Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 01-11-2024 19:15

Behavioral task: behavioral1
Sample: VaporWaveX2.1/VaporWave2-1.exe
Resource: win7-20240708-en

General
Target: VaporWaveX2.1/VaporWave2-1.exe
Size: 72.5MB
MD5: af85b5d9c237ea75d4a307d5157c847f
SHA1: 84ad14e5d89bd85f0ef1bb5f3269c0d6929c6a53
SHA256: 3e7fe3f421b50a884cc30ac892a739e895f4243ed554183deebc7415593ee2d2
SHA512: bf2e7414f1e00d69aaf3dab61a938c3051f429b712d8dcccd3f7a7a32226d42dc66477c1fac7cbb67a326dd05b33de7afbc176ce4280405ac69e2e8dcbdabca3
SSDEEP: 6144:UI6bPXhLApfpo8CL1g1N1ZflpUwGbeCqgHcFi9vNnoGjlhjl7k4:lmhAp5CL1g1N1ZfXxpi9vhHl1l7k4
Malware Config
Extracted
family: quasar
version: 1.3.0.0
botnet: general1
c2: servicehos.zapto.org:4444
mutex: QSR_MUTEX_ksxWAP4ziOqMlreofU
encryption_key: i9HUVkY4QNExDOHIMtIX
install_name: svchost.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: svchost
subdirectory: SubDir
Signatures

Quasar family

Quasar payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2984-1-0x00000000002A0000-0x00000000002FE000-memory.dmp    family_quasar
  behavioral1/memory/2068-10-0x0000000001220000-0x000000000127E000-memory.dmp   family_quasar

Executes dropped EXE (1 IoC)
  pid   Process
  2068  svchost.exe

Loads dropped DLL (1 IoC)
  pid   Process
  2984  VaporWave2-1.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  2     ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  chcp.com
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PING.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  VaporWave2-1.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.

Runs ping.exe (1 TTP, 1 IoC)

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2456  schtasks.exe
  2244  schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2984  VaporWave2-1.exe
  Token: SeDebugPrivilege  2068  svchost.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  2068  svchost.exe

Suspicious use of WriteProcessMemory (28 IoCs; each row below is listed four times in the report, 7 x 4 = 28)
  description                       pid   Process           procid_target
  PID 2984 wrote to memory of 2456  2984  VaporWave2-1.exe  31
  PID 2984 wrote to memory of 2068  2984  VaporWave2-1.exe  33
  PID 2068 wrote to memory of 2244  2068  svchost.exe       34
  PID 2068 wrote to memory of 2624  2068  svchost.exe       37
  PID 2068 wrote to memory of 1552  2068  svchost.exe       39
  PID 1552 wrote to memory of 688   1552  cmd.exe           41
  PID 1552 wrote to memory of 1808  1552  cmd.exe           42
Processes (tree; indentation shows the parent/child depth reported by the sandbox)

C:\Users\Admin\AppData\Local\Temp\VaporWaveX2.1\VaporWave2-1.exe  (PID 2984, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\VaporWaveX2.1\VaporWave2-1.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe  (PID 2456, depth 2)
    command line: "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\VaporWaveX2.1\VaporWave2-1.exe" /rl HIGHEST /f
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task

  C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe  (PID 2068, depth 2)
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (PID 2244, depth 3)
      command line: "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

    C:\Windows\SysWOW64\schtasks.exe  (PID 2624, depth 3)
      command line: "schtasks" /delete /tn "svchost" /f
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe  (PID 1552, depth 3)
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\8rzX5rJdA8bI.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\chcp.com  (PID 688, depth 4)
        command line: chcp 65001
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\PING.EXE  (PID 1808, depth 4)
        command line: ping -n 10 localhost
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 263B
MD5: 3b131a9a7d8f3778836dc44e58e04f13
SHA1: f282199650901f19baf5472d3b9a7005156ce420
SHA256: 1dc33e29f7a4a17c60b324f51fca129319c26d95de0a7cc2c1235c47083ca3a4
SHA512: 27c0b59df8199da3d2ce044d5e0072910c320d0d3593997e915d94936ae0e85f58184a0eb02032a260d3815cd2e7c5be76e17f5fd4f02c3cef3bb262691fc2b5

Filesize: 224B
MD5: 895ff633adbfc7236b5cfab8fc99d4b2
SHA1: b80848d972413b9d693e3f163952865bd404b02b
SHA256: 3c4eeb4ff4e77d54a65dea18a40be7f72fd3af48134067a06bdd94725885dce0
SHA512: 3a604ca38587af7c167fc4f7143456887bdadcf56e64bbf86cfe4e4ae1aaaad29d0c9e7dfc589b771e9e78acf6c412f71f86925524835530222d13dcb521ab55