Analysis
max time kernel: 140s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-07-2024 17:02
Behavioral task: behavioral1
Sample: 031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104.exe
Resource: win7-20240704-en
General
Target: 031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104.exe
Size: 3.1MB
MD5: 9a4f3b0223e0bcb90d5a08afdae6a169
SHA1: b8ea3a64121a47f7a7abc73fc9a39d912b31a724
SHA256: 031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104
SHA512: 38ab6b70078807bc8c56f5c004ae4ef4a40690ec26bc896213a158765530caec5812b556a5555037ac986175fb1d4d588f1a982dd5e383a8c5734783507f6601
SSDEEP: 49152:SvHI22SsaNYfdPBldt698dBcjHJwRJ6cbR3LoGdFgTHHB72eh2NT:Svo22SsaNYfdPBldt6+dBcjHJwRJ6m
Malware Config
Extracted
quasar
1.4.1
Office04
192.168.1.70:4782
34828de8-c350-4dd4-85c9-16051c0443f7
encryption_key: 2F1B645695C7578786A6BD1B6CD3966DFF24BC11
install_name: sigmaexecutor.exe.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: WIndows Updater
subdirectory: SubDir
Signatures

Quasar payload (2 IoCs)
resource | yara_rule
behavioral2/memory/2244-1-0x00000000003D0000-0x00000000006F4000-memory.dmp | family_quasar
C:\Windows\System32\SubDir\sigmaexecutor.exe.exe | family_quasar

Executes dropped EXE (1 IoC)
pid | process
1268 | sigmaexecutor.exe.exe

Drops file in System32 directory (5 IoCs)
description | ioc | process
File created | C:\Windows\system32\SubDir\sigmaexecutor.exe.exe | 031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104.exe
File opened for modification | C:\Windows\system32\SubDir\sigmaexecutor.exe.exe | 031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104.exe
File opened for modification | C:\Windows\system32\SubDir | 031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104.exe
File opened for modification | C:\Windows\system32\SubDir\sigmaexecutor.exe.exe | sigmaexecutor.exe.exe
File opened for modification | C:\Windows\system32\SubDir | sigmaexecutor.exe.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
4220 | schtasks.exe
2408 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 2244 | 031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104.exe
Token: SeDebugPrivilege | 1268 | sigmaexecutor.exe.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | process
1268 | sigmaexecutor.exe.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | process | target process
PID 2244 wrote to memory of 4220 | 2244 | 031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104.exe | schtasks.exe
PID 2244 wrote to memory of 4220 | 2244 | 031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104.exe | schtasks.exe
PID 2244 wrote to memory of 1268 | 2244 | 031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104.exe | sigmaexecutor.exe.exe
PID 2244 wrote to memory of 1268 | 2244 | 031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104.exe | sigmaexecutor.exe.exe
PID 1268 wrote to memory of 2408 | 1268 | sigmaexecutor.exe.exe | schtasks.exe
PID 1268 wrote to memory of 2408 | 1268 | sigmaexecutor.exe.exe | schtasks.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2244

    C:\Windows\SYSTEM32\schtasks.exe
      command line: "schtasks" /create /tn "WIndows Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\sigmaexecutor.exe.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
      PID: 4220

    C:\Windows\system32\SubDir\sigmaexecutor.exe.exe
      command line: "C:\Windows\system32\SubDir\sigmaexecutor.exe.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 1268

        C:\Windows\SYSTEM32\schtasks.exe
          command line: "schtasks" /create /tn "WIndows Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\sigmaexecutor.exe.exe" /rl HIGHEST /f
          - Scheduled Task/Job: Scheduled Task
          PID: 2408
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.1MB
MD5: 9a4f3b0223e0bcb90d5a08afdae6a169
SHA1: b8ea3a64121a47f7a7abc73fc9a39d912b31a724
SHA256: 031b3b1935b0eac9273bafb8b20484be97a1c3f9ea1bb611315042b32168f104
SHA512: 38ab6b70078807bc8c56f5c004ae4ef4a40690ec26bc896213a158765530caec5812b556a5555037ac986175fb1d4d588f1a982dd5e383a8c5734783507f6601