Overview
Overall score: 10
Static analysis score: 10

Tasks (sample, platform, score):
AnyDesk.exe, windows7-x64, score 1
AnyDesk.exe, windows10-2004-x64, score 1
Archevod_XWorm.exe, windows7-x64, score 10
Archevod_XWorm.exe, windows10-2004-x64, score 10
ClickMe.lnk, windows7-x64, score 8
ClickMe.lnk, windows10-2004-x64, score 8
Cmstp.bat, windows7-x64, score 10
Cmstp.bat, windows10-2004-x64, score 10
GoogleChrome.exe, windows7-x64, score 10
GoogleChrome.exe, windows10-2004-x64, score 10
Hidden_Und...on.ps1, windows7-x64, score 8
Hidden_Und...on.ps1, windows10-2004-x64, score 8
Hidden_magic.vbs, windows7-x64, score 3
Hidden_magic.vbs, windows10-2004-x64, score 7
Manage.bat, windows7-x64, score 1
Manage.bat, windows10-2004-x64, score 1
Night_uac/...in.ps1, windows7-x64, score 8
Night_uac/...in.ps1, windows10-2004-x64, score 8
Night_uac/...ge.ps1, windows7-x64, score 8
Night_uac/...ge.ps1, windows10-2004-x64, score 8
Night_uac/...gen.py, windows7-x64, score 3
Night_uac/...gen.py, windows10-2004-x64, score 3
Night_uac/amsi.ps1, windows7-x64, score 3
Night_uac/amsi.ps1, windows10-2004-x64, score 3
Night_uac/amsi.ps1, windows7-x64, score 3
Night_uac/amsi.ps1, windows10-2004-x64, score 3
Night_uac/command.ps1, windows7-x64, score 3
Night_uac/command.ps1, windows10-2004-x64, score 3
Night_uac/down.ps1, windows7-x64, score 8
Night_uac/down.ps1, windows10-2004-x64, score 8
Night_uac/...gp.ps1, windows7-x64, score 3
Night_uac/...gp.ps1, windows10-2004-x64, score 3

Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18-10-2024 17:21
Static task: static1

Behavioral tasks (task, sample, resource):
behavioral1: AnyDesk.exe, win7-20240729-en
behavioral2: AnyDesk.exe, win10v2004-20241007-en
behavioral3: Archevod_XWorm.exe, win7-20240903-en
behavioral4: Archevod_XWorm.exe, win10v2004-20241007-en
behavioral5: ClickMe.lnk, win7-20240903-en
behavioral6: ClickMe.lnk, win10v2004-20241007-en
behavioral7: Cmstp.bat, win7-20241010-en
behavioral8: Cmstp.bat, win10v2004-20241007-en
behavioral9: GoogleChrome.exe, win7-20240903-en
behavioral10: GoogleChrome.exe, win10v2004-20241007-en
behavioral11: Hidden_Undected_CMSTP-Reflection.ps1, win7-20241010-en
behavioral12: Hidden_Undected_CMSTP-Reflection.ps1, win10v2004-20241007-en
behavioral13: Hidden_magic.vbs, win7-20240903-en
behavioral14: Hidden_magic.vbs, win10v2004-20241007-en
behavioral15: Manage.bat, win7-20240903-en
behavioral16: Manage.bat, win10v2004-20241007-en
behavioral17: Night_uac/Uac_main.ps1, win7-20240903-en
behavioral18: Night_uac/Uac_main.ps1, win10v2004-20241007-en
behavioral19: Night_uac/Uac_stage.ps1, win7-20241010-en
behavioral20: Night_uac/Uac_stage.ps1, win10v2004-20241007-en
behavioral21: Night_uac/Uac_stage_gen.py, win7-20240708-en
behavioral22: Night_uac/Uac_stage_gen.py, win10v2004-20241007-en
behavioral23: Night_uac/amsi.ps1, win7-20240903-en
behavioral24: Night_uac/amsi.ps1, win10v2004-20241007-en
behavioral25: Night_uac/amsi.ps1, win7-20240729-en
behavioral26: Night_uac/amsi.ps1, win10v2004-20241007-en
behavioral27: Night_uac/command.ps1, win7-20240708-en
behavioral28: Night_uac/command.ps1, win10v2004-20241007-en
behavioral29: Night_uac/down.ps1, win7-20240903-en
behavioral30: Night_uac/down.ps1, win10v2004-20241007-en
behavioral31: Night_uac/payloads/0malm7gp.ps1, win7-20240903-en
behavioral32: Night_uac/payloads/0malm7gp.ps1, win10v2004-20241007-en
General
Target: GoogleChrome.exe
Size: 690KB
MD5: 5818f4fecb0dcc52227035dc0d88830b
SHA1: ccda411e1e7c643308f8c643b384ec979c185787
SHA256: 1416bd55b04a4d8299c3e976e4e6a160850471e330d25f332f70d8ca618de894
SHA512: b245d21747c40722fd8c53a8bef3acb17aabce894ec6213547a2554f4c4f168b1d43f9a2f1383f4bfd4ccd436e3034d7aa64c6118aff9d886ea39c05ad7bb81f
SSDEEP: 12288:jTEgdfY8l6hdV6l4et8klwIdctVdrcdirMBgJS9UOIK3:8UwBD6lbt8ufcVrcdiMCJSuOIK3
Malware Config
Extracted: quasar 1.4.0, Test
scambaiting2022.ddns.net:25565
192.168.1.3:25565
41845399-4858-4791-bd1c-b2526f38e8cc
encryption_key: 77693888CF811B44AE75658ADBCA8897192A96FF
install_name: update.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Chrome Update
subdirectory: Chrome
Signatures

Quasar payload (3 IoCs)
resource / yara_rule:
behavioral9/memory/1660-1-0x0000000000D00000-0x0000000000DB2000-memory.dmp family_quasar
behavioral9/files/0x000500000001952b-6.dat family_quasar
behavioral9/memory/2656-7-0x0000000000020000-0x00000000000D2000-memory.dmp family_quasar

Executes dropped EXE (1 IoC)
pid / Process:
2656 update.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process:
3040 schtasks.exe
2820 schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / Process:
Token: SeDebugPrivilege 1660 GoogleChrome.exe
Token: SeDebugPrivilege 2656 update.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid / Process:
2656 update.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description / pid / Process / procid_target:
PID 1660 wrote to memory of 3040, 1660 GoogleChrome.exe, 29
PID 1660 wrote to memory of 3040, 1660 GoogleChrome.exe, 29
PID 1660 wrote to memory of 3040, 1660 GoogleChrome.exe, 29
PID 1660 wrote to memory of 2656, 1660 GoogleChrome.exe, 31
PID 1660 wrote to memory of 2656, 1660 GoogleChrome.exe, 31
PID 1660 wrote to memory of 2656, 1660 GoogleChrome.exe, 31
PID 2656 wrote to memory of 2820, 2656 update.exe, 32
PID 2656 wrote to memory of 2820, 2656 update.exe, 32
PID 2656 wrote to memory of 2820, 2656 update.exe, 32

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\GoogleChrome.exe "C:\Users\Admin\AppData\Local\Temp\GoogleChrome.exe" (PID 1660)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\schtasks.exe "schtasks" /create /tn "Chrome Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\GoogleChrome.exe" /rl HIGHEST /f (PID 3040)
    - Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Roaming\Chrome\update.exe "C:\Users\Admin\AppData\Roaming\Chrome\update.exe" (PID 2656)
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe "schtasks" /create /tn "Chrome Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Chrome\update.exe" /rl HIGHEST /f (PID 2820)
      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15