Analysis
max time kernel: 144s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-10-2024 20:29
Behavioral task: behavioral1
Sample: Vyper.exe
Resource: win7-20240903-en
General
Target: Vyper.exe
Size: 3.1MB
MD5: bc8ff64cac1ae0bc4f1ae65075f6c26a
SHA1: 11ce47e3f7a25add1ed9fd54ce25878106b82db9
SHA256: 55c022e23bde36f465a1ac4e0c0558f4f6118a2df180c08ecd1afc1529d4c15f
SHA512: 270b3b94fbfc734740907c303a2d4a4f0cf30d23d9e7a76c9535c80a92d427e20061c48e8eabfe523405058c75e79b9d10561e855fa06f0c02fef938641f17bd
SSDEEP: 49152:eveI22SsaNYfdPBldt698dBcjHkfNlmGmzgsoGd2THHB72eh2NT:evT22SsaNYfdPBldt6+dBcjH8lmh
Malware Config
Extracted
family: quasar
version: 1.4.1
botnet: Office04
c2: 411db-59874.portmap.host:1333
mutex: 8d945983-5644-413f-bb5d-4f7a064e793c
encryption_key: 6382B85CDCFFEEDACE064DDD30D7729DCE176C73
install_name: Discord Updater.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Discord Updater
subdirectory: SubDir
Signatures
Quasar payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/3976-1-0x0000000000010000-0x0000000000334000-memory.dmp    family_quasar
  behavioral2/files/0x000a000000023b6c-6.dat                                    family_quasar

Executes dropped EXE (1 IoC)
  pid    Process
  4024   Discord Updater.exe

Drops file in System32 directory (5 IoCs)
  description                    ioc                                              Process
  File created                   C:\Windows\system32\SubDir\Discord Updater.exe   Vyper.exe
  File opened for modification   C:\Windows\system32\SubDir\Discord Updater.exe   Vyper.exe
  File opened for modification   C:\Windows\system32\SubDir                       Vyper.exe
  File opened for modification   C:\Windows\system32\SubDir\Discord Updater.exe   Discord Updater.exe
  File opened for modification   C:\Windows\system32\SubDir                       Discord Updater.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    Process
  4752   schtasks.exe
  884    schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   3976   Vyper.exe
  Token: SeDebugPrivilege   4024   Discord Updater.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid    Process
  4024   Discord Updater.exe

Suspicious use of SendNotifyMessage (1 IoC)
  pid    Process
  4024   Discord Updater.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                         pid    Process               procid_target
  PID 3976 wrote to memory of 4752    3976   Vyper.exe             87
  PID 3976 wrote to memory of 4752    3976   Vyper.exe             87
  PID 3976 wrote to memory of 4024    3976   Vyper.exe             89
  PID 3976 wrote to memory of 4024    3976   Vyper.exe             89
  PID 4024 wrote to memory of 884     4024   Discord Updater.exe   90
  PID 4024 wrote to memory of 884     4024   Discord Updater.exe   90

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\Vyper.exe  (PID 3976)
  command line: "C:\Users\Admin\AppData\Local\Temp\Vyper.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SYSTEM32\schtasks.exe  (PID 4752)
  |     command line: "schtasks" /create /tn "Discord Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Discord Updater.exe" /rl HIGHEST /f
  |     - Scheduled Task/Job: Scheduled Task
  |
  +-- C:\Windows\system32\SubDir\Discord Updater.exe  (PID 4024)
        command line: "C:\Windows\system32\SubDir\Discord Updater.exe"
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\SYSTEM32\schtasks.exe  (PID 884)
              command line: "schtasks" /create /tn "Discord Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Discord Updater.exe" /rl HIGHEST /f
              - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.1MB
MD5: bc8ff64cac1ae0bc4f1ae65075f6c26a
SHA1: 11ce47e3f7a25add1ed9fd54ce25878106b82db9
SHA256: 55c022e23bde36f465a1ac4e0c0558f4f6118a2df180c08ecd1afc1529d4c15f
SHA512: 270b3b94fbfc734740907c303a2d4a4f0cf30d23d9e7a76c9535c80a92d427e20061c48e8eabfe523405058c75e79b9d10561e855fa06f0c02fef938641f17bd
(same size and hashes as the submitted sample Vyper.exe)