Analysis
max time kernel: 149s
max time network: 151s
platform: windows10_x64
resource: win10v20210408
submitted: 24-06-2021 13:06
Behavioral task: behavioral1
Sample: 439e49a4df2f4bcc359283d02f612e98.exe
Resource: win7v20210410
General
Target: 439e49a4df2f4bcc359283d02f612e98.exe
Size: 527KB
MD5: 439e49a4df2f4bcc359283d02f612e98
SHA1: bf6e8632bedeb80e72f664e2d4ca8b260a77115d
SHA256: a792be03af23fe52b708d22df6cadeb3374bb5500416a862eee57ea56db20fd5
SHA512: 4d1fd328d45b67ce5a8acb91fe25cbc6e4b6bc252ef95e94cb43ae3264f83f77d0e66cff16fbe8b40a2ac063c8b95758dd6969001a1d56a7e4f96ca3a786c992
Malware Config
Extracted
Family: quasar
Version: 1.4.0
Botnet: Office04
C2: 45.77.20.114:1604
Mutex: 39083318-6c39-4d8c-beda-fd48beb29cc9
Attributes:
encryption_key: 7E1D5BE8A11725FE11CAC5785F9684E24960D4AC
install_name: Media.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Media
subdirectory: SubDir
Signatures

Quasar Payload (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\SubDir\Media.exe | family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Media.exe | family_quasar

Executes dropped EXE (1 IoC)
Processes:
pid | process
2884 | Media.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
3484 | schtasks.exe
1376 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 656 | 439e49a4df2f4bcc359283d02f612e98.exe
Token: SeDebugPrivilege | 2884 | Media.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
pid | process
2884 | Media.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description | pid | process | target process
PID 656 wrote to memory of 3484 | 656 | 439e49a4df2f4bcc359283d02f612e98.exe | schtasks.exe
PID 656 wrote to memory of 3484 | 656 | 439e49a4df2f4bcc359283d02f612e98.exe | schtasks.exe
PID 656 wrote to memory of 2884 | 656 | 439e49a4df2f4bcc359283d02f612e98.exe | Media.exe
PID 656 wrote to memory of 2884 | 656 | 439e49a4df2f4bcc359283d02f612e98.exe | Media.exe
PID 2884 wrote to memory of 1376 | 2884 | Media.exe | schtasks.exe
PID 2884 wrote to memory of 1376 | 2884 | Media.exe | schtasks.exe
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\439e49a4df2f4bcc359283d02f612e98.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\439e49a4df2f4bcc359283d02f612e98.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\schtasks.exe
    command line: "schtasks" /create /tn "Media" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\439e49a4df2f4bcc359283d02f612e98.exe" /rl HIGHEST /f
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Roaming\SubDir\Media.exe
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Media.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\schtasks.exe
      command line: "schtasks" /create /tn "Media" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Media.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\SubDir\Media.exe
MD5: 439e49a4df2f4bcc359283d02f612e98
SHA1: bf6e8632bedeb80e72f664e2d4ca8b260a77115d
SHA256: a792be03af23fe52b708d22df6cadeb3374bb5500416a862eee57ea56db20fd5
SHA512: 4d1fd328d45b67ce5a8acb91fe25cbc6e4b6bc252ef95e94cb43ae3264f83f77d0e66cff16fbe8b40a2ac063c8b95758dd6969001a1d56a7e4f96ca3a786c992
Memory dumps
memory/656-114-0x00000000008C0000-0x00000000008C1000-memory.dmp (Filesize 4KB)
memory/656-116-0x0000000001130000-0x0000000001132000-memory.dmp (Filesize 8KB)
memory/1376-124-0x0000000000000000-mapping.dmp
memory/2884-118-0x0000000000000000-mapping.dmp
memory/2884-123-0x0000000000C60000-0x0000000000C62000-memory.dmp (Filesize 8KB)
memory/2884-125-0x0000000002750000-0x0000000002751000-memory.dmp (Filesize 4KB)
memory/2884-126-0x000000001B8D0000-0x000000001B8D1000-memory.dmp (Filesize 4KB)
memory/3484-117-0x0000000000000000-mapping.dmp