Analysis
max time kernel: 449s
max time network: 448s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241211-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 20/12/2024, 18:04
General
Target: FlashingSoftwarePRO.exe
Size: 3.1MB
MD5: 01b593d42afdc4c563d829eedbd0b8d1
SHA1: 42eb59ab234af1438967e89d19e9e7bfed709f81
SHA256: 0976dd6bd5b60f14458df0a909f7013ccd2d21b509d105dfe7c9f12b14152420
SHA512: 67fdf8ea3be4709cd897fb7f7b0dc62b64ec1d52fadfaee5baa934191325cb91a8f7d42dd154c44962a2ccdd0ebd552711fb71d65fdba699a78c32d10a204ca1
SSDEEP: 49152:gv/go2QSaNpzyPllgamb0CZof/J3CY1JnpoGdxTHHB72eh2NT:gvoo2QSaNpzyPllgamYCZof/J3Cm
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: svchost
C2:
  air-specials.gl.at.ply.gg:4782
  air-specials.gl.at.ply.gg:38318
  kalewone-55458.portmap.host:55458
  kalewone-55458.portmap.host:4782
Mutex: d251c3ed-b70d-4ab6-b393-9de80125c75e
encryption_key: BDB44181C868606DFCA1741A69056AAA62DADEFC
install_name: svchost.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: RuntimeBroker
subdirectory: System32
Signatures
Quasar family
Quasar payload 2 IoCs
resource | yara_rule
behavioral1/memory/4652-1-0x0000000000A70000-0x0000000000D94000-memory.dmp | family_quasar
behavioral1/files/0x0028000000046187-3.dat | family_quasar
Executes dropped EXE 2 IoCs
pid | Process
3496 | svchost.exe
4576 | svchost.exe
Drops file in System32 directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\System32 | svchost.exe
File created | C:\Windows\system32\System32\svchost.exe | FlashingSoftwarePRO.exe
File opened for modification | C:\Windows\system32\System32 | FlashingSoftwarePRO.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Modifies registry class 5 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | taskmgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | taskmgr.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000_Classes\Local Settings | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | taskmgr.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4248 | schtasks.exe
3060 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1256 | taskmgr.exe (64 identical entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
1256 | taskmgr.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4652 | FlashingSoftwarePRO.exe
Token: SeDebugPrivilege | 3496 | svchost.exe
Token: SeDebugPrivilege | 1256 | taskmgr.exe
Token: SeSystemProfilePrivilege | 1256 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 1256 | taskmgr.exe
Token: SeDebugPrivilege | 4576 | svchost.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
1256 | taskmgr.exe (64 identical entries)
Suspicious use of SendNotifyMessage 64 IoCs
pid | Process
1256 | taskmgr.exe (64 identical entries)
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
3496 | svchost.exe
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 4652 wrote to memory of 4248 | 4652 | FlashingSoftwarePRO.exe | 84
PID 4652 wrote to memory of 4248 | 4652 | FlashingSoftwarePRO.exe | 84
PID 4652 wrote to memory of 3496 | 4652 | FlashingSoftwarePRO.exe | 86
PID 4652 wrote to memory of 3496 | 4652 | FlashingSoftwarePRO.exe | 86
PID 3496 wrote to memory of 3060 | 3496 | svchost.exe | 87
PID 3496 wrote to memory of 3060 | 3496 | svchost.exe | 87
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\FlashingSoftwarePRO.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\FlashingSoftwarePRO.exe"
  PID: 4652
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
    PID: 4248
    - Scheduled Task/Job: Scheduled Task
  - C:\Windows\system32\System32\svchost.exe
    Command line: "C:\Windows\system32\System32\svchost.exe"
    PID: 3496
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
      PID: 3060
      - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 1256
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2088
- C:\Windows\System32\System32\svchost.exe
  Command line: "C:\Windows\System32\System32\svchost.exe"
  PID: 4576
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.1MB
MD5: 01b593d42afdc4c563d829eedbd0b8d1
SHA1: 42eb59ab234af1438967e89d19e9e7bfed709f81
SHA256: 0976dd6bd5b60f14458df0a909f7013ccd2d21b509d105dfe7c9f12b14152420
SHA512: 67fdf8ea3be4709cd897fb7f7b0dc62b64ec1d52fadfaee5baa934191325cb91a8f7d42dd154c44962a2ccdd0ebd552711fb71d65fdba699a78c32d10a204ca1