Analysis
- max time kernel: 359s
- max time network: 359s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 29-06-2024 23:01
Behavioral task: behavioral1
- Sample: Client-built.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: Client-built.exe
- Resource: win10v2004-20240508-en
General
- Target: Client-built.exe
- Size: 288KB
- MD5: 612513b20674942d2bcf4d0732e0b726
- SHA1: 26e71467d042ccc4ade033a000a1febac73170d7
- SHA256: d0b01d8716df6a5635967566bf4f89daba958ae5689561e956d33f644be14d38
- SHA512: ce278631bb21322df5daf5a7b1a8296c2030a1708ec4367e444f9c65138b6f345e79d45138ec24f616b9da94150e82ad4ec3bbcee4282501c7eee568cc50ed8a
- SSDEEP: 6144:6KJuiyEnCGnhJlMP5Kq+SMv0VGb7bDcllbkUC:pzCGL69zVGkllbkp
Malware Config
Extracted
- Family: quasar
- Version: 1.4.0.0
- Office04
- C2: Ratrat2-53904.portmap.host:53904
- KvGe0Q07bhebNCip9c
- encryption_key: urBKaVmkbLbNrQbAkgkI
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Steam
- subdirectory: SubDir
Signatures
- Quasar payload (3 IoCs)
  resource / yara_rule:
  - behavioral1/memory/2008-1-0x0000000000100000-0x000000000014E000-memory.dmp: family_quasar
  - \Program Files (x86)\SubDir\Client.exe: family_quasar
  - behavioral1/memory/2484-14-0x0000000000070000-0x00000000000BE000-memory.dmp: family_quasar
- Executes dropped EXE (2 IoCs)
  pid / process:
  - 2484 Client.exe
  - 2132 Client.exe
- Loads dropped DLL (7 IoCs)
  pid / process:
  - 2008 Client-built.exe
  - 2112 WerFault.exe (5 entries)
  - 1860 cmd.exe
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc:
  - 2 ip-api.com
  - 6 api.ipify.org
  - 7 ip-api.com
  - 9 api.ipify.org
- Drops file in Program Files directory (4 IoCs)
  description / ioc / process:
  - File opened for modification: C:\Program Files (x86)\SubDir (Client.exe)
  - File created: C:\Program Files (x86)\SubDir\Client.exe (Client-built.exe)
  - File opened for modification: C:\Program Files (x86)\SubDir\Client.exe (Client-built.exe)
  - File opened for modification: C:\Program Files (x86)\SubDir\Client.exe (Client.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid / process -> pid_target / target process:
  - 2112 WerFault.exe -> 2484 Client.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / process:
  - 2792 schtasks.exe
  - 1528 schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / process:
  - Token: SeDebugPrivilege, 2008 Client-built.exe
  - Token: SeDebugPrivilege, 2484 Client.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid / process:
  - 2484 Client.exe
- Suspicious use of WriteProcessMemory (32 IoCs)
  pid / process -> target pid / target process (each entry recorded 4 times):
  - 2008 Client-built.exe -> 2792 schtasks.exe
  - 2008 Client-built.exe -> 2484 Client.exe
  - 2484 Client.exe -> 1528 schtasks.exe
  - 2484 Client.exe -> 1860 cmd.exe
  - 2484 Client.exe -> 2112 WerFault.exe
  - 1860 cmd.exe -> 1676 chcp.com
  - 1860 cmd.exe -> 316 PING.EXE
  - 1860 cmd.exe -> 2132 Client.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  Signatures: Loads dropped DLL; Drops file in Program Files directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f
    Signatures: Scheduled Task/Job: Scheduled Task
  - C:\Program Files (x86)\SubDir\Client.exe
    Command line: "C:\Program Files (x86)\SubDir\Client.exe"
    Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
      Signatures: Scheduled Task/Job: Scheduled Task
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\phpnOs7WwoZV.bat" "
      Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\chcp.com
        Command line: chcp 65001
      - C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 10 localhost
        Signatures: Runs ping.exe
      - C:\Program Files (x86)\SubDir\Client.exe
        Command line: "C:\Program Files (x86)\SubDir\Client.exe"
        Signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 1412
      Signatures: Loads dropped DLL; Program crash
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\phpnOs7WwoZV.bat
  Filesize: 199B
  MD5: 37492236864cab5cb1446d405ff5665b
  SHA1: f36b6db713473008af2b8fea94a777512beb2b54
  SHA256: dc06a69c7373eeb0060765c0f8fddaecf246256ee2b1f904df39209355264f8c
  SHA512: 74780b7dfa37dedb573d055c6c4a2aadefec08f22ba88453678a5901a3f745975299070474a8ffc671679ed14d3214bc0bb950fb79f0a2816a11879e3bc349d4
- \Program Files (x86)\SubDir\Client.exe
  Filesize: 288KB
  MD5: 612513b20674942d2bcf4d0732e0b726
  SHA1: 26e71467d042ccc4ade033a000a1febac73170d7
  SHA256: d0b01d8716df6a5635967566bf4f89daba958ae5689561e956d33f644be14d38
  SHA512: ce278631bb21322df5daf5a7b1a8296c2030a1708ec4367e444f9c65138b6f345e79d45138ec24f616b9da94150e82ad4ec3bbcee4282501c7eee568cc50ed8a
- memory/2008-0-0x000000007495E000-0x000000007495F000-memory.dmp (Filesize: 4KB)
- memory/2008-1-0x0000000000100000-0x000000000014E000-memory.dmp (Filesize: 312KB)
- memory/2008-2-0x0000000074950000-0x000000007503E000-memory.dmp (Filesize: 6.9MB)
- memory/2008-3-0x000000007495E000-0x000000007495F000-memory.dmp (Filesize: 4KB)
- memory/2008-4-0x0000000074950000-0x000000007503E000-memory.dmp (Filesize: 6.9MB)
- memory/2008-13-0x0000000074950000-0x000000007503E000-memory.dmp (Filesize: 6.9MB)
- memory/2484-12-0x0000000074950000-0x000000007503E000-memory.dmp (Filesize: 6.9MB)
- memory/2484-14-0x0000000000070000-0x00000000000BE000-memory.dmp (Filesize: 312KB)
- memory/2484-15-0x0000000074950000-0x000000007503E000-memory.dmp (Filesize: 6.9MB)
- memory/2484-16-0x0000000074950000-0x000000007503E000-memory.dmp (Filesize: 6.9MB)