Analysis
  max time kernel:   125s
  max time network:  136s
  platform:          windows7_x64
  resource:          win7-20240611-en
  resource tags:     arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  submitted:         30-06-2024 16:10

Behavioral task: behavioral1
  Sample:   Client-built (1).exe
  Resource: win7-20240611-en
General
  Target:  Client-built (1).exe
  Size:    3.1MB
  MD5:     acae78b76f4b990b86e2d2d5edfbb6fe
  SHA1:    0407bc802c64787ffd2baf35f6ef6c186e88d1dc
  SHA256:  afaf1fafdbbd222021f2d6dc870e4026866a2be055654207be312d6d9cbf3bf4
  SHA512:  8ff3124fa36c76ee7da622cf6faa6e992369dd6211e9808896afb32b677dadbbf65ed36748c8b7edfd0d01a706b3e38e293053f10e2d983017061f82fc426ee3
  SSDEEP:  49152:SvnI22SsaNYfdPBldt698dBcjHBuRJ6dbR3LoGdKITHHB72eh2NT:SvI22SsaNYfdPBldt6+dBcjHBuRJ6v6
Malware Config
Extracted: quasar
  version:          1.4.1
  botnet:           Office04
  c2:               192.168.1.150:4782
  mutex:            adc301f6-35ca-4636-b286-ad2aef63f877
  encryption_key:   54B7AB1A151267275EF24D335CE7E3B6ABDDC53E
  install_name:     Client.exe
  log_directory:    Logs
  reconnect_delay:  3000
  startup_key:      Microsoft Launcher Task Manager
  subdirectory:     SubDir
Signatures

Quasar payload (3 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/1176-1-0x0000000000030000-0x0000000000354000-memory.dmp  family_quasar
  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe                            family_quasar
  behavioral1/memory/1328-9-0x0000000000110000-0x0000000000434000-memory.dmp  family_quasar

Executes dropped EXE (1 IoC)
  pid   process
  1328  Client.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process
  1364  schtasks.exe
  2764  schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  1176  Client-built (1).exe
  Token: SeDebugPrivilege  1328  Client.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   process
  1328  Client.exe

Suspicious use of SendNotifyMessage (1 IoC)
  pid   process
  1328  Client.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  1328  Client.exe

Suspicious use of WriteProcessMemory (9 IoCs; each row below appears three times in the report)
  description                       pid   process               target process
  PID 1176 wrote to memory of 1364  1176  Client-built (1).exe  schtasks.exe
  PID 1176 wrote to memory of 1328  1176  Client-built (1).exe  Client.exe
  PID 1328 wrote to memory of 2764  1328  Client.exe            schtasks.exe

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\Client-built (1).exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Client-built (1).exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "Microsoft Launcher Task Manager" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

  (depth 2) C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\system32\schtasks.exe
      command line: "schtasks" /create /tn "Microsoft Launcher Task Manager" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
Downloads

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Filesize: 3.1MB
  MD5:      acae78b76f4b990b86e2d2d5edfbb6fe
  SHA1:     0407bc802c64787ffd2baf35f6ef6c186e88d1dc
  SHA256:   afaf1fafdbbd222021f2d6dc870e4026866a2be055654207be312d6d9cbf3bf4
  SHA512:   8ff3124fa36c76ee7da622cf6faa6e992369dd6211e9808896afb32b677dadbbf65ed36748c8b7edfd0d01a706b3e38e293053f10e2d983017061f82fc426ee3

memory/1176-0-0x000007FEF58F3000-0x000007FEF58F4000-memory.dmp
  Filesize: 4KB

memory/1176-1-0x0000000000030000-0x0000000000354000-memory.dmp
  Filesize: 3.1MB

memory/1176-2-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp
  Filesize: 9.9MB

memory/1176-10-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp
  Filesize: 9.9MB

memory/1328-8-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp
  Filesize: 9.9MB

memory/1328-9-0x0000000000110000-0x0000000000434000-memory.dmp
  Filesize: 3.1MB

memory/1328-11-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp
  Filesize: 9.9MB

memory/1328-12-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp
  Filesize: 9.9MB