Analysis
Max time kernel: 360s
Max time network: 365s
Platform: windows7_x64
Resource: win7-20240611-en
Resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
Submitted: 29-06-2024 21:07
Behavioral task
behavioral1
Sample: 512.exe
Resource: win7-20240611-en
General
Target: 512.exe
Size: 3.1MB
MD5: 317a46786b73fccfafa5b5678c1a21a1
SHA1: e72c0001fb47a477514f5abdb348ae489de65f72
SHA256: 1dba5015247e9e52949d62c60c23713657123b7786cb790d6f1534126936c1b2
SHA512: 237b4b626c30911e1f705ac9765d33446f6948630e2a4179d444391cd4e8338e34691da69a8f044b329889c3680aa9cc19108482abe51f179c354d81c8ce678f
SSDEEP: 49152:Sv6I22SsaNYfdPBldt698dBcjH3mRJ6SbR3LoGdmTHHB72eh2NT:Sv322SsaNYfdPBldt6+dBcjH3mRJ6M
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet (tag): Office04
C2: pringelsy-51954.portmap.host:51954
Mutex: ed30a1b2-d1a0-4e30-a860-b77fa3f71c40
Attributes:
encryption_key: 49F9D3CAD835E70C60B54E401E356C16B3822AE8
install_name: Opera GX.exe
log_directory: Logs
reconnect_delay: 1000
startup_key: OperaVPN
subdirectory: common Files
Signatures

Quasar payload (1 IoC)
resource: behavioral1/memory/2232-1-0x0000000000C30000-0x0000000000F54000-memory.dmp
yara_rule: family_quasar

Drops file in Program Files directory (2 IoCs)
description | ioc | process
File created | C:\Program Files\common Files\Opera GX.exe | 512.exe
File opened for modification | C:\Program Files\common Files\Opera GX.exe | 512.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeDebugPrivilege | 2232 | 512.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | process | target process
PID 2232 wrote to memory of 2200 | 2232 | 512.exe | schtasks.exe
PID 2232 wrote to memory of 2200 | 2232 | 512.exe | schtasks.exe
PID 2232 wrote to memory of 2200 | 2232 | 512.exe | schtasks.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\512.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\512.exe"
   - Drops file in Program Files directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\schtasks.exe (child of 512.exe)
      Command line: "schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
memory/2232-0-0x000007FEF5363000-0x000007FEF5364000-memory.dmp  Filesize: 4KB
memory/2232-1-0x0000000000C30000-0x0000000000F54000-memory.dmp  Filesize: 3.1MB
memory/2232-2-0x000007FEF5360000-0x000007FEF5D4C000-memory.dmp  Filesize: 9.9MB
memory/2232-4-0x000007FEF5363000-0x000007FEF5364000-memory.dmp  Filesize: 4KB
memory/2232-5-0x000007FEF5360000-0x000007FEF5D4C000-memory.dmp  Filesize: 9.9MB