Analysis
-
max time kernel
13s -
max time network
21s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted
01-07-2024 00:11
General
-
Target
Client-built.exe
-
Size
3.3MB
-
MD5
d5228d8272c425d9aa1af3a1ab93d9fd
-
SHA1
f88b9a56ed8377a277a8a6b7b09d01779824fae8
-
SHA256
f1512bfeff65f189db2ba206fe9b51764b67e60526c3d1c0482feff63a4fa95b
-
SHA512
d92d45cc8ac140e7581d743a365e2a943a983e83195f5e363ebf72ab7ba98a772099103bdb2909728cd65e4262d5505e55e795b1a00bdfb9c8d9df9c852e8741
-
SSDEEP
49152:0v8go2QSaNpzyPllgamb0CZof/JZXxNESEuk/iWLoGdqITHHB72eh2NT:0vNo2QSaNpzyPllgamYCZof/JBxdY6
Malware Config
Extracted
quasar
1.4.1
FajnyGosc
none-vocals.gl.at.ply.gg:47745
none-vocals.gl.at.ply.gg:2137
147.185.221.17:2137
147.185.221.17:47745
a43b504c-d3c0-453a-96d2-1e0097cafb65
-
encryption_key
AD8872181A3CA4A71BFAE37CA853D97218D094EE
-
install_name
NewCheats.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Miicrosoft Security
-
subdirectory
Miicrosoft Security
Signatures
-
Quasar payload 2 IoCs
Processes:
Resource | YARA rule
behavioral1/memory/4548-1-0x0000000000630000-0x000000000097E000-memory.dmp | family_quasar
C:\Program Files\Miicrosoft Security\NewCheats.exe | family_quasar
Executes dropped EXE 1 IoCs
Processes:
PID | Process
2168 | NewCheats.exe
Drops file in Program Files directory 5 IoCs
Processes:
Description | IoC | Process
File opened for modification | C:\Program Files\Miicrosoft Security\NewCheats.exe | NewCheats.exe
File opened for modification | C:\Program Files\Miicrosoft Security | NewCheats.exe
File created | C:\Program Files\Miicrosoft Security\NewCheats.exe | Client-built.exe
File opened for modification | C:\Program Files\Miicrosoft Security\NewCheats.exe | Client-built.exe
File opened for modification | C:\Program Files\Miicrosoft Security | Client-built.exe
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
PID | Process
4600 | schtasks.exe
1676 | schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Description | PID | Process
Token: SeDebugPrivilege | 4548 | Client-built.exe
Token: SeDebugPrivilege | 2168 | NewCheats.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
PID | Process
2168 | NewCheats.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
Description | PID | Process | Target process
PID 4548 wrote to memory of 1676 | 4548 | Client-built.exe | schtasks.exe
PID 4548 wrote to memory of 1676 | 4548 | Client-built.exe | schtasks.exe
PID 4548 wrote to memory of 2168 | 4548 | Client-built.exe | NewCheats.exe
PID 4548 wrote to memory of 2168 | 4548 | Client-built.exe | NewCheats.exe
PID 2168 wrote to memory of 4600 | 2168 | NewCheats.exe | schtasks.exe
PID 2168 wrote to memory of 4600 | 2168 | NewCheats.exe | schtasks.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "Miicrosoft Security" /sc ONLOGON /tr "C:\Program Files\Miicrosoft Security\NewCheats.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

  C:\Program Files\Miicrosoft Security\NewCheats.exe
    Command line: "C:\Program Files\Miicrosoft Security\NewCheats.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks" /create /tn "Miicrosoft Security" /sc ONLOGON /tr "C:\Program Files\Miicrosoft Security\NewCheats.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BO2GwlJGBHlf.bat" "

      C:\Windows\system32\chcp.com
        Command line: chcp 65001

      C:\Windows\system32\PING.EXE
        Command line: ping -n 10 localhost
        - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Program Files\Miicrosoft Security\NewCheats.exe
Filesize
3.3MB
MD5
d5228d8272c425d9aa1af3a1ab93d9fd
SHA1
f88b9a56ed8377a277a8a6b7b09d01779824fae8
SHA256
f1512bfeff65f189db2ba206fe9b51764b67e60526c3d1c0482feff63a4fa95b
SHA512
d92d45cc8ac140e7581d743a365e2a943a983e83195f5e363ebf72ab7ba98a772099103bdb2909728cd65e4262d5505e55e795b1a00bdfb9c8d9df9c852e8741
-
C:\Users\Admin\AppData\Local\Temp\BO2GwlJGBHlf.bat
Filesize
209B
MD5
2ae8b3b89b7346e491acc6bbdf3ef67c
SHA1
ac2bb7a0f4f5d679760d929af03b211a6ed9fd0d
SHA256
2c27e04caabfbc5831401adaeb814d604ba98690ab2b3c7cc1b83805ba0c8b21
SHA512
ac6e346c7c517c88149c058de85e1a3c71ab3613a4bee7eca43d94d93ff2278352771512e54b69bc25af84d7b151598335c24aed12053686748e146a423397f8
-
memory/2168-10-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp
Filesize
10.8MB
-
memory/2168-11-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp
Filesize
10.8MB
-
memory/2168-13-0x000000001DC40000-0x000000001DCF2000-memory.dmp
Filesize
712KB
-
memory/2168-12-0x000000001BC70000-0x000000001BCC0000-memory.dmp
Filesize
320KB
-
memory/2168-18-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp
Filesize
10.8MB
-
memory/4548-1-0x0000000000630000-0x000000000097E000-memory.dmp
Filesize
3.3MB
-
memory/4548-0-0x00007FFDAE393000-0x00007FFDAE395000-memory.dmp
Filesize
8KB
-
memory/4548-2-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp
Filesize
10.8MB
-
memory/4548-9-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp
Filesize
10.8MB