Analysis
- max time kernel: 150s
- max time network: 192s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 24-06-2021 13:06
Behavioral task: behavioral1
- Sample: 439e49a4df2f4bcc359283d02f612e98.exe
- Resource: win7v20210410
General
- Target: 439e49a4df2f4bcc359283d02f612e98.exe
- Size: 527KB
- MD5: 439e49a4df2f4bcc359283d02f612e98
- SHA1: bf6e8632bedeb80e72f664e2d4ca8b260a77115d
- SHA256: a792be03af23fe52b708d22df6cadeb3374bb5500416a862eee57ea56db20fd5
- SHA512: 4d1fd328d45b67ce5a8acb91fe25cbc6e4b6bc252ef95e94cb43ae3264f83f77d0e66cff16fbe8b40a2ac063c8b95758dd6969001a1d56a7e4f96ca3a786c992
Malware Config
Extracted
- family: quasar
- version: 1.4.0
- Office04
- 45.77.20.114:1604
- 39083318-6c39-4d8c-beda-fd48beb29cc9
- encryption_key: 7E1D5BE8A11725FE11CAC5785F9684E24960D4AC
- install_name: Media.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Media
- subdirectory: SubDir
Signatures

Quasar Payload (2 IoCs)
Processes (resource, yara_rule):
- C:\Users\Admin\AppData\Roaming\SubDir\Media.exe, family_quasar
- C:\Users\Admin\AppData\Roaming\SubDir\Media.exe, family_quasar

Executes dropped EXE (1 IoC)
Processes (pid, process):
- 296, Media.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1932, 439e49a4df2f4bcc359283d02f612e98.exe
- Token: SeDebugPrivilege, 296, Media.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid, process):
- 296, Media.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description, pid, process, target process):
- PID 1932 wrote to memory of 1700, 1932, 439e49a4df2f4bcc359283d02f612e98.exe, schtasks.exe
- PID 1932 wrote to memory of 1700, 1932, 439e49a4df2f4bcc359283d02f612e98.exe, schtasks.exe
- PID 1932 wrote to memory of 1700, 1932, 439e49a4df2f4bcc359283d02f612e98.exe, schtasks.exe
- PID 1932 wrote to memory of 296, 1932, 439e49a4df2f4bcc359283d02f612e98.exe, Media.exe
- PID 1932 wrote to memory of 296, 1932, 439e49a4df2f4bcc359283d02f612e98.exe, Media.exe
- PID 1932 wrote to memory of 296, 1932, 439e49a4df2f4bcc359283d02f612e98.exe, Media.exe
- PID 296 wrote to memory of 868, 296, Media.exe, schtasks.exe
- PID 296 wrote to memory of 868, 296, Media.exe, schtasks.exe
- PID 296 wrote to memory of 868, 296, Media.exe, schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\439e49a4df2f4bcc359283d02f612e98.exe
  "C:\Users\Admin\AppData\Local\Temp\439e49a4df2f4bcc359283d02f612e98.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Media" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\439e49a4df2f4bcc359283d02f612e98.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Roaming\SubDir\Media.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Media.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Media" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Media.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
Downloads
- C:\Users\Admin\AppData\Roaming\SubDir\Media.exe
  MD5: 439e49a4df2f4bcc359283d02f612e98
  SHA1: bf6e8632bedeb80e72f664e2d4ca8b260a77115d
  SHA256: a792be03af23fe52b708d22df6cadeb3374bb5500416a862eee57ea56db20fd5
  SHA512: 4d1fd328d45b67ce5a8acb91fe25cbc6e4b6bc252ef95e94cb43ae3264f83f77d0e66cff16fbe8b40a2ac063c8b95758dd6969001a1d56a7e4f96ca3a786c992
- \??\PIPE\lsarpc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/296-63-0x0000000000000000-mapping.dmp
- memory/296-66-0x0000000000220000-0x0000000000221000-memory.dmp (Filesize: 4KB)
- memory/296-68-0x000000001B140000-0x000000001B142000-memory.dmp (Filesize: 8KB)
- memory/868-70-0x0000000000000000-mapping.dmp
- memory/1700-62-0x0000000000000000-mapping.dmp
- memory/1932-59-0x0000000000BC0000-0x0000000000BC1000-memory.dmp (Filesize: 4KB)
- memory/1932-61-0x000000001ACA0000-0x000000001ACA2000-memory.dmp (Filesize: 8KB)