Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system -
submitted
29-06-2024 01:35
Static task
static1
Behavioral task
behavioral1
Sample
9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe
Resource
win7-20240611-en
General
-
Target
9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe
-
Size
39.9MB
-
MD5
e1a72f7e4426c8d5e849459fa7c7e476
-
SHA1
e1101a053ebe7cf5dc44f4f4ea787be113cae10f
-
SHA256
9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece
-
SHA512
0a2830e2f9e1872a98996f4221f1e81a33e8927e087397e7b3342fe79333974d030d8ff4176746c9cfd78eeb382d46a88023709c2e003b6a1ba00d883ee4426f
-
SSDEEP
786432:sxGPxJDr/A/brZCaMhEDL/BpYE0dkt3ZL3PDnsilllqs7GIKScPml8tBW:oGJJDrYPZCaEWLxVfDnplllpzMW
Malware Config
Extracted
quasar
3.1.5
Slave
stop-largely.gl.at.ply.gg:27116
$Sxr-kl1r656AGsPQksTmi8
-
encryption_key
ql4fQ8TV9ZFP9vRX2myA
-
install_name
$sxr~Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
$77STARTUP~MSF
-
subdirectory
$sxr~SubDir
Extracted
xworm
best-bird.gl.at.ply.gg:27196
super-nearest.gl.at.ply.gg:17835
Extracted
asyncrat
Default
finally-grande.gl.at.ply.gg:25844
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
quasar
1.4.1
Office04
history-foo.gl.at.ply.gg:42349
2beddbf7-c691-4058-94c7-f54389b4a581
-
encryption_key
CBFC5D217E55BEBDCD3A6EFA924299F76BC328D9
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Update
-
subdirectory
SubDir
Signatures
-
Detect Xworm Payload 4 IoCs
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\mshta.exe family_xworm
C:\Users\Admin\AppData\Local\Temp\svchost.exe family_xworm
behavioral1/memory/2756-25-0x0000000000960000-0x000000000097A000-memory.dmp family_xworm
behavioral1/memory/2648-21-0x0000000001040000-0x0000000001058000-memory.dmp family_xworm
-
Quasar payload 4 IoCs
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\hat.exe family_quasar
C:\Users\Admin\AppData\Local\Temp\Client-built.exe family_quasar
behavioral1/memory/2916-31-0x0000000000C50000-0x0000000000F74000-memory.dmp family_quasar
behavioral1/memory/2332-32-0x0000000000E70000-0x0000000000EDC000-memory.dmp family_quasar
-
Async RAT payload 1 IoCs
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\ONPE.exe family_asyncrat
-
Detects Windows executables referencing non-Windows User-Agents 8 IoCs
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\hat.exe INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Users\Admin\AppData\Local\Temp\mshta.exe INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Users\Admin\AppData\Local\Temp\svchost.exe INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2756-25-0x0000000000960000-0x000000000097A000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2648-21-0x0000000001040000-0x0000000001058000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Users\Admin\AppData\Local\Temp\Client-built.exe INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2916-31-0x0000000000C50000-0x0000000000F74000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2332-32-0x0000000000E70000-0x0000000000EDC000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\Client-built.exe INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2916-31-0x0000000000C50000-0x0000000000F74000-memory.dmp INDICATOR_SUSPICIOUS_Binary_References_Browsers
-
Detects executables attempting to enumerate video devices using WMI 2 IoCs
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\ONPE.exe INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
behavioral1/memory/2668-23-0x0000000000DE0000-0x0000000000DF6000-memory.dmp INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
-
Detects executables containing common artifacts observed in infostealers 2 IoCs
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\Client-built.exe INDICATOR_SUSPICIOUS_GENInfoStealer
behavioral1/memory/2916-31-0x0000000000C50000-0x0000000000F74000-memory.dmp INDICATOR_SUSPICIOUS_GENInfoStealer
-
Detects executables containing the string DcRatBy 2 IoCs
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\ONPE.exe INDICATOR_SUSPICIOUS_EXE_DcRatBy
behavioral1/memory/2668-23-0x0000000000DE0000-0x0000000000DF6000-memory.dmp INDICATOR_SUSPICIOUS_EXE_DcRatBy
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid process
1884 powershell.exe
2740 powershell.exe
2120 powershell.exe
2936 powershell.exe
-
Executes dropped EXE 6 IoCs
Processes:
pid process
2332 hat.exe
2648 mshta.exe
2668 ONPE.exe
2756 svchost.exe
2916 Client-built.exe
2612 index.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid process
816 9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe
2568
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc
8 ip-api.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid process
1884 powershell.exe
2740 powershell.exe
2648 mshta.exe
2120 powershell.exe
2936 powershell.exe
2756 svchost.exe
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 2916 Client-built.exe
Token: SeDebugPrivilege 2648 mshta.exe
