Analysis
max time kernel: 138s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-06-2024 01:05

Behavioral task: behavioral1
Sample: 1b586bfe3423ef03ecba497e90fd31b42022dd8e1f325e212c1e23cc58ba7be7.exe
Resource: win7-20240419-en
General
Target: 1b586bfe3423ef03ecba497e90fd31b42022dd8e1f325e212c1e23cc58ba7be7.exe
Size: 3.1MB
MD5: aa5da5d211dd6b3c5e9404520ebeec1f
SHA1: 037e6d5fa8398a3f95df469d60debe6fc8c93f89
SHA256: 1b586bfe3423ef03ecba497e90fd31b42022dd8e1f325e212c1e23cc58ba7be7
SHA512: 9a02a50c2534ece296d183bd712f8be240f4e5d989842656e28392af41036d29dc30cf205fe3526b980a480c54c3d9a4de7f5ef35103dec2d29fb513d2e83b72
SSDEEP: 49152:PvSI22SsaNYfdPBldt698dBcjHod/oKT2fOTmZPKoGANtTHHB72eh2NT:Pv/22SsaNYfdPBldt6+dBcjHE/oKDg
Malware Config

Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: 91.92.242.80:4782
Mutex: e88cd5c3-d3f7-4cbb-94a7-7136e3bc6ab9
Attributes:
  encryption_key: B1F363CB165B4ADD4702FD386A0A1054BFED678C
  install_name: WindowsUpdate.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Windows.Update
  subdirectory: Update
Signatures

Quasar payload (1 IoCs)
  resource: behavioral2/memory/228-1-0x00000000000C0000-0x00000000003E4000-memory.dmp
  yara_rule: family_quasar

Detects Windows executables referencing non-Windows User-Agents (1 IoCs)
  resource: behavioral2/memory/228-1-0x00000000000C0000-0x00000000003E4000-memory.dmp
  yara_rule: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. (1 IoCs)
  resource: behavioral2/memory/228-1-0x00000000000C0000-0x00000000003E4000-memory.dmp
  yara_rule: INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing common artifacts observed in infostealers (1 IoCs)
  resource: behavioral2/memory/228-1-0x00000000000C0000-0x00000000003E4000-memory.dmp
  yara_rule: INDICATOR_SUSPICIOUS_GENInfoStealer

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege
  pid: 228
  process: 1b586bfe3423ef03ecba497e90fd31b42022dd8e1f325e212c1e23cc58ba7be7.exe

Suspicious use of WriteProcessMemory (2 IoCs)
  description: PID 228 wrote to memory of 2500 | pid: 228 | process: 1b586bfe3423ef03ecba497e90fd31b42022dd8e1f325e212c1e23cc58ba7be7.exe | target process: schtasks.exe
  description: PID 228 wrote to memory of 2500 | pid: 228 | process: 1b586bfe3423ef03ecba497e90fd31b42022dd8e1f325e212c1e23cc58ba7be7.exe | target process: schtasks.exe

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\1b586bfe3423ef03ecba497e90fd31b42022dd8e1f325e212c1e23cc58ba7be7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1b586bfe3423ef03ecba497e90fd31b42022dd8e1f325e212c1e23cc58ba7be7.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\schtasks.exe (child of the process above)
    Command line: "schtasks" /create /tn "Windows.Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Update\WindowsUpdate.exe" /rl HIGHEST /f
    Signatures: Scheduled Task/Job: Scheduled Task

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4124 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
memory/228-0-0x00007FF9EA913000-0x00007FF9EA915000-memory.dmp  Filesize: 8KB
memory/228-1-0x00000000000C0000-0x00000000003E4000-memory.dmp  Filesize: 3.1MB
memory/228-2-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp  Filesize: 10.8MB
memory/228-3-0x00007FF9EA913000-0x00007FF9EA915000-memory.dmp  Filesize: 8KB
memory/228-4-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp  Filesize: 10.8MB