Analysis

max time kernel: 148s
max time network: 151s
platform: windows7_x64
resource: win7v20210410
submitted: 06-08-2021 15:16

Behavioral task: behavioral1
Sample: 1914a2c8d1589d346dec86208bbbee37.exe
Resource: win7v20210410
General

Target: 1914a2c8d1589d346dec86208bbbee37.exe
Size: 502KB
MD5: 1914a2c8d1589d346dec86208bbbee37
SHA1: c9f854cb866fc0dfa54ad4438fb1e3479a9a384e
SHA256: a725bb8800499239e18eb3973b4c4371214e8da4efb12108ac42957a3819572b
SHA512: fb7c411b9aa69deb8ac2660846a555e3bc2481dea13b858f1aa214a67160f02eb205dd08e84c6867c06deddca00ca562c938e2f667e05faac67adfcd9385799c
Malware Config

Extracted
Family: quasar
Version: 1.4.0
Botnet: test1
C2: 166.62.33.218:6624
Mutex: b2e23ea3-acf2-4226-ae2a-ae57e85e6e82

Attributes
encryption_key: C8BFD012DB4B42D492F03E53D34F6E70BFC0E813
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir

The subdirectory and install_name values together give the install path C:\Program Files\SubDir\Client.exe, and startup_key is the name of the scheduled task used for persistence; both match the behaviour recorded under Signatures and Processes below.
Signatures

Quasar Payload (2 IoCs)
resource                            yara_rule
C:\Program Files\SubDir\Client.exe  family_quasar
C:\Program Files\SubDir\Client.exe  family_quasar

Executes dropped EXE (1 IoC)
pid   process
1756  Client.exe

Drops file in Program Files directory (2 IoCs)
description                   ioc                                 process
File opened for modification  C:\Program Files\SubDir\Client.exe  1914a2c8d1589d346dec86208bbbee37.exe
File created                  C:\Program Files\SubDir\Client.exe  1914a2c8d1589d346dec86208bbbee37.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   process
1872  schtasks.exe
1640  schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   process
Token: SeDebugPrivilege  1096  1914a2c8d1589d346dec86208bbbee37.exe
Token: SeDebugPrivilege  1756  Client.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid   process
1756  Client.exe

Suspicious use of WriteProcessMemory (9 IoCs; each of the three parent/child relationships below was recorded three times)
description                       pid   process                               target process
PID 1096 wrote to memory of 1872  1096  1914a2c8d1589d346dec86208bbbee37.exe  schtasks.exe
PID 1096 wrote to memory of 1756  1096  1914a2c8d1589d346dec86208bbbee37.exe  Client.exe
PID 1756 wrote to memory of 1640  1756  Client.exe                            schtasks.exe
Processes

PIDs are taken from the WriteProcessMemory signature above. Note that the first schtasks call registers the task against the Temp copy and the second, issued by the installed copy with /f, overwrites the same task name so that the surviving task points at C:\Program Files\SubDir\Client.exe.

C:\Users\Admin\AppData\Local\Temp\1914a2c8d1589d346dec86208bbbee37.exe (PID 1096)
  "C:\Users\Admin\AppData\Local\Temp\1914a2c8d1589d346dec86208bbbee37.exe"
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\schtasks.exe (PID 1872)
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\1914a2c8d1589d346dec86208bbbee37.exe" /rl HIGHEST /f
    - Creates scheduled task(s)

  C:\Program Files\SubDir\Client.exe (PID 1756)
    "C:\Program Files\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe (PID 1640)
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
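Because both persistence commands are visible in the process tree, the same traits can be triaged straight from process-creation telemetry. The Python script below is an added example and is not part of the sandbox report: it parses `schtasks /create` command lines (the two from this report plus a constructed benign task for contrast), scores each on the traits seen here (an ONLOGON trigger, /rl HIGHEST, /f, a target under a user-writable path, and a task name equal to the extracted startup_key), and returns the ones worth escalating. The benign sample line, the scoring weights, the user-writable path list and the threshold are assumptions for illustration, not a published detection rule.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Process-creation command lines to triage. The first two are the schtasks
# invocations from the process tree above; the third is a constructed benign
# task (assumption, for contrast), not something observed in the sandbox.
SAMPLE_CMDLINES = [
    r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\1914a2c8d1589d346dec86208bbbee37.exe" /rl HIGHEST /f',
    r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f',
    r'schtasks /create /tn "Office Update" /sc DAILY /st 09:00 /tr "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe /update user"',
]

# Windows-style tokenizer: a double-quoted run is one token, otherwise split on whitespace.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

# schtasks switches that consume the next token as their value; anything else is a bare flag.
VALUE_OPTS = {"tn", "tr", "sc", "rl", "st", "sd", "et", "ed", "mo", "d", "m",
              "i", "ri", "du", "ru", "rp", "s", "u", "p", "xml"}

# Path fragments a standard user can write to; an autorun target here is a red flag (assumed list).
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\appdata\local",
                 r"\users\public", r"\programdata", r"\windows\temp")

# Task names tied to this family: the startup_key from the extracted Quasar config.
KNOWN_TASK_NAMES = {"quasar client startup"}


def tokenize(cmdline):
    """Split a command line into tokens, stripping the quotes around quoted runs."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def parse_schtasks_create(cmdline):
    """Return {switch: value} for a 'schtasks /create' command line, else None."""
    toks = tokenize(cmdline)
    if not toks or ntpath.basename(toks[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    opts = {}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if key in VALUE_OPTS and i + 1 < len(toks):
                opts[key] = toks[i + 1]
                i += 2
                continue
            opts[key] = True  # bare flag such as /create or /f
        i += 1
    return opts if opts.get("create") is True else None


@dataclass
class Finding:
    cmdline: str
    task_name: str
    target: str
    score: int = 0
    reasons: list = field(default_factory=list)


def assess(cmdline, opts):
    """Score one parsed /create command on the persistence traits seen in this report.
    The weights are illustrative assumptions."""
    f = Finding(cmdline, str(opts.get("tn", "")), str(opts.get("tr", "")))
    trigger = str(opts.get("sc", "")).upper()
    if trigger in ("ONLOGON", "ONSTART"):
        f.score += 1
        f.reasons.append(f"/sc {trigger}: re-executes at every logon or boot")
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        f.score += 1
        f.reasons.append("/rl HIGHEST: runs with the highest privileges the user holds")
    if opts.get("f") is True:
        f.score += 1
        f.reasons.append("/f: silently overwrites an existing task of the same name")
    if any(p in f.target.lower() for p in USER_WRITABLE):
        f.score += 2
        f.reasons.append("target executable lives under a user-writable path")
    if f.task_name.lower() in KNOWN_TASK_NAMES:
        f.score += 3
        f.reasons.append("task name matches the Quasar startup_key from the config")
    return f


def triage(cmdlines, threshold=3):
    """Return findings at or above threshold, highest score first."""
    findings = []
    for cmdline in cmdlines:
        opts = parse_schtasks_create(cmdline)
        if opts is not None:
            finding = assess(cmdline, opts)
            if finding.score >= threshold:
                findings.append(finding)
    return sorted(findings, key=lambda x: x.score, reverse=True)


if __name__ == "__main__":
    for hit in triage(SAMPLE_CMDLINES):
        print(f"[score {hit.score}] task={hit.task_name!r} target={hit.target}")
        for reason in hit.reasons:
            print("   -", reason)
```

Run against the three sample lines, the two report commands score 8 and 6 and the constructed Office task scores 0. The task-name match carries the most weight because it is the only trait specific to this family; the other four are generic and also appear in legitimate installers, which is why they only raise the score rather than decide it.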
Downloads

C:\Program Files\SubDir\Client.exe
MD5: 1914a2c8d1589d346dec86208bbbee37
SHA1: c9f854cb866fc0dfa54ad4438fb1e3479a9a384e
SHA256: a725bb8800499239e18eb3973b4c4371214e8da4efb12108ac42957a3819572b
SHA512: fb7c411b9aa69deb8ac2660846a555e3bc2481dea13b858f1aa214a67160f02eb205dd08e84c6867c06deddca00ca562c938e2f667e05faac67adfcd9385799c

The dropped file's hashes are identical to the submitted sample's, so the client copies itself unchanged to the install path rather than unpacking a distinct payload; one hash set therefore covers both the original and the dropped file.
memory/1096-59-0x0000000001070000-0x0000000001071000-memory.dmp  4KB
memory/1096-61-0x000000001AFB0000-0x000000001AFB2000-memory.dmp  8KB
memory/1640-69-0x0000000000000000-mapping.dmp
memory/1756-63-0x0000000000000000-mapping.dmp
memory/1756-66-0x0000000001340000-0x0000000001341000-memory.dmp  4KB
memory/1756-68-0x000000001B080000-0x000000001B082000-memory.dmp  8KB
memory/1872-62-0x0000000000000000-mapping.dmp