Analysis
- max time kernel: 15s
- max time network: 139s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 06-08-2021 17:18
Behavioral task
- behavioral1
- Sample: 1914a2c8d1589d346dec86208bbbee37.exe
- Resource: win7v20210410
General
- Target: 1914a2c8d1589d346dec86208bbbee37.exe
- Size: 502KB
- MD5: 1914a2c8d1589d346dec86208bbbee37
- SHA1: c9f854cb866fc0dfa54ad4438fb1e3479a9a384e
- SHA256: a725bb8800499239e18eb3973b4c4371214e8da4efb12108ac42957a3819572b
- SHA512: fb7c411b9aa69deb8ac2660846a555e3bc2481dea13b858f1aa214a67160f02eb205dd08e84c6867c06deddca00ca562c938e2f667e05faac67adfcd9385799c
Malware Config
Extracted
- quasar 1.4.0 (test1)
- 166.62.33.218:6624
- b2e23ea3-acf2-4226-ae2a-ae57e85e6e82
- encryption_key: C8BFD012DB4B42D492F03E53D34F6E70BFC0E813
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Quasar Client Startup
- subdirectory: SubDir
Signatures
- Quasar Payload (2 IoCs)
  Processes:
    resource                            yara_rule
    C:\Program Files\SubDir\Client.exe  family_quasar
    C:\Program Files\SubDir\Client.exe  family_quasar
  suricata: ET MALWARE Observed Malicious SSL Cert (Quasar CnC)
  suricata: ET MALWARE Observed Malicious SSL Cert (Quasar CnC)
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    4228  Client.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    16    api.ipify.org
    17    api.ipify.org
- Drops file in Program Files directory (2 IoCs)
  Processes:
    description                   ioc                                 process
    File created                  C:\Program Files\SubDir\Client.exe  1914a2c8d1589d346dec86208bbbee37.exe
    File opened for modification  C:\Program Files\SubDir\Client.exe  1914a2c8d1589d346dec86208bbbee37.exe
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    pid   process
    3688  schtasks.exe
    3796  schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   4648  1914a2c8d1589d346dec86208bbbee37.exe
    Token: SeDebugPrivilege   4228  Client.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid   process
    4228  Client.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                    pid   process                               target process
    PID 4648 wrote to memory of 3688  4648  1914a2c8d1589d346dec86208bbbee37.exe  schtasks.exe
    PID 4648 wrote to memory of 3688  4648  1914a2c8d1589d346dec86208bbbee37.exe  schtasks.exe
    PID 4648 wrote to memory of 4228  4648  1914a2c8d1589d346dec86208bbbee37.exe  Client.exe
    PID 4648 wrote to memory of 4228  4648  1914a2c8d1589d346dec86208bbbee37.exe  Client.exe
    PID 4228 wrote to memory of 3796  4228  Client.exe                            schtasks.exe
    PID 4228 wrote to memory of 3796  4228  Client.exe                            schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1914a2c8d1589d346dec86208bbbee37.exe
  "C:\Users\Admin\AppData\Local\Temp\1914a2c8d1589d346dec86208bbbee37.exe"
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\1914a2c8d1589d346dec86208bbbee37.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Program Files\SubDir\Client.exe
    "C:\Program Files\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Program Files\SubDir\Client.exe
  MD5: 1914a2c8d1589d346dec86208bbbee37
  SHA1: c9f854cb866fc0dfa54ad4438fb1e3479a9a384e
  SHA256: a725bb8800499239e18eb3973b4c4371214e8da4efb12108ac42957a3819572b
  SHA512: fb7c411b9aa69deb8ac2660846a555e3bc2481dea13b858f1aa214a67160f02eb205dd08e84c6867c06deddca00ca562c938e2f667e05faac67adfcd9385799c
- memory/3688-117-0x0000000000000000-mapping.dmp
- memory/3796-124-0x0000000000000000-mapping.dmp
- memory/4228-118-0x0000000000000000-mapping.dmp
- memory/4228-123-0x0000000000CD0000-0x0000000000CD2000-memory.dmp (Filesize: 8KB)
- memory/4228-125-0x000000001B0D0000-0x000000001B0D1000-memory.dmp (Filesize: 4KB)
- memory/4228-126-0x000000001C1D0000-0x000000001C1D1000-memory.dmp (Filesize: 4KB)
- memory/4648-114-0x00000000001C0000-0x00000000001C1000-memory.dmp (Filesize: 4KB)
- memory/4648-116-0x00000000007B0000-0x00000000007B2000-memory.dmp (Filesize: 8KB)