Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 23/01/2023, 18:46
Behavioral task: behavioral1
- Sample: BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe
- Resource: win7-20221111-en
General
- Target: BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe
- Size: 502KB
- MD5: 25143aaeca811f4e42df904f96d6fc03
- SHA1: 2970f0d3a80dfcb65e39f6e015034e83e6476bd4
- SHA256: bf45d2f0b91865fc40060820980c9cf3a02c0cd42788bc954c8a84a81111d42c
- SHA512: 06526d154a406700b4e57142bb4d51db33e7600e05e13b83f0059babc6e867ae8b2a5616ca7cf5fbb564f49304eda0d5bf7c5f89d30a7ea3998dcb2045aa21a3
- SSDEEP: 6144:0TEgdc0YkXAGbgiIN2RSBEnk6mHnUC/5Etqv+yw42UcEtOb8F9fML3d9yfDcTR3i:0TEgdfYubg4k6qu4mywodp+Dmcdi
Malware Config
Extracted
- quasar
- 1.4.0
- Office04
- 77.83.242.206:4782
- b50e3441-70f1-40ac-96af-dfb81f08fe1b
- encryption_key: 34EAA505D1DB50EE025558A72F9F26647208F015
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Quasar Client Startup
- subdirectory: SubDir
Signatures

Quasar payload (4 IoCs)
resource | yara_rule
behavioral1/memory/1588-54-0x00000000002D0000-0x0000000000354000-memory.dmp | family_quasar
behavioral1/files/0x000900000001234f-58.dat | family_quasar
behavioral1/files/0x000900000001234f-59.dat | family_quasar
behavioral1/memory/1776-60-0x0000000000EE0000-0x0000000000F64000-memory.dmp | family_quasar

Executes dropped EXE (1 IoC)
pid | Process
1776 | Client.exe

Drops file in System32 directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\SubDir | BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe
File opened for modification | C:\Windows\system32\SubDir\Client.exe | Client.exe
File opened for modification | C:\Windows\system32\SubDir | Client.exe
File created | C:\Windows\system32\SubDir\Client.exe | BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe
File opened for modification | C:\Windows\system32\SubDir\Client.exe | BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1156 | schtasks.exe
1760 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1588 | BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe
Token: SeDebugPrivilege | 1776 | Client.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
1776 | Client.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1588 wrote to memory of 1156 | 1588 | BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe | 28
PID 1588 wrote to memory of 1156 | 1588 | BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe | 28
PID 1588 wrote to memory of 1156 | 1588 | BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe | 28
PID 1588 wrote to memory of 1776 | 1588 | BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe | 30
PID 1588 wrote to memory of 1776 | 1588 | BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe | 30
PID 1588 wrote to memory of 1776 | 1588 | BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe | 30
PID 1776 wrote to memory of 1760 | 1776 | Client.exe | 31
PID 1776 wrote to memory of 1760 | 1776 | Client.exe | 31
PID 1776 wrote to memory of 1760 | 1776 | Client.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe"
  Signatures: Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  PID: 1588
  Child processes:
  - C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe" /rl HIGHEST /f
    Signatures: Creates scheduled task(s)
    PID: 1156
  - C:\Windows\system32\SubDir\Client.exe
    Command line: "C:\Windows\system32\SubDir\Client.exe"
    Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    PID: 1776
    Child processes:
    - C:\Windows\system32\schtasks.exe
      Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
      Signatures: Creates scheduled task(s)
      PID: 1760
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 502KB
  MD5: 25143aaeca811f4e42df904f96d6fc03
  SHA1: 2970f0d3a80dfcb65e39f6e015034e83e6476bd4
  SHA256: bf45d2f0b91865fc40060820980c9cf3a02c0cd42788bc954c8a84a81111d42c
  SHA512: 06526d154a406700b4e57142bb4d51db33e7600e05e13b83f0059babc6e867ae8b2a5616ca7cf5fbb564f49304eda0d5bf7c5f89d30a7ea3998dcb2045aa21a3
- Filesize: 502KB
  MD5: 25143aaeca811f4e42df904f96d6fc03
  SHA1: 2970f0d3a80dfcb65e39f6e015034e83e6476bd4
  SHA256: bf45d2f0b91865fc40060820980c9cf3a02c0cd42788bc954c8a84a81111d42c
  SHA512: 06526d154a406700b4e57142bb4d51db33e7600e05e13b83f0059babc6e867ae8b2a5616ca7cf5fbb564f49304eda0d5bf7c5f89d30a7ea3998dcb2045aa21a3