General
-
Target
MWIII Chair + Blocker.exe
-
Size
47.7MB
-
Sample
240711-gfvaza1hrq
-
MD5
479f465034137af69c31b1ba25752ddf
-
SHA1
1a437d072149e6a09ef81336e571ad7c6348fa6e
-
SHA256
72880513939d8b52af76c8796bf066a7d3e7df97e9ef5a1a5076e9178016867b
-
SHA512
f7eaf698eddc3b7f28a1c5d416a7332e20203c56109cd5fc709eea1f7f3d6500f7ac587bc969418d911563b26541cb95cc9de690b62fc5ecd8997a9d1927690d
-
SSDEEP
786432:NlHDtuFgKqlUdKijEIzQviTQ5nGgcPkdzteBG3NAfhO2nlSZYptRZOHOhC+dj:3DtuFbB7fUaTQ5GidBdCh7nLptpC+
Static task
static1
Behavioral task
behavioral1
Sample
MWIII Chair + Blocker.exe
Resource
win11-20240709-en
Malware Config
Extracted
quasar
1.4.1
Server
193.37.254.35:60553
08e34576-f933-4fe1-9756-64a65f86dc05
-
encryption_key
8DED0FEFCB0F93A016A6DAD812C6D6D58DEE8547
-
install_name
services86.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
services86
-
subdirectory
Files
Extracted
gurcu
https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0%20kb
https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003
https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-
https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%B8Screenshot%20take
Targets
-
-
Target
MWIII Chair + Blocker.exe
-
Size
47.7MB
-
MD5
479f465034137af69c31b1ba25752ddf
-
SHA1
1a437d072149e6a09ef81336e571ad7c6348fa6e
-
SHA256
72880513939d8b52af76c8796bf066a7d3e7df97e9ef5a1a5076e9178016867b
-
SHA512
f7eaf698eddc3b7f28a1c5d416a7332e20203c56109cd5fc709eea1f7f3d6500f7ac587bc969418d911563b26541cb95cc9de690b62fc5ecd8997a9d1927690d
-
SSDEEP
786432:NlHDtuFgKqlUdKijEIzQviTQ5nGgcPkdzteBG3NAfhO2nlSZYptRZOHOhC+dj:3DtuFbB7fUaTQ5GidBdCh7nLptpC+
-
Quasar payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Contacts a large (1152) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1