Analysis

Max time kernel: 149s
Max time network: 154s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 18-12-2024 06:30

Behavioral task: behavioral1
Sample: SGVP Client program.exe
Resource: win7-20241023-en

General

Target: SGVP Client program.exe
Size: 3.1MB
MD5: 1ece671b499dd687e3154240e73ff8a0
SHA1: f66daf528e91d1d0050f93ad300447142d8d48bc
SHA256: c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1
SHA512: 0cb5d1084e5e8ec0c30e6d5c559f5a0fd509f96bd5cec7b311d72b8d279e2ffcd9ffbbacb5b428d5ee84aa339743535db0d70afaa3008c6d46508ccaae37adcc
SSDEEP: 49152:7vTz92YpaQI6oPZlhP3ReybewoqC01JWRoGdl2XTHHB72eh2NT:7vn92YpaQI6oPZlhP3YybewoqCZ
Malware Config

Extracted family: quasar
Version: 1.4.1
Campaign/ID: SGVP
C2 addresses:
- 192.168.1.9:4782
- 150.129.206.176:4782
- Ai-Sgvp-33452.portmap.host:33452
Mutex/client ID: eeeb55fc-ba05-43e4-97f6-732f35b891b4
encryption_key: 09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name: User Application Data.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Windowns Client Startup
subdirectory: Quasar
Signatures

Quasar family

Quasar payload (2 IoCs)
resource | yara_rule
behavioral2/memory/3112-1-0x0000000000DB0000-0x00000000010D4000-memory.dmp | family_quasar
behavioral2/files/0x0007000000023cbc-5.dat | family_quasar

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | User Application Data.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | User Application Data.exe

Executes dropped EXE (3 IoCs)
pid | Process
4900 | User Application Data.exe
1952 | User Application Data.exe
3768 | User Application Data.exe

Drops file in Program Files directory (9 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Quasar | SGVP Client program.exe
File opened for modification | C:\Program Files\Quasar | User Application Data.exe
File opened for modification | C:\Program Files\Quasar\User Application Data.exe | User Application Data.exe
File opened for modification | C:\Program Files\Quasar | User Application Data.exe
File created | C:\Program Files\Quasar\User Application Data.exe | SGVP Client program.exe
File opened for modification | C:\Program Files\Quasar\User Application Data.exe | SGVP Client program.exe
File opened for modification | C:\Program Files\Quasar\User Application Data.exe | User Application Data.exe
File opened for modification | C:\Program Files\Quasar | User Application Data.exe
File opened for modification | C:\Program Files\Quasar\User Application Data.exe | User Application Data.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
3320 | PING.EXE
3028 | PING.EXE

Runs ping.exe (1 TTPs, 2 IoCs)
pid | Process
3320 | PING.EXE
3028 | PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTPs, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3332 | schtasks.exe
3204 | schtasks.exe
4424 | schtasks.exe
4348 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3112 | SGVP Client program.exe
Token: SeDebugPrivilege | 4900 | User Application Data.exe
Token: SeDebugPrivilege | 1952 | User Application Data.exe
Token: SeDebugPrivilege | 3768 | User Application Data.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
4900 | User Application Data.exe
1952 | User Application Data.exe
3768 | User Application Data.exe