Token: SeDebugPrivilege 2668 ONPE.exe
Token: SeDebugPrivilege 2332 hat.exe
Token: SeDebugPrivilege 2756 svchost.exe
Token: SeDebugPrivilege 1884 powershell.exe
Token: SeDebugPrivilege 2740 powershell.exe
Token: SeDebugPrivilege 2648 mshta.exe
Token: SeDebugPrivilege 2120 powershell.exe
Token: SeDebugPrivilege 2936 powershell.exe
Token: SeDebugPrivilege 2756 svchost.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid process
2916 Client-built.exe
2648 mshta.exe
2332 hat.exe
2756 svchost.exe
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
description pid process target process
PID 816 wrote to memory of 2332 816 9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe hat.exe
PID 816 wrote to memory of 2332 816 9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe hat.exe
PID 816 wrote to memory of 2332 816 9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe hat.exe
PID 816 wrote to memory of 2332 816 9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe hat.exe
PID 816 wrote to memory of 2332 816 9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe hat.exe
PID 816 wrote to memory of 2332 816 9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe hat.exe
PID 816 wrote to memory of 2332 816 9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe hat.exe
PID 816 wrote to memory of 2648 816 9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe mshta.exe
PID 816 wrote to memory of 2648 816 9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe mshta.exe
PID 816 wrote to memory of 2648 816 9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe mshta.exe
PID 816 wrote to memory of 2668 816 9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe ONPE.exe
PID 816 wrote to memory of 2668 816 9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe ONPE.exe
PID 816 wrote to memory of 2668 816 9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe ONPE.exe
PID 816 wrote to memory of 2756 816 9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe svchost.exe
PID 816 wrote to memory of 2756 816 9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe svchost.exe
PID 816 wrote to memory of 2756 816 9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe svchost.exe
PID 816 wrote to memory of 2916 816 9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe Client-built.exe
PID 816 wrote to memory of 2916 816 9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe Client-built.exe
PID 816 wrote to memory of 2916 816 9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe Client-built.exe
PID 816 wrote to memory of 2612 816 9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe index.exe
PID 816 wrote to memory of 2612 816 9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe index.exe
PID 816 wrote to memory of 2612 816 9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe index.exe
PID 2332 wrote to memory of 2884 2332 hat.exe schtasks.exe
PID 2332 wrote to memory of 2884 2332 hat.exe schtasks.exe
PID 2332 wrote to memory of 2884 2332 hat.exe schtasks.exe
PID 2332 wrote to memory of 2884 2332 hat.exe schtasks.exe
PID 2648 wrote to memory of 1884 2648 mshta.exe powershell.exe
PID 2648 wrote to memory of 1884 2648 mshta.exe powershell.exe
PID 2648 wrote to memory of 1884 2648 mshta.exe powershell.exe
PID 2648 wrote to memory of 2740 2648 mshta.exe powershell.exe
PID 2648 wrote to memory of 2740 2648 mshta.exe powershell.exe
PID 2648 wrote to memory of 2740 2648 mshta.exe powershell.exe
PID 2756 wrote to memory of 2120 2756 svchost.exe powershell.exe
PID 2756 wrote to memory of 2120 2756 svchost.exe powershell.exe
PID 2756 wrote to memory of 2120 2756 svchost.exe powershell.exe
PID 2756 wrote to memory of 2936 2756 svchost.exe powershell.exe
PID 2756 wrote to memory of 2936 2756 svchost.exe powershell.exe
PID 2756 wrote to memory of 2936 2756 svchost.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe "C:\Users\Admin\AppData\Local\Temp\9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\hat.exe "C:\Users\Admin\AppData\Local\Temp\hat.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\hat.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
-
  C:\Users\Admin\AppData\Local\Temp\mshta.exe "C:\Users\Admin\AppData\Local\Temp\mshta.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mshta.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mshta.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
  C:\Users\Admin\AppData\Local\Temp\ONPE.exe "C:\Users\Admin\AppData\Local\Temp\ONPE.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
-
  C:\Users\Admin\AppData\Local\Temp\svchost.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
  C:\Users\Admin\AppData\Local\Temp\Client-built.exe "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
-
  C:\Users\Admin\AppData\Local\Temp\index.exe "C:\Users\Admin\AppData\Local\Temp\index.exe"
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads