Analysis
max time kernel: 76s
max time network: 168s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 04-11-2024 04:39
Static task: static1
General
Target: Roblox exploit 2024.7z
Size: 922KB
MD5: b83419ff541c2f78be5921c4c150aa2f
SHA1: 2b0a73d56cf4af03d0b1eb51d7e2092f320972f0
SHA256: 0fa8e2b1073b28e1941150d9ff1651b4dfce15cb1a0ccdcd33d5caca3af20db0
SHA512: d9faa15debc5bcae1d391f8cf6f713f2bf8996c64ca4b05f1bddb5f47a7c3980dbc5b784d4791f3a41739b8443fce6a224bcb7ee3654761698f02918b7c5f6a8
SSDEEP: 24576:uc92iZi0TVp6x0W7GjN59lfzlPRdAeqoeTy4x3kNp6k:um2iZnV8x0W+Npko0ny1
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: Inversin-43597.portmap.host:43597
Mutex: 80329fd2-f063-4b06-9c7e-8dbc6278c2a3
encryption_key: 744EA1A385FEBC6DA96387411B7000D77E66B075
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: java updater
subdirectory: SubDir
Signatures

Quasar family

Quasar payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x0028000000045029-2.dat | family_quasar
behavioral1/memory/4328-5-0x0000000000410000-0x0000000000734000-memory.dmp | family_quasar

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation | Client.exe

Executes dropped EXE (2 IoCs)
pid | Process
4328 | Client-built.exe
3644 | Client.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings | Client.exe

Opens file in notepad (likely ransom note) (2 IoCs)
pid | Process
1424 | NOTEPAD.EXE
452 | NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1028 | schtasks.exe
3292 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeRestorePrivilege | 3108 | 7zFM.exe
Token: 35 | 3108 | 7zFM.exe
Token: SeSecurityPrivilege | 3108 | 7zFM.exe
Token: SeDebugPrivilege | 4328 | Client-built.exe
Token: SeDebugPrivilege | 3644 | Client.exe

Suspicious use of FindShellTrayWindow (5 IoCs)
pid | Process
3108 | 7zFM.exe
3108 | 7zFM.exe
3644 | Client.exe
3644 | Client.exe
3644 | Client.exe

Suspicious use of SendNotifyMessage (3 IoCs)
pid | Process
3644 | Client.exe
3644 | Client.exe
3644 | Client.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 4328 wrote to memory of 1028 | 4328 | Client-built.exe | 90
PID 4328 wrote to memory of 1028 | 4328 | Client-built.exe | 90
PID 4328 wrote to memory of 3644 | 4328 | Client-built.exe | 93
PID 4328 wrote to memory of 3644 | 4328 | Client-built.exe | 93
PID 3644 wrote to memory of 3292 | 3644 | Client.exe | 95
PID 3644 wrote to memory of 3292 | 3644 | Client.exe | 95
PID 3644 wrote to memory of 4920 | 3644 | Client.exe | 101
PID 3644 wrote to memory of 4920 | 3644 | Client.exe | 101

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; child processes are indented under their parent)

C:\Program Files\7-Zip\7zFM.exe (PID 3108)
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Roblox exploit 2024.7z"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Users\Admin\Desktop\Client-built.exe (PID 4328)
  Command line: "C:\Users\Admin\Desktop\Client-built.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\schtasks.exe (PID 1028)
      Command line: "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task

    C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 3644)
      Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

        C:\Windows\SYSTEM32\schtasks.exe (PID 3292)
          Command line: "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          - Scheduled Task/Job: Scheduled Task

        C:\Program Files\VideoLAN\VLC\vlc.exe (PID 4920)
          Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\AddTest.rm"

        C:\Program Files\Internet Explorer\iexplore.exe (PID 3712)
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome

            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 4980)
              Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3712 CREDAT:17410 /prefetch:2

            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2888)
              Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3712 CREDAT:148482 /prefetch:2

        C:\Windows\system32\NOTEPAD.EXE (PID 1424)
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\CheckpointEdit.inf
          - Opens file in notepad (likely ransom note)

        C:\Program Files\Internet Explorer\iexplore.exe (PID 1064)
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\ConfirmRevoke.xsl

            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1688)
              Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1064 CREDAT:17410 /prefetch:2

        C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3452)
          Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\AppData\Roaming\ConfirmTrace.dotm"

        C:\Windows\system32\NOTEPAD.EXE (PID 452)
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\ConvertFromExit.css
          - Opens file in notepad (likely ransom note)

        C:\Windows\system32\mspaint.exe (PID 1204)
          Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Roaming\EditSend.wmf"

        C:\Program Files\VideoLAN\VLC\vlc.exe (PID 2804)
          Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\ExitUnblock.rm"

        C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 5060)
          Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "C:\Users\Admin\AppData\Roaming\ImportDisable.xltm"

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1104)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\InstallMount.mhtml

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 740)
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ffc43f746f8,0x7ffc43f74708,0x7ffc43f74718

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1528)
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,9908901234595581444,4367690020873171540,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1272)
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,9908901234595581444,4367690020873171540,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4536)
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,9908901234595581444,4367690020873171540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8

C:\Windows\system32\OpenWith.exe (PID 4664)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe (PID 2412)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe (PID 1084)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe (PID 3928)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\svchost.exe (PID 984)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

C:\Program Files (x86)\Windows Media Player\wmplayer.exe (PID 3176)
  Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding

    C:\Windows\SysWOW64\unregmp2.exe (PID 4736)
      Command line: "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

        C:\Windows\system32\unregmp2.exe (PID 5572)
          Command line: "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

C:\Windows\system32\svchost.exe (PID 5408)
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
MITRE ATT&CK Enterprise v15