Analysis
- max time kernel: 15s
- max time network: 25s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-06-2024 11:22
Behavioral tasks (one per sample/resource pair in the submitted archive)
- behavioral1: New folder.zip on win10v2004-20240508-en
- behavioral2: New folder.zip on win11-20240508-en
- behavioral3: New folder/Client-built - Copy.exe on win10v2004-20240611-en
- behavioral4: New folder/Client-built - Copy.exe on win11-20240508-en
- behavioral5: New folder/hamachi.msi on win10v2004-20240226-en
- behavioral6: New folder/hamachi.msi on win11-20240508-en
General (this page is behavioral3: the extracted Client-built - Copy.exe run on win10v2004-20240611-en)
- Target: New folder/Client-built - Copy.exe
- Size: 3.1MB
- MD5: f3802bd8f99e5c9ca6c04a7addc2d0d8
- SHA1: 96c6b9feffe04c5fbefc48802ac0635f596c6a33
- SHA256: 6dc99f25c5f794d14323fa2ed8ec891ea2fd81c359d676052574585471984d06
- SHA512: 5eb55bf1c70c40124a4d4df4c20ece52d6ed060c874c01f1fe4b130056edead2dad3a3dd919a487f2dec03d7e5e684883770c48e53932ac7c44b8ab03dbb84ce
- SSDEEP: 49152:OvjI22SsaNYfdPBldt698dBcjHAd19LoGdGTHHB72eh2NT:Ovc22SsaNYfdPBldt6+dBcjHAd11
Malware Config
Extracted
- family: quasar
- version: 1.4.1
- botnet (tag): Office04
- c2: 10.240.115.45:4782
- mutex: 2cc201c7-b02e-4a34-8806-aa9a8d33ae2d
- encryption_key: 64024FEFC383421D2550E88D4DBE252B6BA53116
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Quasar Client Startup
- subdirectory: SubDir
10.240.115.45 is an RFC 1918 private address, so the C2 is reachable only from inside the operator's own network (or over a VPN into it) and the sandbox cannot observe a beacon; the submitted archive also carries hamachi.msi (LogMeIn Hamachi, a VPN client), which is the kind of tooling such a setup needs, but nothing on this page ties the two together. The install_name, subdirectory and startup_key values are exactly what the process tree below reproduces: the drop path %APPDATA%\SubDir\Client.exe and the scheduled task "Quasar Client Startup".
Signatures
- Quasar payload (2 IoCs)
  YARA rule family_quasar matched on:
  - behavioral3/memory/3740-1-0x0000000000FB0000-0x00000000012D4000-memory.dmp (the 3.1MB main image of the submitted sample)
  - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (the dropped copy)
- Executes dropped EXE (1 IoC)
  - PID 2924 Client.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 4644 schtasks.exe (spawned by the submitted sample)
  - PID 1220 schtasks.exe (spawned by the dropped Client.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token SeDebugPrivilege enabled by PID 3740 Client-built - Copy.exe
  - Token SeDebugPrivilege enabled by PID 2924 Client.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 2924 Client.exe
  Only the installed copy sets a hook; a user-mode keyboard hook via SetWindowsHookEx is how Quasar's keylogger module captures input, which is consistent with the client starting its modules once it runs from the install path.
- Suspicious use of WriteProcessMemory (6 IoCs; each pair is recorded twice)
  - PID 3740 Client-built - Copy.exe wrote to memory of PID 4644 schtasks.exe
  - PID 3740 Client-built - Copy.exe wrote to memory of PID 2924 Client.exe
  - PID 2924 Client.exe wrote to memory of PID 1220 schtasks.exe
  These writes line up with the parent/child edges in the process tree below; the sandbox records the parent writing into a freshly created child as WriteProcessMemory, so on their own they do not indicate injection into an unrelated process.
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indented by depth in the tree)
- C:\Users\Admin\AppData\Local\Temp\New folder\Client-built - Copy.exe (PID 3740, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\New folder\Client-built - Copy.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\schtasks.exe (PID 4644, depth 2)
    Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2924, depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\schtasks.exe (PID 1220, depth 3)
      Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1; an Edge utility process of the sandbox image, not a child of the sample, with no signatures)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4016,i,3144109701624127473,12586215149656995128,262144 --variations-seed-version --mojo-platform-channel-handle=4236 /prefetch:8
The chain is: the submitted binary registers the logon task, copies itself to %APPDATA%\SubDir\Client.exe and starts that copy; the copy then re-runs the identical schtasks /create with /f, so the task is recreated (and any edits overwritten) on every client start. /sc ONLOGON with /rl HIGHEST requests the task run with the user's highest available token at logon; on an admin account that is the elevated token without a UAC prompt.
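The two schtasks invocations above carry the whole persistence story: an ONLOGON trigger, /rl HIGHEST, a binary under a user-writable AppData path, /f to overwrite, and the default Quasar task name. The Python below is an added example, not part of the Triage report or of the Quasar project, showing how to turn that pattern into detection logic over schtasks command lines as a Sysmon Event ID 1 or EDR process-creation feed would deliver them. The sample command lines are constructed; the first reproduces the one recorded in this report and the other three are made up for contrast. The switch names, the user-writable directory list and the verdict rule are the author's assumptions, not a Triage or Quasar artefact.

```python
import re
from dataclasses import dataclass, field

# Constructed sample command lines, as an EDR or Sysmon Event ID 1 feed would
# deliver them. The first reproduces the invocation recorded in this report;
# the other three are made up for contrast.
SAMPLE_CMDLINES = [
    '"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON '
    '/tr "C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe" /rl HIGHEST /f',
    'schtasks /create /tn "OneDrive Update" /sc ONSTART '
    '/tr "C:\\Users\\Public\\update.exe" /rl HIGHEST /f',
    'schtasks /create /tn "Nightly Backup" /sc DAILY /st 02:00 '
    '/tr "C:\\Program Files\\Backup\\backup.exe"',
    'schtasks /query /tn "Nightly Backup"',
]

# Default task name from Quasar's client builder (the startup_key in the
# extracted config). Operators can change it, so it is a strong indicator
# when present but its absence proves nothing.
QUASAR_DEFAULT_TASK_NAME = "Quasar Client Startup"

# Locations a standard user can write to (assumed list, extend for your estate).
# A logon task launching an EXE from one of these with /rl HIGHEST is the
# dropped-RAT persistence shape seen in this report.
USER_WRITABLE_DIRS = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\",
    "\\users\\public\\",
    "\\programdata\\",
)

_TOKEN = re.compile(r'"[^"]*"|\S+')  # a double-quoted string or a bare word


def parse_schtasks(cmdline: str) -> dict:
    """Map schtasks switches to their values; switches without a value map to True."""
    tokens = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    args = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            # The next token is this switch's value unless it is itself a switch.
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                args[key] = tokens[i + 1]
                i += 2
                continue
            args[key] = True
        i += 1
    return args


@dataclass
class Finding:
    cmdline: str
    task_name: str = ""
    run_path: str = ""
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Verdict rule (an assumption): the Quasar default name alone, or an
        # auto-start trigger combined with a binary in a user-writable directory.
        return "known_quasar_task_name" in self.reasons or (
            "boot_or_logon_trigger" in self.reasons
            and "binary_in_user_writable_dir" in self.reasons
        )


def analyze(cmdline: str) -> Finding:
    """Score one schtasks invocation against the persistence pattern in this report."""
    args = parse_schtasks(cmdline)
    finding = Finding(cmdline=cmdline)
    if "create" not in args:
        return finding  # /query, /delete and /run are not persistence by themselves
    finding.task_name = str(args.get("tn", ""))
    finding.run_path = str(args.get("tr", ""))
    if finding.task_name == QUASAR_DEFAULT_TASK_NAME:
        finding.reasons.append("known_quasar_task_name")
    if str(args.get("sc", "")).upper() in ("ONLOGON", "ONSTART"):
        finding.reasons.append("boot_or_logon_trigger")
    if str(args.get("rl", "")).upper() == "HIGHEST":
        finding.reasons.append("highest_run_level")
    if any(d in finding.run_path.lower() for d in USER_WRITABLE_DIRS):
        finding.reasons.append("binary_in_user_writable_dir")
    if args.get("f") is True:
        finding.reasons.append("force_overwrite")
    return finding


def scan(cmdlines) -> list:
    """Return only the findings that trip the verdict rule."""
    return [f for f in (analyze(c) for c in cmdlines) if f.suspicious]


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"{f.task_name!r} -> {f.run_path}  [{', '.join(f.reasons)}]")
```

Run against the constructed feed it reports the report's own task and the renamed look-alike, and passes the DAILY backup task and the /query. The parser is deliberately switch-agnostic so the same tokeniser works for /delete and /change, which an attacker cleaning up or re-pointing a task would use; the verdict rule is the part to tune, and the individual reasons are kept so an analyst can see why a line fired rather than just that it did.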
Downloads
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (3.1MB)
  MD5: f3802bd8f99e5c9ca6c04a7addc2d0d8
  SHA1: 96c6b9feffe04c5fbefc48802ac0635f596c6a33
  SHA256: 6dc99f25c5f794d14323fa2ed8ec891ea2fd81c359d676052574585471984d06
  SHA512: 5eb55bf1c70c40124a4d4df4c20ece52d6ed060c874c01f1fe4b130056edead2dad3a3dd919a487f2dec03d7e5e684883770c48e53932ac7c44b8ab03dbb84ce
  All four hashes are identical to the submitted Client-built - Copy.exe: the sample copies itself byte-for-byte to the install path rather than unpacking a second stage, so one file hash covers both the original and the persisted copy.
Memory dumps
- memory/3740-0-0x00007FFAAC523000-0x00007FFAAC525000-memory.dmp (8KB)
- memory/3740-1-0x0000000000FB0000-0x00000000012D4000-memory.dmp (3.1MB; the sample's main image, where family_quasar matched)
- memory/3740-2-0x00007FFAAC520000-0x00007FFAACFE1000-memory.dmp (10.8MB)
- memory/3740-9-0x00007FFAAC520000-0x00007FFAACFE1000-memory.dmp (10.8MB)
- memory/2924-8-0x00007FFAAC520000-0x00007FFAACFE1000-memory.dmp (10.8MB)
- memory/2924-10-0x00007FFAAC520000-0x00007FFAACFE1000-memory.dmp (10.8MB)
- memory/2924-11-0x000000001B2F0000-0x000000001B340000-memory.dmp (320KB)
- memory/2924-12-0x000000001BC80000-0x000000001BD32000-memory.dmp (712KB)
The 10.8MB region at 0x00007FFAAC520000 appears in both processes at the same base and is a shared module mapped into each, not sample-specific payload; the regions worth diffing are the 3.1MB main image in PID 3740 and the two smaller heap ranges in PID 2924.