Analysis
max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/12/2022, 10:07
General
Target: 741a3f8b91ad8ef7bf2936bafddb95200b0f3083a6933d1d82c278baaa6ec9c7.exe
Size: 502KB
MD5: bbd0db3230e57aeb7ca23e59aadf0134
SHA1: fdda0bfd08bbd74557dd878bda12f05368befb7d
SHA256: 741a3f8b91ad8ef7bf2936bafddb95200b0f3083a6933d1d82c278baaa6ec9c7
SHA512: 4393b5dcac40f0b36bf85e50f66ed299a95c298b5c8e4853aae8e5f84ab7d2cb64a989728b21135e2730afaddd60002872e517e8b67b68085f97345ff4a6baf3
SSDEEP: 6144:VTEgdc0YpXAGbgiIN2RSBuSBtPB+a9VIvyTcEi9b8F9vkDC+ROcTR32:VTEgdfYlbgRljSCN8CQOcd2
Malware Config
Extracted
family: quasar
version: 1.4.0
Office04
c2: flingmodder-53370.portmap.io:53370
c16cce68-0a86-440c-89b1-c088c1c8b4cb
encryption_key: 9BFDFBA45AE2C2C16DA4EEEA02438784B89CACC0
install_name: svchost.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: svchost
subdirectory: windows
Signatures

Quasar payload (3 IoCs)
resource | yara_rule
behavioral1/memory/2700-132-0x0000000000A60000-0x0000000000AE4000-memory.dmp | family_quasar
behavioral1/files/0x00020000000224a1-136.dat | family_quasar
behavioral1/files/0x00020000000224a1-137.dat | family_quasar

Executes dropped EXE (1 IoC)
pid | Process
4360 | svchost.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1800 | schtasks.exe
2416 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2700 | 741a3f8b91ad8ef7bf2936bafddb95200b0f3083a6933d1d82c278baaa6ec9c7.exe
Token: SeDebugPrivilege | 4360 | svchost.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
4360 | svchost.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2700 wrote to memory of 1800 | 2700 | 741a3f8b91ad8ef7bf2936bafddb95200b0f3083a6933d1d82c278baaa6ec9c7.exe | 82
PID 2700 wrote to memory of 1800 | 2700 | 741a3f8b91ad8ef7bf2936bafddb95200b0f3083a6933d1d82c278baaa6ec9c7.exe | 82
PID 2700 wrote to memory of 4360 | 2700 | 741a3f8b91ad8ef7bf2936bafddb95200b0f3083a6933d1d82c278baaa6ec9c7.exe | 83
PID 2700 wrote to memory of 4360 | 2700 | 741a3f8b91ad8ef7bf2936bafddb95200b0f3083a6933d1d82c278baaa6ec9c7.exe | 83
PID 4360 wrote to memory of 2416 | 4360 | svchost.exe | 84
PID 4360 wrote to memory of 2416 | 4360 | svchost.exe | 84
Processes
C:\Users\Admin\AppData\Local\Temp\741a3f8b91ad8ef7bf2936bafddb95200b0f3083a6933d1d82c278baaa6ec9c7.exe
  "C:\Users\Admin\AppData\Local\Temp\741a3f8b91ad8ef7bf2936bafddb95200b0f3083a6933d1d82c278baaa6ec9c7.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2700
  C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\741a3f8b91ad8ef7bf2936bafddb95200b0f3083a6933d1d82c278baaa6ec9c7.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
    PID: 1800
  C:\Users\Admin\AppData\Roaming\windows\svchost.exe
    "C:\Users\Admin\AppData\Roaming\windows\svchost.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4360
    C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\svchost.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
      PID: 2416
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 502KB
MD5: bbd0db3230e57aeb7ca23e59aadf0134
SHA1: fdda0bfd08bbd74557dd878bda12f05368befb7d
SHA256: 741a3f8b91ad8ef7bf2936bafddb95200b0f3083a6933d1d82c278baaa6ec9c7
SHA512: 4393b5dcac40f0b36bf85e50f66ed299a95c298b5c8e4853aae8e5f84ab7d2cb64a989728b21135e2730afaddd60002872e517e8b67b68085f97345ff4a6baf3