Analysis
- max time kernel: 39s
- max time network: 44s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-06-2024 15:19
Behavioral task: behavioral1
- Sample: alg.exe
- Resource: win10v2004-20240226-en
General
- Target: alg.exe
- Size: 3.1MB
- MD5: 87c7c65dacaffa73b2c72c88fcd7f035
- SHA1: efadd3da8ac15975e828e92b8fdd05923c8f9731
- SHA256: fe89c93b688241af31c6d0e4603a354c842cbfec353dfce1dbd4561b1649988e
- SHA512: f0cf89e78e97df22958e064cd5ab842be0c11adf093875af98888f62eb99b625818512359ea268f116b00c9ed3ba6199cfcb94867e7bdf154ab8ce45dc8c4c21
- SSDEEP: 49152:/vulL26AaNeWgPhlmVqvMQ7XSKSCRJ6ibR3LoGd2THHB72eh2NT:/veL26AaNeWgPhlmVqkQ7XSKSCRJ6c
Malware Config
Extracted
- family: quasar
- version: 1.4.1
- botnet: Spoffer Fivem
- c2: pringelsy-53072.portmap.host:53072
- mutex: c70aabf1-c896-42de-8406-22e4348930d6
- encryption_key: 3107DF2D44BB6914C55BEA57D100135AB0F278DF
- install_name: alg.exe
- log_directory: Logs
- reconnect_delay: 799
- startup_key: Quasar Client Startup
- subdirectory: Common Files
Signatures

Quasar payload (2 IoCs)
- yara_rule family_quasar: behavioral1/memory/536-1-0x00000000001E0000-0x0000000000504000-memory.dmp
- yara_rule family_quasar: C:\Program Files\Common Files\alg.exe

Executes dropped EXE (1 IoC)
- pid 692: alg.exe

Drops file in Program Files directory (5 IoCs)
- File created: C:\Program Files\Common Files\alg.exe (process: alg.exe)
- File opened for modification: C:\Program Files\Common Files\alg.exe (process: alg.exe)
- File opened for modification: C:\Program Files\Common Files (process: alg.exe)
- File opened for modification: C:\Program Files\Common Files\alg.exe (process: alg.exe)
- File opened for modification: C:\Program Files\Common Files (process: alg.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- pid 1064: schtasks.exe
- pid 4512: schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, pid 536, alg.exe
- Token: SeDebugPrivilege, pid 692, alg.exe

Suspicious use of FindShellTrayWindow (1 IoC)
- pid 692: alg.exe

Suspicious use of SendNotifyMessage (1 IoC)
- pid 692: alg.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- pid 692: alg.exe

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 536 (alg.exe) wrote to memory of PID 1064 (schtasks.exe)
- PID 536 (alg.exe) wrote to memory of PID 1064 (schtasks.exe)
- PID 536 (alg.exe) wrote to memory of PID 692 (alg.exe)
- PID 536 (alg.exe) wrote to memory of PID 692 (alg.exe)
- PID 692 (alg.exe) wrote to memory of PID 4512 (schtasks.exe)
- PID 692 (alg.exe) wrote to memory of PID 4512 (schtasks.exe)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; nesting shows parent/child)

- C:\Users\Admin\AppData\Local\Temp\alg.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\alg.exe"
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\alg.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

  - C:\Program Files\Common Files\alg.exe
    Command line: "C:\Program Files\Common Files\alg.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\alg.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
Downloads

- C:\Program Files\Common Files\alg.exe
  Filesize: 3.1MB
  MD5: 87c7c65dacaffa73b2c72c88fcd7f035
  SHA1: efadd3da8ac15975e828e92b8fdd05923c8f9731
  SHA256: fe89c93b688241af31c6d0e4603a354c842cbfec353dfce1dbd4561b1649988e
  SHA512: f0cf89e78e97df22958e064cd5ab842be0c11adf093875af98888f62eb99b625818512359ea268f116b00c9ed3ba6199cfcb94867e7bdf154ab8ce45dc8c4c21

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\alg.exe.log
  Filesize: 1KB
  MD5: baf55b95da4a601229647f25dad12878
  SHA1: abc16954ebfd213733c4493fc1910164d825cac8
  SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
  SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Memory dumps (name, filesize):
- memory/536-0-0x00007FF82DDE3000-0x00007FF82DDE5000-memory.dmp: 8KB
- memory/536-1-0x00000000001E0000-0x0000000000504000-memory.dmp: 3.1MB
- memory/536-2-0x00007FF82DDE0000-0x00007FF82E8A1000-memory.dmp: 10.8MB
- memory/536-10-0x00007FF82DDE0000-0x00007FF82E8A1000-memory.dmp: 10.8MB
- memory/692-11-0x00007FF82DDE0000-0x00007FF82E8A1000-memory.dmp: 10.8MB
- memory/692-12-0x00007FF82DDE0000-0x00007FF82E8A1000-memory.dmp: 10.8MB
- memory/692-13-0x000000001D6C0000-0x000000001D710000-memory.dmp: 320KB
- memory/692-14-0x000000001D7D0000-0x000000001D882000-memory.dmp: 712KB
- memory/692-15-0x00007FF82DDE0000-0x00007FF82E8A1000-memory.dmp: 10.8MB
- memory/692-16-0x00007FF82DDE0000-0x00007FF82E8A1000-memory.dmp: 10.8MB