Analysis
- max time kernel: 144s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/01/2023, 14:04
Behavioral task
- behavioral1
- Sample: 76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591.exe
- Resource: win7-20220812-en
General
- Target: 76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591.exe
- Size: 502KB
- MD5: 1f8f68e7623630103601f6235e9c94a6
- SHA1: 3c32c376b1be12d1f9df117eb8435804548c02c8
- SHA256: 76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591
- SHA512: c93ba03f50602919a8355334c1450fb9f57aeb432027e53c458195d7dfbdc3940d042e136eb3ace24cd76c1ffbd359be05582893fc0e53f5fe764c8c32fe6631
- SSDEEP: 6144:4TEgdc0YHXAGbgiIN2RSBWDR3Uz8sXKYF8MtcEnOb8F96rQ3u49JTxcTR32:4TEgdfYfbgnttr3pcreu4nTxcd2
Malware Config
Extracted
- family: quasar
- version: 1.4.0
- botnet: Office04
- c2: 192.168.1.237:1290
- mutex: 0cdb9102-24f8-4ed6-ba0c-d7625d69d684
- encryption_key: 63E6BFBD5330A53154091A63A8847C4FAA484D23
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 2899
- startup_key: Quasar Client Startup
- subdirectory: SubDir
Signatures
- Quasar payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/4616-132-0x0000000000970000-0x00000000009F4000-memory.dmp | family_quasar
  behavioral2/files/0x0006000000022e2e-136.dat | family_quasar
  behavioral2/files/0x0006000000022e2e-137.dat | family_quasar
- Executes dropped EXE (1 IoCs)
  pid | Process
  3788 | Client.exe
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4844 | schtasks.exe
  4264 | schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4616 | 76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591.exe
  Token: SeDebugPrivilege | 3788 | Client.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  3788 | Client.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4616 wrote to memory of 4844 | 4616 | 76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591.exe | 80
  PID 4616 wrote to memory of 4844 | 4616 | 76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591.exe | 80
  PID 4616 wrote to memory of 3788 | 4616 | 76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591.exe | 82
  PID 4616 wrote to memory of 3788 | 4616 | 76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591.exe | 82
  PID 3788 wrote to memory of 4264 | 3788 | Client.exe | 83
  PID 3788 wrote to memory of 4264 | 3788 | Client.exe | 83
Processes
- C:\Users\Admin\AppData\Local\Temp\76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591.exe"
  PID: 4616
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591.exe" /rl HIGHEST /f
    PID: 4844
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 3788
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      PID: 4264
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 502KB
  MD5: 1f8f68e7623630103601f6235e9c94a6
  SHA1: 3c32c376b1be12d1f9df117eb8435804548c02c8
  SHA256: 76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591
  SHA512: c93ba03f50602919a8355334c1450fb9f57aeb432027e53c458195d7dfbdc3940d042e136eb3ace24cd76c1ffbd359be05582893fc0e53f5fe764c8c32fe6631