Suspicious use of WriteProcessMemory (26 IoCs)
description | pid | Process | procid_target
PID 3112 wrote to memory of 3332 | 3112 | SGVP Client program.exe | 83
PID 3112 wrote to memory of 3332 | 3112 | SGVP Client program.exe | 83
PID 3112 wrote to memory of 4900 | 3112 | SGVP Client program.exe | 85
PID 3112 wrote to memory of 4900 | 3112 | SGVP Client program.exe | 85
PID 4900 wrote to memory of 3204 | 4900 | User Application Data.exe | 86
PID 4900 wrote to memory of 3204 | 4900 | User Application Data.exe | 86
PID 4900 wrote to memory of 4392 | 4900 | User Application Data.exe | 106
PID 4900 wrote to memory of 4392 | 4900 | User Application Data.exe | 106
PID 4392 wrote to memory of 1384 | 4392 | cmd.exe | 108
PID 4392 wrote to memory of 1384 | 4392 | cmd.exe | 108
PID 4392 wrote to memory of 3320 | 4392 | cmd.exe | 109
PID 4392 wrote to memory of 3320 | 4392 | cmd.exe | 109
PID 4392 wrote to memory of 1952 | 4392 | cmd.exe | 111
PID 4392 wrote to memory of 1952 | 4392 | cmd.exe | 111
PID 1952 wrote to memory of 4424 | 1952 | User Application Data.exe | 112
PID 1952 wrote to memory of 4424 | 1952 | User Application Data.exe | 112
PID 1952 wrote to memory of 2380 | 1952 | User Application Data.exe | 115
PID 1952 wrote to memory of 2380 | 1952 | User Application Data.exe | 115
PID 2380 wrote to memory of 1064 | 2380 | cmd.exe | 117
PID 2380 wrote to memory of 1064 | 2380 | cmd.exe | 117
PID 2380 wrote to memory of 3028 | 2380 | cmd.exe | 118
PID 2380 wrote to memory of 3028 | 2380 | cmd.exe | 118
PID 2380 wrote to memory of 3768 | 2380 | cmd.exe | 120
PID 2380 wrote to memory of 3768 | 2380 | cmd.exe | 120
PID 3768 wrote to memory of 4348 | 3768 | User Application Data.exe | 121
PID 3768 wrote to memory of 4348 | 3768 | User Application Data.exe | 121

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Process tree (depth shown in brackets; child processes are indented under their parent):

[1] C:\Users\Admin\AppData\Local\Temp\SGVP Client program.exe (PID 3112)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SGVP Client program.exe"
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SYSTEM32\schtasks.exe (PID 3332)
        Command line: "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
        - Scheduled Task/Job: Scheduled Task

    [2] C:\Program Files\Quasar\User Application Data.exe (PID 4900)
        Command line: "C:\Program Files\Quasar\User Application Data.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SYSTEM32\schtasks.exe (PID 3204)
            Command line: "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
            - Scheduled Task/Job: Scheduled Task

        [3] C:\Windows\system32\cmd.exe (PID 4392)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZBfRBDy2fifR.bat" "
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\chcp.com (PID 1384)
                Command line: chcp 65001

            [4] C:\Windows\system32\PING.EXE (PID 3320)
                Command line: ping -n 10 localhost
                - System Network Configuration Discovery: Internet Connection Discovery
                - Runs ping.exe

            [4] C:\Program Files\Quasar\User Application Data.exe (PID 1952)
                Command line: "C:\Program Files\Quasar\User Application Data.exe"
                - Checks computer location settings
                - Executes dropped EXE
                - Drops file in Program Files directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SYSTEM32\schtasks.exe (PID 4424)
                    Command line: "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
                    - Scheduled Task/Job: Scheduled Task

                [5] C:\Windows\system32\cmd.exe (PID 2380)
                    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ozHGLl9mBqud.bat" "
                    - Suspicious use of WriteProcessMemory

                    [6] C:\Windows\system32\chcp.com (PID 1064)
                        Command line: chcp 65001

                    [6] C:\Windows\system32\PING.EXE (PID 3028)
                        Command line: ping -n 10 localhost
                        - System Network Configuration Discovery: Internet Connection Discovery
                        - Runs ping.exe

                    [6] C:\Program Files\Quasar\User Application Data.exe (PID 3768)
                        Command line: "C:\Program Files\Quasar\User Application Data.exe"
                        - Executes dropped EXE
                        - Drops file in Program Files directory
                        - Suspicious use of AdjustPrivilegeToken
                        - Suspicious use of SetWindowsHookEx
                        - Suspicious use of WriteProcessMemory

                        [7] C:\Windows\SYSTEM32\schtasks.exe (PID 4348)
                            Command line: "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
                            - Scheduled Task/Job: Scheduled Task