Analysis
  max time kernel: 133s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20221111-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 15/01/2023, 17:53
Behavioral task
  behavioral1
  Sample: testating.exe
  Resource: win7-20221111-en
General
  Target: testating.exe
  Size: 502KB
  MD5: 1f8f68e7623630103601f6235e9c94a6
  SHA1: 3c32c376b1be12d1f9df117eb8435804548c02c8
  SHA256: 76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591
  SHA512: c93ba03f50602919a8355334c1450fb9f57aeb432027e53c458195d7dfbdc3940d042e136eb3ace24cd76c1ffbd359be05582893fc0e53f5fe764c8c32fe6631
  SSDEEP: 6144:4TEgdc0YHXAGbgiIN2RSBWDR3Uz8sXKYF8MtcEnOb8F96rQ3u49JTxcTR32:4TEgdfYfbgnttr3pcreu4nTxcd2
Malware Config
Extracted
  Family: quasar
  Version: 1.4.0
  Office04
  192.168.1.237:1290
  0cdb9102-24f8-4ed6-ba0c-d7625d69d684
  encryption_key: 63E6BFBD5330A53154091A63A8847C4FAA484D23
  install_name: Client.exe
  log_directory: Logs
  reconnect_delay: 2899
  startup_key: Quasar Client Startup
  subdirectory: SubDir
Signatures

Quasar payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/4488-132-0x0000000000500000-0x0000000000584000-memory.dmp  family_quasar
  behavioral2/files/0x0006000000022dd3-136.dat                                  family_quasar
  behavioral2/files/0x0006000000022dd3-137.dat                                  family_quasar

Executes dropped EXE (1 IoCs)
  pid   Process
  3788  Client.exe

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  664   schtasks.exe
  3880  schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4488  testating.exe
  Token: SeDebugPrivilege  3788  Client.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  3788  Client.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                      pid   Process        procid_target
  PID 4488 wrote to memory of 664  4488  testating.exe  82
  PID 4488 wrote to memory of 664  4488  testating.exe  82
  PID 4488 wrote to memory of 3788 4488  testating.exe  84
  PID 4488 wrote to memory of 3788 4488  testating.exe  84
  PID 3788 wrote to memory of 3880 3788  Client.exe     85
  PID 3788 wrote to memory of 3880 3788  Client.exe     85
Processes
  C:\Users\Admin\AppData\Local\Temp\testating.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\testating.exe"
    PID: 4488
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\testating.exe" /rl HIGHEST /f
      PID: 664
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      PID: 3788
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SYSTEM32\schtasks.exe
        Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        PID: 3880
        - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads
  Filesize: 502KB
  MD5: 1f8f68e7623630103601f6235e9c94a6
  SHA1: 3c32c376b1be12d1f9df117eb8435804548c02c8
  SHA256: 76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591
  SHA512: c93ba03f50602919a8355334c1450fb9f57aeb432027e53c458195d7dfbdc3940d042e136eb3ace24cd76c1ffbd359be05582893fc0e53f5fe764c8c32fe6631