Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 26-01-2025 03:21
Behavioral task: behavioral1
- Sample: GENERATE_SEASON.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: GENERATE_SEASON.exe
- Resource: win10v2004-20241007-en
General
- Target: GENERATE_SEASON.exe
- Size: 3.2MB
- MD5: e7d072887645cbf0597dc6c8f682a4ce
- SHA1: f44c400e706f8d201a5e393a441cf29f08247326
- SHA256: 36581f3e196c43eadec9987659e53639bb90f28f4ddac5640bce04de093ccfeb
- SHA512: da11629a4546d33944c25991127c5db0acd6673fee92ff918c1e71317a6ec9eb85fefea2f50f10a7960aacc7533a38d42e6c2d0b330911c54dc4790d33f21468
- SSDEEP: 49152:avelL26AaNeWgPhlmVqvMQ7XSKWzc2WobvJ/9oGdN1zTHHB72eh2NTZ6u:avOL26AaNeWgPhlmVqkQ7XSKPo3/
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Botnet: Orbx Downloader
- C2: xeidaniyeu-37344.portmap.host:37344
- Mutex: 61861806-59ce-4798-82be-a1b654aa1c9e
- encryption_key: B87A6DBC29140772F82018FBEECE64D863C053A2
- install_name: Orbx Downloader.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: update
- subdirectory: SubDir
Signatures
- Quasar family
- Quasar payload (4 IoCs)
  resource / yara_rule:
  - behavioral1/memory/2720-1-0x0000000001110000-0x000000000143E000-memory.dmp: family_quasar
  - behavioral1/files/0x0008000000015d75-6.dat: family_quasar
  - behavioral1/memory/2840-9-0x00000000011F0000-0x000000000151E000-memory.dmp: family_quasar
  - behavioral1/memory/2416-12-0x0000000140000000-0x00000001405E8000-memory.dmp: family_quasar
- Executes dropped EXE (1 IoC)
  pid / Process: 2840 Orbx Downloader.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process: 2828 schtasks.exe; 2576 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process: 2416 taskmgr.exe (64 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid / Process: 2416 taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege, 2720 GENERATE_SEASON.exe
  - Token: SeDebugPrivilege, 2840 Orbx Downloader.exe
  - Token: SeDebugPrivilege, 2416 taskmgr.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  pid / Process: 2416 taskmgr.exe (64 identical entries)
- Suspicious use of SendNotifyMessage (64 IoCs)
  pid / Process: 2416 taskmgr.exe (64 identical entries)
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid / Process: 2840 Orbx Downloader.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description / pid / Process / procid_target:
  - PID 2720 wrote to memory of 2828, 2720 GENERATE_SEASON.exe, 31 (3 identical entries)
  - PID 2720 wrote to memory of 2840, 2720 GENERATE_SEASON.exe, 33 (3 identical entries)
  - PID 2840 wrote to memory of 2576, 2840 Orbx Downloader.exe, 34 (3 identical entries)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\GENERATE_SEASON.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\GENERATE_SEASON.exe"
  PID: 2720
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\schtasks.exe (depth 2)
    command line: "schtasks" /create /tn "update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Orbx Downloader.exe" /rl HIGHEST /f
    PID: 2828
    - Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Roaming\SubDir\Orbx Downloader.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Orbx Downloader.exe"
    PID: 2840
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (depth 3)
      command line: "schtasks" /create /tn "update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Orbx Downloader.exe" /rl HIGHEST /f
      PID: 2576
      - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\taskmgr.exe (depth 1)
  command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 2416
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.2MB
  MD5: e7d072887645cbf0597dc6c8f682a4ce
  SHA1: f44c400e706f8d201a5e393a441cf29f08247326
  SHA256: 36581f3e196c43eadec9987659e53639bb90f28f4ddac5640bce04de093ccfeb
  SHA512: da11629a4546d33944c25991127c5db0acd6673fee92ff918c1e71317a6ec9eb85fefea2f50f10a7960aacc7533a38d42e6c2d0b330911c54dc4790d33f21468