Analysis
max time kernel: 8s
max time network: 9s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-12-2024 21:52
General
Target: anotherport.exe
Size: 3.1MB
MD5: 886cbf1c76a1c72243b8b5b09d8130bf
SHA1: 294ec2078c9d08f907f8c7bfb5559e5748949c9f
SHA256: af68c805613ad9d44fe9e4bc4ccd30ba8d374b6faf129a7210c6384416be3ef9
SHA512: afa34cbda23d4be19c8cb940f2708eee6c3eb67c98cf2a3264a8f6b33b7ed2989be150eb62ef396eaabd73105bd5be1ea3bdc5b5834d772e5342a5f3c083fc34
SSDEEP: 49152:DvGI22SsaNYfdPBldt698dBcjH4Q8RJ6KbR3LoGdpKTHHB72eh2NT:DvL22SsaNYfdPBldt6+dBcjH4Q8RJ6k
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Axotrojan
C2: 193.161.193.99:46972
Mutex: 26f86d86-6a8f-46ae-bb91-fc1127efd3f6
Attributes:
  encryption_key: 4B13DC71783277444E966E1D66F9171ABFC15E88
  install_name: Clientformyslut.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Axo startup
  subdirectory: SubDir
Signatures

Quasar family

Quasar payload (2 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/2112-1-0x00000000003B0000-0x00000000006D4000-memory.dmp  family_quasar
  behavioral1/files/0x0007000000023c92-5.dat                                  family_quasar

Executes dropped EXE (1 IoC)
  pid   Process
  3724  Clientformyslut.exe

Drops file in System32 directory (2 IoCs)
  description                   ioc                                             Process
  File created                  C:\Windows\system32\SubDir\Clientformyslut.exe  anotherport.exe
  File opened for modification  C:\Windows\system32\SubDir\Clientformyslut.exe  anotherport.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  916   schtasks.exe
  2324  schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2112  anotherport.exe
  Token: SeDebugPrivilege  3724  Clientformyslut.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  3724  Clientformyslut.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process              procid_target
  PID 2112 wrote to memory of 916    2112  anotherport.exe      83
  PID 2112 wrote to memory of 916    2112  anotherport.exe      83
  PID 2112 wrote to memory of 3724   2112  anotherport.exe      85
  PID 2112 wrote to memory of 3724   2112  anotherport.exe      85
  PID 3724 wrote to memory of 2324   3724  Clientformyslut.exe  86
  PID 3724 wrote to memory of 2324   3724  Clientformyslut.exe  86

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\anotherport.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\anotherport.exe"
  PID: 2112
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\schtasks.exe
      command line: "schtasks" /create /tn "Axo startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Clientformyslut.exe" /rl HIGHEST /f
      PID: 916
      - Scheduled Task/Job: Scheduled Task

    C:\Windows\system32\SubDir\Clientformyslut.exe
      command line: "C:\Windows\system32\SubDir\Clientformyslut.exe"
      PID: 3724
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\SYSTEM32\schtasks.exe
          command line: "schtasks" /create /tn "Axo startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Clientformyslut.exe" /rl HIGHEST /f
          PID: 2324
          - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15