Analysis
  max time kernel: 149s
  max time network: 155s
  platform: windows7_x64
  resource: win7-20230831-en
  resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  submitted: 06-10-2023 14:29

Behavioral task: behavioral1
  Sample: 0x000600000001b030-21.exe
  Resource: win7-20230831-en
General
  Target: 0x000600000001b030-21.exe
  Size: 3.1MB
  MD5: e59e289b47fee7506e2cc216378f3955
  SHA1: 0dc7ab970aac7e9348928415ee5bdae424415489
  SHA256: 6299e3156cc953585df57ec5f47b8674bee9598c479cd6096871126e2d4632cf
  SHA512: 0c0c815d387ee0edf5a2ac1323377b4f93a2d76a5061bbaa04cf3f41e4bb053440561608da9ace7387c3433b0ae1888fdbe724fc0840b38733a3dba462cb1cef
  SSDEEP: 49152:Dv+I22SsaNYfdPBldt698dBcjHnMOBqsarFUoGdkATHHB72eh2NT:Dvz22SsaNYfdPBldt6+dBcjHMoqc0
Malware Config
  Extracted: quasar 1.4.1
    Slave
    fgudhiiugiufgifufgihdhuidfxgd.duckdns.org:4782
    c01ef685-50b2-41b1-af94-aee5bc04e6fd
  encryption_key: 6550C5FD133683B3330870C778B7DB73E923F472
  install_name: svchost.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: svchost
  subdirectory: SubDir
Signatures

Quasar payload (4 IoCs)
  resource | yara_rule
  behavioral1/memory/1956-0-0x0000000000F70000-0x0000000001294000-memory.dmp | family_quasar
  C:\Windows\System32\SubDir\svchost.exe | family_quasar
  C:\Windows\system32\SubDir\svchost.exe | family_quasar
  behavioral1/memory/2440-8-0x0000000000810000-0x0000000000B34000-memory.dmp | family_quasar

Executes dropped EXE (1 IoC)
  pid | process
  2440 | svchost.exe

Drops file in System32 directory (5 IoCs)
  description | ioc | process
  File created | C:\Windows\system32\SubDir\svchost.exe | 0x000600000001b030-21.exe
  File opened for modification | C:\Windows\system32\SubDir\svchost.exe | 0x000600000001b030-21.exe
  File opened for modification | C:\Windows\system32\SubDir | 0x000600000001b030-21.exe
  File opened for modification | C:\Windows\system32\SubDir\svchost.exe | svchost.exe
  File opened for modification | C:\Windows\system32\SubDir | svchost.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | process
  1860 | schtasks.exe
  1660 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1956 | 0x000600000001b030-21.exe
  Token: SeDebugPrivilege | 2440 | svchost.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  2440 | svchost.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | target process
  PID 1956 wrote to memory of 1860 | 1956 | 0x000600000001b030-21.exe | schtasks.exe
  PID 1956 wrote to memory of 1860 | 1956 | 0x000600000001b030-21.exe | schtasks.exe
  PID 1956 wrote to memory of 1860 | 1956 | 0x000600000001b030-21.exe | schtasks.exe
  PID 1956 wrote to memory of 2440 | 1956 | 0x000600000001b030-21.exe | svchost.exe
  PID 1956 wrote to memory of 2440 | 1956 | 0x000600000001b030-21.exe | svchost.exe
  PID 1956 wrote to memory of 2440 | 1956 | 0x000600000001b030-21.exe | svchost.exe
  PID 2440 wrote to memory of 1660 | 2440 | svchost.exe | schtasks.exe
  PID 2440 wrote to memory of 1660 | 2440 | svchost.exe | schtasks.exe
  PID 2440 wrote to memory of 1660 | 2440 | svchost.exe | schtasks.exe

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\0x000600000001b030-21.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0x000600000001b030-21.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\schtasks.exe (depth 2)
    Command line: "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\system32\SubDir\svchost.exe" /rl HIGHEST /f
    - Creates scheduled task(s)

  C:\Windows\system32\SubDir\svchost.exe (depth 2)
    Command line: "C:\Windows\system32\SubDir\svchost.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe (depth 3)
      Command line: "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\system32\SubDir\svchost.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
Downloads

C:\Windows\System32\SubDir\svchost.exe (also recorded as C:\Windows\system32\SubDir\svchost.exe)
  Filesize: 3.1MB
  MD5: e59e289b47fee7506e2cc216378f3955
  SHA1: 0dc7ab970aac7e9348928415ee5bdae424415489
  SHA256: 6299e3156cc953585df57ec5f47b8674bee9598c479cd6096871126e2d4632cf
  SHA512: 0c0c815d387ee0edf5a2ac1323377b4f93a2d76a5061bbaa04cf3f41e4bb053440561608da9ace7387c3433b0ae1888fdbe724fc0840b38733a3dba462cb1cef

Memory dumps
  memory/1956-0-0x0000000000F70000-0x0000000001294000-memory.dmp  Filesize: 3.1MB
  memory/1956-1-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp  Filesize: 9.9MB
  memory/1956-2-0x000000001B0C0000-0x000000001B140000-memory.dmp  Filesize: 512KB
  memory/1956-11-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp  Filesize: 9.9MB
  memory/2440-8-0x0000000000810000-0x0000000000B34000-memory.dmp  Filesize: 3.1MB
  memory/2440-9-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp  Filesize: 9.9MB
  memory/2440-10-0x000000001B1A0000-0x000000001B220000-memory.dmp  Filesize: 512KB
  memory/2440-12-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp  Filesize: 9.9MB
  memory/2440-13-0x000000001B1A0000-0x000000001B220000-memory.dmp  Filesize: 512KB