Analysis
max time kernel: 1797s
max time network: 1495s
platform: windows11-21h2_x64
resource: win11-20240611-en
resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 28-06-2024 01:30
General
Target: player tracker source.exe
Size: 3.1MB
MD5: 79b23f9700c2cfe1180cc94dd0ed2d31
SHA1: 951e79cf051fb128b667266ab1341e620b980173
SHA256: a2b88e25b1626cbfac4f4d6734becfecd655a89da195e81e26ae729200043fd8
SHA512: e819baf8ecd86d58d486ce53ebb6598c0e436220d422e14b3945c63d869bfca299c9069f18b57231c7d2788d10ad419787cfd093976a4882da8208bc9b7bffa7
SSDEEP: 49152:HvDI22SsaNYfdPBldt698dBcjHkx6TBxEsoGdRTHHB72eh2NT:Hv822SsaNYfdPBldt6+dBcjHK61
Malware Config
Extracted
quasar
1.4.1
Office04
255.255.255.0:4782
c5c0225f-92c8-45a3-8b4e-43c9383703ba
encryption_key: 2C9AF81488324786F38644244B002DFBC04966DB
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures
Quasar payload (2 IoCs)
resource                                                                   yara_rule
behavioral1/memory/2792-1-0x0000000000BF0000-0x0000000000F14000-memory.dmp  family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe                           family_quasar

Executes dropped EXE (1 IoCs)
pid   process
3584  Client.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description               pid   process
Token: SeDebugPrivilege   2792  player tracker source.exe
Token: SeDebugPrivilege   3584  Client.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid   process
3584  Client.exe

Suspicious use of WriteProcessMemory (2 IoCs)
description                       pid   process                    target process
PID 2792 wrote to memory of 3584  2792  player tracker source.exe  Client.exe
PID 2792 wrote to memory of 3584  2792  player tracker source.exe  Client.exe
Processes
C:\Users\Admin\AppData\Local\Temp\player tracker source.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\player tracker source.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Downloads
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Filesize: 3.1MB
  MD5: 79b23f9700c2cfe1180cc94dd0ed2d31
  SHA1: 951e79cf051fb128b667266ab1341e620b980173
  SHA256: a2b88e25b1626cbfac4f4d6734becfecd655a89da195e81e26ae729200043fd8
  SHA512: e819baf8ecd86d58d486ce53ebb6598c0e436220d422e14b3945c63d869bfca299c9069f18b57231c7d2788d10ad419787cfd093976a4882da8208bc9b7bffa7

memory/2792-0-0x00007FFAE87E3000-0x00007FFAE87E5000-memory.dmp
  Filesize: 8KB

memory/2792-1-0x0000000000BF0000-0x0000000000F14000-memory.dmp
  Filesize: 3.1MB

memory/2792-2-0x00007FFAE87E0000-0x00007FFAE92A2000-memory.dmp
  Filesize: 10.8MB

memory/2792-10-0x00007FFAE87E0000-0x00007FFAE92A2000-memory.dmp
  Filesize: 10.8MB

memory/3584-9-0x00007FFAE87E0000-0x00007FFAE92A2000-memory.dmp
  Filesize: 10.8MB

memory/3584-11-0x00007FFAE87E0000-0x00007FFAE92A2000-memory.dmp
  Filesize: 10.8MB

memory/3584-12-0x000000001BA80000-0x000000001BAD0000-memory.dmp
  Filesize: 320KB

memory/3584-13-0x000000001BB90000-0x000000001BC42000-memory.dmp
  Filesize: 712KB

memory/3584-14-0x00007FFAE87E0000-0x00007FFAE92A2000-memory.dmp
  Filesize: 10.8MB