Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28-06-2024 19:00
Static task: static1
Behavioral task: behavioral1
Sample: fart.exe
Resource: win7-20240221-en
General
Target: fart.exe
Size: 39.9MB
MD5: e1a72f7e4426c8d5e849459fa7c7e476
SHA1: e1101a053ebe7cf5dc44f4f4ea787be113cae10f
SHA256: 9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece
SHA512: 0a2830e2f9e1872a98996f4221f1e81a33e8927e087397e7b3342fe79333974d030d8ff4176746c9cfd78eeb382d46a88023709c2e003b6a1ba00d883ee4426f
SSDEEP: 786432:sxGPxJDr/A/brZCaMhEDL/BpYE0dkt3ZL3PDnsilllqs7GIKScPml8tBW:oGJJDrYPZCaEWLxVfDnplllpzMW
Malware Config
Extracted: quasar
- 3.1.5
- Slave
- stop-largely.gl.at.ply.gg:27116
- $Sxr-kl1r656AGsPQksTmi8
- encryption_key: ql4fQ8TV9ZFP9vRX2myA
- install_name: $sxr~Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: $77STARTUP~MSF
- subdirectory: $sxr~SubDir
Extracted: xworm
- best-bird.gl.at.ply.gg:27196
- super-nearest.gl.at.ply.gg:17835
Extracted: asyncrat
- Default
- finally-grande.gl.at.ply.gg:25844
- delay: 1
- install: false
- install_folder: %AppData%
Extracted: quasar
- 1.4.1
- Office04
- history-foo.gl.at.ply.gg:42349
- 2beddbf7-c691-4058-94c7-f54389b4a581
- encryption_key: CBFC5D217E55BEBDCD3A6EFA924299F76BC328D9
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Update
- subdirectory: SubDir
Signatures
-
Detect Xworm Payload 4 IoCs
Processes:
resource | yara_rule
- C:\Users\Admin\AppData\Local\Temp\mshta.exe | family_xworm
- behavioral1/memory/2556-21-0x0000000000850000-0x0000000000868000-memory.dmp | family_xworm
- C:\Users\Admin\AppData\Local\Temp\svchost.exe | family_xworm
- behavioral1/memory/2604-27-0x0000000001230000-0x000000000124A000-memory.dmp | family_xworm
Quasar payload 4 IoCs
Processes:
resource | yara_rule
- C:\Users\Admin\AppData\Local\Temp\hat.exe | family_quasar
- behavioral1/memory/2676-28-0x0000000001290000-0x00000000012FC000-memory.dmp | family_quasar
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe | family_quasar
- behavioral1/memory/2376-32-0x0000000000CF0000-0x0000000001014000-memory.dmp | family_quasar
Async RAT payload 1 IoCs
Processes:
resource | yara_rule
- C:\Users\Admin\AppData\Local\Temp\ONPE.exe | family_asyncrat
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid | process
- 1660 | powershell.exe
- 1220 | powershell.exe
- 1420 | powershell.exe
- 1348 | powershell.exe
Executes dropped EXE 6 IoCs
Processes:
pid | process
- 2676 | hat.exe
- 2556 | mshta.exe
- 2492 | ONPE.exe
- 2604 | svchost.exe
- 2376 | Client-built.exe
- 2384 | index.exe
Loads dropped DLL 2 IoCs
Processes:
pid | process
- 2664 | fart.exe
- 2744 |
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
- 7 | ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid | process
- 1220 | powershell.exe
- 1660 | powershell.exe
- 1348 | powershell.exe
- 1420 | powershell.exe
- 2556 | mshta.exe
- 2604 | svchost.exe
Suspicious use of AdjustPrivilegeToken 11 IoCs
Processes:
description | pid | process
- Token: SeDebugPrivilege | 2376 | Client-built.exe
- Token: SeDebugPrivilege | 2556 | mshta.exe
- Token: SeDebugPrivilege | 2492 | ONPE.exe
- Token: SeDebugPrivilege | 2604 | svchost.exe
- Token: SeDebugPrivilege | 2676 | hat.exe
- Token: SeDebugPrivilege | 1220 | powershell.exe
- Token: SeDebugPrivilege | 1660 | powershell.exe
- Token: SeDebugPrivilege | 1348 | powershell.exe
- Token: SeDebugPrivilege | 1420 | powershell.exe
- Token: SeDebugPrivilege | 2556 | mshta.exe
- Token: SeDebugPrivilege | 2604 | svchost.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process
- 2376 | Client-built.exe
- 2556 | mshta.exe
- 2604 | svchost.exe
- 2676 | hat.exe
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
description | pid | process | target process (38 rows; identical rows collapsed, count in parentheses)
- PID 2664 wrote to memory of 2676 | 2664 | fart.exe | hat.exe (7 rows)
- PID 2664 wrote to memory of 2556 | 2664 | fart.exe | mshta.exe (3 rows)
- PID 2664 wrote to memory of 2492 | 2664 | fart.exe | ONPE.exe (3 rows)
- PID 2664 wrote to memory of 2604 | 2664 | fart.exe | svchost.exe (3 rows)
- PID 2664 wrote to memory of 2376 | 2664 | fart.exe | Client-built.exe (3 rows)
- PID 2664 wrote to memory of 2384 | 2664 | fart.exe | index.exe (3 rows)
- PID 2676 wrote to memory of 1360 | 2676 | hat.exe | schtasks.exe (4 rows)
- PID 2556 wrote to memory of 1660 | 2556 | mshta.exe | powershell.exe (3 rows)
- PID 2604 wrote to memory of 1220 | 2604 | svchost.exe | powershell.exe (3 rows)
- PID 2604 wrote to memory of 1420 | 2604 | svchost.exe | powershell.exe (3 rows)
- PID 2556 wrote to memory of 1348 | 2556 | mshta.exe | powershell.exe (3 rows)
Processes
-
