Analysis

Max time kernel: 444s
Max time network: 448s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 18/08/2024, 22:18
Behavioral task: behavioral1
Sample: Seroxen.exe
Resource: win7-20240704-en

General

Target: Seroxen.exe
Size: 3.2MB
MD5: ecd1d786fb4e8d2fdd9fde6d5ad3f5d3
SHA1: bea4d57cb8cc632b0074bfd1ef3739ee11399df1
SHA256: f5dccd02d415f96bbde7cdcd9afa5376911166e795486e772a3ffa124fe45302
SHA512: 123086110b392ab14ca99b91b246266b93b21e0036cde9919649edcd83751cf163688a7795a781c6c3190cc3dcdc272ff7b3b9bc6c617cbac0cbc18908a46f1e
SSDEEP: 49152:oei8dGFjxJFp/DGoye3Z4LVoc96cppQI2VlUTHHB72eh2NTf:oeCFjxJTbGor3Z4LVocx+b
Malware Config

Extracted family: quasar
Version: 1.4.1
Botnet (campaign ID): SKIDS
C2: 147.185.221.22:10340
Mutex: 9b51d4f5-bfe4-4a06-ba47-dcfbf9fe8529
encryption_key: AEAE9E349BB922A243A5FF22FF4A80613533B71B
install_name: Windows Host Process.exe
log_directory: Windows-Logs
reconnect_delay: 3000
startup_key: Windows Host Process
subdirectory: Windows
Signatures

Quasar payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/2208-1-0x0000000000EB0000-0x00000000011DC000-memory.dmp | family_quasar
  behavioral2/files/0x000700000002345a-7.dat | family_quasar

Executes dropped EXE (1 IoC)
  pid | Process
  2636 | Windows Host Process.exe

Drops file in System32 directory (5 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\system32\Windows | Seroxen.exe
  File opened for modification | C:\Windows\system32\Windows\Windows Host Process.exe | Windows Host Process.exe
  File opened for modification | C:\Windows\system32\Windows | Windows Host Process.exe
  File created | C:\Windows\system32\Windows\Windows Host Process.exe | Seroxen.exe
  File opened for modification | C:\Windows\system32\Windows\Windows Host Process.exe | Seroxen.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4384 | schtasks.exe
  3104 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2208 | Seroxen.exe
  Token: SeDebugPrivilege | 2636 | Windows Host Process.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  2636 | Windows Host Process.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2208 wrote to memory of 4384 | 2208 | Seroxen.exe | 88
  PID 2208 wrote to memory of 4384 | 2208 | Seroxen.exe | 88
  PID 2208 wrote to memory of 2636 | 2208 | Seroxen.exe | 90
  PID 2208 wrote to memory of 2636 | 2208 | Seroxen.exe | 90
  PID 2636 wrote to memory of 3104 | 2636 | Windows Host Process.exe | 91
  PID 2636 wrote to memory of 3104 | 2636 | Windows Host Process.exe | 91

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\Seroxen.exe (PID 2208)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Seroxen.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\SYSTEM32\schtasks.exe (PID 4384)
    Command line: "schtasks" /create /tn "Windows Host Process" /sc ONLOGON /tr "C:\Windows\system32\Windows\Windows Host Process.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

  Depth 2: C:\Windows\system32\Windows\Windows Host Process.exe (PID 2636)
    Command line: "C:\Windows\system32\Windows\Windows Host Process.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SYSTEM32\schtasks.exe (PID 3104)
      Command line: "schtasks" /create /tn "Windows Host Process" /sc ONLOGON /tr "C:\Windows\system32\Windows\Windows Host Process.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.2MB
MD5: ecd1d786fb4e8d2fdd9fde6d5ad3f5d3
SHA1: bea4d57cb8cc632b0074bfd1ef3739ee11399df1
SHA256: f5dccd02d415f96bbde7cdcd9afa5376911166e795486e772a3ffa124fe45302
SHA512: 123086110b392ab14ca99b91b246266b93b21e0036cde9919649edcd83751cf163688a7795a781c6c3190cc3dcdc272ff7b3b9bc6c617cbac0cbc18908a46f1e