Analysis
-
max time kernel
20s -
max time network
28s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
09-12-2024 21:44
Static task
static1
General
-
Target
Panel Ejecutador MTA 3.14.zip
-
Size
1.1MB
-
MD5
d345c2eb24b0d3806865fda604ad1cc8
-
SHA1
6b813317f6108f2c242babda58097070503df242
-
SHA256
9261f3eefa0aef107e865784d8b8b62d4e7213056dfe535893920a344fa0d908
-
SHA512
76c941b833ffcef6da121c2e2735952ed81cbf7c6a6260a227040d37abf0adaa41461045c69710331345d52d95aac89ddf0a256ebc85fbdb2ed703106999ab74
-
SSDEEP
24576:ioRau4l48JTUIlfSsqFDxCs3+UgQYuX370FBZa:ioRUv5UIYsqOs3+UPY234m
Malware Config
Extracted
quasar
1.4.1
Office04
azxq0ap.localto.net:3425
e51e2b65-e963-4051-9736-67d57ed46798
-
encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
-
install_name
WindowsUpdate.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
WindowsUpdate
-
subdirectory
SubDir
Signatures
-
Quasar family
-
Quasar payload 2 IoCs
resource yara_rule behavioral1/files/0x002a000000045033-2.dat family_quasar behavioral1/memory/3840-5-0x0000000000770000-0x0000000000AC6000-memory.dmp family_quasar -
Executes dropped EXE 2 IoCs
pid Process 3840 Panel Ejecutador MTA 3.14.exe 4424 WindowsUpdate.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2740 schtasks.exe 2360 schtasks.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeRestorePrivilege 2364 7zFM.exe Token: 35 2364 7zFM.exe Token: SeSecurityPrivilege 2364 7zFM.exe Token: SeDebugPrivilege 3840 Panel Ejecutador MTA 3.14.exe Token: SeDebugPrivilege 4424 WindowsUpdate.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2364 7zFM.exe 2364 7zFM.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4424 WindowsUpdate.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3840 wrote to memory of 2740 3840 Panel Ejecutador MTA 3.14.exe 90 PID 3840 wrote to memory of 2740 3840 Panel Ejecutador MTA 3.14.exe 90 PID 3840 wrote to memory of 4424 3840 Panel Ejecutador MTA 3.14.exe 92 PID 3840 wrote to memory of 4424 3840 Panel Ejecutador MTA 3.14.exe 92 PID 4424 wrote to memory of 2360 4424 WindowsUpdate.exe 93 PID 4424 wrote to memory of 2360 4424 WindowsUpdate.exe 93 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Panel Ejecutador MTA 3.14.zip"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2364
-
C:\Users\Admin\Desktop\Panel Ejecutador MTA 3.14.exe"C:\Users\Admin\Desktop\Panel Ejecutador MTA 3.14.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3840 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
PID:2740
-
-
C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe"C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
PID:2360
-
-
Network
-
Remote address:8.8.8.8:53Request232.168.11.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request83.210.23.2.in-addr.arpaIN PTRResponse83.210.23.2.in-addr.arpaIN PTRa2-23-210-83deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request75.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestcheckappexec.microsoft.comIN AResponsecheckappexec.microsoft.comIN CNAMEprod-atm-wds-apprep.trafficmanager.netprod-atm-wds-apprep.trafficmanager.netIN CNAMEprod-agic-uw-3.ukwest.cloudapp.azure.comprod-agic-uw-3.ukwest.cloudapp.azure.comIN A51.11.108.188
-
Remote address:51.11.108.188:443RequestPOST /windows/shell/actions HTTP/2.0
host: checkappexec.microsoft.com
accept-encoding: gzip, deflate
user-agent: SmartScreen/2814751014982010
authorization: SmartScreenHash eyJhdXRoSWQiOiJhZGZmZjVhZC1lZjllLTQzYTYtYjFhMy0yYWQ0MjY3YWVlZDUiLCJoYXNoIjoic25qR3dUYUJWYU09Iiwia2V5IjoiNFBwb1JYNDhVU1JZTFNXbHJBMWpZZz09In0=
content-length: 1162
content-type: application/json; charset=utf-8
cache-control: no-cache
ResponseHTTP/2.0 200
content-type: application/json; charset=utf-8
content-length: 183
server: Kestrel
cache-control: max-age=0, private
request-context: appId=cid-v1:365e21c6-df19-4b1c-a612-b572489ace31
-
Remote address:8.8.8.8:53Request188.108.11.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request203.197.79.204.in-addr.arpaIN PTRResponse203.197.79.204.in-addr.arpaIN PTRa-0003a-msedgenet
-
Remote address:8.8.8.8:53Requestazxq0ap.localto.netIN AResponseazxq0ap.localto.netIN A23.158.232.33
-
Remote address:8.8.8.8:53Request33.232.158.23.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestipwho.isIN AResponseipwho.isIN A195.201.57.90
-
Remote address:195.201.57.90:443RequestGET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Host: ipwho.is
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: ipwhois
Access-Control-Allow-Headers: *
X-Robots-Tag: noindex
-
Remote address:8.8.8.8:53Request90.57.201.195.in-addr.arpaIN PTRResponse90.57.201.195.in-addr.arpaIN PTRstatic9057201195clientsyour-serverde
-
2.8kB 7.6kB 20 15
HTTP Request
POST https://checkappexec.microsoft.com/windows/shell/actionsHTTP Response
200 -
78.8kB 4.5kB 75 55
-
831 B 6.2kB 8 8
HTTP Request
GET https://ipwho.is/HTTP Response
200
-
72 B 158 B 1 1
DNS Request
232.168.11.51.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
83.210.23.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
75.159.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 191 B 1 1
DNS Request
checkappexec.microsoft.com
DNS Response
51.11.108.188
-
72 B 158 B 1 1
DNS Request
188.108.11.51.in-addr.arpa
-
73 B 106 B 1 1
DNS Request
203.197.79.204.in-addr.arpa
-
65 B 81 B 1 1
DNS Request
azxq0ap.localto.net
DNS Response
23.158.232.33
-
72 B 152 B 1 1
DNS Request
33.232.158.23.in-addr.arpa
-
54 B 70 B 1 1
DNS Request
ipwho.is
DNS Response
195.201.57.90
-
72 B 129 B 1 1
DNS Request
90.57.201.195.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.3MB
MD55791d405ca0a97a89eeaeb4f2be628be
SHA1a012d40aaaa01db12a83b0e4408d012fd383dd0b
SHA2566c67a1bf1d558b31a790e4bdcef062c9b49f00a1b3d7361dfc8308d55b87bc5d
SHA5123971447d6a5f1ffe51bb1acc0d2525aa5bca521358c67828e6bd983d68e8c22dfa83ab49109575bc113e13de861682af563a3ed21e5ef48cce1bfcdb8f1f2afd