Analysis
max time kernel: 57s
max time network: 54s
platform: windows10-1703_x64
resource: win10-20231129-en
resource tags: arch:x64, arch:x86, image:win10-20231129-en, locale:en-us, os:windows10-1703-x64, system
submitted: 02-12-2023 18:10
Behavioral tasks
task         Sample        Resource
behavioral1  Electron.exe  win7-20231130-en
behavioral2  Electron.exe  win10-20231129-en
behavioral3  Electron.exe  win10v2004-20231127-en
General
Target: Electron.exe
Size: 3.2MB
MD5: 5dd7500f21add8f9bc322529a35cb55f
SHA1: b12eec8fdf6224f65e27fb9d9b06dc4375e1b37b
SHA256: 48d2d3e579bbcddda54aa5bd48197b179ca7b75018d05ce12ff3cf9e7b78e40e
SHA512: dfbbb5b026e46dd5569814f6e8558678808bf9d4d7c8d4949f8943bb7eb92ecea8f2abfc0f9f2becdd0d2f04b61000262f20e2af87a11e3fc8d4931879633e3b
SSDEEP: 98304:/veL26AaNeWgPhlmVqkQ7XSKB3OzLRCL:3e4SlPgL
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: limehag920-33288.portmap.host:33288
Mutex: 9818b060-d6e3-4e48-b21e-c9ef7bc65511
encryption_key: E97F64327412A3864CF0B0BE4A85415B949C39AD
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload (1 IoCs)
  resource: behavioral2/memory/4724-0-0x0000000000E30000-0x0000000001164000-memory.dmp
  yara_rule: family_quasar

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTPs, 3 IoCs)
  pid   Process
  5032  PING.EXE
  3980  PING.EXE
  1156  PING.EXE

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4724  Electron.exe
  Token: SeDebugPrivilege  5084  Electron.exe
  Token: SeDebugPrivilege  4660  Electron.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   Process
  4724  Electron.exe
  5084  Electron.exe
  4660  Electron.exe

Suspicious use of SendNotifyMessage (3 IoCs)
  pid   Process
  4724  Electron.exe
  5084  Electron.exe
  4660  Electron.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  4724  Electron.exe
  5084  Electron.exe
  4660  Electron.exe

Suspicious use of WriteProcessMemory (22 IoCs)
  description                        pid   Process       procid_target
  PID 4724 wrote to memory of 4164   4724  Electron.exe  74
  PID 4724 wrote to memory of 4164   4724  Electron.exe  74
  PID 4164 wrote to memory of 3744   4164  cmd.exe       76
  PID 4164 wrote to memory of 3744   4164  cmd.exe       76
  PID 4164 wrote to memory of 5032   4164  cmd.exe       77
  PID 4164 wrote to memory of 5032   4164  cmd.exe       77
  PID 4164 wrote to memory of 5084   4164  cmd.exe       78
  PID 4164 wrote to memory of 5084   4164  cmd.exe       78
  PID 5084 wrote to memory of 3136   5084  Electron.exe  79
  PID 5084 wrote to memory of 3136   5084  Electron.exe  79
  PID 3136 wrote to memory of 4596   3136  cmd.exe       82
  PID 3136 wrote to memory of 4596   3136  cmd.exe       82
  PID 3136 wrote to memory of 3980   3136  cmd.exe       81
  PID 3136 wrote to memory of 3980   3136  cmd.exe       81
  PID 3136 wrote to memory of 4660   3136  cmd.exe       83
  PID 3136 wrote to memory of 4660   3136  cmd.exe       83
  PID 4660 wrote to memory of 2368   4660  Electron.exe  84
  PID 4660 wrote to memory of 2368   4660  Electron.exe  84
  PID 2368 wrote to memory of 880    2368  cmd.exe       86
  PID 2368 wrote to memory of 880    2368  cmd.exe       86
  PID 2368 wrote to memory of 1156   2368  cmd.exe       87
  PID 2368 wrote to memory of 1156   2368  cmd.exe       87
Processes (indentation shows the parent/child depth of the process tree)

C:\Users\Admin\AppData\Local\Temp\Electron.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Electron.exe"
  PID: 4724
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ibwSTP4WYaLg.bat" "
    PID: 4164
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\chcp.com
      command line: chcp 65001
      PID: 3744

    C:\Windows\system32\PING.EXE
      command line: ping -n 10 localhost
      PID: 5032
      - Runs ping.exe

    C:\Users\Admin\AppData\Local\Temp\Electron.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Electron.exe"
      PID: 5084
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6U0YYLN4nnIN.bat" "
        PID: 3136
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\PING.EXE
          command line: ping -n 10 localhost
          PID: 3980
          - Runs ping.exe

        C:\Windows\system32\chcp.com
          command line: chcp 65001
          PID: 4596

        C:\Users\Admin\AppData\Local\Temp\Electron.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\Electron.exe"
          PID: 4660
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jl6l5CSnegqR.bat" "
            PID: 2368
            - Suspicious use of WriteProcessMemory

            C:\Windows\system32\chcp.com
              command line: chcp 65001
              PID: 880

            C:\Windows\system32\PING.EXE
              command line: ping -n 10 localhost
              PID: 1156
              - Runs ping.exe
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 2KB
  MD5: 1dcda70572487b230bb9e47148a0946d
  SHA1: 06f9b414b54eb9a816d9b37a2b54c82a94197a05
  SHA256: 9e6e954e3f620c078e96da9f741090719a3b6b282704a1e54942b683223de4ed
  SHA512: 7de9c424f82129e049ca6830c6ae1f23489738d487999e773f1593494f1caddc9dd9c77f85c3a01e05ee37653de3ab17da8c3fdf75adc0c0c2fb38a938246179

File 2
  Filesize: 205B
  MD5: 95e9bbc0b27dba76e402d0a2a154c9c0
  SHA1: 0ff0ab71e1d8127ed783375132fdd99f123a0219
  SHA256: 89a8dded3f920654ba78d80f1027fe685d3f7305192f486287952413c6602012
  SHA512: e880fbd82033c1516028b17370094ba3a545d70ab03e00b78307d35623e9e65fc9d61483738be39cea8c08f54501d72c1f37468ea46acd32c60dd23271b24fb3

File 3
  Filesize: 205B
  MD5: 9e6ef90e3dbace5bdc11be4d4085662f
  SHA1: f68cb4e3afa64f353f9517297009efcdc96a7355
  SHA256: 75df2c23291ed6f3aed9aed6bc18b02a466465d4fda8f6973b7591fb1dac3136
  SHA512: fa2fa0dff8707107fcae584ce52f71ec21e47d143ea4c516a451a4efa7c79d9573390bbb6d0ae7e79e3978f7f4ddd4deae826722dbb3f10a773390f3cbf8b40e

File 4
  Filesize: 205B
  MD5: 68fa1fd4d5152108ab7b3700a3db0606
  SHA1: 7da764c3e81d963da50e0b8ebfa0152d879b1e36
  SHA256: 2a76f1b13bfdd7be065ab72c506710c258457d1cb8892a2a6225e60eb1cf833d
  SHA512: c29b160e3b9ee21cafcb9e3d86cd1d5b7f21cec61ad54c65627551be8d7113ededd69480cd48ec17c60e1276454b8ea247ca79cab007bed405c1d030c0063177