Analysis

max time kernel: 5s
max time network: 5s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 20-06-2024 13:14
General

Target: c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797.exe
Size: 348KB
MD5: 11767ecb9deb6b80bf781e6f47b859d5
SHA1: 7eabf94ea15bef9d48100159ff54e5117d7ead77
SHA256: c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797
SHA512: 849f033d3d6a4a9969ccfee4a468a48c7c894326a8f0d6e3d64ecc00d6f92593af10da01319ef3b8ffd5fd34070735d1b8877a7b1fa9e7845c1b661edf16ddfd
SSDEEP: 6144:PyUhIvTCqL/0+Ad3zEGMcQbzGD5VeKyvh1UGoAhQqwO:qNTCKxANEKemqsGoAqqwO
Malware Config

Extracted
family: quasar
version: 1.3.0.0
botnet: Office04
c2: 127.0.0.1:4782
mutex: QSR_MUTEX_Qfx1LgLjDrqR2O9eT4
encryption_key: 1UqQuJicXDNgw96Qw7o7
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: winlogon.exe
subdirectory: SubDir
Signatures

Quasar payload (2 IoCs)
Processes:
  resource: behavioral1/memory/4228-1-0x0000000000D20000-0x0000000000D7E000-memory.dmp, yara_rule: family_quasar
  resource: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe, yara_rule: family_quasar

Executes dropped EXE (1 IoC)
Processes:
  pid 4840, process Client.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 1, ioc ip-api.com

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid 3752, process schtasks.exe
  pid 4064, process schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description: Token: SeDebugPrivilege, pid 4228, process c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797.exe
  description: Token: SeDebugPrivilege, pid 4840, process Client.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid 4840, process Client.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description: PID 4228 wrote to memory of 3752, pid 4228, process c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797.exe, target process schtasks.exe
  description: PID 4228 wrote to memory of 3752, pid 4228, process c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797.exe, target process schtasks.exe
  description: PID 4228 wrote to memory of 3752, pid 4228, process c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797.exe, target process schtasks.exe
  description: PID 4228 wrote to memory of 4840, pid 4228, process c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797.exe, target process Client.exe
  description: PID 4228 wrote to memory of 4840, pid 4228, process c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797.exe, target process Client.exe
  description: PID 4228 wrote to memory of 4840, pid 4228, process c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797.exe, target process Client.exe
  description: PID 4840 wrote to memory of 4064, pid 4840, process Client.exe, target process schtasks.exe
  description: PID 4840 wrote to memory of 4064, pid 4840, process Client.exe, target process schtasks.exe
  description: PID 4840 wrote to memory of 4064, pid 4840, process Client.exe, target process schtasks.exe
Processes

C:\Users\Admin\AppData\Local\Temp\c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    command line: "schtasks" /create /tn "winlogon.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks" /create /tn "winlogon.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
Network

MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Filesize: 348KB
  MD5: 11767ecb9deb6b80bf781e6f47b859d5
  SHA1: 7eabf94ea15bef9d48100159ff54e5117d7ead77
  SHA256: c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797
  SHA512: 849f033d3d6a4a9969ccfee4a468a48c7c894326a8f0d6e3d64ecc00d6f92593af10da01319ef3b8ffd5fd34070735d1b8877a7b1fa9e7845c1b661edf16ddfd

memory/4228-6-0x0000000006250000-0x0000000006262000-memory.dmp
  Filesize: 72KB

memory/4228-2-0x0000000005AF0000-0x0000000005FEE000-memory.dmp
  Filesize: 5.0MB

memory/4228-3-0x00000000055F0000-0x0000000005682000-memory.dmp
  Filesize: 584KB

memory/4228-4-0x0000000073EE0000-0x00000000745CE000-memory.dmp
  Filesize: 6.9MB

memory/4228-5-0x0000000005690000-0x00000000056F6000-memory.dmp
  Filesize: 408KB

memory/4228-0-0x0000000073EEE000-0x0000000073EEF000-memory.dmp
  Filesize: 4KB

memory/4228-7-0x0000000006640000-0x000000000667E000-memory.dmp
  Filesize: 248KB

memory/4228-1-0x0000000000D20000-0x0000000000D7E000-memory.dmp
  Filesize: 376KB

memory/4228-15-0x0000000073EE0000-0x00000000745CE000-memory.dmp
  Filesize: 6.9MB

memory/4840-14-0x0000000073EE0000-0x00000000745CE000-memory.dmp
  Filesize: 6.9MB

memory/4840-16-0x0000000073EE0000-0x00000000745CE000-memory.dmp
  Filesize: 6.9MB

memory/4840-18-0x00000000060C0000-0x00000000060CA000-memory.dmp
  Filesize: 40KB