Analysis
max time kernel: 33s
max time network: 35s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241211-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 15-12-2024 20:01
Static task: static1
General
Target: Panel Ejecutador MTA 3.14.zip
Size: 1.1MB
MD5: d345c2eb24b0d3806865fda604ad1cc8
SHA1: 6b813317f6108f2c242babda58097070503df242
SHA256: 9261f3eefa0aef107e865784d8b8b62d4e7213056dfe535893920a344fa0d908
SHA512: 76c941b833ffcef6da121c2e2735952ed81cbf7c6a6260a227040d37abf0adaa41461045c69710331345d52d95aac89ddf0a256ebc85fbdb2ed703106999ab74
SSDEEP: 24576:ioRau4l48JTUIlfSsqFDxCs3+UgQYuX370FBZa:ioRUv5UIYsqOs3+UPY234m
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: azxq0ap.localto.net:3425
Mutex: e51e2b65-e963-4051-9736-67d57ed46798
encryption_key: AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name: WindowsUpdate.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: WindowsUpdate
subdirectory: SubDir
Signatures

Quasar family

Quasar payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x0028000000046158-3.dat | family_quasar
  behavioral1/memory/3304-6-0x0000000000020000-0x0000000000376000-memory.dmp | family_quasar

Executes dropped EXE (2 IoCs)
  pid | Process
  3304 | Panel Ejecutador MTA 3.14.exe
  3816 | WindowsUpdate.exe

Drops file in Windows directory (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SystemTemp | chrome.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133787665372296932" | chrome.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  560 | schtasks.exe
  1172 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  644 | chrome.exe
  644 | chrome.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  1596 | 7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
  pid | Process
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe

Suspicious use of AdjustPrivilegeToken (36 IoCs)
  description | pid | Process
  Token: SeRestorePrivilege | 1596 | 7zFM.exe
  Token: 35 | 1596 | 7zFM.exe
  Token: SeSecurityPrivilege | 1596 | 7zFM.exe
  Token: SeSecurityPrivilege | 1596 | 7zFM.exe
  Token: SeDebugPrivilege | 3304 | Panel Ejecutador MTA 3.14.exe
  Token: SeDebugPrivilege | 3816 | WindowsUpdate.exe
  Token: SeShutdownPrivilege | 644 | chrome.exe
  Token: SeCreatePagefilePrivilege | 644 | chrome.exe
  Token: SeShutdownPrivilege | 644 | chrome.exe
  Token: SeCreatePagefilePrivilege | 644 | chrome.exe
  Token: SeShutdownPrivilege | 644 | chrome.exe
  Token: SeCreatePagefilePrivilege | 644 | chrome.exe
  Token: SeShutdownPrivilege | 644 | chrome.exe
  Token: SeCreatePagefilePrivilege | 644 | chrome.exe
  Token: SeShutdownPrivilege | 644 | chrome.exe
  Token: SeCreatePagefilePrivilege | 644 | chrome.exe
  Token: SeShutdownPrivilege | 644 | chrome.exe
  Token: SeCreatePagefilePrivilege | 644 | chrome.exe
  Token: SeShutdownPrivilege | 644 | chrome.exe
  Token: SeCreatePagefilePrivilege | 644 | chrome.exe
  Token: SeShutdownPrivilege | 644 | chrome.exe
  Token: SeCreatePagefilePrivilege | 644 | chrome.exe
  Token: SeShutdownPrivilege | 644 | chrome.exe
  Token: SeCreatePagefilePrivilege | 644 | chrome.exe
  Token: SeShutdownPrivilege | 644 | chrome.exe
  Token: SeCreatePagefilePrivilege | 644 | chrome.exe
  Token: SeShutdownPrivilege | 644 | chrome.exe
  Token: SeCreatePagefilePrivilege | 644 | chrome.exe
  Token: SeShutdownPrivilege | 644 | chrome.exe
  Token: SeCreatePagefilePrivilege | 644 | chrome.exe
  Token: SeShutdownPrivilege | 644 | chrome.exe
  Token: SeCreatePagefilePrivilege | 644 | chrome.exe
  Token: SeShutdownPrivilege | 644 | chrome.exe
  Token: SeCreatePagefilePrivilege | 644 | chrome.exe
  Token: SeShutdownPrivilege | 644 | chrome.exe
  Token: SeCreatePagefilePrivilege | 644 | chrome.exe

