Analysis
max time kernel: 599s
max time network: 600s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 29-06-2024 22:50
Behavioral task: behavioral1
Sample: sp0ofer.exe
Resource: win7-20240221-en
General
Target: sp0ofer.exe
Size: 3.1MB
MD5: c5dc60ebad720c8a08e21c08db1d2dfa
SHA1: 268f1aace8a48248d58de344bd1dfd2eb5e2c2a8
SHA256: cbac5d6488d2b1655aff14f498060b3a0f752bc26291a34c39ff76da2866de9a
SHA512: 9930d8208b8bba24bd0d70d9491a302c8efefea5ff195711eee0f725f39b83070e624474de990cd0dc14c80ba0bd27a343cfc31fcee4104e49a76e637cd829f7
SSDEEP: 49152:DvulL26AaNeWgPhlmVqvMQ7XSKPPxNESEfk/ioLoGdfxTHHB72eh2NT:DveL26AaNeWgPhlmVqkQ7XSKHxCG
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: pringelsy-53072.portmap.host:53072
Mutex: 6dc28d35-3024-44a7-a559-f9991015fa39
Attributes:
- encryption_key: 3107DF2D44BB6914C55BEA57D100135AB0F278DF
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 799
- startup_key: Quasar Client Startup
- subdirectory: Common Files
Signatures
-
Quasar payload 3 IoCs
Processes (resource / yara_rule):
- behavioral1/memory/2436-1-0x0000000000960000-0x0000000000C84000-memory.dmp: family_quasar
- C:\Program Files\Common Files\Client.exe: family_quasar
- behavioral1/memory/2508-9-0x00000000012C0000-0x00000000015E4000-memory.dmp: family_quasar
-
Executes dropped EXE 1 IoCs
Processes (pid / process):
- 2508 Client.exe
-
Drops file in Program Files directory 5 IoCs
Processes (description / ioc / process):
- File created: C:\Program Files\Common Files\Client.exe (sp0ofer.exe)
- File opened for modification: C:\Program Files\Common Files\Client.exe (sp0ofer.exe)
- File opened for modification: C:\Program Files\Common Files (sp0ofer.exe)
- File opened for modification: C:\Program Files\Common Files\Client.exe (Client.exe)
- File opened for modification: C:\Program Files\Common Files (Client.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid / process):
- 2944 schtasks.exe
- 2072 schtasks.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description / pid / process):
- Token: SeDebugPrivilege, 2436 sp0ofer.exe
- Token: SeDebugPrivilege, 2508 Client.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes (pid / process):
- 2508 Client.exe
-
Suspicious use of SendNotifyMessage 1 IoCs
Processes (pid / process):
- 2508 Client.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid / process):
- 2508 Client.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes (description / pid / process / target process):
- PID 2436 wrote to memory of 2944: sp0ofer.exe -> schtasks.exe
- PID 2436 wrote to memory of 2944: sp0ofer.exe -> schtasks.exe
- PID 2436 wrote to memory of 2944: sp0ofer.exe -> schtasks.exe
- PID 2436 wrote to memory of 2508: sp0ofer.exe -> Client.exe
- PID 2436 wrote to memory of 2508: sp0ofer.exe -> Client.exe
- PID 2436 wrote to memory of 2508: sp0ofer.exe -> Client.exe
- PID 2508 wrote to memory of 2072: Client.exe -> schtasks.exe
- PID 2508 wrote to memory of 2072: Client.exe -> schtasks.exe
- PID 2508 wrote to memory of 2072: Client.exe -> schtasks.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\sp0ofer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\sp0ofer.exe"
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    [2] C:\Windows\system32\schtasks.exe
        Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
        - Scheduled Task/Job: Scheduled Task
    -
    [2] C:\Program Files\Common Files\Client.exe
        Command line: "C:\Program Files\Common Files\Client.exe"
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        -
        [3] C:\Windows\system32\schtasks.exe
            Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
            - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Program Files\Common Files\Client.exe
Filesize: 3.1MB
MD5: c5dc60ebad720c8a08e21c08db1d2dfa
SHA1: 268f1aace8a48248d58de344bd1dfd2eb5e2c2a8
SHA256: cbac5d6488d2b1655aff14f498060b3a0f752bc26291a34c39ff76da2866de9a
SHA512: 9930d8208b8bba24bd0d70d9491a302c8efefea5ff195711eee0f725f39b83070e624474de990cd0dc14c80ba0bd27a343cfc31fcee4104e49a76e637cd829f7
-
memory/2436-0-0x000007FEF57D3000-0x000007FEF57D4000-memory.dmp
Filesize: 4KB
-
memory/2436-1-0x0000000000960000-0x0000000000C84000-memory.dmp
Filesize: 3.1MB
-
memory/2436-2-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp
Filesize: 9.9MB
-
memory/2436-10-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp
Filesize: 9.9MB
-
memory/2508-8-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp
Filesize: 9.9MB
-
memory/2508-9-0x00000000012C0000-0x00000000015E4000-memory.dmp
Filesize: 3.1MB
-
memory/2508-11-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp
Filesize: 9.9MB
-
memory/2508-12-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp
Filesize: 9.9MB
-
memory/2508-13-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp
Filesize: 9.9MB