Analysis
Max time kernel: 57s
Max time network: 53s
Platform: windows7_x64
Resource: win7-20231130-en
Resource tags: arch:x64, arch:x86, image:win7-20231130-en, locale:en-us, os:windows7-x64, system
Submitted: 02-12-2023 18:10
Behavioral tasks
behavioral1: Electron.exe on win7-20231130-en
behavioral2: Electron.exe on win10-20231129-en
behavioral3: Electron.exe on win10v2004-20231127-en
General
Target: Electron.exe
Size: 3.2MB
MD5: 5dd7500f21add8f9bc322529a35cb55f
SHA1: b12eec8fdf6224f65e27fb9d9b06dc4375e1b37b
SHA256: 48d2d3e579bbcddda54aa5bd48197b179ca7b75018d05ce12ff3cf9e7b78e40e
SHA512: dfbbb5b026e46dd5569814f6e8558678808bf9d4d7c8d4949f8943bb7eb92ecea8f2abfc0f9f2becdd0d2f04b61000262f20e2af87a11e3fc8d4931879633e3b
SSDEEP: 98304:/veL26AaNeWgPhlmVqkQ7XSKB3OzLRCL:3e4SlPgL
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet (tag): Office04
C2: limehag920-33288.portmap.host:33288
Mutex: 9818b060-d6e3-4e48-b21e-c9ef7bc65511
Attributes
encryption_key: E97F64327412A3864CF0B0BE4A85415B949C39AD
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000 (milliseconds between reconnect attempts)
startup_key: Quasar Client Startup
subdirectory: SubDir

Note on the C2: *.portmap.host is a public port-forwarding relay, so the hostname and port identify the operator's tunnel, not the operator's own address. The hostname:port pair, the mutex GUID, the startup_key registry value name and the install path fragment SubDir\Client.exe are the stable indicators to pivot on.
Signatures

Quasar payload (3 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/2148-0-0x0000000000E90000-0x00000000011C4000-memory.dmp  family_quasar
  behavioral1/memory/2452-13-0x0000000000360000-0x0000000000694000-memory.dmp family_quasar
  behavioral1/memory/2908-26-0x0000000001050000-0x0000000001384000-memory.dmp family_quasar

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 3 IoCs)
  pid   process
  1524  PING.EXE
  2648  PING.EXE
  2516  PING.EXE

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2148  Electron.exe
  Token: SeDebugPrivilege  2452  Electron.exe
  Token: SeDebugPrivilege  2908  Electron.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   process
  2148  Electron.exe
  2452  Electron.exe
  2908  Electron.exe

Suspicious use of SendNotifyMessage (3 IoCs)
  pid   process
  2148  Electron.exe
  2452  Electron.exe
  2908  Electron.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   process
  2148  Electron.exe
  2452  Electron.exe
  2908  Electron.exe

Suspicious use of WriteProcessMemory (33 IoCs; each parent/child pair below is logged three times)
  description                        pid   process       procid_target
  PID 2148 wrote to memory of 3012   2148  Electron.exe  28
  PID 3012 wrote to memory of 2592   3012  cmd.exe       30
  PID 3012 wrote to memory of 2648   3012  cmd.exe       31
  PID 3012 wrote to memory of 2452   3012  cmd.exe       32
  PID 2452 wrote to memory of 2508   2452  Electron.exe  33
  PID 2508 wrote to memory of 2500   2508  cmd.exe       35
  PID 2508 wrote to memory of 2516   2508  cmd.exe       36
  PID 2508 wrote to memory of 2908   2508  cmd.exe       37
  PID 2908 wrote to memory of 1260   2908  Electron.exe  40
  PID 1260 wrote to memory of 1680   1260  cmd.exe       42
  PID 1260 wrote to memory of 1524   1260  cmd.exe       43
Processes

C:\Users\Admin\AppData\Local\Temp\Electron.exe  PID 2148
  cmdline: "C:\Users\Admin\AppData\Local\Temp\Electron.exe"
  signatures: Suspicious use of AdjustPrivilegeToken, FindShellTrayWindow, SendNotifyMessage, SetWindowsHookEx, WriteProcessMemory
  C:\Windows\system32\cmd.exe  PID 3012
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\hpO5htDnpGk2.bat" "
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\chcp.com  PID 2592
      cmdline: chcp 65001
    C:\Windows\system32\PING.EXE  PID 2648
      cmdline: ping -n 10 localhost
      signatures: Runs ping.exe
    C:\Users\Admin\AppData\Local\Temp\Electron.exe  PID 2452
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Electron.exe"
      signatures: Suspicious use of AdjustPrivilegeToken, FindShellTrayWindow, SendNotifyMessage, SetWindowsHookEx, WriteProcessMemory
      C:\Windows\system32\cmd.exe  PID 2508
        cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\IoHqLxysdlFf.bat" "
        signatures: Suspicious use of WriteProcessMemory
        C:\Windows\system32\chcp.com  PID 2500
          cmdline: chcp 65001
        C:\Windows\system32\PING.EXE  PID 2516
          cmdline: ping -n 10 localhost
          signatures: Runs ping.exe
        C:\Users\Admin\AppData\Local\Temp\Electron.exe  PID 2908
          cmdline: "C:\Users\Admin\AppData\Local\Temp\Electron.exe"
          signatures: Suspicious use of AdjustPrivilegeToken, FindShellTrayWindow, SendNotifyMessage, SetWindowsHookEx, WriteProcessMemory
          C:\Windows\system32\cmd.exe  PID 1260
            cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\blBgpvBxu9wo.bat" "
            signatures: Suspicious use of WriteProcessMemory
            C:\Windows\system32\chcp.com  PID 1680
              cmdline: chcp 65001
            C:\Windows\system32\PING.EXE  PID 1524
              cmdline: ping -n 10 localhost
              signatures: Runs ping.exe

The tree is the same shape three times over within the 57-second run: the running client writes a randomly named .bat to %TEMP%, runs it through cmd /c, the batch switches the console to UTF-8 (chcp 65001), uses ping -n 10 localhost as a sleep, and then starts Electron.exe again from the same Temp path. Every relaunch points back at the original Temp path rather than at the configured SubDir\Client.exe, and no process from that install path appears, so installation to the configured location was not observed in this run; the third batch (PID 1260) had reached its ping delay when the analysis window closed.
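The relaunch loop above is the kind of thing that is easy to see in a rendered tree and easy to miss in a flat event log. As an added example (not part of the sandbox report and not Quasar's own code), the script below transcribes the process tree into a constructed event list, rebuilds the parent/child tree, and flags every cmd.exe that ran a .bat from which both a ping -n N localhost delay and a relaunch of the parent's image were spawned. A delay with no relaunch is reported separately as pending, which is how the third iteration (cmd.exe PID 1260) presents here; the assumption is that the analysis timeout, not a change in behaviour, is why no fourth Electron.exe appears. The EVENTS list, the two regular expressions and the find_relaunch_chains heuristic are mine.

```python
"""Rebuild a sandbox process tree and flag the delay-and-relaunch batch
pattern: parent -> cmd /c "<temp>.bat" -> ping -n N localhost -> parent image
started again. Constructed from this report's Processes section."""
import re
from collections import defaultdict
from typing import NamedTuple


class Proc(NamedTuple):
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed event list transcribed from the process tree (ppid 0 marks the
# submitted sample). Paths are the ones shown in the report.
EVENTS = [
    Proc(2148, 0,    "Electron.exe", r'"C:\Users\Admin\AppData\Local\Temp\Electron.exe"'),
    Proc(3012, 2148, "cmd.exe",      r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\hpO5htDnpGk2.bat" "'),
    Proc(2592, 3012, "chcp.com",     "chcp 65001"),
    Proc(2648, 3012, "PING.EXE",     "ping -n 10 localhost"),
    Proc(2452, 3012, "Electron.exe", r'"C:\Users\Admin\AppData\Local\Temp\Electron.exe"'),
    Proc(2508, 2452, "cmd.exe",      r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\IoHqLxysdlFf.bat" "'),
    Proc(2500, 2508, "chcp.com",     "chcp 65001"),
    Proc(2516, 2508, "PING.EXE",     "ping -n 10 localhost"),
    Proc(2908, 2508, "Electron.exe", r'"C:\Users\Admin\AppData\Local\Temp\Electron.exe"'),
    Proc(1260, 2908, "cmd.exe",      r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\blBgpvBxu9wo.bat" "'),
    Proc(1680, 1260, "chcp.com",     "chcp 65001"),
    Proc(1524, 1260, "PING.EXE",     "ping -n 10 localhost"),
]

# cmd /c with a .bat argument, tolerant of the doubled quotes cmd.exe shows.
BATCH_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*([^"]+\.bat)"', re.IGNORECASE)
# ping used as a sleep: fixed count against the local host.
PING_RE = re.compile(r'^ping\s+-n\s+(\d+)\s+(localhost|127\.0\.0\.1)\b', re.IGNORECASE)


def build_tree(events):
    """Index processes by pid and group children by ppid."""
    by_pid = {p.pid: p for p in events}
    children = defaultdict(list)
    for p in events:
        children[p.ppid].append(p)
    return by_pid, children


def render_tree(events, root=0):
    """Return the tree as indented text lines, one per process."""
    _, children = build_tree(events)
    lines = []

    def walk(ppid, depth):
        for p in children.get(ppid, []):
            lines.append(f"{'  ' * depth}{p.image} (PID {p.pid}) {p.cmdline}")
            walk(p.pid, depth + 1)

    walk(root, 0)
    return lines


def find_relaunch_chains(events):
    """Return (complete, pending). A chain is complete when the cmd.exe that
    ran the .bat spawned both a ping delay and its own parent's image again;
    pending when the delay was seen but no relaunch (e.g. analysis timed out)."""
    by_pid, children = build_tree(events)
    complete, pending = [], []
    for cmd in events:
        if cmd.image.lower() != "cmd.exe":
            continue
        m = BATCH_RE.search(cmd.cmdline)
        if not m:
            continue
        parent = by_pid.get(cmd.ppid)
        if parent is None:
            continue
        ping = relaunch = None
        for child in children[cmd.pid]:
            pm = PING_RE.match(child.cmdline)
            if pm:
                ping = (child.pid, int(pm.group(1)))
            elif child.image.lower() == parent.image.lower():
                relaunch = child.pid
        if ping is None:
            continue
        entry = {"origin": parent.pid, "cmd": cmd.pid, "batch": m.group(1),
                 "ping": ping[0], "delay_pings": ping[1], "relaunch": relaunch}
        (complete if relaunch else pending).append(entry)
    return complete, pending


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
    done, waiting = find_relaunch_chains(EVENTS)
    for e in done:
        print(f"relaunch: PID {e['origin']} -> cmd {e['cmd']} ({e['batch']}) "
              f"-> ping x{e['delay_pings']} -> PID {e['relaunch']}")
    for e in waiting:
        print(f"pending:  PID {e['origin']} -> cmd {e['cmd']} ({e['batch']}) "
              f"-> ping x{e['delay_pings']} (no relaunch observed)")
```

On real telemetry (Sysmon event 1 or EDR process-create records) the same three-field match works unchanged; what changes is that the parent's image will usually be the installed copy rather than a Temp path, so match on image name, not full path, as the helper does.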
Network
MITRE ATT&CK Enterprise v15
Downloads
Three distinct 205-byte files (each reported twice):

File 1 (205B)
  MD5: bd23869efcf526ba54b33e6e09f36e39
  SHA1: ee4f301b3acc73fe01f9662f7f1d3b2618e90ad4
  SHA256: 0dc22cf7eb9f0763d13c4f99af839b9a56e8462edf20ce4aec55b37f14c30872
  SHA512: 1b29637d210281d1a44a51bb79f977b3aaa3db0ea62a75236e7801a632d602fc42ae301736059ba234526e89d244be5eacaf72c08c8494761a4fb4503adc45c0

File 2 (205B)
  MD5: 1b36941dbe83917e59a7c1ac67ec137b
  SHA1: 3c299e1211b72f2691b909593c52f3f0adb5c227
  SHA256: 80cd1cceae84f67bdb1c6e05c94bb605e9ae3d8a0f32c9d2d6ea86d75feb8194
  SHA512: 32e7dd8676cb20d0fce9df70025ad2dbbfac6acf854f42cf57d97ab8e805b0bdde1c4751f757d37506d4707f03832d041a8762178a061f2b30ede5ac9dac096d

File 3 (205B)
  MD5: 42a6b84a629f43ba0b6975630c4e1b9a
  SHA1: afebd750aa592dd37510ef0f43a73112b182156b
  SHA256: 335dc0a008c51c136d84dc5fdfd9528fb91a4dac5268c934745227383aeb36ae
  SHA512: 7432bf9cb418e67296064192f3e3ad6168a7406c519bea3435e55034af0d7d3465dad09ed092be89a3eb5982adb85086ac563655d80c1af53091f82575be21bb