Analysis
Max time kernel: 187s
Max time network: 191s
Platform: windows7_x64
Resource: win7-20240508-en
Resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
Submitted: 29-06-2024 21:02
Behavioral task: behavioral1
Sample: 41241.exe
Resource: win7-20240508-en
General
Target: 41241.exe
Size: 3.1MB
MD5: e22eded04f63ee8412924d986e3a522f
SHA1: ca0b817a54f1401b43b412013c0a948a03155619
SHA256: cbc58336a25eddf588be0b4c90fa9dd0267e545489b14c53505a53125a1a49db
SHA512: 6ae9c8cf956939a15b3c6fdc40b905f0d5bb03e665309d0a15e3956f9912bd491087ad8cabbacd0dd7e0a2e50fca1af2f055805c8748105c43afc5bff85ba89e
SSDEEP: 49152:Dv6I22SsaNYfdPBldt698dBcjHa++PJH1LoGdDTTHHB72eh2NT:Dv322SsaNYfdPBldt6+dBcjHa++Pz
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: pringelsy-44550.portmap.host:44550
Mutex: ed30a1b2-d1a0-4e30-a860-b77fa3f71c40
encryption_key: 49F9D3CAD835E70C60B54E401E356C16B3822AE8
install_name: Opera GX.exe
log_directory: Logs
reconnect_delay: 1000
startup_key: OperaVPN
subdirectory: common Files
Signatures

Quasar payload (3 IoCs)
  Resource / YARA rule:
  - behavioral1/memory/2552-1-0x0000000000910000-0x0000000000C34000-memory.dmp  family_quasar
  - C:\Program Files\Common Files\Opera GX.exe  family_quasar
  - behavioral1/memory/2652-9-0x0000000000FC0000-0x00000000012E4000-memory.dmp  family_quasar

Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 2652  Opera GX.exe

Drops file in Program Files directory (5 IoCs)
  Description, IoC, process:
  - File opened for modification  C:\Program Files\common Files\Opera GX.exe  Opera GX.exe
  - File opened for modification  C:\Program Files\common Files  Opera GX.exe
  - File created  C:\Program Files\common Files\Opera GX.exe  41241.exe
  - File opened for modification  C:\Program Files\common Files\Opera GX.exe  41241.exe
  - File opened for modification  C:\Program Files\common Files  41241.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid, process):
  - 2352  schtasks.exe
  - 2676  schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description, pid, process:
  - Token: SeDebugPrivilege  2552  41241.exe
  - Token: SeDebugPrivilege  2652  Opera GX.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid, process):
  - 2652  Opera GX.exe

Suspicious use of SendNotifyMessage (1 IoC)
  Processes (pid, process):
  - 2652  Opera GX.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
  - 2652  Opera GX.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Description, pid, process, target process:
  - PID 2552 wrote to memory of 2352  2552  41241.exe  schtasks.exe
  - PID 2552 wrote to memory of 2352  2552  41241.exe  schtasks.exe
  - PID 2552 wrote to memory of 2352  2552  41241.exe  schtasks.exe
  - PID 2552 wrote to memory of 2652  2552  41241.exe  Opera GX.exe
  - PID 2552 wrote to memory of 2652  2552  41241.exe  Opera GX.exe
  - PID 2552 wrote to memory of 2652  2552  41241.exe  Opera GX.exe
  - PID 2652 wrote to memory of 2676  2652  Opera GX.exe  schtasks.exe
  - PID 2652 wrote to memory of 2676  2652  Opera GX.exe  schtasks.exe
  - PID 2652 wrote to memory of 2676  2652  Opera GX.exe  schtasks.exe

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\41241.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\41241.exe"
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

  C:\Program Files\common Files\Opera GX.exe
    Command line: "C:\Program Files\common Files\Opera GX.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
      Command line: "schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Program Files\Common Files\Opera GX.exe
  Filesize: 3.1MB
  MD5: e22eded04f63ee8412924d986e3a522f
  SHA1: ca0b817a54f1401b43b412013c0a948a03155619
  SHA256: cbc58336a25eddf588be0b4c90fa9dd0267e545489b14c53505a53125a1a49db
  SHA512: 6ae9c8cf956939a15b3c6fdc40b905f0d5bb03e665309d0a15e3956f9912bd491087ad8cabbacd0dd7e0a2e50fca1af2f055805c8748105c43afc5bff85ba89e

memory/2552-0-0x000007FEF53B3000-0x000007FEF53B4000-memory.dmp
  Filesize: 4KB

memory/2552-1-0x0000000000910000-0x0000000000C34000-memory.dmp
  Filesize: 3.1MB

memory/2552-2-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp
  Filesize: 9.9MB

memory/2552-8-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp
  Filesize: 9.9MB

memory/2652-11-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp
  Filesize: 9.9MB

memory/2652-10-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp
  Filesize: 9.9MB

memory/2652-9-0x0000000000FC0000-0x00000000012E4000-memory.dmp
  Filesize: 3.1MB

memory/2652-12-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp
  Filesize: 9.9MB

memory/2652-13-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp
  Filesize: 9.9MB