Analysis

max time kernel: 146s
max time network: 151s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 18-12-2024 06:30
Behavioral task: behavioral1
Sample: SGVP Client program.exe
Resource: win7-20241023-en
General

Target: SGVP Client program.exe
Size: 3.1MB
MD5: 1ece671b499dd687e3154240e73ff8a0
SHA1: f66daf528e91d1d0050f93ad300447142d8d48bc
SHA256: c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1
SHA512: 0cb5d1084e5e8ec0c30e6d5c559f5a0fd509f96bd5cec7b311d72b8d279e2ffcd9ffbbacb5b428d5ee84aa339743535db0d70afaa3008c6d46508ccaae37adcc
SSDEEP: 49152:7vTz92YpaQI6oPZlhP3ReybewoqC01JWRoGdl2XTHHB72eh2NT:7vn92YpaQI6oPZlhP3YybewoqCZ
Malware Config

Extracted: quasar
version: 1.4.1
tag: SGVP
hosts (C2):
- 192.168.1.9:4782
- 150.129.206.176:4782
- Ai-Sgvp-33452.portmap.host:33452
mutex: eeeb55fc-ba05-43e4-97f6-732f35b891b4
encryption_key: 09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name: User Application Data.exe
log_directory: Logs
reconnect_delay: 3000 (ms)
startup_key: Windowns Client Startup
subdirectory: Quasar

subdirectory and install_name resolve to C:\Program Files\Quasar\User Application Data.exe, and startup_key is the scheduled task name; both match what the process tree below records. Of the three hosts, 192.168.1.9 is a private (RFC 1918) address and Ai-Sgvp-33452.portmap.host is a portmap.host port-forwarding hostname, so 150.129.206.176:4782 and the portmap.host name are the indicators usable outside the operator's own LAN.
Signatures
-
Quasar family
-
Quasar payload 5 IoCs
resource | yara_rule
- behavioral1/memory/1672-1-0x0000000000280000-0x00000000005A4000-memory.dmp | family_quasar
- behavioral1/files/0x0009000000015d2a-6.dat | family_quasar
- behavioral1/memory/2280-10-0x0000000000270000-0x0000000000594000-memory.dmp | family_quasar
- behavioral1/memory/3060-24-0x0000000000040000-0x0000000000364000-memory.dmp | family_quasar
- behavioral1/memory/664-35-0x00000000013D0000-0x00000000016F4000-memory.dmp | family_quasar

Executes dropped EXE 3 IoCs
pid | Process
- 2280 | User Application Data.exe
- 3060 | User Application Data.exe
- 664 | User Application Data.exe

Drops file in Program Files directory 9 IoCs
description | ioc | Process
- File created | C:\Program Files\Quasar\User Application Data.exe | SGVP Client program.exe
- File opened for modification | C:\Program Files\Quasar\User Application Data.exe | User Application Data.exe
- File opened for modification | C:\Program Files\Quasar | User Application Data.exe
- File opened for modification | C:\Program Files\Quasar | User Application Data.exe
- File opened for modification | C:\Program Files\Quasar\User Application Data.exe | User Application Data.exe
- File opened for modification | C:\Program Files\Quasar | User Application Data.exe
- File opened for modification | C:\Program Files\Quasar\User Application Data.exe | SGVP Client program.exe
- File opened for modification | C:\Program Files\Quasar | SGVP Client program.exe
- File opened for modification | C:\Program Files\Quasar\User Application Data.exe | User Application Data.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems. Both hits here are `ping -n 10 localhost` issued from the dropped batch files, which waits roughly nine seconds before the implant is relaunched; it is a delay, not a connectivity check, so the TTP mapping does not describe this sample's intent.
pid | Process
- 1416 | PING.EXE
- 2580 | PING.EXE

Runs ping.exe 1 TTPs 2 IoCs
pid | Process
- 1416 | PING.EXE
- 2580 | PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
- 2220 | schtasks.exe
- 948 | schtasks.exe
- 2044 | schtasks.exe
- 3056 | schtasks.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
- Token: SeDebugPrivilege | 1672 | SGVP Client program.exe
- Token: SeDebugPrivilege | 2280 | User Application Data.exe
- Token: SeDebugPrivilege | 3060 | User Application Data.exe
- Token: SeDebugPrivilege | 664 | User Application Data.exe
Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
- 2280 | User Application Data.exe
- 3060 | User Application Data.exe
- 664 | User Application Data.exe
Suspicious use of WriteProcessMemory 39 IoCs
description | pid | Process | procid_target (each pair is logged three times; 13 distinct pairs make up the 39 IoCs)
- PID 1672 wrote to memory of 3056 | 1672 | SGVP Client program.exe | 30
- PID 1672 wrote to memory of 2280 | 1672 | SGVP Client program.exe | 32
- PID 2280 wrote to memory of 2220 | 2280 | User Application Data.exe | 33
- PID 2280 wrote to memory of 2536 | 2280 | User Application Data.exe | 36
- PID 2536 wrote to memory of 1760 | 2536 | cmd.exe | 38
- PID 2536 wrote to memory of 1416 | 2536 | cmd.exe | 39
- PID 2536 wrote to memory of 3060 | 2536 | cmd.exe | 40
- PID 3060 wrote to memory of 948 | 3060 | User Application Data.exe | 41
- PID 3060 wrote to memory of 2052 | 3060 | User Application Data.exe | 43
- PID 2052 wrote to memory of 3008 | 2052 | cmd.exe | 45
- PID 2052 wrote to memory of 2580 | 2052 | cmd.exe | 46
- PID 2052 wrote to memory of 664 | 2052 | cmd.exe | 47
- PID 664 wrote to memory of 2044 | 664 | User Application Data.exe | 48

Every target PID is a direct child of the writing process in the process tree below, so these writes are consistent with ordinary process creation by the parent rather than injection into an unrelated process.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

1 C:\Users\Admin\AppData\Local\Temp\SGVP Client program.exe (PID 1672)
  command line: "C:\Users\Admin\AppData\Local\Temp\SGVP Client program.exe"
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  2 C:\Windows\system32\schtasks.exe (PID 3056)
    command line: "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
  2 C:\Program Files\Quasar\User Application Data.exe (PID 2280)
    command line: "C:\Program Files\Quasar\User Application Data.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    3 C:\Windows\system32\schtasks.exe (PID 2220)
      command line: "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
    3 C:\Windows\system32\cmd.exe (PID 2536)
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Lrttbvw24mwN.bat" "
      - Suspicious use of WriteProcessMemory
      4 C:\Windows\system32\chcp.com (PID 1760)
        command line: chcp 65001
      4 C:\Windows\system32\PING.EXE (PID 1416)
        command line: ping -n 10 localhost
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
      4 C:\Program Files\Quasar\User Application Data.exe (PID 3060)
        command line: "C:\Program Files\Quasar\User Application Data.exe"
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        5 C:\Windows\system32\schtasks.exe (PID 948)
          command line: "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
          - Scheduled Task/Job: Scheduled Task
        5 C:\Windows\system32\cmd.exe (PID 2052)
          command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\pwz6dbqo6rKg.bat" "
          - Suspicious use of WriteProcessMemory
          6 C:\Windows\system32\chcp.com (PID 3008)
            command line: chcp 65001
          6 C:\Windows\system32\PING.EXE (PID 2580)
            command line: ping -n 10 localhost
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
          6 C:\Program Files\Quasar\User Application Data.exe (PID 664)
            command line: "C:\Program Files\Quasar\User Application Data.exe"
            - Executes dropped EXE
            - Drops file in Program Files directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            7 C:\Windows\system32\schtasks.exe (PID 2044)
              command line: "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
              - Scheduled Task/Job: Scheduled Task
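The two things a hunt on this sample should key on are visible in the tree: the repeated schtasks /create with /sc ONLOGON and /rl HIGHEST, and the relaunch chain cmd /c <Temp>\<random>.bat, then chcp 65001, ping -n 10 localhost, then a fresh copy of User Application Data.exe. The Python below is an added example, not part of the sandbox report and not Quasar's or the sandbox's code: it links process-creation records to their parents, parses schtasks /create options and flags logon- or boot-triggered tasks at the highest run level, and flags a cmd.exe running a .bat whose children are a localhost ping and a non-Windows executable. The ProcEvent fields (pid, ppid, image, cmdline) are an assumed normalisation of EDR or Sysmon Event ID 1 records; EVENTS is constructed from the PIDs and command lines in the tree above, plus two invented control processes (PIDs 9001 and 9002) that are not in the report.

```python
"""Link process-creation records to their parents and flag the two behaviours shown
above: schtasks ONLOGON persistence and the chcp / ping localhost / relaunch .bat."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:  # assumed normalisation of EDR / Sysmon Event ID 1 fields
    pid: int
    ppid: int
    image: str
    cmdline: str


IMPLANT = r"C:\Program Files\Quasar\User Application Data.exe"
SCHTASKS = (r'"schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON '
            r'/tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f')
SYS32 = r"C:\Windows\system32"

# Constructed input: the first relaunch cycle of the report's tree (PIDs and command
# lines as listed) plus an invented benign control (9001/9002) that really pings out.
EVENTS = [
    ProcEvent(1672, 1, r"C:\Users\Admin\AppData\Local\Temp\SGVP Client program.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\SGVP Client program.exe"'),
    ProcEvent(3056, 1672, SYS32 + r"\schtasks.exe", SCHTASKS),
    ProcEvent(2280, 1672, IMPLANT, f'"{IMPLANT}"'),
    ProcEvent(2220, 2280, SYS32 + r"\schtasks.exe", SCHTASKS),
    ProcEvent(2536, 2280, SYS32 + r"\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\Lrttbvw24mwN.bat" "'),
    ProcEvent(1760, 2536, SYS32 + r"\chcp.com", "chcp 65001"),
    ProcEvent(1416, 2536, SYS32 + r"\PING.EXE", "ping -n 10 localhost"),
    ProcEvent(3060, 2536, IMPLANT, f'"{IMPLANT}"'),
    ProcEvent(9001, 1, SYS32 + r"\cmd.exe", r'cmd /c "C:\Scripts\netcheck.bat"'),
    ProcEvent(9002, 9001, SYS32 + r"\PING.EXE", "ping -n 2 8.8.8.8"),
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_DELAY = re.compile(r'ping\s+-n\s+(\d+)\s+(localhost|127\.0\.0\.1)\s*$', re.I)


def tokens(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


def parse_schtasks(cmdline: str) -> dict | None:
    """Options of a `schtasks /create` line as {flag: value or True}, else None."""
    t = tokens(cmdline)
    if not t or not re.search(r'schtasks(\.exe)?$', t[0], re.I):
        return None
    opts, i = {}, 1
    while i < len(t):
        if t[i].startswith('/'):
            has_value = i + 1 < len(t) and not t[i + 1].startswith('/')
            opts[t[i][1:].lower()] = t[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            i += 1
    return opts if 'create' in opts else None


def persistence_findings(events: list[ProcEvent]) -> list[dict]:
    """Flag logon/boot-triggered tasks created with the highest run level."""
    out = []
    for e in events:
        opts = parse_schtasks(e.cmdline)
        if opts and str(opts.get('sc', '')).upper() in ('ONLOGON', 'ONSTART') \
                and str(opts.get('rl', '')).upper() == 'HIGHEST':
            out.append({'type': 'schtasks_persistence', 'pid': e.pid, 'task': opts.get('tn'),
                        'target': opts.get('tr'), 'forced': opts.get('f') is True})
    return out


def relaunch_findings(events: list[ProcEvent]) -> list[dict]:
    """Flag cmd /c <x>.bat whose children are a localhost ping and a non-Windows EXE."""
    kids_of: dict[int, list[ProcEvent]] = defaultdict(list)
    for e in events:
        kids_of[e.ppid].append(e)
    out = []
    for e in events:
        bat = re.search(r'([a-z]:\\[^"]+?\.bat)', e.cmdline, re.I)
        if not e.image.lower().endswith('\\cmd.exe') or not bat:
            continue
        kids = kids_of[e.pid]
        delay = next((m for m in (_DELAY.match(k.cmdline) for k in kids) if m), None)
        relaunched = [k.image for k in kids if k.image.lower().endswith('.exe')
                      and not k.image.lower().startswith('c:\\windows\\')]
        if delay and relaunched:
            out.append({'type': 'bat_relauncher', 'pid': e.pid, 'bat': bat.group(1),
                        'sleep_seconds': int(delay.group(1)) - 1,  # ping -n N waits ~N-1 s
                        'relaunched': relaunched,
                        'chcp': any(k.image.lower().endswith('chcp.com') for k in kids)})
    return out


def render_tree(events: list[ProcEvent], root_ppid: int = 1, depth: int = 0) -> list[str]:
    lines = []
    for e in (x for x in events if x.ppid == root_ppid):
        lines.append(f"{'  ' * depth}{e.pid} {e.cmdline}")
        lines += render_tree(events, e.pid, depth + 1)
    return lines
```

To run it on real telemetry, fill EVENTS from the process-creation source and call persistence_findings and relaunch_findings; render_tree reproduces the indented view above from the same records. The relaunch rule keys on structure (a batch file from which a localhost ping and a non-system executable are spawned) rather than on the randomised .bat names, which differ between the two cycles in this run and will differ again on the next one.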
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.1MB (the submitted sample; hashes as under General)
MD5: 1ece671b499dd687e3154240e73ff8a0
SHA1: f66daf528e91d1d0050f93ad300447142d8d48bc
SHA256: c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1
SHA512: 0cb5d1084e5e8ec0c30e6d5c559f5a0fd509f96bd5cec7b311d72b8d279e2ffcd9ffbbacb5b428d5ee84aa339743535db0d70afaa3008c6d46508ccaae37adcc

Filesize: 208B
MD5: ec416fb1742be00376914ee7cc1de866
SHA1: d28983ec321dbe7aa5b0b6f37a761986c4247192
SHA256: 8848aeead975a03a8f2751d8796e99fd74d377ba57bddeee03ff3e2fcb0ab387
SHA512: d956dcfc2ade3d3e5c4c8400be57abe466bfdac7a06435ee745b200f9f22d2c338c1f23b8320d2159cd60e13fa91d2d46207081eb4a6a01514ff14d60068f70c

Filesize: 208B
MD5: 362d8d19f66d737c0725127d9ba01f27
SHA1: 44d0b8a26dde685180fad034657a1027e7d8031e
SHA256: b1c77cdecc076b18e0f8d511f81e968c7486a548734ac8752650ddb1a110924a
SHA512: d8d6cf45fe8c158ce7e432154ef17a30aa55889a78332d47a7544f9ae33acf34f8c8a8ee1a19401b7bd24e5b70ffc6b0fd804881e6eb52fccc064a86f1a354e5