Analysis
  max time kernel: 131s
  max time network: 136s
  platform: windows10-2004_x64
  resource: win10v2004-20240611-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 27-06-2024 23:51
General
  Target: Remove.exe
  Size: 409KB
  MD5: feb685a6bc5600e4e3e5b291432e2071
  SHA1: 2073252bc7b2ceb812d3fc0ecb0f6c7d32089523
  SHA256: bcc8bd5e2381123b28409b8281612d2f3be649e4d4b8d998a9e397db109f631d
  SHA512: d87e0e384e79943de4e581b5b505f05b2e0dc3463279f03ceb6cfc54699c5f9e79bab7a0e277176be4eab7b7eadc450bf230af4163f65714a0d456d9288fc4dc
  SSDEEP: 6144:rMyPp5S6M1Xy0a+agLFaSoVWy/ItKlPb2LH0yDCG4vZ3UiOi9vXna56:Hpg6M1iuagLFB4WxAlKLGjhui9v3a56
Malware Config
  Extracted
    Family: quasar
    Version: 3.1.5
    Botnet: SeroXen
    C2: 147.185.221.20:47638
    Mutex: $Sxr-5wL6M6vfG3ZS45okGB
    Attributes
      encryption_key: Ss9r1xb2AT8fXYK3H0Z6
      install_name: Client.exe
      log_directory: Logs
      reconnect_delay: 1
      startup_key: Update32
      subdirectory: SubDir
Signatures
  Quasar payload (1 IoCs)
    Processes:
      resource                                                                     yara_rule
      behavioral1/memory/4860-1-0x0000000000490000-0x00000000004FC000-memory.dmp  family_quasar

  Looks up external IP address via web service (1 IoCs)
    Uses a legitimate IP lookup service to find the infected system's external IP.
    Processes:
      flow  ioc
      12    ip-api.com

  Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
    Processes: schtasks.exe, SCHTASKS.exe
      pid   process
      3604  schtasks.exe
      4232  SCHTASKS.exe

  Suspicious use of AdjustPrivilegeToken (1 IoCs)
    Processes: Remove.exe
      description              pid   process
      Token: SeDebugPrivilege  4860  Remove.exe

  Suspicious use of SetWindowsHookEx (1 IoCs)
    Processes: Remove.exe
      pid   process
      4860  Remove.exe

  Suspicious use of WriteProcessMemory (6 IoCs)
    Processes: Remove.exe
      description                       pid   process     target process
      PID 4860 wrote to memory of 3604  4860  Remove.exe  schtasks.exe
      PID 4860 wrote to memory of 3604  4860  Remove.exe  schtasks.exe
      PID 4860 wrote to memory of 3604  4860  Remove.exe  schtasks.exe
      PID 4860 wrote to memory of 4232  4860  Remove.exe  SCHTASKS.exe
      PID 4860 wrote to memory of 4232  4860  Remove.exe  SCHTASKS.exe
      PID 4860 wrote to memory of 4232  4860  Remove.exe  SCHTASKS.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\Remove.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Remove.exe"
    PID: 4860
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "Update32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Remove.exe" /rl HIGHEST /f
      PID: 3604
      - Scheduled Task/Job: Scheduled Task

    C:\Windows\SysWOW64\SCHTASKS.exe
      Command line: "SCHTASKS.exe" /create /tn "$77Remove.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Remove.exe'" /sc onlogon /rl HIGHEST
      PID: 4232
      - Scheduled Task/Job: Scheduled Task