Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 18/08/2024, 22:18
Behavioral task: behavioral1
Sample: Seroxen.exe
Resource: win7-20240704-en
General
Target: Seroxen.exe
Size: 3.2MB
MD5: ecd1d786fb4e8d2fdd9fde6d5ad3f5d3
SHA1: bea4d57cb8cc632b0074bfd1ef3739ee11399df1
SHA256: f5dccd02d415f96bbde7cdcd9afa5376911166e795486e772a3ffa124fe45302
SHA512: 123086110b392ab14ca99b91b246266b93b21e0036cde9919649edcd83751cf163688a7795a781c6c3190cc3dcdc272ff7b3b9bc6c617cbac0cbc18908a46f1e
SSDEEP: 49152:oei8dGFjxJFp/DGoye3Z4LVoc96cppQI2VlUTHHB72eh2NTf:oeCFjxJTbGor3Z4LVocx+b
Malware Config
Extracted
quasar
1.4.1
SKIDS
147.185.221.22:10340
9b51d4f5-bfe4-4a06-ba47-dcfbf9fe8529
encryption_key: AEAE9E349BB922A243A5FF22FF4A80613533B71B
install_name: Windows Host Process.exe
log_directory: Windows-Logs
reconnect_delay: 3000
startup_key: Windows Host Process
subdirectory: Windows
Signatures

Quasar payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2200-1-0x0000000000D30000-0x000000000105C000-memory.dmp    family_quasar
  behavioral1/files/0x0008000000015d10-7.dat                                    family_quasar
  behavioral1/memory/672-10-0x00000000000F0000-0x000000000041C000-memory.dmp    family_quasar

Executes dropped EXE (1 IoC)
  pid   Process
  672   Windows Host Process.exe

Drops file in System32 directory (5 IoCs)
  description                   ioc                                                    Process
  File created                  C:\Windows\system32\Windows\Windows Host Process.exe   Seroxen.exe
  File opened for modification  C:\Windows\system32\Windows\Windows Host Process.exe   Seroxen.exe
  File opened for modification  C:\Windows\system32\Windows                            Seroxen.exe
  File opened for modification  C:\Windows\system32\Windows\Windows Host Process.exe   Windows Host Process.exe
  File opened for modification  C:\Windows\system32\Windows                            Windows Host Process.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    Process
  1916   schtasks.exe
  2296   schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   2200   Seroxen.exe
  Token: SeDebugPrivilege   672    Windows Host Process.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  672   Windows Host Process.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid    Process                    procid_target
  PID 2200 wrote to memory of 2296   2200   Seroxen.exe                28
  PID 2200 wrote to memory of 2296   2200   Seroxen.exe                28
  PID 2200 wrote to memory of 2296   2200   Seroxen.exe                28
  PID 2200 wrote to memory of 672    2200   Seroxen.exe                30
  PID 2200 wrote to memory of 672    2200   Seroxen.exe                30
  PID 2200 wrote to memory of 672    2200   Seroxen.exe                30
  PID 672 wrote to memory of 1916    672    Windows Host Process.exe   31
  PID 672 wrote to memory of 1916    672    Windows Host Process.exe   31
  PID 672 wrote to memory of 1916    672    Windows Host Process.exe   31

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Seroxen.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Seroxen.exe"
  PID: 2200
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "Windows Host Process" /sc ONLOGON /tr "C:\Windows\system32\Windows\Windows Host Process.exe" /rl HIGHEST /f
    PID: 2296
    - Scheduled Task/Job: Scheduled Task

  C:\Windows\system32\Windows\Windows Host Process.exe
    command line: "C:\Windows\system32\Windows\Windows Host Process.exe"
    PID: 672
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
      command line: "schtasks" /create /tn "Windows Host Process" /sc ONLOGON /tr "C:\Windows\system32\Windows\Windows Host Process.exe" /rl HIGHEST /f
      PID: 1916
      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15