Analysis
max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/12/2022, 09:51
Behavioral task: behavioral1
Sample: QuasarAplicativo.exe
Resource: win7-20220901-en
General
Target: QuasarAplicativo.exe
Size: 502KB
MD5: bbd0db3230e57aeb7ca23e59aadf0134
SHA1: fdda0bfd08bbd74557dd878bda12f05368befb7d
SHA256: 741a3f8b91ad8ef7bf2936bafddb95200b0f3083a6933d1d82c278baaa6ec9c7
SHA512: 4393b5dcac40f0b36bf85e50f66ed299a95c298b5c8e4853aae8e5f84ab7d2cb64a989728b21135e2730afaddd60002872e517e8b67b68085f97345ff4a6baf3
SSDEEP: 6144:VTEgdc0YpXAGbgiIN2RSBuSBtPB+a9VIvyTcEi9b8F9vkDC+ROcTR32:VTEgdfYlbgRljSCN8CQOcd2
Malware Config
Extracted (quasar 1.4.0):
Office04
flingmodder-53370.portmap.io:53370
c16cce68-0a86-440c-89b1-c088c1c8b4cb
encryption_key: 9BFDFBA45AE2C2C16DA4EEEA02438784B89CACC0
install_name: svchost.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: svchost
subdirectory: windows
Signatures

Quasar payload (3 IoCs)
resource | yara_rule
behavioral2/memory/2420-132-0x00000000001C0000-0x0000000000244000-memory.dmp | family_quasar
behavioral2/files/0x000a000000022e3b-136.dat | family_quasar
behavioral2/files/0x000a000000022e3b-137.dat | family_quasar

Executes dropped EXE (1 IoCs)
pid | Process
4996 | svchost.exe

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2216 | schtasks.exe
2492 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2420 | QuasarAplicativo.exe
Token: SeDebugPrivilege | 4996 | svchost.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
4996 | svchost.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2420 wrote to memory of 2216 | 2420 | QuasarAplicativo.exe | 83
PID 2420 wrote to memory of 2216 | 2420 | QuasarAplicativo.exe | 83
PID 2420 wrote to memory of 4996 | 2420 | QuasarAplicativo.exe | 84
PID 2420 wrote to memory of 4996 | 2420 | QuasarAplicativo.exe | 84
PID 4996 wrote to memory of 2492 | 4996 | svchost.exe | 85
PID 4996 wrote to memory of 2492 | 4996 | svchost.exe | 85
Processes

C:\Users\Admin\AppData\Local\Temp\QuasarAplicativo.exe
  "C:\Users\Admin\AppData\Local\Temp\QuasarAplicativo.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2420

  C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\QuasarAplicativo.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
    PID: 2216

  C:\Users\Admin\AppData\Roaming\windows\svchost.exe
    "C:\Users\Admin\AppData\Roaming\windows\svchost.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4996

    C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\svchost.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
      PID: 2492
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 502KB
MD5: bbd0db3230e57aeb7ca23e59aadf0134
SHA1: fdda0bfd08bbd74557dd878bda12f05368befb7d
SHA256: 741a3f8b91ad8ef7bf2936bafddb95200b0f3083a6933d1d82c278baaa6ec9c7
SHA512: 4393b5dcac40f0b36bf85e50f66ed299a95c298b5c8e4853aae8e5f84ab7d2cb64a989728b21135e2730afaddd60002872e517e8b67b68085f97345ff4a6baf3