Analysis
-
max time kernel
133s -
max time network
136s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
21-06-2024 06:44
General
-
Target
smss.exe
-
Size
3.1MB
-
MD5
e892f6b514297ffa73a5271d66d5180b
-
SHA1
10f5886d28d48454581af2e05bf3fe3d6fd9b763
-
SHA256
c65baefaf8047a324638ae5f04d3a0a5557c02ff7e65d99ebd25754272bab2e0
-
SHA512
a74874e3d909c71c0a458b940b37cece4ffea85af4ad34ec7421289a61eb547955333358e46c4be5ba38d93469226ae264cee2b0a26191c0b1be45a89beb8f33
-
SSDEEP
49152:LvilL26AaNeWgPhlmVqvMQ7XSKh4RJ6HbR3LoGdafTHHB72eh2NT:LvaL26AaNeWgPhlmVqkQ7XSKh4RJ6Z
Malware Config
Extracted
Family
quasar
Version
1.4.1
Botnet
Office04
C2
carolina-reverse.gl.at.ply.gg:34609
Mutex
255a7afd-a9a3-4b9f-b4bc-647ca1724a1a
Attributes
-
encryption_key
524892BD8A433CE8E6A342E36737F573CEF5D252
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/4384-0-0x00000000002E0000-0x0000000000604000-memory.dmp family_quasar -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
smss.exedescription pid process Token: SeDebugPrivilege 4384 smss.exe
Processes
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4384-0-0x00000000002E0000-0x0000000000604000-memory.dmpFilesize
3.1MB
-
memory/4384-1-0x00007FF95A543000-0x00007FF95A544000-memory.dmpFilesize
4KB
-
memory/4384-2-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmpFilesize
9.9MB
-
memory/4384-3-0x0000000000E70000-0x0000000000EC0000-memory.dmpFilesize
320KB
-
memory/4384-4-0x000000001B910000-0x000000001B9C2000-memory.dmpFilesize
712KB
-
memory/4384-7-0x0000000000E30000-0x0000000000E42000-memory.dmpFilesize
72KB
-
memory/4384-8-0x000000001B080000-0x000000001B0BE000-memory.dmpFilesize
248KB
-
memory/4384-10-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmpFilesize
9.9MB