Analysis

max time kernel: 138s
max time network: 151s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 23/01/2023, 14:04
Behavioral task: behavioral1
Sample: 76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591.exe
Resource: win7-20220812-en
General

Target: 76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591.exe
Size: 502KB
MD5: 1f8f68e7623630103601f6235e9c94a6
SHA1: 3c32c376b1be12d1f9df117eb8435804548c02c8
SHA256: 76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591
SHA512: c93ba03f50602919a8355334c1450fb9f57aeb432027e53c458195d7dfbdc3940d042e136eb3ace24cd76c1ffbd359be05582893fc0e53f5fe764c8c32fe6631
SSDEEP: 6144:4TEgdc0YHXAGbgiIN2RSBWDR3Uz8sXKYF8MtcEnOb8F96rQ3u49JTxcTR32:4TEgdfYfbgnttr3pcreu4nTxcd2
Malware Config

Extracted family: quasar
Version: 1.4.0
Other extracted values (unlabelled in the report): Office04; 192.168.1.237:1290 (host:port); 0cdb9102-24f8-4ed6-ba0c-d7625d69d684
encryption_key: 63E6BFBD5330A53154091A63A8847C4FAA484D23
install_name: Client.exe
log_directory: Logs
reconnect_delay: 2899
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload (4 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1392-54-0x0000000000D20000-0x0000000000DA4000-memory.dmp  family_quasar
  behavioral1/files/0x000a000000012308-58.dat                                  family_quasar
  behavioral1/files/0x000a000000012308-59.dat                                  family_quasar
  behavioral1/memory/1688-60-0x0000000000BC0000-0x0000000000C44000-memory.dmp  family_quasar

Executes dropped EXE (1 IoC)
  pid   Process
  1688  Client.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  952   schtasks.exe
  1348  schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1392  76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591.exe
  Token: SeDebugPrivilege  1688  Client.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  1688  Client.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                         pid   Process                                                                   procid_target
  PID 1392 wrote to memory of 952     1392  76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591.exe  29
  PID 1392 wrote to memory of 952     1392  76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591.exe  29
  PID 1392 wrote to memory of 952     1392  76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591.exe  29
  PID 1392 wrote to memory of 1688    1392  76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591.exe  30
  PID 1392 wrote to memory of 1688    1392  76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591.exe  30
  PID 1392 wrote to memory of 1688    1392  76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591.exe  30
  PID 1688 wrote to memory of 1348    1688  Client.exe                                                                31
  PID 1688 wrote to memory of 1348    1688  Client.exe                                                                31
  PID 1688 wrote to memory of 1348    1688  Client.exe                                                                31
Processes

C:\Users\Admin\AppData\Local\Temp\76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591.exe"
  PID: 1392
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591.exe" /rl HIGHEST /f
    PID: 952
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 1688
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
      command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      PID: 1348
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads

Two dropped-file entries are listed, both with identical size and hashes:

Filesize: 502KB
MD5: 1f8f68e7623630103601f6235e9c94a6
SHA1: 3c32c376b1be12d1f9df117eb8435804548c02c8
SHA256: 76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591
SHA512: c93ba03f50602919a8355334c1450fb9f57aeb432027e53c458195d7dfbdc3940d042e136eb3ace24cd76c1ffbd359be05582893fc0e53f5fe764c8c32fe6631