Suspicious use of FindShellTrayWindow (29 IoCs)
  pid | Process
  1596 | 7zFM.exe
  1596 | 7zFM.exe
  1596 | 7zFM.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe

Suspicious use of SendNotifyMessage (24 IoCs)
  pid | Process
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe
  644 | chrome.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  3816 | WindowsUpdate.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 3304 wrote to memory of 560 | 3304 | Panel Ejecutador MTA 3.14.exe | 86
  PID 3304 wrote to memory of 560 | 3304 | Panel Ejecutador MTA 3.14.exe | 86
  PID 3304 wrote to memory of 3816 | 3304 | Panel Ejecutador MTA 3.14.exe | 88
  PID 3304 wrote to memory of 3816 | 3304 | Panel Ejecutador MTA 3.14.exe | 88
  PID 644 wrote to memory of 4692 | 644 | chrome.exe | 90
  PID 644 wrote to memory of 4692 | 644 | chrome.exe | 90
  PID 644 wrote to memory of 2420 | 644 | chrome.exe | 91
  PID 644 wrote to memory of 2420 | 644 | chrome.exe | 91
  PID 644 wrote to memory of 2420 | 644 | chrome.exe | 91
  PID 644 wrote to memory of 2420 | 644 | chrome.exe | 91
  PID 644 wrote to memory of 2420 | 644 | chrome.exe | 91
  PID 644 wrote to memory of 2420 | 644 | chrome.exe | 91
  PID 644 wrote to memory of 2420 | 644 | chrome.exe | 91
  PID 644 wrote to memory of 2420 | 644 | chrome.exe | 91
  PID 644 wrote to memory of 2420 | 644 | chrome.exe | 91
  PID 644 wrote to memory of 2420 | 644 | chrome.exe | 91
  PID 644 wrote to memory of 2420 | 644 | chrome.exe | 91
  PID 644 wrote to memory of 2420 | 644 | chrome.exe | 91
  PID 644 wrote to memory of 2420 | 644 | chrome.exe | 91
  PID 644 wrote to memory of 2420 | 644 | chrome.exe | 91
  PID 644 wrote to memory of 2420 | 644 | chrome.exe | 91
  PID 644 wrote to memory of 2420 | 644 | chrome.exe | 91
  PID 644 wrote to memory of 2420 | 644 | chrome.exe | 91
  PID 644 wrote to memory of 2420 | 644 | chrome.exe | 91
  PID 644 wrote to memory of 2420 | 644 | chrome.exe | 91
  PID 644 wrote to memory of 2420 | 644 | chrome.exe | 91
  PID 644 wrote to memory of 2420 | 644 | chrome.exe | 91
  PID 644 wrote to memory of 2420 | 644 | chrome.exe | 91
  PID 644 wrote to memory of 2420 | 644 | chrome.exe | 91
  PID 644 wrote to memory of 2420 | 644 | chrome.exe | 91
  PID 644 wrote to memory of 2420 | 644 | chrome.exe | 91
  PID 644 wrote to memory of 2420 | 644 | chrome.exe | 91
  PID 644 wrote to memory of 2420 | 644 | chrome.exe | 91
  PID 644 wrote to memory of 2420 | 644 | chrome.exe | 91
  PID 644 wrote to memory of 2420 | 644 | chrome.exe | 91
  PID 644 wrote to memory of 2420 | 644 | chrome.exe | 91
  PID 644 wrote to memory of 2472 | 644 | chrome.exe | 92
  PID 644 wrote to memory of 2472 | 644 | chrome.exe | 92
  PID 644 wrote to memory of 3500 | 644 | chrome.exe | 93
  PID 644 wrote to memory of 3500 | 644 | chrome.exe | 93
  PID 644 wrote to memory of 3500 | 644 | chrome.exe | 93
  PID 644 wrote to memory of 3500 | 644 | chrome.exe | 93
  PID 644 wrote to memory of 3500 | 644 | chrome.exe | 93
  PID 644 wrote to memory of 3500 | 644 | chrome.exe | 93
  PID 644 wrote to memory of 3500 | 644 | chrome.exe | 93
  PID 644 wrote to memory of 3500 | 644 | chrome.exe | 93
  PID 644 wrote to memory of 3500 | 644 | chrome.exe | 93
  PID 644 wrote to memory of 3500 | 644 | chrome.exe | 93
  PID 644 wrote to memory of 3500 | 644 | chrome.exe | 93
  PID 644 wrote to memory of 3500 | 644 | chrome.exe | 93
  PID 644 wrote to memory of 3500 | 644 | chrome.exe | 93
  PID 644 wrote to memory of 3500 | 644 | chrome.exe | 93
  PID 644 wrote to memory of 3500 | 644 | chrome.exe | 93
  PID 644 wrote to memory of 3500 | 644 | chrome.exe | 93
  PID 644 wrote to memory of 3500 | 644 | chrome.exe | 93
  PID 644 wrote to memory of 3500 | 644 | chrome.exe | 93
  PID 644 wrote to memory of 3500 | 644 | chrome.exe | 93
  PID 644 wrote to memory of 3500 | 644 | chrome.exe | 93
  PID 644 wrote to memory of 3500 | 644 | chrome.exe | 93
  PID 644 wrote to memory of 3500 | 644 | chrome.exe | 93
  PID 644 wrote to memory of 3500 | 644 | chrome.exe | 93
  PID 644 wrote to memory of 3500 | 644 | chrome.exe | 93
  PID 644 wrote to memory of 3500 | 644 | chrome.exe | 93
  PID 644 wrote to memory of 3500 | 644 | chrome.exe | 93

