Analysis

  max time kernel:   52s
  max time network:  61s
  platform:          windows10-2004_x64
  resource:          win10v2004-20250313-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20250313-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         31/03/2025, 19:00

Static task: static1
General

  Target:  a729ddb411ab2f5a818be693d12b245215e5eb6ea79fad2fa87d85ea3e2cf683.exe
  Size:    1.6MB
  MD5:     1e356cc44d9fafcd633b2e372a46ad53
  SHA1:    0d0a32521cad4cb38dc3c841a486ed21a5454943
  SHA256:  a729ddb411ab2f5a818be693d12b245215e5eb6ea79fad2fa87d85ea3e2cf683
  SHA512:  91fa09c5be7543cbd4356370b2059521dc7ae2a47462f5871427a1ad5448249c9bf1e384c58c0966227a85574c913c09b9cff62f5bcae36ada9e8695b94e47cd
  SSDEEP:  24576:jngHKYfXTkXy0Z0UplCOlyyXEwlKhgoCY9X8jOlC3rocE/0sED5cHD:zgqKIXzryOMoBlKRCgvA5M
Malware Config

Extracted: quasar
  version:          1.4.1
  campaign/tag:     Office04   (unlabelled in the report; sits in the position of the Quasar client TAG setting)
  c2:               102.41.58.213:5505
  mutex:            1e97a2db-0622-4c39-84ac-2f640c70aaf5   (unlabelled in the report; GUID in the position of the client MUTEX setting)
  encryption_key:   1F6CCF154B4C85A58D675CA9A482E9C7A041C879
  install_name:     svchost.exe
  log_directory:    Logs
  reconnect_delay:  3000
  startup_key:      svchost
  subdirectory:     SubDir

Extracted: asyncrat
  version:          0.5.8
  group:            Default   (unlabelled in the report; sits in the position of the AsyncRAT client Group setting)
  c2:               197.48.105.157:5505
                    41.233.14.164:5505
                    197.48.230.161:5505
                    102.41.58.213:5505
  mutex:            RW4mawavalFO   (unlabelled in the report; sits in the position of the client MTX setting)
  delay:            3
  install:          true
  install_file:     svchost.exe
  install_folder:   %AppData%

Both configs contain 102.41.58.213:5505 and every listed C2 uses port 5505, so the two implants are almost certainly run by the same operator; a single network block on that host:port pair covers both. The Quasar settings (install_name svchost.exe, subdirectory SubDir, startup_key svchost) and the AsyncRAT settings (install_file svchost.exe, install_folder %AppData%) match the file paths and task names observed in the process tree below.
Signatures

Asyncrat family

Detect Umbral payload  (2 IoCs)
  resource                                                                          yara_rule
  behavioral1/files/0x00070000000242b2-18.dat                                       family_umbral
  behavioral1/memory/4420-34-0x0000012DB9110000-0x0000012DB9150000-memory.dmp       family_umbral

Quasar family

Quasar payload  (2 IoCs)
  resource                                                                          yara_rule
  behavioral1/files/0x00070000000242b1-8.dat                                        family_quasar
  behavioral1/memory/6116-36-0x0000000000640000-0x0000000000964000-memory.dmp       family_quasar

Umbral family

Async RAT payload  (1 IoC)
  resource                                                                          yara_rule
  behavioral1/files/0x00090000000242ad-27.dat                                       family_asyncrat

Checks computer location settings  (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  description        ioc                                                                                                   process
  Key value queried  \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation  svchost.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation  a729ddb411ab2f5a818be693d12b245215e5eb6ea79fad2fa87d85ea3e2cf683.exe

Executes dropped EXE  (5 IoCs)
  pid   process
  6116  v2.exe
  4420  Umbral.exe
  2156  svchost.exe
  5016  svchost.exe
  5856  svchost.exe

Looks up external IP address via web service  (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  10    ip-api.com

Drops file in System32 directory  (5 IoCs)
  description                   ioc                                      process
  File created                  C:\Windows\system32\SubDir\svchost.exe   v2.exe
  File opened for modification  C:\Windows\system32\SubDir\svchost.exe   v2.exe
  File opened for modification  C:\Windows\system32\SubDir               v2.exe
  File opened for modification  C:\Windows\system32\SubDir\svchost.exe   svchost.exe
  File opened for modification  C:\Windows\system32\SubDir               svchost.exe
  Writing under C:\Windows\system32 requires the sample to be running elevated; the SubDir subdirectory does not exist on a clean system, so its presence is itself an indicator.

Enumerates physical storage devices  (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery  (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Opened six times, by: svchost.exe, cmd.exe, cmd.exe, timeout.exe, schtasks.exe, svchost.exe. All six opens come from the 32-bit process chain under PID 2156 (see the process tree); the Geo\Nation query by the same PID 2156 is the stronger geofencing hint.

Delays execution with timeout.exe  (1 IoC)
  pid   process
  3432  timeout.exe

Scheduled Task/Job: Scheduled Task  (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process
  4784  schtasks.exe
  3872  schtasks.exe
  4464  schtasks.exe

Suspicious behavior: EnumeratesProcesses  (23 IoCs)
  pid   process
  2156  svchost.exe  (23 events)

Suspicious use of AdjustPrivilegeToken  (48 IoCs)
  token                                    pid   process
  SeDebugPrivilege                         6116  v2.exe
  SeDebugPrivilege                         4420  Umbral.exe
  21 tokens, the full set enabled twice    4816  wmic.exe  (42 events)
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  SeDebugPrivilege                         5016  svchost.exe
  SeDebugPrivilege                         2156  svchost.exe
  SeDebugPrivilege                         5856  svchost.exe  (2 events)
  Enabling the whole privilege set is wmic.exe's own start-up behaviour, not an escalation attempt by its parent; the relevant fact is that Umbral.exe spawned it to run "csproduct get uuid". SeDebugPrivilege in the RAT processes themselves (v2.exe, Umbral.exe and the three svchost.exe copies) is what lets them open other processes.

Suspicious use of SetWindowsHookEx  (1 IoC)
  pid   process
  5016  svchost.exe

Suspicious use of WriteProcessMemory  (30 IoCs; the sandbox logs each parent/child pair two or three times, collapsed here with event counts)
  parent pid  parent process                                                           child pid  procid_target  events
  536         a729ddb411ab2f5a818be693d12b245215e5eb6ea79fad2fa87d85ea3e2cf683.exe   6116       86             2
  536         a729ddb411ab2f5a818be693d12b245215e5eb6ea79fad2fa87d85ea3e2cf683.exe   4420       88             2
  536         a729ddb411ab2f5a818be693d12b245215e5eb6ea79fad2fa87d85ea3e2cf683.exe   2156       89             3
  4420        Umbral.exe                                                               4816       91             2
  6116        v2.exe                                                                   4784       95             2
  6116        v2.exe                                                                   5016       97             2
  5016        svchost.exe                                                              3872       99             2
  2156        svchost.exe                                                              4484       107            3
  2156        svchost.exe                                                              5480       109            3
  5480        cmd.exe                                                                  3432       112            3
  4484        cmd.exe                                                                  4464       113            3
  5480        cmd.exe                                                                  5856       115            3

Uses Task Scheduler COM API  (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
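The WriteProcessMemory signature above repeats each parent/child pair two or three times because the sandbox records one entry per write, and CreateProcess itself writes the new child's startup parameters into the child before it runs. De-duplicated, those entries are therefore a complete process-creation record. The Python below is an added example (not the report's or the sandbox's own code) that rebuilds the tree from the 30 entries; it assumes the entry format exactly as printed above, and takes the names of leaf processes (which never appear as writers) from the process tree in the Processes section.

```python
"""Rebuild a process tree from a sandbox's flattened WriteProcessMemory log
(added example, not part of the report).

Each entry reads
    PID <parent> wrote to memory of <child> <parent> <parent image> <procid_target>
and is repeated once per write into the child, so the same parent/child pair
appears two or three times. Because CreateProcess writes the startup block into
the new child, these entries double as a create-process log once de-duplicated.
"""
import re
from typing import Dict, List, Optional, Tuple

ENTRY_RE = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) (?P=parent) "
    r"(?P<image>\S+) (?P<target>\d+)"
)

# All 30 entries from the "Suspicious use of WriteProcessMemory" signature above.
SAMPLE_WPM = """
PID 536 wrote to memory of 6116 536 a729ddb411ab2f5a818be693d12b245215e5eb6ea79fad2fa87d85ea3e2cf683.exe 86
PID 536 wrote to memory of 6116 536 a729ddb411ab2f5a818be693d12b245215e5eb6ea79fad2fa87d85ea3e2cf683.exe 86
PID 536 wrote to memory of 4420 536 a729ddb411ab2f5a818be693d12b245215e5eb6ea79fad2fa87d85ea3e2cf683.exe 88
PID 536 wrote to memory of 4420 536 a729ddb411ab2f5a818be693d12b245215e5eb6ea79fad2fa87d85ea3e2cf683.exe 88
PID 536 wrote to memory of 2156 536 a729ddb411ab2f5a818be693d12b245215e5eb6ea79fad2fa87d85ea3e2cf683.exe 89
PID 536 wrote to memory of 2156 536 a729ddb411ab2f5a818be693d12b245215e5eb6ea79fad2fa87d85ea3e2cf683.exe 89
PID 536 wrote to memory of 2156 536 a729ddb411ab2f5a818be693d12b245215e5eb6ea79fad2fa87d85ea3e2cf683.exe 89
PID 4420 wrote to memory of 4816 4420 Umbral.exe 91
PID 4420 wrote to memory of 4816 4420 Umbral.exe 91
PID 6116 wrote to memory of 4784 6116 v2.exe 95
PID 6116 wrote to memory of 4784 6116 v2.exe 95
PID 6116 wrote to memory of 5016 6116 v2.exe 97
PID 6116 wrote to memory of 5016 6116 v2.exe 97
PID 5016 wrote to memory of 3872 5016 svchost.exe 99
PID 5016 wrote to memory of 3872 5016 svchost.exe 99
PID 2156 wrote to memory of 4484 2156 svchost.exe 107
PID 2156 wrote to memory of 4484 2156 svchost.exe 107
PID 2156 wrote to memory of 4484 2156 svchost.exe 107
PID 2156 wrote to memory of 5480 2156 svchost.exe 109
PID 2156 wrote to memory of 5480 2156 svchost.exe 109
PID 2156 wrote to memory of 5480 2156 svchost.exe 109
PID 5480 wrote to memory of 3432 5480 cmd.exe 112
PID 5480 wrote to memory of 3432 5480 cmd.exe 112
PID 5480 wrote to memory of 3432 5480 cmd.exe 112
PID 4484 wrote to memory of 4464 4484 cmd.exe 113
PID 4484 wrote to memory of 4464 4484 cmd.exe 113
PID 4484 wrote to memory of 4464 4484 cmd.exe 113
PID 5480 wrote to memory of 5856 5480 cmd.exe 115
PID 5480 wrote to memory of 5856 5480 cmd.exe 115
PID 5480 wrote to memory of 5856 5480 cmd.exe 115
"""

# Image names for leaf processes (never writers themselves), from the report's process list.
LEAF_NAMES = {4784: "schtasks.exe", 3872: "schtasks.exe", 4816: "wmic.exe",
              4464: "schtasks.exe", 3432: "timeout.exe", 5856: "svchost.exe"}

Edge = Tuple[int, int]


def parse_wpm(text: str) -> Dict[Edge, dict]:
    """Collapse repeated entries into one (parent, child) edge with an event count.
    Dict insertion order is kept, so children stay in first-seen order."""
    edges: Dict[Edge, dict] = {}
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue
        key = (int(m["parent"]), int(m["child"]))
        edge = edges.setdefault(key, {"image": m["image"], "target": int(m["target"]), "count": 0})
        edge["count"] += 1
    return edges


def children_of(edges: Dict[Edge, dict], pid: int) -> List[int]:
    return [child for (parent, child) in edges if parent == pid]


def roots(edges: Dict[Edge, dict]) -> List[int]:
    """PIDs that wrote into others but were never written into: the tree roots."""
    parents = {p for p, _ in edges}
    children = {c for _, c in edges}
    return sorted(parents - children)


def render_tree(edges: Dict[Edge, dict], leaf_names: Optional[Dict[int, str]] = None) -> str:
    names = dict(leaf_names or {})
    for (parent, _), edge in edges.items():
        names[parent] = edge["image"]  # a writer names itself in its own entries
    lines: List[str] = []

    def walk(pid: int, depth: int, count: Optional[int]) -> None:
        suffix = "" if count is None else f"  [{count} WriteProcessMemory events]"
        lines.append(f"{'    ' * depth}{pid} {names.get(pid, '<unknown>')}{suffix}")
        for child in children_of(edges, pid):
            walk(child, depth + 1, edges[(pid, child)]["count"])

    for root in roots(edges):
        walk(root, 0, None)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(parse_wpm(SAMPLE_WPM), LEAF_NAMES))
```

The rendered tree has one root (PID 536) and thirteen processes, which matches the Processes section; the 32-bit chain under PID 2156 is the one whose spawns are logged three times each.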
Processes  (indented by parent/child depth; for each process: image path, command line, PID, matched signatures)

1  C:\Users\Admin\AppData\Local\Temp\a729ddb411ab2f5a818be693d12b245215e5eb6ea79fad2fa87d85ea3e2cf683.exe
   cmd: "C:\Users\Admin\AppData\Local\Temp\a729ddb411ab2f5a818be693d12b245215e5eb6ea79fad2fa87d85ea3e2cf683.exe"
   PID 536
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2  C:\Users\Admin\AppData\Local\Temp\v2.exe   (Quasar: family_quasar YARA hit on this process's memory)
      cmd: "C:\Users\Admin\AppData\Local\Temp\v2.exe"
      PID 6116
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\SYSTEM32\schtasks.exe
         cmd: "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\system32\SubDir\svchost.exe" /rl HIGHEST /f
         PID 4784
         - Scheduled Task/Job: Scheduled Task

      3  C:\Windows\system32\SubDir\svchost.exe   (installed Quasar copy; path matches install_name and subdirectory in the extracted config)
         cmd: "C:\Windows\system32\SubDir\svchost.exe"
         PID 5016
         - Executes dropped EXE
         - Drops file in System32 directory
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4  C:\Windows\SYSTEM32\schtasks.exe   (the installed copy re-registers the same task)
            cmd: "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\system32\SubDir\svchost.exe" /rl HIGHEST /f
            PID 3872
            - Scheduled Task/Job: Scheduled Task

   2  C:\Users\Admin\AppData\Local\Temp\Umbral.exe   (Umbral: family_umbral YARA hit on this process's memory)
      cmd: "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      PID 4420
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\System32\Wbem\wmic.exe   (reads the SMBIOS UUID, commonly used as a victim/hardware identifier)
         cmd: "wmic.exe" csproduct get uuid
         PID 4816
         - Suspicious use of AdjustPrivilegeToken

   2  C:\Users\Admin\AppData\Local\Temp\svchost.exe   (behaviour matches the extracted AsyncRAT config: installs svchost.exe into %AppData%)
      cmd: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      PID 2156
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\SysWOW64\cmd.exe   (the command line names System32\cmd.exe but the image is the SysWOW64 copy: the 32-bit parent is subject to WoW64 file system redirection, so cmd.exe, schtasks.exe and timeout.exe in this subtree are all 32-bit)
         cmd: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
         PID 4484
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4  C:\Windows\SysWOW64\schtasks.exe
            cmd: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
            PID 4464
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task

      3  C:\Windows\SysWOW64\cmd.exe
         cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC7E4.tmp.bat""
         PID 5480
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4  C:\Windows\SysWOW64\timeout.exe   (the batch file waits 3 seconds before starting the installed copy)
            cmd: timeout 3
            PID 3432
            - System Location Discovery: System Language Discovery
            - Delays execution with timeout.exe

         4  C:\Users\Admin\AppData\Roaming\svchost.exe   (installed AsyncRAT copy; the target of the task created by PID 4464)
            cmd: "C:\Users\Admin\AppData\Roaming\svchost.exe"
            PID 5856
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken

Both RATs reuse the task name svchost, so the second registration would overwrite the first if they targeted the same path; here they differ (System32\SubDir vs. %AppData%), and the /f flag means each creation succeeds silently whether or not a task of that name already exists. Note that the real svchost.exe lives only in C:\Windows\System32 and C:\Windows\SysWOW64; any svchost.exe at another path, or a task named svchost pointing outside those directories, is a reliable indicator.
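The three schtasks.exe invocations above are the entire persistence mechanism: Quasar registers C:\Windows\system32\SubDir\svchost.exe and AsyncRAT registers C:\Users\Admin\AppData\Roaming\svchost.exe, both under the task name svchost, at every logon, at the highest run level, with /f to overwrite silently. The Python below is an added example (not the report's, the sandbox's, or either RAT's code) of turning such command lines into detection findings. It handles the Windows quoting seen here, including the single-quotes-around-double-quotes form used by the AsyncRAT batch, and also unwraps the cmd.exe /c ... & exit wrapper so the same rule fires on the parent command line. The lookalike name list and the wording of the findings are constructed for this example; the sample command lines are copied from the process tree above.

```python
"""Triage schtasks.exe command lines for persistence indicators
(added example, not part of the report)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Names malware borrows for tasks and dropped files. Constructed for this example;
# in production, derive it from the environment's own process baseline.
SYSTEM_PROCESS_NAMES = {"svchost", "lsass", "csrss", "winlogon", "explorer", "conhost", "dwm"}
# The only directories a genuine svchost.exe (or the others above) is started from.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

_TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')


def tokenize(cmdline: str) -> List[str]:
    """Split on whitespace keeping quoted runs intact, then peel nested quotes
    such as '"C:\\x.exe"' (single around double) down to the bare value."""
    toks = []
    for tok in _TOKEN_RE.findall(cmdline):
        while len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "\"'":
            tok = tok[1:-1]
        toks.append(tok)
    return toks


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class TaskCreate:
    name: str = ""
    schedule: str = ""
    run_level: str = ""
    target: str = ""
    force: bool = False
    findings: List[str] = field(default_factory=list)


def parse_schtasks(cmdline: str) -> Optional[TaskCreate]:
    """Return the /create parameters of the first schtasks invocation in the
    command line (also inside a 'cmd /c ... & exit' wrapper), or None."""
    toks = tokenize(cmdline)
    start = next((i for i, t in enumerate(toks) if _basename(t) in ("schtasks", "schtasks.exe")), None)
    if start is None:
        return None
    args: List[str] = []
    for t in toks[start + 1:]:
        if t in ("&", "&&", "|", "||"):  # end of the schtasks command inside a cmd.exe wrapper
            break
        args.append(t)
    if not any(a.lower() == "/create" for a in args):
        return None
    task = TaskCreate()
    value_flags = {"/tn", "/sc", "/rl", "/tr"}
    i = 0
    while i < len(args):
        flag = args[i].lower()
        if flag in value_flags and i + 1 < len(args):
            value = args[i + 1]
            if flag == "/tn":
                task.name = value
            elif flag == "/sc":
                task.schedule = value.upper()
            elif flag == "/rl":
                task.run_level = value.upper()
            else:
                task.target = value
            i += 2
        else:
            if flag == "/f":
                task.force = True
            i += 1
    return task


def assess(task: TaskCreate) -> List[str]:
    """Attach human-readable findings; the more that stack, the worse the task looks."""
    f: List[str] = []
    target = task.target.strip().lower()
    directory, _, filename = target.rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    if task.schedule == "ONLOGON":
        f.append("runs at every logon")
    if task.run_level == "HIGHEST":
        f.append("requests the highest run level (elevated when the creator is an administrator)")
    if task.force:
        f.append("/f silently replaces any existing task with the same name")
    if task.name.lower() in SYSTEM_PROCESS_NAMES:
        f.append(f"task name '{task.name}' mimics a Windows process")
    if stem in SYSTEM_PROCESS_NAMES and directory not in SYSTEM_DIRS:
        f.append(f"'{filename}' runs from outside the system directories ({directory})")
    if target.startswith("c:\\users\\"):
        f.append("target lives in a user-writable profile path")
    task.findings = f
    return f


def triage(cmdlines: List[str]) -> List[TaskCreate]:
    tasks = []
    for line in cmdlines:
        task = parse_schtasks(line)
        if task is not None:
            assess(task)
            tasks.append(task)
    return tasks


# Command lines copied from the process tree above: PIDs 4784, 3872 (Quasar), 4464 and its cmd.exe parent 4484 (AsyncRAT).
SAMPLE_CMDLINES = [
    r'"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\system32\SubDir\svchost.exe" /rl HIGHEST /f',
    r'"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\system32\SubDir\svchost.exe" /rl HIGHEST /f',
    r"""schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'""",
    r""""C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit""",
]

if __name__ == "__main__":
    for task in triage(SAMPLE_CMDLINES):
        print(f"{task.name!r} -> {task.target}")
        for finding in task.findings:
            print("   -", finding)
```

Run as a script it prints the findings for all four lines; the same functions can be fed Sysmon Event ID 1 or 4688 command lines directly, which is where a detection like this belongs.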
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize  614B
  MD5       54920f388010333559bdff225040761d
  SHA1      040972bf1fc83014f10c45832322c094f883ce30
  SHA256    9ed5449a36700939987209c7a2974b9cc669b8b22c7c4e7936f35dda0a4dc359
  SHA512    e17aa5d1328b3bfd3754d15b3c2eded98653d90c7b326f941522e0b3bd6f557880246a6bc69047facb42eb97d2e0ed6c46148dfe95a98669fc4e1d07c21a285c

  Filesize  231KB
  MD5       cb74e74c04357a7f8c0df2277c4248f0
  SHA1      1bc3fedce9f5e6a71b7e493699cb3774b8042c18
  SHA256    d1734e1266ee9ae362168458054123674211b0bd40ca93732114735886a12895
  SHA512    c62322e61bcec1f2efe4736f73df73fd256c8a2361599b7c270521966cdba38a800a8f30b67748a06753c46904f470c087f748c85f1251ace0cab888e5b4af31

  Filesize  45KB
  MD5       c4484c446e4151680918c3564a6e7eca
  SHA1      ad142d75ffd178efbf556726392d69f735506466
  SHA256    f4d8d8829ff73a9c12e508a6f37d8a2e97f8cd9673d2d471d2c9c7af843db3a0
  SHA512    1726d8493d8897c8165c2e1aeee1df699e1cc3b42836345af0f9b4e486daaea679421f26908518d57bb5ca3c7ff7460c914233847719909119519fa9175de247

  Filesize  151B
  MD5       fea75abe4119afeac864760de1fe1aec
  SHA1      1d87ac19ec2e53457ef81d9456019bb43214a61d
  SHA256    37c5e06d5486043e2ef9825fb1e56cf9ab9696c24c3d9d7f754ec4dd57f24b03
  SHA512    d07656b5d0c8f1f5b2d951e0e1b6528aac0f76e101dceacc4f457db421e345881615c0ffdd3b5c3f93409f569912373b1eae677dd59d801c9d922078d055a790

  Filesize  3.1MB
  MD5       44bf522a553e8fde9a377f75fde20442
  SHA1      0f9cb72fe60c334f6aa0c6ae642f5d9867a4ff8e
  SHA256    1467681b3b224b5447b70e54088ded2dd27ca04ea5f27f14dfe6ce8369ad73b7
  SHA512    f72c59872ed8954d7ec4ab3e109c19bb7b2a750b1e7041a0aff9b38f0726d5bbaedc364f549a401c9f827d988521204f5c765ef286ff8d9d609ca4e1e5886879