Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-01-2025 15:20
Behavioral task: behavioral1
Sample: Updater.exe
Resource: win7-20240903-en
General
Target: Updater.exe
Size: 3.2MB
MD5: bde27400071e8114a50e49c7a7d5aca3
SHA1: e8ba2d9c033467c5b9bc68f3646da6d24ab18bec
SHA256: cf69d61f1cba5ad3feb85ba91931d37ae5862eb2a7d5d9f5ab10b8817139cdcc
SHA512: 13be08ea18cc1859f5bcc2f8346d1772e232ab9380a80e20116183f880fc21999b520e91c1206faffbbd60111b12567e99ed4807d219d409f9848cd7c5596cbf
SSDEEP: 49152:zvTI22SsaNYfdPBldt698dBcjH01xY1v4LoG2Y8THHB72eh2NT:zvs22SsaNYfdPBldt6+dBcjH01xj
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: nukedrust-59850.portmap.host:59850
Mutex: e18b24bb-41a4-4371-91a7-7a5c163c4d80
Attributes
encryption_key: D1BE981B0A025276CA1B60203BDCB46D48C43278
install_name: svchost.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Update.exe
subdirectory: modules
Signatures
Quasar family
Quasar payload (2 IoCs)
resource | yara_rule
behavioral2/memory/640-1-0x0000000000E50000-0x0000000001190000-memory.dmp | family_quasar
behavioral2/files/0x0007000000023ca6-5.dat | family_quasar
Executes dropped EXE (1 IoC)
pid | Process
1756 | svchost.exe
Drops file in System32 directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\modules | svchost.exe
File created | C:\Windows\system32\modules\svchost.exe | Updater.exe
File opened for modification | C:\Windows\system32\modules\svchost.exe | Updater.exe
File opened for modification | C:\Windows\system32\modules | Updater.exe
File opened for modification | C:\Windows\system32\modules\svchost.exe | svchost.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
828 | schtasks.exe
3672 | schtasks.exe
Suspicious behavior: LoadsDriver (6 IoCs)
pid | Process
4 | Process not Found
4 | Process not Found
4 | Process not Found
4 | Process not Found
4 | Process not Found
656 | Process not Found
Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 640 | Updater.exe
Token: SeDebugPrivilege | 1756 | svchost.exe
Token: 33 | 1664 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1664 | AUDIODG.EXE
Token: SeManageVolumePrivilege | 808 | svchost.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
1756 | svchost.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 640 wrote to memory of 828 | 640 | Updater.exe | 82
PID 640 wrote to memory of 828 | 640 | Updater.exe | 82
PID 640 wrote to memory of 1756 | 640 | Updater.exe | 84
PID 640 wrote to memory of 1756 | 640 | Updater.exe | 84
PID 1756 wrote to memory of 3672 | 1756 | svchost.exe | 85
PID 1756 wrote to memory of 3672 | 1756 | svchost.exe | 85
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\Updater.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Updater.exe"
  PID: 640
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Image: C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Windows\system32\modules\svchost.exe" /rl HIGHEST /f
    PID: 828
    - Scheduled Task/Job: Scheduled Task
  - Image: C:\Windows\system32\modules\svchost.exe
    Command line: "C:\Windows\system32\modules\svchost.exe"
    PID: 1756
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Image: C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Windows\system32\modules\svchost.exe" /rl HIGHEST /f
      PID: 3672
      - Scheduled Task/Job: Scheduled Task
- Image: C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2896
- Image: C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4f0 0x458
  PID: 1664
  - Suspicious use of AdjustPrivilegeToken
- Image: C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  PID: 808
  - Suspicious use of AdjustPrivilegeToken
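Detection logic for the chain shown in the process tree above, as an added example that is not part of the sandbox report or of Quasar itself. It replays constructed Sysmon-style process-create and file-create events that mirror the tree (constructed input, not the sandbox's own telemetry) through three rules modelled on the report's signatures: an executable dropped under System32 by a process running outside C:\Windows, svchost.exe executing from any directory other than System32 or SysWOW64, and a schtasks /create with an ONLOGON trigger and /rl HIGHEST, correlated with whether the task's /tr target was written earlier in the same trace. The event field names (type, pid, ppid, image, cmdline, target) and the rule names are my own; the legitimate svchost.exe -k UnistackSvcGroup process is included to show the masquerade rule does not fire on a genuine service host.

```python
"""Replay constructed Sysmon-style events through three detections modelled on the
signatures in this report (added example; not sandbox output or Quasar code)."""
import ntpath
import re
from collections import Counter

# Directories a genuine svchost.exe runs from; the same file name anywhere else is a masquerade.
SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM32_PREFIX = "c:\\windows\\system32\\"

# Constructed events mirroring the report's process tree (not real telemetry).
# "type" loosely follows Sysmon Event ID 1 (ProcessCreate) and Event ID 11 (FileCreate).
EVENTS = [
    {"type": "ProcessCreate", "pid": 640, "ppid": 1,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Updater.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Updater.exe"'},
    {"type": "FileCreate", "pid": 640,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Updater.exe",
     "target": r"C:\Windows\system32\modules\svchost.exe"},
    {"type": "ProcessCreate", "pid": 828, "ppid": 640,
     "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'"schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Windows\system32\modules\svchost.exe" /rl HIGHEST /f'},
    {"type": "ProcessCreate", "pid": 1756, "ppid": 640,
     "image": r"C:\Windows\system32\modules\svchost.exe",
     "cmdline": r'"C:\Windows\system32\modules\svchost.exe"'},
    {"type": "ProcessCreate", "pid": 3672, "ppid": 1756,
     "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'"schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Windows\system32\modules\svchost.exe" /rl HIGHEST /f'},
    {"type": "ProcessCreate", "pid": 808, "ppid": 1,  # genuine service host; must not fire
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k UnistackSvcGroup"},
]


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted spans as one argument."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def schtasks_flags(tokens):
    """Map schtasks switches to their values; a switch with no value (/create, /f) maps to True."""
    flags, i = {}, 1  # tokens[0] is the schtasks executable itself
    while i < len(tokens):
        key = tokens[i].lower()
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
        flags[key] = tokens[i + 1] if has_value else True
        i += 2 if has_value else 1
    return flags


def analyze(events):
    """Return one finding per matching event. A scheduled-task finding also records whether
    the task target was created earlier in the same trace (the dropped-payload correlation)."""
    dropped = {e["target"].lower() for e in events if e["type"] == "FileCreate"}
    findings = []
    for e in events:
        image = e["image"].lower()
        if e["type"] == "FileCreate":
            # File written under System32 by a process that is not itself under C:\Windows.
            if e["target"].lower().startswith(SYSTEM32_PREFIX) and not image.startswith("c:\\windows\\"):
                findings.append({"rule": "drops_in_system32", "pid": e["pid"], "path": e["target"]})
            continue
        if ntpath.basename(image) == "svchost.exe" and ntpath.dirname(image) not in SVCHOST_DIRS:
            findings.append({"rule": "svchost_masquerade", "pid": e["pid"], "image": e["image"]})
        if ntpath.basename(image) == "schtasks.exe":
            flags = schtasks_flags(tokenize(e["cmdline"]))
            trigger = str(flags.get("/sc", "")).upper()
            level = str(flags.get("/rl", "")).upper()
            if "/create" in flags and trigger in {"ONLOGON", "ONSTART"} and level == "HIGHEST":
                target = str(flags.get("/tr", ""))
                findings.append({"rule": "schtasks_onlogon_highest", "pid": e["pid"],
                                 "task": flags.get("/tn"), "target": target,
                                 "target_dropped_in_trace": target.lower() in dropped})
    return findings


def rule_counts(events):
    """Number of findings per rule, for a quick triage summary."""
    return dict(Counter(f["rule"] for f in analyze(events)))


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
    print(rule_counts(EVENTS))
```

On the constructed events the masquerade rule fires only for PID 1756, both schtasks invocations are flagged with target_dropped_in_trace set, and the UnistackSvcGroup svchost.exe produces nothing. The correlation is the part worth keeping in a real pipeline: a task whose action path was written moments earlier by a process in a user directory is a much stronger signal than either event alone.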
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 16KB
MD5: daa41265bdfadd9277e8cdffe11e18e0
SHA1: 993316f215a701a2d946a2529b911997c461c2a2
SHA256: b5e1c6fc3cb8b71a990f5c2735114cf29829f9775d785e05e11abefde0427a89
SHA512: 7c19f0247f7b7bad3e3b8328406d1f349dc820f0a7cab494a8b8cdd574c3c2efa38abcfc89a2e1d25b4f6523814a031322f86dfd91bcf1bf1f81908f3e3bab2b

Filesize: 3.2MB (hashes match the submitted Updater.exe)
MD5: bde27400071e8114a50e49c7a7d5aca3
SHA1: e8ba2d9c033467c5b9bc68f3646da6d24ab18bec
SHA256: cf69d61f1cba5ad3feb85ba91931d37ae5862eb2a7d5d9f5ab10b8817139cdcc
SHA512: 13be08ea18cc1859f5bcc2f8346d1772e232ab9380a80e20116183f880fc21999b520e91c1206faffbbd60111b12567e99ed4807d219d409f9848cd7c5596cbf