Analysis

max time kernel: 1071s
max time network: 1170s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 29-06-2024 21:07
General

Target: 512.exe
Size: 3.1MB
MD5: 317a46786b73fccfafa5b5678c1a21a1
SHA1: e72c0001fb47a477514f5abdb348ae489de65f72
SHA256: 1dba5015247e9e52949d62c60c23713657123b7786cb790d6f1534126936c1b2
SHA512: 237b4b626c30911e1f705ac9765d33446f6948630e2a4179d444391cd4e8338e34691da69a8f044b329889c3680aa9cc19108482abe51f179c354d81c8ce678f
SSDEEP: 49152:Sv6I22SsaNYfdPBldt698dBcjH3mRJ6SbR3LoGdmTHHB72eh2NT:Sv322SsaNYfdPBldt6+dBcjH3mRJ6M
Malware Config

Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: pringelsy-51954.portmap.host:51954
Mutex: ed30a1b2-d1a0-4e30-a860-b77fa3f71c40

Attributes
- encryption_key: 49F9D3CAD835E70C60B54E401E356C16B3822AE8
- install_name: Opera GX.exe
- log_directory: Logs
- reconnect_delay: 1000
- startup_key: OperaVPN
- subdirectory: common Files
Signatures

Quasar payload (2 IoCs)
- resource: behavioral1/memory/4724-1-0x00000000008B0000-0x0000000000BD4000-memory.dmp, yara_rule: family_quasar
- resource: C:\Program Files\Common Files\Opera GX.exe, yara_rule: family_quasar

Executes dropped EXE (1 IoC)
- pid 3744, process Opera GX.exe

Drops file in Program Files directory (5 IoCs)
- File created: C:\Program Files\common Files\Opera GX.exe (process 512.exe)
- File opened for modification: C:\Program Files\common Files\Opera GX.exe (process 512.exe)
- File opened for modification: C:\Program Files\common Files (process 512.exe)
- File opened for modification: C:\Program Files\common Files\Opera GX.exe (process Opera GX.exe)
- File opened for modification: C:\Program Files\common Files (process Opera GX.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
- pid 1296, process ipconfig.exe

Runs ping.exe (1 TTP, 1 IoC)

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- pid 3624, process schtasks.exe
- pid 3448, process schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, pid 4724, process 512.exe
- Token: SeDebugPrivilege, pid 3744, process Opera GX.exe

Suspicious use of FindShellTrayWindow (10 IoCs)
- pid 3744, process Opera GX.exe (10 entries)

Suspicious use of SendNotifyMessage (10 IoCs)
- pid 3744, process Opera GX.exe (10 entries)

Suspicious use of SetWindowsHookEx (1 IoC)
- pid 3744, process Opera GX.exe

Suspicious use of WriteProcessMemory (20 IoCs; each source/target pair below is recorded twice)
- PID 4724 (512.exe) wrote to memory of PID 3624 (schtasks.exe)
- PID 4724 (512.exe) wrote to memory of PID 3744 (Opera GX.exe)
- PID 3744 (Opera GX.exe) wrote to memory of PID 3448 (schtasks.exe)
- PID 3744 (Opera GX.exe) wrote to memory of PID 2900 (cmd.exe)
- PID 2900 (cmd.exe) wrote to memory of PID 3712 (chcp.com)
- PID 2900 (cmd.exe) wrote to memory of PID 1296 (ipconfig.exe)
- PID 3744 (Opera GX.exe) wrote to memory of PID 2500 (schtasks.exe)
- PID 3744 (Opera GX.exe) wrote to memory of PID 2924 (cmd.exe)
- PID 2924 (cmd.exe) wrote to memory of PID 3872 (chcp.com)
- PID 2924 (cmd.exe) wrote to memory of PID 3264 (PING.EXE)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\512.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\512.exe"
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\schtasks.exe
    command line: "schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

  C:\Program Files\common Files\Opera GX.exe
    command line: "C:\Program Files\common Files\Opera GX.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\schtasks.exe
      command line: "schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task

    C:\Windows\SYSTEM32\cmd.exe
      command line: "cmd" /K CHCP 437
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\chcp.com
        command line: CHCP 437

      C:\Windows\system32\ipconfig.exe
        command line: ipconfig
        - Gathers network information

    C:\Windows\SYSTEM32\schtasks.exe
      command line: "schtasks" /delete /tn "OperaVPN" /f

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tVwe2zFAeSwh.bat" "
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\chcp.com
        command line: chcp 65001

      C:\Windows\system32\PING.EXE
        command line: ping -n 10 localhost
        - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Program Files\Common Files\Opera GX.exe
  Filesize: 3.1MB
  MD5: 317a46786b73fccfafa5b5678c1a21a1
  SHA1: e72c0001fb47a477514f5abdb348ae489de65f72
  SHA256: 1dba5015247e9e52949d62c60c23713657123b7786cb790d6f1534126936c1b2
  SHA512: 237b4b626c30911e1f705ac9765d33446f6948630e2a4179d444391cd4e8338e34691da69a8f044b329889c3680aa9cc19108482abe51f179c354d81c8ce678f

C:\Users\Admin\AppData\Local\Temp\tVwe2zFAeSwh.bat
  Filesize: 205B
  MD5: ac667bea46da2000aad75e57054c72da
  SHA1: c86d621ebb74d8adb6fbb41b49de3922d4c47716
  SHA256: c0922c352dd8cb81c8369a7fbe27c619c5afb616c4beea7bcc20d11a9b783297
  SHA512: e800f46a762ee4d227a8b8241adfd392df4b33c31e5174055be54fd965f42f2eb7b3bad1875a5a3c8ce76b2f430ee679ac8560e685277db687f5e8a3237a1daf

Memory dumps
- memory/3744-11-0x00007FF837590000-0x00007FF838052000-memory.dmp, Filesize: 10.8MB
- memory/3744-9-0x00007FF837590000-0x00007FF838052000-memory.dmp, Filesize: 10.8MB
- memory/3744-12-0x000000001C310000-0x000000001C360000-memory.dmp, Filesize: 320KB
- memory/3744-13-0x000000001C420000-0x000000001C4D2000-memory.dmp, Filesize: 712KB
- memory/3744-16-0x000000001C3B0000-0x000000001C3C2000-memory.dmp, Filesize: 72KB
- memory/3744-17-0x000000001CF30000-0x000000001CF6C000-memory.dmp, Filesize: 240KB
- memory/3744-18-0x00007FF837590000-0x00007FF838052000-memory.dmp, Filesize: 10.8MB
- memory/3744-19-0x000000001D7A0000-0x000000001DCC8000-memory.dmp, Filesize: 5.2MB
- memory/3744-33-0x00007FF837590000-0x00007FF838052000-memory.dmp, Filesize: 10.8MB
- memory/4724-2-0x00007FF837590000-0x00007FF838052000-memory.dmp, Filesize: 10.8MB
- memory/4724-10-0x00007FF837590000-0x00007FF838052000-memory.dmp, Filesize: 10.8MB
- memory/4724-0-0x00007FF837593000-0x00007FF837595000-memory.dmp, Filesize: 8KB
- memory/4724-1-0x00000000008B0000-0x0000000000BD4000-memory.dmp, Filesize: 3.1MB