Analysis
max time kernel: 599s
max time network: 600s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 29-06-2024 23:04
Behavioral task
behavioral1
Sample
Sp00fer.exe
Resource
win7-20240221-en
General
Target: Sp00fer.exe
Size: 3.1MB
MD5: ff468df2fde593962c6cdb3bdb4614ce
SHA1: 870daa4279fa830d1f555f82ad8ac49789a6e31c
SHA256: c8e42ac2cdd0927bb4278a4cc154e8c768e8e1b0b5d5a02f04f9b9a16e6a7bf1
SHA512: e3ce71ee59b3ff3cd989d73b1c59255135bbdff53d6e50695cb24445a4ba1ad3626623e3f39dc4ece1ebae9b82547555cc726e20c5b093926bf9b459c5c7ce0a
SSDEEP: 49152:jvulL26AaNeWgPhlmVqvMQ7XSKDy6Rk0vGYLoG2JquTHHB72eh2NT:jveL26AaNeWgPhlmVqkQ7XSKdk4
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Tag: Office04
C2: pringelsy-53072.portmap.host:53072 (portmap.host is a public port-forwarding service, so the operator's real endpoint sits behind the tunnel; the forwarding hostname is the durable indicator, not whatever IP it resolves to at the time)
Mutex: 6dc28d35-3024-44a7-a559-f9991015fa39
encryption_key: 3107DF2D44BB6914C55BEA57D100135AB0F278DF
install_name: Client.exe
log_directory: Logs
reconnect_delay: 799
startup_key: Quasar Client Startup
subdirectory: Common Files
The observed behaviour matches this config: the sample installs itself as C:\Program Files\Common Files\Client.exe (subdirectory + install_name) and registers a scheduled task named "Quasar Client Startup" (startup_key).
Signatures

Quasar payload (3 IoCs)
Resource | YARA rule
behavioral1/memory/3024-1-0x0000000001290000-0x00000000015B4000-memory.dmp | family_quasar
C:\Program Files\Common Files\Client.exe | family_quasar
behavioral1/memory/2756-8-0x0000000000920000-0x0000000000C44000-memory.dmp | family_quasar

Executes dropped EXE (1 IoC)
PID | Process
2756 | Client.exe

Drops file in Program Files directory (5 IoCs)
Description | IoC | Process
File opened for modification | C:\Program Files\Common Files\Client.exe | Sp00fer.exe
File opened for modification | C:\Program Files\Common Files | Sp00fer.exe
File opened for modification | C:\Program Files\Common Files\Client.exe | Client.exe
File opened for modification | C:\Program Files\Common Files | Client.exe
File created | C:\Program Files\Common Files\Client.exe | Sp00fer.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID | Process
1160 | schtasks.exe
2572 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Description | PID | Process
Token: SeDebugPrivilege | 3024 | Sp00fer.exe
Token: SeDebugPrivilege | 2756 | Client.exe

Suspicious use of FindShellTrayWindow (1 IoC)
PID | Process
2756 | Client.exe

Suspicious use of SendNotifyMessage (1 IoC)
PID | Process
2756 | Client.exe

Suspicious use of SetWindowsHookEx (1 IoC)
PID | Process
2756 | Client.exe

Suspicious use of WriteProcessMemory (9 IoCs; each parent/child pair below is reported three times)
Description | PID | Process | Target PID | Target process
PID 3024 wrote to memory of 1160 | 3024 | Sp00fer.exe | 1160 | schtasks.exe
PID 3024 wrote to memory of 2756 | 3024 | Sp00fer.exe | 2756 | Client.exe
PID 2756 wrote to memory of 2572 | 2756 | Client.exe | 2572 | schtasks.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Sp00fer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Sp00fer.exe"
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

  C:\Program Files\Common Files\Client.exe
    Command line: "C:\Program Files\Common Files\Client.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
      Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
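The two schtasks invocations above are the persistence mechanism worth alerting on: a task with an ONLOGON trigger, the HIGHEST run level, a /f overwrite and an action that points outside the Windows directory, created first by the dropper and again by the installed copy. The following detection logic is an added example written for this report; it is not sandbox output and not Quasar's own code. The process-creation events are constructed from the PIDs, paths and command lines in the report (plus one benign control task), and the allowlist of trusted action directories is an assumption to tune per estate.

```python
"""Detect schtasks-based logon persistence in process-creation telemetry.

Added example for this report; not sandbox output and not Quasar code.
Events are constructed to mirror the report's process tree, plus one
benign control; the directory allowlist is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # its command line as logged (e.g. Sysmon Event ID 1)


# Constructed events (PIDs, paths and command lines taken from the report above).
EVENTS = [
    ProcEvent(3024, 1000, r"C:\Users\Admin\AppData\Local\Temp\Sp00fer.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Sp00fer.exe"'),
    ProcEvent(1160, 3024, r"C:\Windows\system32\schtasks.exe",
              r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON '
              r'/tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f'),
    ProcEvent(2756, 3024, r"C:\Program Files\Common Files\Client.exe",
              r'"C:\Program Files\Common Files\Client.exe"'),
    ProcEvent(2572, 2756, r"C:\Windows\system32\schtasks.exe",
              r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON '
              r'/tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f'),
    # Benign control (constructed): an admin scheduling a nightly backup.
    ProcEvent(4100, 1000, r"C:\Windows\system32\schtasks.exe",
              r'schtasks /create /tn "Backup" /sc DAILY /st 02:00 '
              r'/tr "C:\Windows\system32\wbadmin.exe start backup"'),
]


def split_cmdline(cmdline: str) -> list:
    """Windows-style tokenizer: a double-quoted run is one token, quotes stripped."""
    return [q if q else u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline: str) -> Optional[dict]:
    """Map each /switch to its value (True for bare switches such as /create or /f).
    Returns None when the command is not schtasks at all."""
    toks = split_cmdline(cmdline)
    if not toks:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("schtasks", "schtasks.exe"):
        return None
    args, i = {}, 1
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            has_value = i + 1 < len(toks) and not toks[i + 1].startswith("/")
            args[key] = toks[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            i += 1
    return args


# Assumed allowlist: task actions under these prefixes are not flagged on path alone.
TRUSTED_ACTION_PREFIXES = ("c:\\windows\\",)


def task_reasons(args: Optional[dict]) -> list:
    """Reasons a schtasks /create looks like persistence; an empty list means benign."""
    if not args or args.get("create") is not True:
        return []
    reasons = []
    trigger = str(args.get("sc", "")).lower()
    if trigger in ("onlogon", "onstart"):
        reasons.append(f"/sc {trigger.upper()}: re-runs at every logon/boot")
    if str(args.get("rl", "")).lower() == "highest":
        reasons.append("/rl HIGHEST: requests the elevated run level")
    action = str(args.get("tr", "")).lower()
    if action and not action.startswith(TRUSTED_ACTION_PREFIXES):
        reasons.append(f"action outside allowlisted dirs: {args['tr']}")
    if args.get("f") is True:
        reasons.append("/f: silently overwrites an existing task of the same name")
    return reasons


def find_persistence(events, min_reasons: int = 2) -> list:
    """One finding per suspicious schtasks call, joined to its parent and to any
    process already running the task action (the Sp00fer.exe -> Client.exe chain)."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        args = parse_schtasks(e.cmdline)
        reasons = task_reasons(args)
        if len(reasons) < min_reasons:
            continue
        action = str(args.get("tr", "")).lower()
        parent = by_pid.get(e.ppid)
        findings.append({
            "pid": e.pid,
            "parent": parent.image if parent else None,
            "task": args.get("tn"),
            "action": args.get("tr"),
            "action_pids": [p.pid for p in events if p.image.lower() == action],
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in find_persistence(EVENTS):
        print(f"schtasks pid {f['pid']} from {f['parent']}: task {f['task']!r} -> {f['action']}")
        for r in f["reasons"]:
            print("   ", r)
        print("    action already running as pid(s):", f["action_pids"])
```

Both report invocations score four reasons and are tied back to the already-running Client.exe (PID 2756), while the DAILY backup task scores none. Requiring at least two reasons keeps a lone ONLOGON task or a lone non-Windows action path from paging anyone; the parent image in each finding is what separates a dropper in a user's Temp directory from an installer that legitimately registers a logon task.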
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Program Files\Common Files\Client.exe
  Filesize: 3.1MB
  MD5: ff468df2fde593962c6cdb3bdb4614ce
  SHA1: 870daa4279fa830d1f555f82ad8ac49789a6e31c
  SHA256: c8e42ac2cdd0927bb4278a4cc154e8c768e8e1b0b5d5a02f04f9b9a16e6a7bf1
  SHA512: e3ce71ee59b3ff3cd989d73b1c59255135bbdff53d6e50695cb24445a4ba1ad3626623e3f39dc4ece1ebae9b82547555cc726e20c5b093926bf9b459c5c7ce0a
  Size and all four hashes are identical to the submitted Sp00fer.exe: the installed Client.exe is a byte-for-byte self-copy, not a second-stage download, so the sample's hashes cover the persisted file as well.

memory/2756-8-0x0000000000920000-0x0000000000C44000-memory.dmp
  Filesize: 3.1MB

memory/2756-10-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp
  Filesize: 9.9MB

memory/2756-9-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp
  Filesize: 9.9MB

memory/2756-13-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp
  Filesize: 9.9MB

memory/2756-14-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp
  Filesize: 9.9MB

memory/3024-0-0x000007FEF6233000-0x000007FEF6234000-memory.dmp
  Filesize: 4KB

memory/3024-1-0x0000000001290000-0x00000000015B4000-memory.dmp
  Filesize: 3.1MB

memory/3024-2-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp
  Filesize: 9.9MB

memory/3024-11-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp
  Filesize: 9.9MB