Analysis
-
max time kernel
99s -
max time network
149s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
29-11-2024 03:29
General
-
Target
Virus.exe
-
Size
348KB
-
MD5
325f748d4e40fd993021c4a39e60384d
-
SHA1
665c5980233d2081ecb638a5601950da52aec632
-
SHA256
f3d4f0a9c0f837998e9ac15b067a74fa15cea74db186e1067fd55eea657ae3f3
-
SHA512
5dfadcb320f93d8990e70f219cb6ecfeb0e8dc0bb90e3dbdbe4977e0ce8b029a1aeab91f272476f1dbab16191be287d072d8cfedd550893c9bdde268b1e02f95
-
SSDEEP
6144:s16bPXhLApfp07Dbj82MGlfCtfb5vJtTamdYxM4HX2vuJrq:QmhApSPeFKmd4rHXXrq
Malware Config
Extracted
quasar
1.3.0.0
hackeado papu
dbxs31c.localto.net:5853
QSR_MUTEX_Da9VX0BUJqFSTadPhi
-
encryption_key
jmEyWTm6K6eGLE8Q3C6X
-
install_name
Windows.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows
-
subdirectory
SubDir
Signatures
-
Quasar family
-
Quasar payload 2 IoCs
resource yara_rule behavioral1/memory/3716-1-0x0000000000DF0000-0x0000000000E4E000-memory.dmp family_quasar behavioral1/files/0x002a000000045034-8.dat family_quasar -
Executes dropped EXE 1 IoCs
pid Process 4216 Windows.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 11 ip-api.com -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Virus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Windows.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4188 schtasks.exe 4104 schtasks.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3716 Virus.exe Token: SeDebugPrivilege 4216 Windows.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4216 Windows.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 3716 wrote to memory of 4188 3716 Virus.exe 84 PID 3716 wrote to memory of 4188 3716 Virus.exe 84 PID 3716 wrote to memory of 4188 3716 Virus.exe 84 PID 3716 wrote to memory of 4216 3716 Virus.exe 86 PID 3716 wrote to memory of 4216 3716 Virus.exe 86 PID 3716 wrote to memory of 4216 3716 Virus.exe 86 PID 4216 wrote to memory of 4104 4216 Windows.exe 90 PID 4216 wrote to memory of 4104 4216 Windows.exe 90 PID 4216 wrote to memory of 4104 4216 Windows.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\Virus.exe"C:\Users\Admin\AppData\Local\Temp\Virus.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3716 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Virus.exe" /rl HIGHEST /f2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4188
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4104
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
348KB
MD5325f748d4e40fd993021c4a39e60384d
SHA1665c5980233d2081ecb638a5601950da52aec632
SHA256f3d4f0a9c0f837998e9ac15b067a74fa15cea74db186e1067fd55eea657ae3f3
SHA5125dfadcb320f93d8990e70f219cb6ecfeb0e8dc0bb90e3dbdbe4977e0ce8b029a1aeab91f272476f1dbab16191be287d072d8cfedd550893c9bdde268b1e02f95