C:\Users\Admin\AppData\Local\Temp\fart.exe (tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\fart.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hat.exe (tree depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\hat.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe (tree depth 3)
Command line: "schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\hat.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
C:\Users\Admin\AppData\Local\Temp\mshta.exe (tree depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\mshta.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 3)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mshta.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 3)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mshta.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\ONPE.exe (tree depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\ONPE.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe (tree depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 3)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 3)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe (tree depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\index.exe (tree depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\index.exe"
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
Filesize: 3.1MB
MD5: 3609d79a3bd384ec00861417a1795932
SHA1: 1e2beac3970f2debf5376ed1c4197380d1b1ab39
SHA256: ac77d98fe33fad34e96b6679e70dfb7fe1664249c8961da35b780ff0ef9feb80
SHA512: 9ffcec4d0cf24bd199f26eda0b3f1528c9c46224ebc415f9adfe189af9ac2900fbfbb47dc29ba8b9f05b9e53d5b9907d3c51b753ce5d3e694029a86c624c8019
-
C:\Users\Admin\AppData\Local\Temp\ONPE.exe
Filesize: 63KB
MD5: 27fe9341167a34f606b800303ac54b1f
SHA1: 86373d218b48361bff1c23ddd08b6ab1803a51d0
SHA256: 29e13a91af9b0ac77e9b7f8b0c26e5702f46bd8aea0333ca2d191d1d09c70c5d
SHA512: 05b83ad544862d9c0cfc2651b2842624cff59fc4f454e0b1a2b36a705b558fad5a834f9f1af9f2626c57f1e3cd9aa400e290eaafb6efeb680422992bcbbde5b0
-
C:\Users\Admin\AppData\Local\Temp\hat.exe
Filesize: 409KB
MD5: e10c7425705b2bd3214fa96247ee21c4
SHA1: 7603536b97ab6337fa023bafcf80579c2b4059e6
SHA256: 021068ac225e479b124c33d9e7582c17fdea6e625b165b79e2c818479d8094e4
SHA512: 47e031992d637fef2a67e4fb08d2d82eaba03eba6b80f3e0e0997153acf0d979d0294276c4a10a97daa50130540230865c56191e6fe8df07dbea11c50fa48a2d
-
C:\Users\Admin\AppData\Local\Temp\index.exe
Filesize: 36.2MB
MD5: 3c9563aff1bd31ffa1692db8bf1526a6
SHA1: b9038ff03f20441170548f3910f141d58f46e46f
SHA256: c722b281827e42918c087b7466b6afcf11fe715d45178556f4ecacee6edbdac2
SHA512: 1ca5915b8f9b9e2fd34100cd9a4d4d5ccfd106e8c32189ddce90ec06073982871a8ae318051e9afe93247df89a5425efdea346014e2c16005e1193842b18ce0b
-
C:\Users\Admin\AppData\Local\Temp\mshta.exe
Filesize: 67KB
MD5: 092a0c6fe885844fd74947e64e7fc11e
SHA1: bfe46f64f36f2e927d862a1a787f146ed2c01219
SHA256: 91431cb73305e0f1fdc698907301b6d312a350f667c50765615672e7f10a68f2
SHA512: 022589bd17b46e5486971a59b2517956bb15815266e48dc73a7ae9ac9efd42a348af09df471562eb71ffc94ce1e1845d54ca2994663d1496a385bce50ae595f0
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize: 79KB
MD5: 1f1b23752df3d29e7604ba52aea85862
SHA1: bb582c6cf022098b171c4c9c7318a51de29ebcf4
SHA256: 4834d31394f19d42e8d2a035b4c3c9c36441340ea19fe766396848ecfb608960
SHA512: d52722ab73bb15d4a5b0033351f98f168192f382677e6d474f6cf506cf8dc2f5e421e45279b6cac0f074857f41a865d87b5d989450bfcb8eba925b7baa12fbde
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 819154cb4733035c32b4bd9c69ad789b
SHA1: bcb2e8748716da518b106ef8172c1e6df252c493
SHA256: e5eb16cab594c654beb2d5eed27f71a5aa6dda44b12e9f7dadb91e307ff11ab5
SHA512: f01d06d47f727518244562375cf609228ac9c4389a03aee81f6fea5422584b7ee3a0c0ecc95af552183cc53c716e217dfc0848dcdd5615d203251ac0c181079d
-
memory/1220-43-0x000000001B7C0000-0x000000001BAA2000-memory.dmp
Filesize: 2.9MB
-
memory/1220-49-0x0000000001E60000-0x0000000001E68000-memory.dmp
Filesize: 32KB
-
memory/1348-61-0x0000000002970000-0x0000000002978000-memory.dmp
Filesize: 32KB
-
memory/1420-60-0x000000001B750000-0x000000001BA32000-memory.dmp
Filesize: 2.9MB
-
memory/2376-32-0x0000000000CF0000-0x0000000001014000-memory.dmp
Filesize: 3.1MB
-
memory/2492-19-0x0000000000800000-0x0000000000816000-memory.dmp
Filesize: 88KB
-
memory/2556-21-0x0000000000850000-0x0000000000868000-memory.dmp
Filesize: 96KB
-
memory/2604-27-0x0000000001230000-0x000000000124A000-memory.dmp
Filesize: 104KB
-
memory/2664-0-0x000007FEF6003000-0x000007FEF6004000-memory.dmp
Filesize: 4KB
-
memory/2664-1-0x0000000000170000-0x000000000295E000-memory.dmp
Filesize: 39.9MB
-
memory/2676-28-0x0000000001290000-0x00000000012FC000-memory.dmp
Filesize: 432KB