Analysis
max time kernel: 1800s
max time network: 1799s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02/08/2024, 21:16
Static task: static1
General
Target: Zula Spacex Hack.exe
Size: 3.0MB
MD5: 9ea8a4ae340433b891d28439c307c3f1
SHA1: f8bb6e9961ccf4c6f0d340a715ec418d777a20b4
SHA256: eb8ac22cb3171099ce9f453185e1c66484a4bddbf612d463365c4bc7c66d73c5
SHA512: 7af61339a94a10c9406c99e84df20568e9020e1719e2ab0b903baa1b17f4dbbad61065963ce432a4bec5155347ba606b0e8005e985e842e3b285f68061207c86
SSDEEP: 49152:91TOLmD6u8xp/4DU8Kb2N5hFkYQFJPWOcFzU4PjGmfJFwHTcEVBmk1nT9:9tp8xpwMSFkYacVl779FYZ
Malware Config

Extracted: quasar
reconnect_delay: 3000

Extracted: quasar
1.4.1
Spacex
darkerzm.duckdns.org:443
9d0cae87-20bd-4a2e-b07e-e89f7d6ed7d3
encryption_key: 5C5FC8D86E7AFAAF0B65EA7319B4546128D20904
install_name: svchost.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Update
subdirectory: Windows
Signatures

Quasar payload (3 IoCs)
resource / yara_rule:
behavioral1/memory/5520-8-0x0000000006ED0000-0x0000000007376000-memory.dmp  family_quasar
behavioral1/files/0x000300000002aacb-13.dat  family_quasar
behavioral1/memory/3224-22-0x00000000007D0000-0x0000000000AF4000-memory.dmp  family_quasar

Executes dropped EXE (3 IoCs)
pid / Process:
3224 svchost.exe
3976 svchost.exe
2044 svchost.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Zula Spacex Hack.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid / Process:
6020 PING.EXE

Runs ping.exe (1 TTPs, 1 IoCs)
pid / Process:
6020 PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process:
1408 schtasks.exe
1196 schtasks.exe
6108 schtasks.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / Process:
5520 Zula Spacex Hack.exe (64 identical entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description / pid / Process:
Token: SeDebugPrivilege  3224 svchost.exe
Token: SeDebugPrivilege  3976 svchost.exe
Token: SeDebugPrivilege  5520 Zula Spacex Hack.exe
Token: SeDebugPrivilege  2044 svchost.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid / Process:
3976 svchost.exe
2044 svchost.exe

Suspicious use of WriteProcessMemory (18 IoCs)
description / pid / Process / procid_target (each entry is recorded twice in the report):
PID 5520 wrote to memory of 3224  5520 Zula Spacex Hack.exe  82  (x2)
PID 3224 wrote to memory of 1408  3224 svchost.exe  83  (x2)
PID 3224 wrote to memory of 3976  3224 svchost.exe  85  (x2)
PID 3976 wrote to memory of 1196  3976 svchost.exe  87  (x2)
PID 3976 wrote to memory of 6088  3976 svchost.exe  101  (x2)
PID 6088 wrote to memory of 3168  6088 cmd.exe  103  (x2)
PID 6088 wrote to memory of 6020  6088 cmd.exe  104  (x2)
PID 6088 wrote to memory of 2044  6088 cmd.exe  105  (x2)
PID 2044 wrote to memory of 6108  2044 svchost.exe  106  (x2)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\Zula Spacex Hack.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Zula Spacex Hack.exe"
    PID: 5520
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
        PID: 3224
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SYSTEM32\schtasks.exe
            command line: "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
            PID: 1408
            - Scheduled Task/Job: Scheduled Task

        [3] C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
            command line: "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
            PID: 3976
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SYSTEM32\schtasks.exe
                command line: "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
                PID: 1196
                - Scheduled Task/Job: Scheduled Task

            [4] C:\Windows\system32\cmd.exe
                command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SrjMgTjNUfCe.bat" "
                PID: 6088
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\system32\chcp.com
                    command line: chcp 65001
                    PID: 3168

                [5] C:\Windows\system32\PING.EXE
                    command line: ping -n 10 localhost
                    PID: 6020
                    - System Network Configuration Discovery: Internet Connection Discovery
                    - Runs ping.exe

                [5] C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
                    command line: "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
                    PID: 2044
                    - Executes dropped EXE
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of SetWindowsHookEx
                    - Suspicious use of WriteProcessMemory

                    [6] C:\Windows\SYSTEM32\schtasks.exe
                        command line: "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
                        PID: 6108
                        - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: b4e91d2e5f40d5e2586a86cf3bb4df24
SHA1: 31920b3a41aa4400d4a0230a7622848789b38672
SHA256: 5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210
SHA512: 968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Filesize: 209B
MD5: e2eb260e4ed3f7f6e2046fed48abeafc
SHA1: 790e0bc06901e32f99fa08dd504e6187e63118c8
SHA256: 3027254df23163f5c180580331050c238204481e563f20e296183302e2470b81
SHA512: 0c00534a23cf8e8e09782604cd660375bac93344ca3130a126f8d70a7d421bd4b17aa729555f0fd874ea67d251e1a294c1855eee3cc378ae1cf20d18711e12fb

Filesize: 3.1MB
MD5: e7e1387343960784b9026fb567f5d0ac
SHA1: 7dfee24cd6d0d08b730b63bf970e8b91adaf6b6e
SHA256: 43ce2ef57cefbae98d64239f8d8010c30f8ae65fe74308711bb2480c1558fa2a
SHA512: 0182c3b97ba28de71b6e2e2b05ce41195623f7705d800e24bed20addee4946c4ef01498a676c8cdcc78a05505bf52e0d732f9eb8cf2c7ae46b528ac9f35e22c5