Analysis
max time kernel: 1799s
max time network: 1160s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 28-06-2024 01:35
General
Target: Client-built.exe
Size: 3.1MB
MD5: 38072c09609f9d5d18728038a64d619a
SHA1: 04b8e50360b870a987ee245965f037cd64f6dab6
SHA256: 398abac5d259fce710f2ed5da055de32759e61524f1968a900ecf6dbb8bda3dd
SHA512: b3b8bec866daa77d1ea87a6b8875a7e9e1e2a934eba4e096a23d295fb804f95dd088fe14e7ded863abe00e5bc57bedb2d7c39934dafa51952f2ae887b2aa6a94
SSDEEP: 49152:LvnI22SsaNYfdPBldt698dBcjHAhOEEfsek/HYBoGdPTHHB72eh2NT:LvI22SsaNYfdPBldt6+dBcjHAhOAK
Malware Config
Extracted
quasar
1.4.1
Office04
255.255.255.0:4782
562d2243-0363-49ab-b547-810cd136b950
encryption_key: 2802AB6175F0B038574EF96E3018A9284A075BAB
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload (2 IoCs)
Processes:
  resource: behavioral1/memory/1688-1-0x0000000000B40000-0x0000000000E64000-memory.dmp, yara_rule: family_quasar
  resource: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe, yara_rule: family_quasar

Executes dropped EXE (1 IoC)
Processes:
  pid 5044, process Client.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Token: SeDebugPrivilege, pid 1688, process Client-built.exe
  Token: SeDebugPrivilege, pid 5044, process Client.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  pid 5044, process Client.exe

Suspicious use of SendNotifyMessage (1 IoC)
Processes:
  pid 5044, process Client.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid 5044, process Client.exe

Suspicious use of WriteProcessMemory (2 IoCs)
Processes:
  PID 1688 wrote to memory of 5044: Client-built.exe -> Client.exe
  PID 1688 wrote to memory of 5044: Client-built.exe -> Client.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (child)
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Downloads

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Filesize: 3.1MB
  MD5: 38072c09609f9d5d18728038a64d619a
  SHA1: 04b8e50360b870a987ee245965f037cd64f6dab6
  SHA256: 398abac5d259fce710f2ed5da055de32759e61524f1968a900ecf6dbb8bda3dd
  SHA512: b3b8bec866daa77d1ea87a6b8875a7e9e1e2a934eba4e096a23d295fb804f95dd088fe14e7ded863abe00e5bc57bedb2d7c39934dafa51952f2ae887b2aa6a94

memory/1688-0-0x00007FFCABD73000-0x00007FFCABD75000-memory.dmp
  Filesize: 8KB

memory/1688-1-0x0000000000B40000-0x0000000000E64000-memory.dmp
  Filesize: 3.1MB

memory/1688-2-0x00007FFCABD70000-0x00007FFCAC832000-memory.dmp
  Filesize: 10.8MB

memory/1688-9-0x00007FFCABD70000-0x00007FFCAC832000-memory.dmp
  Filesize: 10.8MB

memory/5044-8-0x00007FFCABD70000-0x00007FFCAC832000-memory.dmp
  Filesize: 10.8MB

memory/5044-10-0x00007FFCABD70000-0x00007FFCAC832000-memory.dmp
  Filesize: 10.8MB

memory/5044-11-0x000000001BFF0000-0x000000001C040000-memory.dmp
  Filesize: 320KB

memory/5044-12-0x000000001C100000-0x000000001C1B2000-memory.dmp
  Filesize: 712KB

memory/5044-13-0x00007FFCABD70000-0x00007FFCAC832000-memory.dmp
  Filesize: 10.8MB