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree; indentation shows parent/child depth)

C:\Program Files\7-Zip\7zFM.exe
  command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Panel Ejecutador MTA 3.14.zip"
  PID: 1596
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Users\Admin\Desktop\Panel Ejecutador MTA 3.14.exe
  command line: "C:\Users\Admin\Desktop\Panel Ejecutador MTA 3.14.exe"
  PID: 3304
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\schtasks.exe
      command line: "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
      PID: 560
      - Scheduled Task/Job: Scheduled Task

    C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe
      command line: "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe"
      PID: 3816
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

        C:\Windows\SYSTEM32\schtasks.exe
          command line: "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
          PID: 1172
          - Scheduled Task/Job: Scheduled Task

C:\Program Files\Google\Chrome\Application\chrome.exe
  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  PID: 644
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff992d2cc40,0x7ff992d2cc4c,0x7ff992d2cc58
      PID: 4692

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1944,i,11505760719051758780,2828342631622809608,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1940 /prefetch:2
      PID: 2420

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2172,i,11505760719051758780,2828342631622809608,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2228 /prefetch:3
      PID: 2472

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2284,i,11505760719051758780,2828342631622809608,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2240 /prefetch:8
      PID: 3500

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,11505760719051758780,2828342631622809608,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3200 /prefetch:1
      PID: 812

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,11505760719051758780,2828342631622809608,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3228 /prefetch:1
      PID: 3144

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4548,i,11505760719051758780,2828342631622809608,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4564 /prefetch:1
      PID: 2004

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4356,i,11505760719051758780,2828342631622809608,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4476 /prefetch:1
      PID: 3520

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4992,i,11505760719051758780,2828342631622809608,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5036 /prefetch:8
      PID: 3104

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5096,i,11505760719051758780,2828342631622809608,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3344 /prefetch:8
      PID: 2136

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  PID: 3532

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
  PID: 3984
Network
MITRE ATT&CK Enterprise v15
Downloads