Analysis
max time kernel: 299s
max time network: 300s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 30-06-2024 14:46
Behavioral task behavioral1
Sample: Client-built.exe
Resource: win7-20240508-en

Behavioral task behavioral2
Sample: Client-built.exe
Resource: win10v2004-20240611-en
General
Target: Client-built.exe
Size: 3.1MB
MD5: bd22cd33208d9f613123693356b06a31
SHA1: 30f84ab122328cbdbb0059f233056ef3e123c59c
SHA256: aeea5611efcebc1112055000624ea27dbd3d9a05dae851732a983e7ec287b190
SHA512: 134ce387dab94c55a2d85b647d1eb65000b67184cb83d5c2486d777ba7729d4c7d99f59fabe8fde7bfde588b99d3149f847fed4a96cc6e085265eea2d5f55186
SSDEEP: 49152:HvulL26AaNeWgPhlmVqvMQ7XSKUVm+mzghoGdSmTHHB72eh2NT:HveL26AaNeWgPhlmVqkQ7XSKUVmy
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Spoffer Fivem
C2: pringelsy-53072.portmap.host:53072
Mutex: c70aabf1-c896-42de-8406-22e4348930d6
encryption_key: 3107DF2D44BB6914C55BEA57D100135AB0F278DF
install_name: alg.exe
log_directory: Logs
reconnect_delay: 799
startup_key: Quasar Client Startup
subdirectory: Common Files

Reading the config against the behaviour below: subdirectory plus install_name resolve to C:\Program Files\Common Files\alg.exe, the path in the file-drop and scheduled-task signatures, and the filename borrows that of the Windows Application Layer Gateway service binary, which legitimately lives only in C:\Windows\System32. startup_key is reused verbatim as the scheduled task name. The C2 is a portmap.host port-forwarding hostname, so the operator's own address is not visible in the config; the "Spoffer Fivem" tag and the client-build name suggest the sample was distributed as a FiveM cheat/spoofer.
Signatures

Quasar payload 3 IoCs
Resources matching YARA rule family_quasar:
- behavioral1/memory/1276-1-0x0000000000090000-0x00000000003B4000-memory.dmp
- C:\Program Files\Common Files\alg.exe
- behavioral1/memory/2948-9-0x0000000001270000-0x0000000001594000-memory.dmp
Executes dropped EXE 1 IoCs
Processes:
- PID 2948 alg.exe
Drops file in Program Files directory 5 IoCs
Processes (description, IoC, process):
- File created: C:\Program Files\Common Files\alg.exe (Client-built.exe)
- File opened for modification: C:\Program Files\Common Files\alg.exe (Client-built.exe)
- File opened for modification: C:\Program Files\Common Files (Client-built.exe)
- File opened for modification: C:\Program Files\Common Files\alg.exe (alg.exe)
- File opened for modification: C:\Program Files\Common Files (alg.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here both the original sample and its installed copy register the same ONLOGON task, "Quasar Client Startup", with /rl HIGHEST, so the client is relaunched with the highest integrity level the logging-on account can obtain; /f overwrites any existing task of that name without prompting.
Processes:
- PID 2160 schtasks.exe
- PID 2684 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- Token: SeDebugPrivilege, PID 1276 Client-built.exe
- Token: SeDebugPrivilege, PID 2948 alg.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
- PID 2948 alg.exe

Suspicious use of SendNotifyMessage 1 IoCs
Processes:
- PID 2948 alg.exe

Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- PID 2948 alg.exe
Only the installed copy triggers these three signatures. A Windows hook installed by the persistent client is consistent with Quasar's keylogger, which captures keystrokes through a low-level keyboard hook; the report does not show what hook type was requested, so treat this as corroborating rather than conclusive.
Suspicious use of WriteProcessMemory 9 IoCs
Processes (source PID and process, target PID and process):
- 1276 Client-built.exe wrote to 2160 schtasks.exe (3 writes)
- 1276 Client-built.exe wrote to 2948 alg.exe (3 writes)
- 2948 alg.exe wrote to 2684 schtasks.exe (3 writes)
Each group of three writes lands in a child the source has just spawned (compare the process tree), which is the pattern an ordinary CreateProcess produces when it sets up the new process; nothing in the report shows writes into a pre-existing, unrelated process, so this signature on its own is not evidence of injection.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\Client-built.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\alg.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

  (depth 2) C:\Program Files\Common Files\alg.exe
  Command line: "C:\Program Files\Common Files\alg.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\alg.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
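The two schtasks command lines in the process tree are the most reusable detection material in this report. The script below is an added example, not part of the Triage report or of the Quasar project: it parses Windows `schtasks /create` command lines as a sandbox or EDR would log them and flags the combination seen here (a logon trigger with `/rl HIGHEST`, a system-service binary name such as alg.exe launched from outside System32, and the Quasar default task name). The input list is constructed for the example: the two schtasks lines are copied from the tree above, the "Nightly Backup" task is a hypothetical benign control, and the function names are my own.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Tokeniser for Windows command lines: a double-quoted run or a bare word.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# schtasks switches that consume the following token as their value.
VALUE_SWITCHES = {"/tn", "/sc", "/tr", "/rl", "/ru", "/rp", "/mo", "/st", "/sd", "/ed"}
# Service binary names malware likes to borrow; the genuine ones live in System32.
SYSTEM_BINARY_NAMES = {"alg.exe", "svchost.exe", "lsass.exe", "csrss.exe", "spoolsv.exe", "dllhost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample input: lines 2 and 4 are the schtasks invocations from this
# report's process tree; line 5 is a hypothetical benign task for contrast.
SAMPLE_PROCESS_TREE = [
    r'"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"',
    r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\alg.exe" /rl HIGHEST /f',
    r'"C:\Program Files\Common Files\alg.exe"',
    r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\alg.exe" /rl HIGHEST /f',
    r'"schtasks" /create /tn "Nightly Backup" /sc DAILY /st 02:00 /tr "C:\Program Files\ExampleBackup\backup.exe"',
]


@dataclass
class TaskCreate:
    name: str       # /tn, quotes stripped
    schedule: str   # /sc, upper-cased
    action: str     # /tr exactly as given (may keep its quotes)
    run_level: str  # /rl, upper-cased
    force: bool     # /f present


def _unquote(tok: str) -> str:
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def action_exe(action: str) -> str:
    """First token of a /tr value: the program the task launches, quotes stripped."""
    toks = TOKEN_RE.findall(action)
    return _unquote(toks[0]) if toks else ""


def parse_schtasks(cmdline: str) -> Optional[TaskCreate]:
    """Return a TaskCreate for a 'schtasks /create' command line, else None."""
    raw = TOKEN_RE.findall(cmdline)
    if not raw or ntpath.basename(_unquote(raw[0])).lower() not in ("schtasks", "schtasks.exe"):
        return None
    opts, flags, i = {}, set(), 1
    while i < len(raw):
        tok = _unquote(raw[i]).lower()
        if tok in VALUE_SWITCHES and i + 1 < len(raw):
            opts[tok] = raw[i + 1]   # keep the raw token so quoted paths survive
            i += 2
        else:
            if tok.startswith("/"):
                flags.add(tok)
            i += 1
    if "/create" not in flags:
        return None
    return TaskCreate(
        name=_unquote(opts.get("/tn", "")),
        schedule=_unquote(opts.get("/sc", "")).upper(),
        action=opts.get("/tr", ""),
        run_level=_unquote(opts.get("/rl", "")).upper(),
        force="/f" in flags,
    )


def assess(task: TaskCreate) -> list:
    """Apply the persistence heuristics; returns a list of finding strings."""
    findings = []
    exe = action_exe(task.action)
    exe_l = exe.lower()
    if task.schedule in ("ONLOGON", "ONSTART") and task.run_level == "HIGHEST":
        findings.append("logon/boot trigger combined with /rl HIGHEST (auto-elevating persistence)")
    base = ntpath.basename(exe_l)
    if base in SYSTEM_BINARY_NAMES and not exe_l.startswith(SYSTEM_DIRS):
        findings.append(f"system binary name {base} launched from outside System32: {exe}")
    if task.name.lower() == "quasar client startup":
        findings.append("task name matches the Quasar client default startup_key")
    return findings


def hunt(lines) -> list:
    """Scan process-tree command lines; return one record per task that has findings."""
    hits = []
    for line in lines:
        task = parse_schtasks(line)
        if task is None:
            continue
        findings = assess(task)
        if findings:
            hits.append({"task": task.name, "exe": action_exe(task.action),
                         "force": task.force, "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_PROCESS_TREE):
        print(f'{hit["task"]} -> {hit["exe"]} (force={hit["force"]})')
        for f in hit["findings"]:
            print("   *", f)
```

The same parser works on Sysmon event ID 1 or EDR command-line fields; the heuristics are deliberately independent of the task name so a rebuilt client with a changed startup_key still trips the first two rules.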
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Program Files\Common Files\alg.exe
Filesize: 3.1MB
MD5: bd22cd33208d9f613123693356b06a31
SHA1: 30f84ab122328cbdbb0059f233056ef3e123c59c
SHA256: aeea5611efcebc1112055000624ea27dbd3d9a05dae851732a983e7ec287b190
SHA512: 134ce387dab94c55a2d85b647d1eb65000b67184cb83d5c2486d777ba7729d4c7d99f59fabe8fde7bfde588b99d3149f847fed4a96cc6e085265eea2d5f55186
The dropped alg.exe has the same size and hashes as the submitted Client-built.exe: the first run copies itself byte-for-byte to the install path, so a hash match on either filename identifies the same binary.
memory/1276-0-0x000007FEF5D83000-0x000007FEF5D84000-memory.dmp
Filesize: 4KB

memory/1276-1-0x0000000000090000-0x00000000003B4000-memory.dmp
Filesize: 3.1MB

memory/1276-2-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp
Filesize: 9.9MB

memory/1276-8-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp
Filesize: 9.9MB

memory/2948-10-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp
Filesize: 9.9MB

memory/2948-9-0x0000000001270000-0x0000000001594000-memory.dmp
Filesize: 3.1MB

memory/2948-11-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp
Filesize: 9.9MB

memory/2948-12-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp
Filesize: 9.9MB

memory/2948-13-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp
Filesize: 9.9MB
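Nine dumps are listed but only two carry the payload, and the report's own data is enough to pick them without opening any file. The script below is an added example (not Triage's code): it parses the dump names, which encode PID and address range, computes each region's size, and selects the regions whose size matches the 3.1MB dropped file; those are the full in-memory image of the client and the right input for a config extractor. The dump list, the file size and the two YARA-hit names are copied from this report; the helper names are my own.

```python
import re
from collections import defaultdict

# Triage names a dump memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
MIB = 1024 * 1024  # the report's "3.1MB" / "9.9MB" are 1024-based

# Constructed input: dump names and dropped-file size as printed in this report,
# plus the two dumps the family_quasar YARA rule matched.
REPORT_DUMPS = [
    "memory/1276-0-0x000007FEF5D83000-0x000007FEF5D84000-memory.dmp",
    "memory/1276-1-0x0000000000090000-0x00000000003B4000-memory.dmp",
    "memory/1276-2-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp",
    "memory/1276-8-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp",
    "memory/2948-10-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp",
    "memory/2948-9-0x0000000001270000-0x0000000001594000-memory.dmp",
    "memory/2948-11-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp",
    "memory/2948-12-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp",
    "memory/2948-13-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp",
]
YARA_QUASAR_HITS = {
    "memory/1276-1-0x0000000000090000-0x00000000003B4000-memory.dmp",
    "memory/2948-9-0x0000000001270000-0x0000000001594000-memory.dmp",
}
DROPPED_FILE_MB = 3.1


def parse_dump(name):
    """Decode PID, index and address range from a Triage dump name; None if not one."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"name": name, "pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def image_candidates(names, file_mb, tolerance=0.1):
    """Dumps whose region size is within `tolerance` (fraction) of the file size in MiB."""
    out = []
    for n in names:
        d = parse_dump(n)
        if d and abs(d["size"] / MIB - file_mb) <= tolerance * file_mb:
            out.append(d)
    return out


def distinct_regions(names):
    """Collapse repeated dumps of one range: (start, end) -> set of PIDs it was seen in."""
    seen = defaultdict(set)
    for n in names:
        d = parse_dump(n)
        if d:
            seen[(d["start"], d["end"])].add(d["pid"])
    return dict(seen)


if __name__ == "__main__":
    for d in image_candidates(REPORT_DUMPS, DROPPED_FILE_MB):
        tag = "YARA hit" if d["name"] in YARA_QUASAR_HITS else "no YARA hit"
        print(f'pid {d["pid"]} 0x{d["start"]:X}-0x{d["end"]:X} {d["size"]} bytes ({tag})')
    for (start, end), pids in distinct_regions(REPORT_DUMPS).items():
        print(f"region 0x{start:X}-0x{end:X}: {end - start} bytes in pids {sorted(pids)}")
```

On this report the size match selects exactly the two dumps the YARA rule fired on, each 0x324000 bytes, the same image mapped at a different base in each process. The 9.9MB region sits at the same address (0x000007FEF5D80000) in both PIDs, which is what a mapped module shared by both processes looks like, not the payload; dumping it repeatedly adds nothing to the analysis.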