Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
10-12-2024 01:01
Static task
static1
Behavioral task
behavioral1
Sample
d951b4352f6e4f9ef63cbbabac6cae41d3de37d26dee4b4890d60b52d51ddbb4.exe
Resource
win7-20240708-en
General
-
Target
d951b4352f6e4f9ef63cbbabac6cae41d3de37d26dee4b4890d60b52d51ddbb4.exe
-
Size
3.0MB
-
MD5
25ae2a8e59da886dbc3192b12e000ffa
-
SHA1
c384fbee5a29be18571d293c1e20a36d044bd86a
-
SHA256
d951b4352f6e4f9ef63cbbabac6cae41d3de37d26dee4b4890d60b52d51ddbb4
-
SHA512
246a2948f880231fe597a4c6cfb1f8acbbc7173f73752532dd2049697cd4165c6d1e966a1a598d260053e1f4aeebf0472ffedc4aec56c8233899c965c7fc6736
-
SSDEEP
49152:auZju5PuuzE2wJMTFuUPHghJW5eqdCMuWnLBuU5ZHWIcCm:xjuFumw0Fu2gho5e4nLB5L
Malware Config
Extracted
quasar
1.4.1
Office04
45.200.148.155:6060
4b3820e0-d123-49d9-b51e-3c4daa4f6874
-
encryption_key
F8879E9B26846C57C99B6F152F74703E1CC15B8B
-
install_name
SecurityHealthSystray.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
SecurityHealthSystray.exe
-
subdirectory
SubDir
Signatures
-
Quasar family
-
Quasar payload 2 IoCs
resource yara_rule behavioral1/memory/1976-1-0x0000000000960000-0x00000000010F6000-memory.dmp family_quasar behavioral1/memory/1976-2-0x0000000000960000-0x00000000010F6000-memory.dmp family_quasar -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ d951b4352f6e4f9ef63cbbabac6cae41d3de37d26dee4b4890d60b52d51ddbb4.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion d951b4352f6e4f9ef63cbbabac6cae41d3de37d26dee4b4890d60b52d51ddbb4.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion d951b4352f6e4f9ef63cbbabac6cae41d3de37d26dee4b4890d60b52d51ddbb4.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine d951b4352f6e4f9ef63cbbabac6cae41d3de37d26dee4b4890d60b52d51ddbb4.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 1976 d951b4352f6e4f9ef63cbbabac6cae41d3de37d26dee4b4890d60b52d51ddbb4.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d951b4352f6e4f9ef63cbbabac6cae41d3de37d26dee4b4890d60b52d51ddbb4.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2740 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1976 d951b4352f6e4f9ef63cbbabac6cae41d3de37d26dee4b4890d60b52d51ddbb4.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1976 d951b4352f6e4f9ef63cbbabac6cae41d3de37d26dee4b4890d60b52d51ddbb4.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1976 wrote to memory of 2740 1976 d951b4352f6e4f9ef63cbbabac6cae41d3de37d26dee4b4890d60b52d51ddbb4.exe 30 PID 1976 wrote to memory of 2740 1976 d951b4352f6e4f9ef63cbbabac6cae41d3de37d26dee4b4890d60b52d51ddbb4.exe 30 PID 1976 wrote to memory of 2740 1976 d951b4352f6e4f9ef63cbbabac6cae41d3de37d26dee4b4890d60b52d51ddbb4.exe 30 PID 1976 wrote to memory of 2740 1976 d951b4352f6e4f9ef63cbbabac6cae41d3de37d26dee4b4890d60b52d51ddbb4.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\d951b4352f6e4f9ef63cbbabac6cae41d3de37d26dee4b4890d60b52d51ddbb4.exe"C:\Users\Admin\AppData\Local\Temp\d951b4352f6e4f9ef63cbbabac6cae41d3de37d26dee4b4890d60b52d51ddbb4.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "SecurityHealthSystray.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SecurityHealthSystray.exe" /rl HIGHEST /f2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2740
-