256c0553a8e7cf57fcb064c09f3e3af2f09ed4c85a6b588e4535a4ee13dc5ed05f9
SHA51228723da747a0f689c6ed9ed73ee19dbb3fc1b6b3a480eafa3d3f16287a0ab81c9b9d6b22959a5088b341f08085b9f5a6a46b285012f8d74ccd8ecb76bccf49eb
-
Filesize
737B
MD53d57f8f44297464baafa6aeecd3bf4bc
SHA1f370b4b9f8dba01fbcad979bd663d341f358a509
SHA256415199eec01052503978381a4f88f4cd970b441fedce519905990ed8b629b0f1
SHA5124052dd65ca0a505a36c7c344671afcadb8f82cc24b0d1d8362f61565f9d37782e00332908444f6a95286dd1785d074762b27c20be1f361eec67807fad052d798
-
Filesize
369B
MD5d6ab557c3f66efbc15f1c5d250dc9d38
SHA1475ced6474c560dc423da3eaebe243533fb8688c
SHA2569957dab2b558e4acc5fab3104ec610b35ee18935353cf0d189f4d8f4051c4ef1
SHA512d438b68eee954f329743be149baa5e6b4e4db568a62f550052f1b4e06192715047cd223ac2385d754e6ad15c97aa3a830615e9e93b3441a9ebcbee299c412e18