Analysis

max time kernel: 149s
max time network: 152s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 06-08-2023 06:04
Behavioral task: behavioral1
Sample: msedge.exe
Resource: win7-20230712-en
General

Target: msedge.exe
Size: 3.1MB
MD5: 601b5ceb9825f198f947dd3f6ff3426c
SHA1: 194d19c1cd161685cefd979234206af5e5fa619b
SHA256: 964075417678392171f77862b062dc35ebd24bdbc3826e02c5bd00e0e7cd4651
SHA512: ed1ab84dbd876154d031d0f04e06771c9e082c5756fa796b745e488d3e48a61a569f907123dcb9dd036397f0b956a61dc87b6cb7ffeb49bdc53e9583471dfff2
SSDEEP: 49152:nvUt62XlaSFNWPjljiFa2RoUYIaIRJ6FbR3LoGdUrTHHB72eh2NT:nvI62XlaSFNWPjljiFXRoUYIaIRJ6XE
Malware Config

Extracted
Family: quasar
Version: 1.4.1
Botnet: system
C2: 185.183.35.122:4782
Mutex: 033db415-964b-488b-a1d8-81ebb438757c
encryption_key: CEAEA9FD2F3E18352164BB4D9A6F56EFF5E2D896
install_name: conhost.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Defender
subdirectory: SubDir

The install_name, subdirectory and startup_key values map directly onto the behaviour recorded below: the client copies itself to system32\SubDir\conhost.exe and registers a scheduled task named "Defender".
Signatures

Quasar payload (4 IoCs)
resource / yara_rule:
- behavioral1/memory/2652-54-0x0000000000A30000-0x0000000000D54000-memory.dmp: family_quasar
- C:\Windows\System32\SubDir\conhost.exe: family_quasar
- C:\Windows\system32\SubDir\conhost.exe: family_quasar
- behavioral1/memory/1260-63-0x0000000000950000-0x0000000000C74000-memory.dmp: family_quasar

Executes dropped EXE (1 IoC)
pid / process:
- 1260 conhost.exe

Drops file in System32 directory (5 IoCs)
description / ioc / process:
- File created: C:\Windows\system32\SubDir\conhost.exe (msedge.exe)
- File opened for modification: C:\Windows\system32\SubDir\conhost.exe (msedge.exe)
- File opened for modification: C:\Windows\system32\SubDir (msedge.exe)
- File opened for modification: C:\Windows\system32\SubDir\conhost.exe (conhost.exe)
- File opened for modification: C:\Windows\system32\SubDir (conhost.exe)

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / process:
- 1912 schtasks.exe
- 2820 schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / process:
- Token: SeDebugPrivilege, 2652 msedge.exe
- Token: SeDebugPrivilege, 1260 conhost.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid / process:
- 1260 conhost.exe
SetWindowsHookEx is the classic user-mode keyboard hook API; Quasar ships a keylogger module, so a hook installed by the persisted client is expected rather than surprising.

Suspicious use of WriteProcessMemory (9 IoCs)
description / pid / process / target process:
- PID 2652 (msedge.exe) wrote to memory of 1912 (schtasks.exe), 3 events
- PID 2652 (msedge.exe) wrote to memory of 1260 (conhost.exe), 3 events
- PID 1260 (conhost.exe) wrote to memory of 2820 (schtasks.exe), 3 events
Every target here is a child the writing process itself spawned (see the process tree), so these writes are consistent with process creation rather than injection into an unrelated process.
Processes

- C:\Users\Admin\AppData\Local\Temp\msedge.exe
  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Defender" /sc ONLOGON /tr "C:\Windows\system32\SubDir\conhost.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Windows\system32\SubDir\conhost.exe
    "C:\Windows\system32\SubDir\conhost.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Defender" /sc ONLOGON /tr "C:\Windows\system32\SubDir\conhost.exe" /rl HIGHEST /f
      - Creates scheduled task(s)

The task is registered twice with identical parameters: once by the dropper and once again by the persisted copy, which re-runs its own install routine. /sc ONLOGON with /rl HIGHEST means the client is started with the highest privileges available to the logging-on user, and /f silently overwrites any existing task of the same name.
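Pulling the extracted config and the scheduled-task signature together, the following is an added example (it is not part of the sandbox report and not Quasar's own code) that derives the host artifacts the config implies and runs three checks over constructed Sysmon-style process-creation events mirroring the process tree above: an ONLOGON task created with /rl HIGHEST, a task whose target is a known system binary name living outside its canonical directory, and an exact match against the install path or task name derived from the config. The CANONICAL_DIRS allow-list, the event field layout and the two benign control events are assumptions made for the example; the derived install path follows the elevated install recorded above.

```python
import ntpath
import re

# Values taken from the Malware Config section of this report.
QUASAR_CONFIG = {
    "version": "1.4.1",
    "c2": "185.183.35.122:4782",
    "install_name": "conhost.exe",
    "subdirectory": "SubDir",
    "startup_key": "Defender",
}

# Directories where these binary names legitimately live on an x64 host.
# Illustrative allow-list (assumption), not an exhaustive inventory.
CANONICAL_DIRS = {
    "conhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# /option followed by an optional quoted or bare value; a bare value may not start with '/'.
_OPT = re.compile(r'/(\w+)(?:\s+(?:"([^"]*)"|(?!/)(\S+)))?')


def expected_artifacts(cfg):
    """Map the extracted config onto the host artifacts the process tree shows:
    an elevated install lands at %SystemRoot%\\system32\\<subdirectory>\\<install_name>
    and is started by an ONLOGON task named after startup_key."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "install_path": ntpath.join(r"C:\Windows\system32", cfg["subdirectory"], cfg["install_name"]),
        "task_name": cfg["startup_key"],
        "c2_host": host,
        "c2_port": int(port),
    }


def parse_schtasks(cmdline):
    """Return {option: value} for a schtasks command line; flag-only options map to None."""
    opts = {}
    for m in _OPT.finditer(cmdline):
        opts[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return opts


def is_masquerading(image_path):
    """True when a well-known system binary name runs from outside its canonical directory."""
    canonical = CANONICAL_DIRS.get(ntpath.basename(image_path).lower())
    return canonical is not None and ntpath.dirname(image_path).lower() not in canonical


def evaluate_event(event, artifacts):
    """Return the names of the checks one process-creation event trips (possibly none)."""
    findings = []
    image = event["image"]
    if is_masquerading(image):
        findings.append("system_binary_masquerade")
    if ntpath.basename(image).lower() == "schtasks.exe":
        opts = parse_schtasks(event["cmdline"])
        if "create" in opts:
            trigger = (opts.get("sc") or "").upper()
            target = opts.get("tr") or ""
            if trigger in {"ONLOGON", "ONSTART"} and (opts.get("rl") or "").upper() == "HIGHEST":
                findings.append("elevated_logon_task")
            if is_masquerading(target):
                findings.append("task_runs_masqueraded_binary")
            if target.lower() == artifacts["install_path"].lower() or opts.get("tn") == artifacts["task_name"]:
                findings.append("matches_quasar_config")
    return findings


def triage(events, cfg=QUASAR_CONFIG):
    """Map pid -> findings for every event that trips at least one check."""
    artifacts = expected_artifacts(cfg)
    hits = {}
    for event in events:
        findings = evaluate_event(event, artifacts)
        if findings:
            hits[event["pid"]] = findings
    return hits


# Constructed process-creation events (Sysmon Event ID 1 style) mirroring the
# process tree above, plus two benign controls. Not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 2652, "image": r"C:\Users\Admin\AppData\Local\Temp\msedge.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\msedge.exe"'},
    {"pid": 1912, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'"schtasks" /create /tn "Defender" /sc ONLOGON /tr "C:\Windows\system32\SubDir\conhost.exe" /rl HIGHEST /f'},
    {"pid": 1260, "image": r"C:\Windows\system32\SubDir\conhost.exe",
     "cmdline": r'"C:\Windows\system32\SubDir\conhost.exe"'},
    {"pid": 4000, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"\??\C:\Windows\system32\conhost.exe 0x4"},
    {"pid": 4001, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe"'},
]

if __name__ == "__main__":
    for pid, findings in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(findings))
```

Running the script reports pid 1912 (elevated logon task, masqueraded target, config match) and pid 1260 (conhost.exe outside System32); the dropper itself and the two benign controls produce nothing. The `matches_quasar_config` check is only as good as the extracted config, while the other two checks are generic and would fire on any ONLOGON/HIGHEST task or any conhost.exe started from outside its canonical directory, which is the behaviour worth alerting on even when no config has been recovered.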
Downloads

- C:\Windows\System32\SubDir\conhost.exe
  Filesize: 3.1MB
  MD5: 601b5ceb9825f198f947dd3f6ff3426c
  SHA1: 194d19c1cd161685cefd979234206af5e5fa619b
  SHA256: 964075417678392171f77862b062dc35ebd24bdbc3826e02c5bd00e0e7cd4651
  SHA512: ed1ab84dbd876154d031d0f04e06771c9e082c5756fa796b745e488d3e48a61a569f907123dcb9dd036397f0b956a61dc87b6cb7ffeb49bdc53e9583471dfff2
- C:\Windows\system32\SubDir\conhost.exe
  Filesize: 3.1MB
  MD5: 601b5ceb9825f198f947dd3f6ff3426c
  SHA1: 194d19c1cd161685cefd979234206af5e5fa619b
  SHA256: 964075417678392171f77862b062dc35ebd24bdbc3826e02c5bd00e0e7cd4651
  SHA512: ed1ab84dbd876154d031d0f04e06771c9e082c5756fa796b745e488d3e48a61a569f907123dcb9dd036397f0b956a61dc87b6cb7ffeb49bdc53e9583471dfff2

The dropped conhost.exe carries the same MD5, SHA1, SHA256 and SHA512 as the submitted msedge.exe: the client installs by copying itself unchanged, so the hashes of the sample also identify the persisted binary under system32\SubDir.

- memory/1260-63-0x0000000000950000-0x0000000000C74000-memory.dmp: 3.1MB
- memory/1260-64-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp: 9.9MB
- memory/1260-65-0x000000001B120000-0x000000001B1A0000-memory.dmp: 512KB
- memory/1260-66-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp: 9.9MB
- memory/1260-67-0x000000001B120000-0x000000001B1A0000-memory.dmp: 512KB
- memory/2652-54-0x0000000000A30000-0x0000000000D54000-memory.dmp: 3.1MB
- memory/2652-55-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp: 9.9MB
- memory/2652-56-0x000000001B520000-0x000000001B5A0000-memory.dmp: 512KB
- memory/2652-62-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp: 9.9MB