Analysis
max time kernel: 126s
max time network: 136s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64 arch:x86 image:win7-20240611-en locale:en-us os:windows7-x64 system
submitted: 30-06-2024 16:46
Behavioral task: behavioral1
Sample: Client-built.exe
Resource: win7-20240611-en
General
Target: Client-built.exe
Size: 3.1MB
MD5: 4f56c5c10fd6d558874a09e5d4dbdffd
SHA1: 5b9692b0cfc0da65752a7c6e98528a49ef1b17b9
SHA256: 0a1af9ad6684d877f7c58b00bec90875ccfd709f547fe396a87a9c26e881977b
SHA512: 699ff682370ee44a41af76686435f41682910d1291fbe159570f51e1aed05331dfce20074b3d5cd5937dfe6a8db651f8a4f320b4bf2fe2f38d585b8d4b95c8b4
SSDEEP: 49152:GvnI22SsaNYfdPBldt698dBcjHnKmmmmzzRoGdJCTHHB72eh2NT:GvI22SsaNYfdPBldt6+dBcjHKmmh
Malware Config
Extracted
quasar
1.4.1
Office04
86.137.1.84:4782
adc301f6-35ca-4636-b286-ad2aef63f877
encryption_key: 54B7AB1A151267275EF24D335CE7E3B6ABDDC53E
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Microsoft Launcher Task Manager
subdirectory: SubDir
Signatures

Quasar payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1124-1-0x0000000000F80000-0x00000000012A4000-memory.dmp | family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | family_quasar
behavioral1/memory/2264-9-0x00000000012C0000-0x00000000015E4000-memory.dmp | family_quasar

Executes dropped EXE 1 IoCs
Processes:
pid | process
2264 | Client.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
2612 | schtasks.exe
2740 | schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1124 | Client-built.exe
Token: SeDebugPrivilege | 2264 | Client.exe

Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
2264 | Client.exe

Suspicious use of SendNotifyMessage 1 IoCs
Processes:
pid | process
2264 | Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
2264 | Client.exe

Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 1124 wrote to memory of 2612 | 1124 | Client-built.exe | schtasks.exe
PID 1124 wrote to memory of 2612 | 1124 | Client-built.exe | schtasks.exe
PID 1124 wrote to memory of 2612 | 1124 | Client-built.exe | schtasks.exe
PID 1124 wrote to memory of 2264 | 1124 | Client-built.exe | Client.exe
PID 1124 wrote to memory of 2264 | 1124 | Client-built.exe | Client.exe
PID 1124 wrote to memory of 2264 | 1124 | Client-built.exe | Client.exe
PID 2264 wrote to memory of 2740 | 2264 | Client.exe | schtasks.exe
PID 2264 wrote to memory of 2740 | 2264 | Client.exe | schtasks.exe
PID 2264 wrote to memory of 2740 | 2264 | Client.exe | schtasks.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Microsoft Launcher Task Manager" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Microsoft Launcher Task Manager" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize: 3.1MB
MD5: 4f56c5c10fd6d558874a09e5d4dbdffd
SHA1: 5b9692b0cfc0da65752a7c6e98528a49ef1b17b9
SHA256: 0a1af9ad6684d877f7c58b00bec90875ccfd709f547fe396a87a9c26e881977b
SHA512: 699ff682370ee44a41af76686435f41682910d1291fbe159570f51e1aed05331dfce20074b3d5cd5937dfe6a8db651f8a4f320b4bf2fe2f38d585b8d4b95c8b4

memory/1124-0-0x000007FEF5703000-0x000007FEF5704000-memory.dmp
Filesize: 4KB

memory/1124-1-0x0000000000F80000-0x00000000012A4000-memory.dmp
Filesize: 3.1MB

memory/1124-2-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp
Filesize: 9.9MB

memory/1124-10-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp
Filesize: 9.9MB

memory/2264-8-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp
Filesize: 9.9MB

memory/2264-9-0x00000000012C0000-0x00000000015E4000-memory.dmp
Filesize: 3.1MB

memory/2264-11-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp
Filesize: 9.9MB

memory/2264-12-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp
Filesize: 9.9MB