Analysis
- max time kernel: 1s
- max time network: 25s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 00:10
General
- Target: Client-built.exe
- Size: 3.3MB
- MD5: d5228d8272c425d9aa1af3a1ab93d9fd
- SHA1: f88b9a56ed8377a277a8a6b7b09d01779824fae8
- SHA256: f1512bfeff65f189db2ba206fe9b51764b67e60526c3d1c0482feff63a4fa95b
- SHA512: d92d45cc8ac140e7581d743a365e2a943a983e83195f5e363ebf72ab7ba98a772099103bdb2909728cd65e4262d5505e55e795b1a00bdfb9c8d9df9c852e8741
- SSDEEP: 49152:0v8go2QSaNpzyPllgamb0CZof/JZXxNESEuk/iWLoGdqITHHB72eh2NT:0vNo2QSaNpzyPllgamYCZof/JBxdY6
Malware Config
Extracted
- family: quasar
- reconnect_delay: 3000
Signatures
- Quasar payload (2 IoCs)
  Processes:
    resource: behavioral1/memory/1040-1-0x0000000000890000-0x0000000000BDE000-memory.dmp, yara_rule: family_quasar
    resource: C:\Program Files\Miicrosoft Security\NewCheats.exe, yara_rule: family_quasar
- Drops file in Program Files directory (2 IoCs)
  Processes:
    description: File created, ioc: C:\Program Files\Miicrosoft Security\NewCheats.exe, process: Client-built.exe
    description: File opened for modification, ioc: C:\Program Files\Miicrosoft Security\NewCheats.exe, process: Client-built.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    pid: 2800, process: schtasks.exe
    pid: 5032, process: schtasks.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeDebugPrivilege, pid: 1040, process: Client-built.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
    description: PID 1040 wrote to memory of 2800, pid: 1040, process: Client-built.exe, target process: schtasks.exe
    description: PID 1040 wrote to memory of 2800, pid: 1040, process: Client-built.exe, target process: schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "Miicrosoft Security" /sc ONLOGON /tr "C:\Program Files\Miicrosoft Security\NewCheats.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
  - C:\Program Files\Miicrosoft Security\NewCheats.exe
    Command line: "C:\Program Files\Miicrosoft Security\NewCheats.exe"
    - C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks" /create /tn "Miicrosoft Security" /sc ONLOGON /tr "C:\Program Files\Miicrosoft Security\NewCheats.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Program Files\Miicrosoft Security\NewCheats.exe
  Filesize: 2.2MB
  MD5: 206ab1e2f22509d064439afe0ed30aee
  SHA1: 4d02aef9c6d978b24bc93b43e66b61491944d9fd
  SHA256: ce8d4a18e9154f6fff40a109fc885ddd03f5457e2086f743793758a654b55f68
  SHA512: 8165d467f505ebbcde733a84d8dbed02b59709d7167d21714c01342af90049a8542fa17a3f2e1527c2364a81b6d45055800d6fcb3d84fad508d9c50fd118418b
- C:\Program Files\Miicrosoft Security\NewCheats.exe
  Filesize: 2.3MB
  MD5: 4831ee06e795a47aff7f78e4595ddfed
  SHA1: bad4669d3eb9db5588c4110734cf232031b84c7f
  SHA256: 9b1a89c2ccad74b28c30cd8f3324b61140d79a377a7007c7fdb16c64d87de391
  SHA512: 311a91cd83e7a2bf7afd15bcfed983908bd3def234ac0effee088e96742148c1d38aad38016da8b30b49128fa79c68ed8e62c71b8bd03ff08abf643a16a24926
- memory/1040-0-0x00007FFB98E13000-0x00007FFB98E15000-memory.dmp
  Filesize: 8KB
- memory/1040-1-0x0000000000890000-0x0000000000BDE000-memory.dmp
  Filesize: 3.3MB
- memory/1040-2-0x00007FFB98E10000-0x00007FFB998D1000-memory.dmp
  Filesize: 10.8MB
- memory/1040-9-0x00007FFB98E10000-0x00007FFB998D1000-memory.dmp
  Filesize: 10.8MB
- memory/2888-10-0x00007FFB98E10000-0x00007FFB998D1000-memory.dmp
  Filesize: 10.8MB
- memory/2888-11-0x00007FFB98E10000-0x00007FFB998D1000-memory.dmp
  Filesize: 10.8MB
- memory/2888-12-0x0000000002890000-0x00000000028E0000-memory.dmp
  Filesize: 320KB
- memory/2888-13-0x000000001D260000-0x000000001D312000-memory.dmp
  Filesize: 712KB