Analysis
- max time kernel: 126s
- max time network: 138s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 03-11-2024 21:01
Behavioral task
- behavioral1
- Sample: MoonX.exe
- Resource: win7-20240903-en
General
- Target: MoonX.exe
- Size: 3.1MB
- MD5: 067797d057419e6750a73dbc9891abc6
- SHA1: 38d7ed247ce382277fae0a89ce2bba37d6562857
- SHA256: 30f2c33a8795270263434282d667e0510f57de3946c30df57ceb3f82d35f430b
- SHA512: 6eac5b1f361f7173715cba3660d43f06ca342c838d393bfd736e00bf4a4e4da37e95e7e74fbcf40393b9618c173b63221a4c314c3a26e1d21bf8eb880a8ad0a5
- SSDEEP: 49152:CvIt62XlaSFNWPjljiFa2RoUYIVoOEEqknk/8FvoGdATHHB72eh2NT:CvE62XlaSFNWPjljiFXRoUYIVoOHV
Malware Config
Extracted
- family: quasar
- version: 1.4.1
- botnet: MoonX
- c2: 192.168.1.234:4782
- mutex: 4b0292ec-655c-4352-9fd0-766e48d4ced8
- encryption_key: D553FD53C63DADADB0E2A70013878DFCCBFA988F
- install_name: MoonX.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: MoonX
- subdirectory: SubDir
Signatures
- Quasar family
- Quasar payload (3 IoCs)
  Resources matching yara rule family_quasar:
  - behavioral1/memory/2888-1-0x0000000000E00000-0x0000000001124000-memory.dmp
  - behavioral1/files/0x0034000000015d5c-6.dat
  - behavioral1/memory/2236-9-0x00000000009E0000-0x0000000000D04000-memory.dmp
- Executes dropped EXE (1 IoC)
  Processes:
  - PID 2236: MoonX.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
  - PID 2808: schtasks.exe
  - PID 2752: schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - PID 2888: MoonX.exe, Token: SeDebugPrivilege
  - PID 2236: MoonX.exe, Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (each event is logged three times in the report, giving 9 IoCs):
  - PID 2888 (MoonX.exe) wrote to memory of PID 2808, procid_target 30
  - PID 2888 (MoonX.exe) wrote to memory of PID 2236, procid_target 32
  - PID 2236 (MoonX.exe) wrote to memory of PID 2752, procid_target 33
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\MoonX.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MoonX.exe"
  PID: 2888
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "MoonX" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MoonX.exe" /rl HIGHEST /f
    PID: 2808
    - Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Roaming\SubDir\MoonX.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\MoonX.exe"
    PID: 2236
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\system32\schtasks.exe
      Command line: "schtasks" /create /tn "MoonX" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MoonX.exe" /rl HIGHEST /f
      PID: 2752
      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15