Analysis
max time kernel: 138s
max time network: 149s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 01-08-2024 03:23
Static task: static1
Behavioral task: behavioral1
  Sample: nitro gen.sfx.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: nitro gen.sfx.exe
  Resource: win10v2004-20240730-en
General
Target: nitro gen.sfx.exe
Size: 1.4MB
MD5: 463190548a0b924375fea732967d2dcf
SHA1: f4c69c752671f7466b9c60023ecbbb61dc264998
SHA256: bd0a7542a724d699799858acaf694cbfc2f281fa8bb0641698d23bdc5454dc38
SHA512: b1cad73fd8282b25045a762780cbcaa5a522e458dd86135be91d4f9a42240de0ffa883f951f5d32d184a7b7323b0fea939400d7c5d49a24d0c530ce65b59a0a2
SSDEEP: 24576:xuDXTIGaPhEYzUzA0/0gqmW7NKGNHUJQ3UP4A4hJNuLMeqQVCJlT:kDjlabwz9Mm0UuW4RvwdqQ6T
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: fauhfuhfdrga-54679.portmap.host:54679
Mutex: 6ab6e759-61c1-415f-aa2e-b5aa5487acb9
Attributes:
  encryption_key: EB75A1B85E642DFE711921DF85E99E6D4BC6CC19
  install_name: nitro gen.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: windows Startup
  subdirectory: SubDir
Signatures
Quasar payload (3 IoCs)
Processes (resource, yara_rule):
  C:\Users\Admin\AppData\Local\Temp\nitro gen.exe | family_quasar
  behavioral1/memory/2724-22-0x0000000001090000-0x00000000013B4000-memory.dmp | family_quasar
  behavioral1/memory/2608-29-0x00000000003D0000-0x00000000006F4000-memory.dmp | family_quasar
Executes dropped EXE (2 IoCs)
Processes (pid, process):
  2724 | nitro gen.exe
  2608 | nitro gen.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings
Processes (description, ioc, process):
  Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main | nitro gen.sfx.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
  2596 | schtasks.exe
  2580 | schtasks.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege | 2724 | nitro gen.exe
  Token: SeDebugPrivilege | 2608 | nitro gen.exe
  Token: 33 | 748 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 748 | AUDIODG.EXE
  Token: 33 | 748 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 748 | AUDIODG.EXE
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes (pid, process):
  2608 | nitro gen.exe
Suspicious use of SendNotifyMessage (1 IoCs)
Processes (pid, process):
  2608 | nitro gen.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes (pid, process):
  1976 | nitro gen.sfx.exe
  1976 | nitro gen.sfx.exe
  2608 | nitro gen.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description, pid, process, target process):
  PID 1976 wrote to memory of 2724 | 1976 | nitro gen.sfx.exe | nitro gen.exe
  PID 1976 wrote to memory of 2724 | 1976 | nitro gen.sfx.exe | nitro gen.exe
  PID 1976 wrote to memory of 2724 | 1976 | nitro gen.sfx.exe | nitro gen.exe
  PID 2724 wrote to memory of 2596 | 2724 | nitro gen.exe | schtasks.exe
  PID 2724 wrote to memory of 2596 | 2724 | nitro gen.exe | schtasks.exe
  PID 2724 wrote to memory of 2596 | 2724 | nitro gen.exe | schtasks.exe
  PID 2724 wrote to memory of 2608 | 2724 | nitro gen.exe | nitro gen.exe
  PID 2724 wrote to memory of 2608 | 2724 | nitro gen.exe | nitro gen.exe
  PID 2724 wrote to memory of 2608 | 2724 | nitro gen.exe | nitro gen.exe
  PID 2608 wrote to memory of 2580 | 2608 | nitro gen.exe | schtasks.exe
  PID 2608 wrote to memory of 2580 | 2608 | nitro gen.exe | schtasks.exe
  PID 2608 wrote to memory of 2580 | 2608 | nitro gen.exe | schtasks.exe
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\nitro gen.sfx.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\nitro gen.sfx.exe"
  PID: 1976
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\nitro gen.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\nitro gen.exe"
    PID: 2724
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe
      Command line: "schtasks" /create /tn "windows Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\nitro gen.exe" /rl HIGHEST /f
      PID: 2596
      - Scheduled Task/Job: Scheduled Task
    C:\Users\Admin\AppData\Roaming\SubDir\nitro gen.exe
      Command line: "C:\Users\Admin\AppData\Roaming\SubDir\nitro gen.exe"
      PID: 2608
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\schtasks.exe
        Command line: "schtasks" /create /tn "windows Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\nitro gen.exe" /rl HIGHEST /f
        PID: 2580
        - Scheduled Task/Job: Scheduled Task
C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 2964
C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4bc
  PID: 748
  - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.1MB
MD5: a7ffd511af0df48e69375566bde8cb74
SHA1: eaf0f135d686471da2f63df031d5d869f0865062
SHA256: 643cb37d115ad66aa776b615e57c2bb11c7d413c593232c1515e2463ce95b7e9
SHA512: c0e347a2515aeaa56351cf55414ac6f9ef547972ca0126c0b7b51e8a8397df0837ba22033da745eb1f435ea9214dc8920edc1683ada2575cf8ac602d06d4293f