Analysis
max time kernel: 383s
max time network: 871s
platform: windows10-1703_x64
resource: win10-20240611-en
resource tags: arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
submitted: 05-08-2024 08:06
General
Target: skibidirat.exe
Size: 3.1MB
MD5: 797c5548befc52f7b0dbedc8e6172184
SHA1: 05e5fd623d589e9790e648348f05e317d926b8c4
SHA256: 62e9fdaaf90da01ef28a26823e3442d73b93dc0e23d93139df631701cf6da260
SHA512: 2ed20953b97ae2a2dfad7735dcef327f69cd08e9d2acaefd7a23dec0890463dd5a97c5cb1fb54634a052613b55752fc3ce624939dd89ef85bcdae5d46a19e0b5
SSDEEP: 49152:xHobtR1o2PmNXo7WCr5Ft4Rw8FcXrYd+THHB72eh2NT:xHmRvmNXo7WCr5+w8A
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Office04
147.185.221.18:42996
147.185.221.18:1770
c2e1b18a-ce93-436d-ad8b-21bf89015e19
encryption_key: 9E968F05BD874BA1BE086FD1774A027473823F49
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload 1 IoCs
Processes:
  resource: behavioral1/memory/4604-1-0x0000000000660000-0x0000000000984000-memory.dmp
  yara_rule: family_quasar

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.

Runs ping.exe 1 TTPs 1 IoCs

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (description / pid / process):
  Token: SeDebugPrivilege / 4604 / skibidirat.exe
  Token: 33 / 3556 / AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege / 3556 / AUDIODG.EXE

Suspicious use of FindShellTrayWindow 9 IoCs
Processes (pid / process):
  4604 / skibidirat.exe (9 occurrences)

Suspicious use of SendNotifyMessage 9 IoCs
Processes (pid / process):
  4604 / skibidirat.exe (9 occurrences)

Suspicious use of WriteProcessMemory 6 IoCs
Processes (description / pid / process / target process):
  PID 4604 wrote to memory of 2148 / 4604 / skibidirat.exe / cmd.exe
  PID 4604 wrote to memory of 2148 / 4604 / skibidirat.exe / cmd.exe
  PID 2148 wrote to memory of 848 / 2148 / cmd.exe / chcp.com
  PID 2148 wrote to memory of 848 / 2148 / cmd.exe / chcp.com
  PID 2148 wrote to memory of 5032 / 2148 / cmd.exe / PING.EXE
  PID 2148 wrote to memory of 5032 / 2148 / cmd.exe / PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\skibidirat.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\skibidirat.exe"
  PID: 4604
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YR9i5XlPZll8.bat" "
    PID: 2148
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\chcp.com
      command line: chcp 65001
      PID: 848

    C:\Windows\system32\PING.EXE
      command line: ping -n 10 localhost
      PID: 5032
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe

C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x348
  PID: 3556
  - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (1)
    Credentials in Registry (1)
Downloads

Filesize: 211B
MD5: deb5cff509a70397e291ad7588bda5fe
SHA1: d128225c0716c1d597d6c82979fcf47030a2c9f9
SHA256: 3c2801cde3050ba20e697fa767df08c5e4fdd1d79479fc5ab18f9fe813ed31c8
SHA512: 096d11e292c9a1474678f01e352d5e56fbfd1a62d967a2aa9b9dadcf43b7b16167cd9d10ed4a803c3b863d5d7133045dcd6cf6fa20ea07bcba728c33329e6902