Analysis
max time kernel: 36s
max time network: 38s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-12-2024 21:49
Behavioral task: behavioral1
Sample: friends forever.exe
Resource: win10v2004-20241007-en
General
Target: friends forever.exe
Size: 3.1MB
MD5: ea836fb4533514a9a0e7e1b79378844d
SHA1: efda5af5b9ee2d3c6f799e23435a1a4b741232e3
SHA256: 6f7eb9b82b545931d07d4763a819578e3161f3df295dfcbf6c831be04ee2e61d
SHA512: c116e25c1c4550b4ba66137b442d2b7f372a0ac0f27f016e4e86e81b7c0d3f43c964fac5e8fe611690ea44d3caf27911a135ee3f4e44d8b872ec48576f68623a
SSDEEP: 98304:nvSL26AaNeWgPhlmVqkQ7XSKctFxwnys:vC4SR3x0y
Malware Config
Extracted
family: quasar
version: 1.4.1
botnet: Click Lover
c2: 193.161.193.99:44422
mutex: 98bd51bf-11bf-416b-a912-36f489dfdd26
encryption_key: 2E11DF8B2B2BF1F6C123C50C37AB3BD9FF752BD5
install_name: Video Application.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Video Application
subdirectory: SubDir
Signatures
Quasar family
Quasar payload (2 IoCs)
  resource                                                                   yara_rule
  behavioral1/memory/5020-1-0x0000000000E00000-0x0000000001124000-memory.dmp  family_quasar
  behavioral1/files/0x0008000000023cc1-6.dat                                 family_quasar
Executes dropped EXE (1 IoC)
  pid   process
  2652  Video Application.exe
Drops file in System32 directory (5 IoCs)
  description                   ioc                                                process
  File created                  C:\Windows\system32\SubDir\Video Application.exe   friends forever.exe
  File opened for modification  C:\Windows\system32\SubDir\Video Application.exe   friends forever.exe
  File opened for modification  C:\Windows\system32\SubDir                         friends forever.exe
  File opened for modification  C:\Windows\system32\SubDir\Video Application.exe   Video Application.exe
  File opened for modification  C:\Windows\system32\SubDir                         Video Application.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process
  4328  schtasks.exe
  2740  schtasks.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  5020  friends forever.exe
  Token: SeDebugPrivilege  2652  Video Application.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  2652  Video Application.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   process                procid_target
  PID 5020 wrote to memory of 4328  5020  friends forever.exe    83
  PID 5020 wrote to memory of 4328  5020  friends forever.exe    83
  PID 5020 wrote to memory of 2652  5020  friends forever.exe    85
  PID 5020 wrote to memory of 2652  5020  friends forever.exe    85
  PID 2652 wrote to memory of 2740  2652  Video Application.exe  86
  PID 2652 wrote to memory of 2740  2652  Video Application.exe  86
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\friends forever.exe (PID 5020)
  command line: "C:\Users\Admin\AppData\Local\Temp\friends forever.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\schtasks.exe (PID 4328, child of 5020)
    command line: "schtasks" /create /tn "Video Application" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Video Application.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
  C:\Windows\system32\SubDir\Video Application.exe (PID 2652, child of 5020)
    command line: "C:\Windows\system32\SubDir\Video Application.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SYSTEM32\schtasks.exe (PID 2740, child of 2652)
      command line: "schtasks" /create /tn "Video Application" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Video Application.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
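Added example, not part of the sandbox report or of the Quasar project: a Python triage pass over host telemetry that mirrors the process tree above. It matches the report-specific indicators from the extracted config and signatures (the C2 socket, the install path under system32\SubDir, the task name) and adds two generic heuristics for the persistence the sample used: a schtasks /create with a logon or boot trigger, /rl HIGHEST and /f whose /tr target lives outside an allowlisted directory, and schtasks.exe launched by a parent that itself lives outside those directories. The record schema (event, pid, image, cmdline, parent_image, path, dst, dport), the TRUSTED_DIRS allowlist and the benign control record are my assumptions; the telemetry records are constructed from the report, and the network record is constructed only to exercise the C2 rule, since the report's own Network section is empty.

```python
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Indicators taken from the report: extracted Quasar config + process tree.
C2_HOST, C2_PORT = "193.161.193.99", 44422
INSTALL_PATH = r"C:\Windows\system32\SubDir\Video Application.exe"
TASK_NAME = "Video Application"
SCHTASKS_CMD = f'"schtasks" /create /tn "{TASK_NAME}" /sc ONLOGON /tr "{INSTALL_PATH}" /rl HIGHEST /f'

# Assumed allowlist: direct children of these dirs (any descendant for Program
# Files) are unremarkable as task targets or as parents of schtasks.exe.
TRUSTED_DIRS = [PureWindowsPath(p) for p in (
    r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows",
    r"C:\Program Files", r"C:\Program Files (x86)")]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # a quoted span or a bare word


def in_trusted_dir(exe: str) -> bool:
    """PureWindowsPath compares case-insensitively, so system32 == System32."""
    parent = PureWindowsPath(exe).parent
    for d in TRUSTED_DIRS:
        if parent == d:  # exact parent match: a SubDir under System32 does NOT qualify
            return True
        if d.name.startswith("Program Files") and d in parent.parents:
            return True
    return False


def target_exe(tr: str) -> str:
    """Executable part of a /tr value, which may carry inner quotes and arguments."""
    m = re.match(r'\s*"?(.+?\.exe)\b', tr, re.IGNORECASE)
    return m.group(1) if m else tr


def parse_schtasks_create(cmdline: str) -> dict | None:
    """Options of a `schtasks /create` command line, or None if it is not one."""
    tokens = [q or w for q, w in _TOKEN.findall(cmdline)]
    if not tokens or PureWindowsPath(tokens[0]).stem.lower() != "schtasks":
        return None
    if not any(t.lower() == "/create" for t in tokens[1:]):
        return None
    opts: dict = {"/f": False}
    i = 1
    while i < len(tokens):
        t = tokens[i].lower()
        if t == "/f":
            opts["/f"] = True
        elif t in ("/tn", "/sc", "/tr", "/rl", "/ru") and i + 1 < len(tokens):
            opts[t] = tokens[i + 1]
            i += 1
        i += 1
    return opts


def check_event(ev: dict) -> list[str]:
    """Names of the rules one telemetry record trips (record schema is my own)."""
    hits: list[str] = []
    if ev["event"] == "process":
        opts = parse_schtasks_create(ev["cmdline"])
        if opts:
            boot_trigger = opts.get("/sc", "").upper() in ("ONLOGON", "ONSTART")
            highest = opts.get("/rl", "").upper() == "HIGHEST"
            tr = opts.get("/tr", "")
            # Generic: run at logon/boot, highest privilege, forced overwrite, untrusted target.
            if boot_trigger and highest and opts["/f"] and tr and not in_trusted_dir(target_exe(tr)):
                hits.append("schtasks_highest_logon_untrusted_target")
            if opts.get("/tn") == TASK_NAME:  # report-specific IoC
                hits.append("quasar_task_name")
            if ev.get("parent_image") and not in_trusted_dir(ev["parent_image"]):
                hits.append("schtasks_spawned_from_untrusted_dir")
    elif ev["event"] == "file_create":
        if PureWindowsPath(ev["path"]) == PureWindowsPath(INSTALL_PATH):
            hits.append("quasar_install_path")
    elif ev["event"] == "network":
        if (ev["dst"], ev["dport"]) == (C2_HOST, C2_PORT):
            hits.append("quasar_c2")
    return hits


def triage(events: list[dict]) -> dict[int, list[str]]:
    """pid -> rules tripped, in event order; pids with no hits are omitted."""
    out: dict[int, list[str]] = {}
    for ev in events:
        for h in check_event(ev):
            out.setdefault(ev["pid"], []).append(h)
    return out


# Constructed records mirroring the report's process tree. The network record is
# constructed (the report's Network section is empty); the last record is a
# benign control (a daily updater task from an admin shell) that must not fire.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\friends forever.exe"
EVENTS = [
    {"event": "process", "pid": 5020, "image": DROPPER, "cmdline": f'"{DROPPER}"', "parent_image": ""},
    {"event": "file_create", "pid": 5020, "image": DROPPER, "path": INSTALL_PATH},
    {"event": "process", "pid": 4328, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": SCHTASKS_CMD, "parent_image": DROPPER},
    {"event": "process", "pid": 2652, "image": INSTALL_PATH, "cmdline": f'"{INSTALL_PATH}"',
     "parent_image": DROPPER},
    {"event": "process", "pid": 2740, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": SCHTASKS_CMD, "parent_image": INSTALL_PATH},
    {"event": "network", "pid": 2652, "image": INSTALL_PATH, "dst": C2_HOST, "dport": C2_PORT},
    {"event": "process", "pid": 6001, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": '"schtasks" /create /tn "Acme Updater" /sc DAILY /tr "C:\\Program Files\\Acme\\updater.exe"',
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for pid, rules in triage(EVENTS).items():
        print(pid, ", ".join(rules))
```

Running it lists PIDs 5020, 4328, 2652 and 2740 with their hits and stays silent on the benign 6001 record. The allowlist check is deliberately exact-parent rather than prefix-based: this sample drops into a SubDir beneath system32, and a prefix match on C:\Windows would have treated that as a trusted location. To use it on real data, replace EVENTS with records built from Sysmon event IDs 1, 11 and 3 (or Security 4688 plus network telemetry) mapped onto the same field names.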
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.1MB
MD5: ea836fb4533514a9a0e7e1b79378844d
SHA1: efda5af5b9ee2d3c6f799e23435a1a4b741232e3
SHA256: 6f7eb9b82b545931d07d4763a819578e3161f3df295dfcbf6c831be04ee2e61d
SHA512: c116e25c1c4550b4ba66137b442d2b7f372a0ac0f27f016e4e86e81b7c0d3f43c964fac5e8fe611690ea44d3caf27911a135ee3f4e44d8b872ec48576f68623a