Analysis
-
max time kernel
140s
-
max time network
142s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240611-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
submitted
22-06-2024 18:07
Behavioral task
behavioral1
Sample
Loader.exe
Resource
win10-20240404-en
General
-
Target
Loader.exe
-
Size
3.1MB
-
MD5
7cf415ae8a6c6be91e8fcd0f2d6534d7
-
SHA1
c64843774046483a32903e1ec4b033f6c792f07c
-
SHA256
bb2c55fbda1e7da044b43bbe6ed8b371064746f5bbb4b0ad3585e8c1227abd02
-
SHA512
9e96e547c9610ba90d6af06584bc23a360f99e936b3895062a2eee77bf78e2bf6a11e7b9d3e826446b921f90205cec481d1d71f1f8be491ba478a89b77178d77
-
SSDEEP
49152:Ovkt62XlaSFNWPjljiFa2RoUYIZAHJ07Yy5LoGvDTHHB72eh2NT:Ov462XlaSFNWPjljiFXRoUYIZAH8
Malware Config
Extracted
quasar
1.4.1
Office04
192.168.1.141:4782
c627ff01-20b9-42d1-9f7d-842cfcff3909
-
encryption_key
3FD82075D8A6F76003D5B98222F0DD0458E54B61
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
explorer
-
subdirectory
SubDir
Signatures
-
Quasar payload 2 IoCs
Processes:
resource: behavioral2/memory/3484-1-0x0000000000730000-0x0000000000A54000-memory.dmp, yara_rule: family_quasar
resource: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe, yara_rule: family_quasar
-
Executes dropped EXE 1 IoCs
Processes:
pid 3472, process Client.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid 1160, process schtasks.exe
pid 3508, process schtasks.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description: Token: SeDebugPrivilege, pid 3484, process Loader.exe
description: Token: SeDebugPrivilege, pid 3472, process Client.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid 3472, process Client.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description: PID 3484 wrote to memory of 1160, process Loader.exe, target process schtasks.exe
description: PID 3484 wrote to memory of 1160, process Loader.exe, target process schtasks.exe
description: PID 3484 wrote to memory of 3472, process Loader.exe, target process Client.exe
description: PID 3484 wrote to memory of 3472, process Loader.exe, target process Client.exe
description: PID 3472 wrote to memory of 3508, process Client.exe, target process schtasks.exe
description: PID 3472 wrote to memory of 3508, process Client.exe, target process schtasks.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
(tree level 1)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "explorer" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
(tree level 2)
- Scheduled Task/Job: Scheduled Task
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
(tree level 2)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "explorer" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
(tree level 3)
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
3.1MB
MD5
7cf415ae8a6c6be91e8fcd0f2d6534d7
SHA1
c64843774046483a32903e1ec4b033f6c792f07c
SHA256
bb2c55fbda1e7da044b43bbe6ed8b371064746f5bbb4b0ad3585e8c1227abd02
SHA512
9e96e547c9610ba90d6af06584bc23a360f99e936b3895062a2eee77bf78e2bf6a11e7b9d3e826446b921f90205cec481d1d71f1f8be491ba478a89b77178d77
-
memory/3472-10-0x00007FFAC40E0000-0x00007FFAC4BA1000-memory.dmp
Filesize
10.8MB
-
memory/3472-11-0x00007FFAC40E0000-0x00007FFAC4BA1000-memory.dmp
Filesize
10.8MB
-
memory/3472-12-0x000000001C330000-0x000000001C380000-memory.dmp
Filesize
320KB
-
memory/3472-13-0x000000001C440000-0x000000001C4F2000-memory.dmp
Filesize
712KB
-
memory/3472-14-0x00007FFAC40E0000-0x00007FFAC4BA1000-memory.dmp
Filesize
10.8MB
-
memory/3484-0-0x00007FFAC40E3000-0x00007FFAC40E5000-memory.dmp
Filesize
8KB
-
memory/3484-1-0x0000000000730000-0x0000000000A54000-memory.dmp
Filesize
3.1MB
-
memory/3484-2-0x00007FFAC40E0000-0x00007FFAC4BA1000-memory.dmp
Filesize
10.8MB
-
memory/3484-9-0x00007FFAC40E0000-0x00007FFAC4BA1000-memory.dmp
Filesize
10.8MB